Information Security - Chapter 5

Uploaded by mahram313ali

IP Security

Chapter 5
KEU, Computer Science Faculty
IT Department
IP Security
- IPsec is an IETF standard suite of protocols that secures communication between two points across an IP network.
- It provides data authentication, integrity, and confidentiality.
- It also defines how packets are encrypted, decrypted, and authenticated.
Uses of IP Security
- IPsec can be used to do the following things:
  - To encrypt application layer data.
  - To provide security for routers sending routing data across the public internet.
  - To provide authentication without encryption, for example to verify that the data originates from a known sender.
  - To protect network data by setting up circuits using IPsec tunneling, in which all data sent between the two endpoints is encrypted, as with a Virtual Private Network (VPN) connection.
Components of IP Security
- It has the following components:
  - Encapsulating Security Payload (ESP)
  - Authentication Header (AH)
  - Internet Key Exchange (IKE)
1. Encapsulating Security Payload (ESP): provides data integrity, encryption, authentication, and anti-replay protection. It also authenticates the payload.
2. Authentication Header (AH): also provides data integrity, authentication, and anti-replay protection, but it does not provide encryption.
   Anti-replay protection guards against an attacker capturing packets and retransmitting them: each protected packet carries a sequence number, and the receiver drops duplicates and packets that have fallen behind its window.
   AH does not protect data confidentiality.
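The anti-replay window that AH and ESP receivers keep, shown as an added example; this code is not from the slides. It follows the sliding-window method of RFC 4302/4303 Appendix A: the receiver tracks the highest sequence number accepted and a bitmap of the recent ones, accepts late but genuine (reordered) packets inside the window, and drops any packet whose number is a duplicate or has fallen behind the window. The window width (64) and the arrival order fed in are constructed for the demonstration.

```python
"""Anti-replay sliding window for an inbound AH/ESP SA (added example, not from the slides).

Follows the method in RFC 4302/4303 Appendix A: keep the highest sequence
number accepted and a bitmap of which recent numbers have already arrived.
"""


class ReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size          # window width (RFC 4303 minimum is 32; 64 assumed here)
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence number (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is fresh; False if it is a replay or too old."""
        if seq == 0:
            return False          # sequence numbers start at 1 (RFC 4303 section 2.2)
        if seq > self.highest:
            # Right of the window: slide it forward and mark the new highest as seen.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1   # jumped past all remembered history
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False          # left of the window: too old, drop
        if (self.bitmap >> offset) & 1:
            return False          # inside the window but already received: replay, drop
        self.bitmap |= 1 << offset  # late but legitimate (reordered) packet: accept and record
        return True


def simulate(seqs, size: int = 64):
    """Feed a constructed sequence of packet numbers through one window; return accept/drop decisions."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: the second 2 and the second 1 are replays, 4 arrived late
    # but is genuine, 70 jumps ahead, 10 is still inside the 64-wide window, 6 has fallen out.
    arrivals = [1, 2, 3, 2, 5, 4, 1, 70, 10, 6]
    for seq, ok in zip(arrivals, simulate(arrivals)):
        print(seq, "accept" if ok else "drop")
```

The bitmap is a plain integer so the window can be widened without changing the logic; production stacks use the same scheme with a fixed-size bit array per SA.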
Components of IP Security
3. Internet Key Exchange (IKE): a network security protocol designed to dynamically exchange encryption keys and negotiate a Security Association (SA) between two devices.

- IKE protects the content of its own messages and also provides an open framework for using standard algorithms such as SHA and MD5.
- The integrity algorithms used by IPsec produce a unique check value for each packet. This value lets the receiving device determine whether a packet is authentic and unmodified. Packets that fail the check are discarded and are not delivered to the receiver.
- The Security Association (SA) establishes shared security attributes between two entities (devices) to support secure communication.
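An added example (not from the slides) of what the Security Association negotiated by IKE holds and how the receiving side uses it: inbound ESP packets are matched to an SA by SPI, destination address and protocol (the Security Association Database lookup of RFC 4301), and the integrity check value is recomputed with the SA's key, so packets that match no SA or fail the check are discarded before reaching the receiver. The SA values, key and packets are constructed sample data, the ESP framing is reduced to header, payload and ICV, and HMAC-SHA256-128 (RFC 4868) is an assumed choice of integrity algorithm.

```python
"""Inbound SA lookup and integrity check for ESP (added example, not from the slides).

IKE's job is to negotiate the SA contents modelled here (SPI, algorithm, key).
This code only models that result and the receive-side accept/discard decision.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ICV_LEN = 16  # HMAC-SHA256-128 (RFC 4868): 256-bit MAC truncated to 128 bits (assumed algorithm)


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int            # Security Parameters Index carried in every ESP/AH header
    dst: str            # destination address the SA was negotiated for
    protocol: str       # "ESP" or "AH"
    integ_key: bytes    # integrity key derived by IKE


# Security Association Database: RFC 4301 selects inbound SAs by (SPI, destination, protocol)
SAD: dict = {}


def install_sa(sa: SecurityAssociation) -> None:
    """Install an SA as IKE would once negotiation completes."""
    SAD[(sa.spi, sa.dst, sa.protocol)] = sa


def build_esp(sa: SecurityAssociation, seq: int, payload: bytes) -> bytes:
    """Sender side: ESP header (SPI, sequence number) | payload | ICV (trailer omitted for brevity)."""
    body = struct.pack("!II", sa.spi, seq) + payload
    icv = hmac.new(sa.integ_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def receive_esp(packet: bytes, dst: str):
    """Receiver side: return the payload if the packet maps to an SA and its ICV verifies, else None."""
    if len(packet) < 8 + ICV_LEN:
        return None                                  # too short to hold header + ICV: discard
    spi, _seq = struct.unpack("!II", packet[:8])
    sa = SAD.get((spi, dst, "ESP"))
    if sa is None:
        return None                                  # no matching SA: discard (RFC 4301 section 5.2)
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.integ_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                                  # ICV mismatch: forged or modified, discard
    return body[8:]


# Constructed sample: one SA as IKE might have negotiated it
SAMPLE_SA = SecurityAssociation(spi=0x1000, dst="10.2.0.9", protocol="ESP",
                                integ_key=b"constructed-demo-integrity-key")
install_sa(SAMPLE_SA)


def demo():
    """Three cases: a good packet, a tampered payload, and an SPI with no SA."""
    good = build_esp(SAMPLE_SA, 1, b"hello")
    tampered = good[:8] + b"jello" + good[13:]       # change the payload, keep the original ICV
    unknown = struct.pack("!II", 0x2000, 1) + b"hello" + bytes(ICV_LEN)
    return (receive_esp(good, "10.2.0.9"),
            receive_esp(tampered, "10.2.0.9"),
            receive_esp(unknown, "10.2.0.9"))


if __name__ == "__main__":
    print(demo())   # (b'hello', None, None)
```

The comparison uses `hmac.compare_digest` so that a forged ICV cannot be guessed byte by byte from timing differences; the same SAD lookup would also feed the anti-replay window and the SA's decryption key in a full implementation.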
IP Security
- There is a range of application-specific security mechanisms
  - e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
  - Secure/Multipurpose Internet Mail Extensions (S/MIME)
  - Pretty Good Privacy (PGP) is used for authentication
  - Kerberos and PGP have so far been used separately for secure authentication to remote services
- However, there are security concerns that cut across protocol layers
- We would like security implemented by the network for all applications
IP Security
- General IP Security mechanisms
- Provides
  - authentication
  - confidentiality
  - key management
- Applicable to use over LANs, across public & private WANs, & for the Internet
- Need identified in 1994 report
- Need authentication, encryption in IPv4 & IPv6
IP Security Uses
- IPsec operates in networking devices (a router or firewall) that connect a LAN to the outside world. The IPsec networking device typically encrypts and compresses traffic going into the WAN, and decrypts and decompresses traffic coming from the WAN; these operations are transparent to workstations and servers on the LAN.
Benefits of IPSec
- In a firewall/router, it provides strong security to all traffic crossing the perimeter
- In a firewall/router, it is resistant to bypass
- It is below the transport layer, hence transparent to applications
- It can be transparent to end users
- It can provide security for individual users
- It secures the routing architecture
Advantages of IPSec
- Strong security: IPSec provides strong cryptographic security services that help protect sensitive data and ensure network privacy and integrity.
- Wide compatibility: IPSec is an open standard protocol that is widely supported by vendors and can be used in heterogeneous environments.
- Flexibility: IPSec can be configured to provide security for a wide range of network topologies, including point-to-point, site-to-site, and remote access connections.
- Scalability: IPSec can be used to secure large-scale networks and can be scaled up or down as needed.
- Improved network performance: IPSec can help improve network performance by reducing network congestion and improving network efficiency.
Disadvantages of IPSec
- Configuration complexity: IPSec can be complex to configure and requires specialized knowledge and skills.
- Compatibility issues: IPSec can have compatibility issues with some network devices and applications, which can lead to interoperability problems.
- Performance impact: IPSec can impact network performance due to the overhead of encryption and decryption of IP packets.
- Key management: IPSec requires effective key management to ensure the security of the cryptographic keys used for encryption and authentication.
- Limited protection: IPSec only provides protection for IP traffic, and other protocols such as ICMP, DNS, and routing protocols may still be vulnerable to attacks.
Features of IPSec
- Authentication: IPSec provides authentication of IP packets using digital signatures or shared secrets. This helps ensure that the packets are not tampered with or forged.
- Confidentiality: IPSec provides confidentiality by encrypting IP packets, preventing eavesdropping on the network traffic.
- Integrity: IPSec provides integrity by ensuring that IP packets have not been modified or corrupted during transmission.
- Key management: IPSec provides key management services, including key exchange and key revocation, to ensure that cryptographic keys are securely managed.
- Tunneling: IPSec supports tunneling, allowing IP packets to be encapsulated within another protocol, such as GRE (Generic Routing Encapsulation) or L2TP (Layer 2 Tunneling Protocol).
Features of IPSec
- Flexibility: IPSec can be configured to provide security for a wide range of network topologies, including point-to-point, site-to-site, and remote access connections.
- Interoperability: IPSec is an open standard protocol, which means that it is supported by a wide range of vendors and can be used in heterogeneous environments.
IP Security Architecture
- The specification is quite complex, with groups:
  - Architecture
    - RFC4301 Security Architecture for Internet Protocol
  - Authentication Header (AH)
    - RFC4302 IP Authentication Header
  - Encapsulating Security Payload (ESP)
    - RFC4303 IP Encapsulating Security Payload (ESP)
  - Internet Key Exchange (IKE)
    - RFC4306 Internet Key Exchange (IKEv2) Protocol
  - Cryptographic algorithms
  - Other
IP Security Architecture

DOI (Domain of Interpretation): the DOI is an identifier that covers both the AH and ESP protocols. It groups the values (such as algorithm and attribute identifiers) that the related IPsec documents refer to.
IPSec Services
- Access control
- Connectionless integrity
- Data origin authentication
- Rejection of replayed packets
  - a form of partial sequence integrity
- Confidentiality (encryption)
- Limited traffic flow confidentiality
Transport and Tunnel Modes

- Transport Mode
  - encrypts & optionally authenticates the IP payload (the original IP header stays in the clear)
  - is exposed to traffic analysis but is efficient
  - good for ESP (Encapsulating Security Payload) host-to-host traffic
- Tunnel Mode
  - encrypts the entire IP packet
  - adds a new outer header addressed to the next hop (the security gateway)
  - no router on the way can examine the inner IP header
  - good for VPNs, gateway-to-gateway security
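Transport and tunnel mode encapsulation, as an added example that is not part of the slides. The code builds a small IPv4 packet, wraps it in ESP both ways, and parses what an on-path router can read: in transport mode the original host addresses stay visible and only the protocol field changes to ESP (50), which is why the mode remains exposed to traffic analysis; in tunnel mode the router sees only the gateway addresses of the new outer header while the whole original packet, inner header included, travels inside the ESP payload. ESP-NULL (RFC 2410, no encryption) is used so the layout stays readable, the HMAC-SHA1-96 ICV (RFC 2404) is computed with a constructed key, and the addresses and SPI are made up for the demonstration.

```python
"""Transport vs. tunnel mode framing of one IPv4 packet with ESP (added example, not from the slides)."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50   # IP protocol number for ESP
IPIP_PROTO = 4   # ESP next-header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 12     # HMAC-SHA1-96 (RFC 2404): ICV truncated to 96 bits


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (constructed for the demo; checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def esp_wrap(spi: int, seq: int, plaintext: bytes, next_header: int, key: bytes) -> bytes:
    """ESP-NULL framing: header | payload | padding | pad length | next header | ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default padding content 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + plaintext + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def transport_mode(packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Keep the original IP header; ESP protects only what follows it."""
    ip_hdr, payload = packet[:20], packet[20:]
    esp = esp_wrap(spi, seq, payload, ip_hdr[9], key)   # next header = original protocol
    hdr = bytearray(ip_hdr)
    hdr[9] = ESP_PROTO                                   # protocol field now says ESP
    struct.pack_into("!H", hdr, 2, 20 + len(esp))        # fix the total length
    return bytes(hdr) + esp


def tunnel_mode(packet: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Protect the whole original packet, header included, behind a new outer header."""
    esp = esp_wrap(spi, seq, packet, IPIP_PROTO, key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def router_view(packet: bytes):
    """The fields an on-path router can read: outer source, destination and protocol."""
    return (str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20])), packet[9])


# Constructed sample: a 5-byte TCP payload (protocol 6) from host A to host B
SAMPLE = ipv4_header("10.1.0.5", "10.2.0.9", 6, 5) + b"hello"
KEY = b"constructed-demo-key"   # placeholder; real keys come from IKE

if __name__ == "__main__":
    print("plain    ", router_view(SAMPLE))
    print("transport", router_view(transport_mode(SAMPLE, 0x1000, 1, KEY)))
    print("tunnel   ", router_view(tunnel_mode(SAMPLE, "192.0.2.1", "198.51.100.1", 0x1000, 1, KEY)))
```

With a real cipher the bytes between the ESP header and the ICV would be encrypted, but the outer header read by `router_view` would be identical, which is the whole difference between the two modes from the network's point of view.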
[Figure: Transport and Tunnel Modes]
[Figure: Transport and Tunnel Mode Protocols]
END
