Unit 3

IPsec is a framework that provides security at the network layer through protocols that offer data authentication and encryption. It defines two security modes - transport and tunnel - and two main security protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides authentication of packet senders while ESP supports both authentication and encryption. Key management is the process of generating, distributing and updating the cryptographic keys used in IPsec to encrypt packet contents and authenticate senders.

Uploaded by Avinash Khantwal

UNIT-3

IPsec

IPsec (Internet Protocol Security) is a framework of protocols that provides security at the network
(IP) layer, so that every packet exchanged between two endpoints can be authenticated and, where required, encrypted.
IPsec is especially useful for building virtual private networks (VPNs) and for giving remote users
access to private networks.
A big advantage of IPsec is that, because it works at the IP layer, it is transparent to applications:
security arrangements can be handled without requiring changes to individual user computers or programs.
IPsec provides two choices of security protocol: Authentication Header (AH), which provides integrity and
authentication of the sender of the data, and Encapsulating Security Payload (ESP), which supports encryption
of the data as well as integrity and authentication of the sender.
The information associated with each of these services is inserted into the packet in a header that
follows the IP header; the IP protocol field is set to 51 for AH and 50 for ESP so the receiver knows
which header to expect.

There are two modes of IPsec operation:

Transport mode

In transport mode, only the payload of the IP packet (the transport segment, e.g. TCP or UDP) is encrypted and/or
authenticated. The original IP header is kept and the AH or ESP header is inserted between it and the payload,
so the packet's source and destination addresses remain visible in transit. Transport mode is normally used
end-to-end between two hosts.

Tunnel mode

In tunnel mode, the entire original IP packet (IP header and data) is encrypted and/or authenticated and then
encapsulated in a new IP packet with a new outer IP header. Only the outer header is visible in transit, so the
inner addresses are hidden. Tunnel mode is the usual choice between two security gateways (a site-to-site VPN)
or between a remote host and a gateway.

Authentication Header (AH)


AH is a member of the IPsec protocol suite; it is carried with protocol number 51 in the IP header.
AH is intended to guarantee connectionless integrity and data origin authentication of IP packets, and
(through its sequence number) protection against replayed packets.
AH protects the IP payload and all header fields of an IP datagram except for mutable fields (i.e. those
that might be altered in transit, such as the TTL and the header checksum).
A brief description of each field follows:
Next header. The 8-bit next-header field defines the type of payload carried by the
IP datagram (such as TCP, UDP, ICMP, or OSPF). It has the same function as the
protocol field in the IP header before encapsulation; that protocol field now holds 51.

Payload length. The 8-bit payload length field defines the length of the authentication header in 4-byte
multiples, but it does not include the first 8 bytes (the value is the AH length in 32-bit words minus 2).

Security parameter index. The 32-bit security parameter index (SPI) field plays
the role of a virtual-circuit identifier and is the same for all packets sent during a
connection called a security association (SA). The receiver uses it to look up the keys and
algorithms agreed for that SA.
Sequence number. A 32-bit sequence number, incremented for every packet sent on the SA, provides
ordering information for a sequence of datagrams and lets the receiver reject replayed packets.

Authentication data. Finally, the authentication data field (the integrity check value, ICV) is the result of
applying a keyed message authentication code such as HMAC (e.g. HMAC-SHA1-96 or HMAC-SHA256-128) under the
SA's key to the entire IP datagram, with the fields that are changed during transit (e.g., time-to-live)
and the ICV field itself set to zero for the computation. A plain unkeyed hash would not work here,
because anyone could recompute it.
The AH Protocol provides source authentication and data integrity, but not privacy (confidentiality).
Because the ICV covers the source and destination addresses, an AH packet fails verification after passing
through NAT; this is one reason ESP is far more widely deployed than AH.
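As an added example (this is not code from the original notes), the following Python builds an AH-protected IPv4 datagram and verifies it, zeroing the mutable header fields before computing the ICV. It uses HMAC-SHA256 truncated to 128 bits as the integrity algorithm; the addresses, key, SPI and payload bytes are constructed for the demonstration, and the header checksum is left to the IP layer.

```python
import hmac
import hashlib
import struct

AH_PROTOCOL = 51   # value placed in the IP protocol field when AH follows the IP header
ICV_LEN = 16       # HMAC-SHA256-128: the 256-bit HMAC output truncated to 128 bits


def ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options. The checksum is left at zero here;
    it is a mutable field that the sending IP layer fills in anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0, src, dst)


def zero_mutable(ip_hdr):
    """Copy of the IPv4 header with the fields that change in transit zeroed
    (TOS/DSCP, flags + fragment offset, TTL, header checksum). Every other field,
    including both addresses, stays covered by the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_protect(key, ip_hdr, next_header, payload, spi, seq):
    """Insert an AH header between the IP header and its payload and fill in the ICV."""
    ah_words = (12 + ICV_LEN) // 4
    payload_len = ah_words - 2          # AH length in 32-bit words minus 2, i.e. excluding the first 8 bytes
    ah_fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    outer = bytearray(ip_hdr)
    outer[9] = AH_PROTOCOL              # protocol field now says AH; the original protocol moved to next_header
    struct.pack_into("!H", outer, 2, len(ip_hdr) + len(ah_fixed) + ICV_LEN + len(payload))
    outer = bytes(outer)
    # ICV over the whole datagram with mutable fields and the ICV field itself set to zero.
    covered = zero_mutable(outer) + ah_fixed + bytes(ICV_LEN) + payload
    icv = hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]
    return outer + ah_fixed + icv + payload


def ah_verify(key, datagram):
    """Parse an AH datagram and recompute the ICV. Returns (ok, next_header, spi, seq, payload)."""
    ip_hdr = datagram[:20]
    if ip_hdr[9] != AH_PROTOCOL:
        raise ValueError("not an AH datagram")
    ah_fixed = datagram[20:32]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_total = (payload_len + 2) * 4
    icv_len = ah_total - 12
    icv = datagram[32:32 + icv_len]
    payload = datagram[20 + ah_total:]
    covered = zero_mutable(ip_hdr) + ah_fixed + bytes(icv_len) + payload
    expected = hmac.new(key, covered, hashlib.sha256).digest()[:icv_len]
    return hmac.compare_digest(icv, expected), next_header, spi, seq, payload


def demo():
    """Constructed scenario: a UDP datagram protected by AH, then seen after three kinds of change."""
    key = b"\x11" * 32                                  # constructed SA key (in practice negotiated by IKE)
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"\x00\x35\x00\x35\x00\x0c\x00\x00ping"   # constructed UDP-like bytes
    ip = ipv4_header(src, dst, 17, 20 + len(payload))
    dg = ah_protect(key, ip, next_header=17, payload=payload, spi=0x1000, seq=1)

    hopped = bytearray(dg)
    hopped[8] -= 1                        # a router decremented the TTL: mutable field, still verifies
    tampered = bytearray(dg)
    tampered[-1] ^= 0x01                  # a payload byte was flipped: ICV fails
    spoofed = bytearray(dg)
    spoofed[16:20] = bytes([10, 0, 0, 9])  # destination rewritten, as NAT would do: ICV fails
    return tuple(ah_verify(key, bytes(x))[0] for x in (hopped, tampered, spoofed))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The three results make the mutable-field rule concrete: a TTL change is tolerated, while a changed payload byte or a rewritten address (exactly what NAT does) is rejected.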

Encapsulating Security Payload (ESP)


ESP is a member of the IPsec protocol suite. It is the portion of IPsec that provides confidentiality
together with origin authenticity and integrity protection of packets.
Unlike Authentication Header (AH), ESP does not protect the IP header that precedes it. (In tunnel mode the
inner IP header is protected, because it is part of the encrypted payload; the outer header is not.)
An ESP packet consists of an ESP header (SPI and sequence number, sent in the clear), the encrypted payload
and ESP trailer (padding, pad length, next header), and finally the authentication data.
When an IP datagram carries an ESP header and trailer, the value of the protocol
field in the IP header is 50. A field inside the ESP trailer (the next-header field) holds the
original value of the protocol field (the type of payload being carried by the IP datagram,
such as TCP or UDP). The ESP procedure follows these steps:
1. An ESP trailer is added to the payload.
2. The payload and the trailer are encrypted.
3. The ESP header is added.
4. The ESP header, encrypted payload, and encrypted ESP trailer are used to create the authentication data
   (encrypt-then-MAC; the IP header is not covered).
5. The authentication data are added to the end of the ESP trailer.
6. The IP header is added after the protocol value is changed to 50.

The receiver reverses the steps: it looks up the SA by SPI, checks the sequence number against its
anti-replay window, verifies the authentication data, and only then decrypts and strips the trailer.

The fields for the header and trailer are as follows:
Security parameter index. The 32-bit security parameter index field is similar to
that defined for the AH Protocol.
Sequence number. The 32-bit sequence number field is similar to that defined for
the AH Protocol and serves the same anti-replay purpose.
Padding. This variable-length field (0 to 255 bytes) brings the encrypted part up to the block size
required by the cipher and aligns the pad length and next-header fields so that the trailer ends on a
4-byte boundary.
Pad length. The 8-bit pad length field defines the number of padding bytes. The
value is between 0 and 255; the maximum value is rare.
Next header. The 8-bit next-header field is similar to that defined in the AH
Protocol. It serves the same purpose as the protocol field in the IP header before encapsulation;
in tunnel mode it is 4 (an encapsulated IPv4 packet).
Authentication data. Finally, the authentication data field is the result of applying
a keyed authentication scheme (e.g. HMAC) to the ESP header and the encrypted payload and trailer.
Integrity protection is optional in ESP, but encryption without it leaves the packets open to
ciphertext-manipulation attacks and should not be used in practice.
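The six-step procedure above, together with the transport/tunnel distinction from the modes section, as an added Python example that is not part of the original notes. It performs steps 1 to 6 for one SA used in both modes, verifies the ICV before decrypting, and keeps a 64-entry anti-replay window over the sequence number. Encryption uses an HMAC-SHA256 counter-mode keystream as a stand-in for the AES modes a real SA would negotiate, so the example runs with the standard library only; the keys, SPI, addresses and packet bytes are constructed.

```python
import hmac
import hashlib
import struct

ESP_PROTOCOL = 50    # value placed in the IP protocol field when ESP follows the IP header
IPPROTO_IPV4 = 4     # next-header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 16         # HMAC-SHA256-128 as the integrity algorithm
WINDOW = 64          # anti-replay window width (the RFC 4303 default)


def keystream(enc_key, spi, seq, length):
    """Counter-mode keystream from HMAC-SHA256: a constructed stand-in for AES-CBC/AES-GCM.
    (spi, seq) is the nonce, which is why a sequence number must never repeat within an SA."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(enc_key, auth_key, spi, seq, next_header, payload):
    """Steps 1-5: returns ESP header + encrypted payload/trailer + ICV."""
    pad_len = (-(len(payload) + 2)) % 4                 # 1. trailer: pad to a 4-byte boundary,
    padding = bytes(range(1, pad_len + 1))              #    RFC 4303 default pad values 1, 2, 3, ...
    plaintext = payload + padding + bytes([pad_len, next_header])
    ciphertext = xor(plaintext, keystream(enc_key, spi, seq, len(plaintext)))   # 2. encrypt payload + trailer
    header = struct.pack("!II", spi, seq)               # 3. header stays in the clear (SA lookup, replay check)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]  # 4. over header+ciphertext
    return header + ciphertext + icv                    # 5. ICV appended last


def ip_wrap(src, dst, esp_packet):
    """Step 6: outer IPv4 header (no options, checksum left to the IP layer) with protocol 50."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp_packet), 0, 0, 64,
                       ESP_PROTOCOL, 0, src, dst) + esp_packet


def esp_decapsulate(enc_key, auth_key, packet):
    """Verify the ICV first, then decrypt and strip the trailer. Returns (spi, seq, next_header, payload)."""
    header, ciphertext, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", header)
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")        # rejected before any decryption happens
    plaintext = xor(ciphertext, keystream(enc_key, spi, seq, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return spi, seq, next_header, plaintext[:len(plaintext) - 2 - pad_len]


class ReplayWindow:
    """Sliding window over received sequence numbers: each value accepted once, within WINDOW of the highest seen."""
    def __init__(self):
        self.top, self.bitmap = 0, 0

    def accept(self, seq):
        if seq == 0 or seq + WINDOW <= self.top:
            return False                                # too old: falls left of the window
        if seq > self.top:                              # advance the window, dropping bits that fall off
            self.bitmap = (self.bitmap << (seq - self.top)) & ((1 << WINDOW) - 1)
            self.top = seq
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                                # already seen: replay
        self.bitmap |= bit
        return True


def demo():
    """Constructed scenario: one SA in transport and tunnel mode, then a replay and a tampered packet."""
    enc_key, auth_key = b"\x22" * 32, b"\x33" * 32      # constructed SA keys (in practice from IKE)
    spi = 0x2000
    segment = b"\x00\x50\x1f\x90GET / HTTP/1.0\r\n"     # constructed TCP-like bytes
    inner_ip = b"\x45\x00\x00\x28" + b"\x00" * 16 + segment   # constructed inner IPv4 packet
    transport = esp_encapsulate(enc_key, auth_key, spi, 1, 6, segment)        # next header = TCP
    tunnel = esp_encapsulate(enc_key, auth_key, spi, 2, IPPROTO_IPV4, inner_ip)  # next header = IPv4
    outer = ip_wrap(bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]), tunnel)
    window, results = ReplayWindow(), {}
    _, seq, nh, payload = esp_decapsulate(enc_key, auth_key, transport)
    results["transport"] = (nh, payload == segment, window.accept(seq))
    _, seq2, nh2, payload2 = esp_decapsulate(enc_key, auth_key, outer[20:])
    results["tunnel"] = (nh2, payload2 == inner_ip, window.accept(seq2))
    results["outer_proto"] = outer[9]
    results["replay_accepted"] = window.accept(seq)     # first packet delivered again: refused
    bad = bytearray(transport)
    bad[10] ^= 0x80                                     # flip one ciphertext bit
    try:
        esp_decapsulate(enc_key, auth_key, bytes(bad))
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results
```

The only difference between the two modes in this code is what goes into the payload and what the trailer's next-header byte says: a transport segment with its real protocol number, or a complete inner IP packet with next header 4. Everything else (padding, encryption, ICV, replay window) is identical, which is why a gateway and a host can share one implementation.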

Key management
It is the process of administering cryptographic keys for a cryptosystem: the generation, distribution,
protection, storage, exchange, replacement (rotation) and eventual destruction of keys, together with the
controls that restrict which parties may use which keys. In IPsec, keys belong to a security association
(identified by the SPI); each SA needs its own keys, and they are established and refreshed by the Internet
Key Exchange (IKE) protocol. Manual keying is possible but does not scale and makes rotation unlikely to happen.

Key management is also one of the most challenging aspects of cryptography because it deals with many
types of security liability beyond the encryption algorithm itself, such as people and flawed policies: a
strong cipher is worthless if its key is leaked, shared too widely, or never rotated.
A popular example of a key management system is public key infrastructure (PKI), which is used with
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS), and by IKE when IPsec peers
authenticate each other with certificates.
