Internet Protocol Security (IPSec)

2008 Oct 05

The IETF attempted to build security into the TCP/IP stack with the IP Security, or IPSec, defined in RFCs 2401 and 2412, at the IP layer; offering authentication of the data source, confidentiality, data integrity, and protection against replays. Any two systems compatible with IPSec can communicate securely over the network.

IPSec is in IP version 4, and is made up of two protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), which can be used independently or together in the same packet.

IPSec is also built into IPv6. IPSec is complex and not easy to implement, with many options making it diffucult for independt vendors to have their products succesfully communicate with each other. Another problem limiting IPSec is the safe distribution of ecnryption keys and digital certificates. There is no safe infrastructure for such distribution requiring manual or private distribution systems.

The IPSec Authentication Header (AH)

The Authentication Header provides authentication of the data source, data integrity, and (optionally) protection against replays. In essence AH provides digital signatures for IP packets so that attackers cannot send packets impersonating another machine, or alter data as it moves across the network. Using AH, a system can verify where a packet came from and ensure that it was not altered in transit. AH fits into an IP packet as follows:

AH is inserted in after the IPv4 header, using the method known as transport mode iPSec. Another IPSec option, called tunnel mode, applies AH to an entire IP packet (not just the TCP or UDP part) and then putting a new IP header in fron of the result. The AH format follows:

• The SPI is a reference number, agreed on by both systems of the communications indicating which IPSec connection this packet belongs to. The SPI refers to a specific agreement between the two systems to use particular encryption algorithms, encryption keys, and other parameters for the communication.
• The Sequence Number Field is used to apply a unique sequence number to each packet in the IPSec session to prevent an attacker from replaying data.
• The Authentication Data includes information used to verify the integrity of the packet. IPSec does not specify which encryption algorithms to use, so this data could include a digital signature or a hash function of the data.

The IPSec Encapsulating Security Payload (ESP)

The Encapsulating Security Payload supports confidentiality and (optionally) supports authentication of the data source, data integrity, and protection against replays. ESP is used to encrypt packets so attackers cannot understand the data and to to support digital signatures. ESP is applied to an IPv4 packet in transport mode as follows:

As with AH, ESP inlcudes a Security Parameters Index and Sequence Number Field, serving teh same purpose as in AH. Additionally, ESP includes the encrypted data, referred to as opaque because it is encrypted.

• ESP pads the packet (specifically the variable lenth Opaque Data field to a 32-bit word boundary
• The Next Header field is a pointer to any additioanl headers in the packet
• The allows ESP to provide authentication and integrity services, such as digitally signed packets

2005-2008