CNS 4,5,6

Uploaded by

RAMYA KADALI

UNIT VI

Network Security-II

IPSec Architecture

The IPSec architecture describes the various components of IP Security, how they interact with each other, the protocols in the IPSec family, and the modes in which they operate.

Three components

1. IPSec Document
2. IPSec Services
3. Security Association

IPSec Documents

IPSec is defined by a number of documents. These features are mandatory for the next-generation IPv6 and optional for IPv4.

The header used for authentication is called the Authentication Header (AH); the header used for encryption is called the ESP header.

Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining IPSec technology.
Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of the ESP for packet encryption and, optionally, authentication.
Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication.
Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.
Authentication Algorithm
Domain of Interpretation (DOI)
Key Management

Fig. IPSec Documents

IPSec Service:

IPSec provides security services at the network layer by enabling a system to select the required security protocol. The IPSec architecture makes use of two major protocols, ESP and AH.

IPSec Services:

Integrity
Access control
Confidentiality
Authentication

Security Association (SA)

A Security Association is a one-way relationship between a sender and a receiver that affords security services to the traffic it carries. Because a security association covers traffic in only one direction, two security associations are needed for bidirectional communication, one for each direction.

3 Essential parameters of SA

1. Security Parameter Index (SPI)
2. Destination IP Address
3. Security Protocol

Authentication Header (AH)

The Authentication Header is a protocol and a part of the IPSec suite that authenticates the origin of IP datagrams and guarantees the integrity of their data. Its aim is to provide support for integrity and authentication of IP packets. It is also used to prevent IP spoofing.

The Authentication Header consists of the following fields:

1. Next Header (8 bits): Identifies the type of header that immediately follows the AH.
2. Payload Length: Length of the Authentication Header in 32-bit words.
3. Reserved (16 bits): For future use.
4. Security Parameters Index (32 bits): Identifies a security association.
5. Sequence Number (32 bits): A monotonically increasing counter value.
6. Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words).
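As an added illustration of the SA parameters and the AH fields above (example code, not from the original notes), the following Python builds an AH-protected packet, looks the inbound SA up by (SPI, destination address, protocol) in a constructed SA database, and verifies the ICV before checking the sequence number for replay. It assumes HMAC-SHA-256-128 as the authentication algorithm, uses RFC 4302's Payload Length definition (AH length in 32-bit words minus 2), and authenticates only the AH and payload, not the immutable IP header fields that real AH also covers.

```python
import hmac
import hashlib
import struct

AH_PROTO = 51        # IP protocol number of the Authentication Header
ICV_LEN = 16         # HMAC-SHA-256-128 (RFC 4868): HMAC-SHA-256 truncated to 128 bits


def build_ah(next_header, spi, seq, payload, key):
    """Return AH || payload.  Authenticated data here = AH (ICV field zeroed) || payload;
    real AH additionally covers the immutable fields of the enclosing IP header."""
    # Payload Length = length of AH in 32-bit words minus 2 (RFC 4302): (12 + 16) / 4 - 2 = 5
    payload_len = (12 + ICV_LEN) // 4 - 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)   # Reserved = 0
    icv = hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha256).digest()[:ICV_LEN]
    return fixed + icv + payload


def receive_ah(packet, dst_ip, sad):
    """Look up the SA by (SPI, destination address, protocol), verify the ICV and reject
    replays.  Returns (status, fields); status is "ok", "malformed", "no-sa", "bad-icv" or "replay"."""
    if len(packet) < 12:
        return "malformed", None
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", packet[:12])
    sa = sad.get((spi, dst_ip, AH_PROTO))        # the three essential SA parameters
    if sa is None:
        return "no-sa", None
    ah_len = (payload_len + 2) * 4
    icv, payload = packet[12:ah_len], packet[ah_len:]
    expected = hmac.new(sa["key"], packet[:12] + bytes(len(icv)) + payload,
                        hashlib.sha256).digest()[:len(icv)]
    if not hmac.compare_digest(icv, expected):
        return "bad-icv", None                   # modified in transit, or wrong key
    if seq <= sa["last_seq"]:                    # simplified anti-replay: no sliding window
        return "replay", None
    sa["last_seq"] = seq
    return "ok", (next_header, spi, seq, payload)


# Constructed sample: one inbound SA for SPI 0x1000 terminating at 10.0.0.2 (hypothetical address)
KEY = bytes(range(32))
SAD = {(0x1000, "10.0.0.2", AH_PROTO): {"key": KEY, "last_seq": 0}}

if __name__ == "__main__":
    pkt = build_ah(6, 0x1000, 1, b"TCP segment", KEY)
    print(receive_ah(pkt, "10.0.0.2", SAD))
    print(receive_ah(pkt, "10.0.0.2", SAD))      # same sequence number again -> replay
```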

Encapsulating Security Payload (ESP)

ESP stands for Encapsulating Security Payload. It encrypts and authenticates each packet. Encryption is applied to the packet payload; authentication is applied to data in the IPSec header as well as to the payload data after encryption has been applied. ESP provides message content confidentiality and limited traffic-flow confidentiality, and can optionally provide the same authentication services as AH. It supports a range of ciphers, modes and padding:

DES, Triple-DES, RC5, IDEA, CAST etc.
CBC & other modes
Padding needed to fill the block size, to align the trailer fields, and for traffic-flow confidentiality
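The padding rule above, worked through in code (an added example, not from the notes): ESP pads the payload so that payload, Padding, Pad Length and Next Header together fill whole cipher blocks, and may pad further to hide the true payload length. The cipher itself is left out (the framing is shown in the clear) and the ICV is omitted; the pad pattern 1,2,3,... and the 4-byte alignment rule follow RFC 4303.

```python
import struct

ESP_PROTO = 50   # IP protocol number placed in the outer header's Protocol / Next Header field


def esp_plaintext(payload, next_header, block_size, conceal_to=0):
    """Bytes ESP hands to the cipher: payload || Padding || Pad Length || Next Header.
    Padding makes the total a multiple of the cipher block size (8 for DES/3DES/IDEA/CAST,
    16 for AES; use 1 for a stream cipher, which still needs 4-byte alignment).  conceal_to
    grows the padding so the length reveals less about the real payload (traffic flow)."""
    align = max(block_size, 4)
    total = max(len(payload) + 2, conceal_to)     # 2 = Pad Length + Next Header trailer bytes
    total += (-total) % align
    pad_len = total - len(payload) - 2
    if pad_len > 255:
        raise ValueError("Pad Length is a single byte; lower conceal_to")
    padding = bytes(range(1, pad_len + 1))        # default pad content 1,2,3,... (RFC 4303)
    return payload + padding + bytes([pad_len, next_header])


def esp_encapsulate(payload, next_header, spi, seq, block_size, conceal_to=0):
    """ESP header (SPI, Sequence Number) || padded plaintext.  The cipher step is left out
    (identity transform) so the framing stays visible; a real sender encrypts everything
    after the 8-byte header and, with authentication enabled, appends an ICV."""
    return struct.pack("!II", spi, seq) + esp_plaintext(payload, next_header, block_size, conceal_to)


def esp_decapsulate(packet):
    """Inverse of esp_encapsulate for the unencrypted framing: returns
    (spi, seq, next_header, payload).  Raises ValueError on a malformed trailer."""
    spi, seq = struct.unpack("!II", packet[:8])
    body = packet[8:]
    if len(body) < 2:
        raise ValueError("truncated ESP trailer")
    pad_len, next_header = body[-2], body[-1]
    end = len(body) - 2 - pad_len
    if end < 0 or body[end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")       # receivers SHOULD check the default pattern
    return spi, seq, next_header, body[:end]
```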

Audit Record

An audit record is used to record information about the actions of users. In information or communications security, an audit record means a chronological record of system activities that enables the reconstruction and examination of the sequence of events and/or changes in an event.

Types of audit records

1. Native records: Store all actions of all users
2. Detective records: Collect information specific to intrusion detection

IP Spoofing

A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find the IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.

HIDS

HIDS stands for Host-based Intrusion Detection System. A HIDS monitors the computer system on which it is installed to detect an intrusion and/or misuse, and responds by logging the activity and notifying the designated authority.

Monitoring dynamic behavior
Monitoring state
Technique
Providing the HIPDS

What are the different combinations of Security Associations?

Combining Security Associations

To implement both AH and ESP, Security Associations need to be combined to form a security association bundle, which may terminate at different or the same endpoints.

Security associations can be combined in two ways:

Transport adjacency: Refers to applying more than one security protocol to the same IP packet, without invoking tunneling.

Iterated tunneling: Refers to the application of multiple layers of security protocols effected through IP tunneling.

Issue of authentication & encryption order
Tunnel mode and Transport mode of IPSec

Tunnel Mode:

Provides protection to the entire IP packet.
Used when one or both ends of a security association (SA) are a security gateway.
A number of hosts on networks behind firewalls may engage in secure communications without implementing IPSec.
ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header.
AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header.

Transport mode:

Provides protection primarily for upper-layer protocols.
Examples include a TCP or UDP segment or an ICMP packet.
Typically used for end-to-end communication between two hosts.
ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header.

Internet Security Association and Key Management Protocol (ISAKMP):

ISAKMP provides a framework for key management.
It defines procedures and packet formats to establish, negotiate, modify, and delete SAs.
It is independent of the key exchange protocol, encryption algorithm, and authentication method.


ISAKMP Payloads & Exchanges

ISAKMP has a number of payload types:
Security Association, Proposal, Transform, Key Exchange, Identification, Certificate, Certificate Request, Hash, Signature, Nonce, Notification, Delete

ISAKMP has a framework for 5 types of message exchanges:
base, identity protection, authentication only, aggressive, informational

The ISAKMP header consists of the following fields:

1. Initiator Cookie (64 bits): Cookie of the entity that initiated SA establishment, SA notification, or SA deletion.
2. Responder Cookie (64 bits): Cookie of the responding entity; null in the first message from the initiator.
3. Next Payload (8 bits): Indicates the type of the first payload in the message.
4. Major Version (4 bits): Indicates the major version of ISAKMP in use.
5. Minor Version (4 bits): Indicates the minor version in use.
6. Exchange Type (8 bits): Indicates the type of exchange.
7. Flags (8 bits): Indicates specific options set for this ISAKMP exchange.
8. Message ID (32 bits): Unique ID for this message.
9.
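An added example (not from the notes) that packs and parses the ISAKMP header fields listed above with Python's struct module and applies the receiver-side checks a practitioner cares about: the responder cookie must be zero in the initiator's first message, the exchange type must be one of the five listed, and the 32-bit Length field that closes the header (taken from RFC 2408) must agree with the bytes actually received. The exchange-type and payload-type numbers are the RFC 2408 values; the sample message body is a constructed stand-in.

```python
import struct

ISAKMP_HDR_LEN = 28    # RFC 2408 fixed header: 8 + 8 + 1 + 1 + 1 + 1 + 4 + 4 (Length) bytes
HDR_FMT = "!8s8sBBBBII"
EXCHANGE_TYPES = {1: "base", 2: "identity protection", 3: "authentication only",
                  4: "aggressive", 5: "informational"}
PAYLOAD_TYPES = {0: "none", 1: "Security Association", 2: "Proposal", 3: "Transform",
                 4: "Key Exchange", 5: "Identification", 6: "Certificate",
                 7: "Certificate Request", 8: "Hash", 9: "Signature", 10: "Nonce",
                 11: "Notification", 12: "Delete"}


def build_isakmp_header(icookie, rcookie, next_payload, exchange_type, flags, message_id,
                        payload_bytes, major=1, minor=0):
    """Pack the header in front of an already-encoded payload chain."""
    version = (major << 4) | minor               # two 4-bit fields share one byte
    length = ISAKMP_HDR_LEN + len(payload_bytes)
    return struct.pack(HDR_FMT, icookie, rcookie, next_payload, version,
                       exchange_type, flags, message_id, length) + payload_bytes


def parse_isakmp_header(data, first_message=False):
    """Decode the header and run the checks a receiver applies before touching any payload.
    Returns a dict; 'errors' is empty when the header is acceptable."""
    if len(data) < ISAKMP_HDR_LEN:
        return {"errors": ["message shorter than the 28-byte header"]}
    (icookie, rcookie, np, version, xtype,
     flags, msg_id, length) = struct.unpack(HDR_FMT, data[:ISAKMP_HDR_LEN])
    hdr = {"initiator_cookie": icookie, "responder_cookie": rcookie,
           "next_payload": PAYLOAD_TYPES.get(np, f"unknown({np})"),
           "major": version >> 4, "minor": version & 0x0F,
           "exchange_type": EXCHANGE_TYPES.get(xtype, f"unknown({xtype})"),
           "flags": flags, "message_id": msg_id, "length": length, "errors": []}
    if icookie == bytes(8):
        hdr["errors"].append("initiator cookie must be non-zero")
    if first_message and rcookie != bytes(8):
        hdr["errors"].append("responder cookie must be zero in the initiator's first message")
    if hdr["major"] != 1:
        hdr["errors"].append(f"unsupported major version {hdr['major']}")
    if xtype not in EXCHANGE_TYPES:
        hdr["errors"].append(f"unknown exchange type {xtype}")
    if length < ISAKMP_HDR_LEN or length > len(data):
        hdr["errors"].append("Length field disagrees with the bytes received")
    return hdr
```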
