2008 Oct 05
The IETF attempted to build security into the TCP/IP stack with the IP Security, or IPSec, defined in RFCs 2401 and 2412, at the IP layer; offering authentication of the data source, confidentiality, data integrity, and protection against replays. Any two systems compatible with IPSec can communicate securely over the network.
IPSec is in IP version 4, and is made up of two protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), which can be used independently or together in the same packet.
IPSec is also built into IPv6. IPSec is complex and not easy to implement, with many options making it diffucult for independt vendors to have their products succesfully communicate with each other. Another problem limiting IPSec is the safe distribution of ecnryption keys and digital certificates. There is no safe infrastructure for such distribution requiring manual or private distribution systems.
The Authentication Header provides authentication of the data source, data integrity, and (optionally) protection against replays. In essence AH provides digital signatures for IP packets so that attackers cannot send packets impersonating another machine, or alter data as it moves across the network. Using AH, a system can verify where a packet came from and ensure that it was not altered in transit. AH fits into an IP packet as follows:
IPv4 Header | Auth. Header (AH) | Upper Layer Protocol (TCP, UDP, etc.) |
AH is inserted in after the IPv4 header, using the method known as transport mode iPSec. Another IPSec option, called tunnel mode, applies AH to an entire IP packet (not just the TCP or UDP part) and then putting a new IP header in fron of the result. The AH format follows:
Next Header | Payload Len. | Reserved |
Security Parameters Index (SPI) | ||
Sequence Number Field | ||
... Authentication Data ... |
The Encapsulating Security Payload supports confidentiality and (optionally) supports authentication of the data source, data integrity, and protection against replays. ESP is used to encrypt packets so attackers cannot understand the data and to to support digital signatures. ESP is applied to an IPv4 packet in transport mode as follows:
|
|
|
As with AH, ESP inlcudes a Security Parameters Index and Sequence Number Field, serving teh same purpose as in AH. Additionally, ESP includes the encrypted data, referred to as opaque because it is encrypted.
Security Parameters Index (SPI) | ||
Sequence Number Field | ||
... Opaque Data ... |
||
... Padding | Pad Length | Next Header |
... Authentication Data ... |
2005-2008