IP Security

IPsec: A Security Architecture for IP

Prof.dr. Ferucio Laurenţiu Ţiplea


Fall 2023

Department of Computer Science


“Alexandru Ioan Cuza” University of Iaşi
Iaşi 700506, Romania
e-mail: [email protected]
Outline

Introduction
What is IPsec?
Transport and tunnel modes
More on AH and ESP
    AH format
    ESP format
Security associations
    Security associations
    Basic combinations of SAs
    Security association and policy databases
Internet key exchange

Introduction
TCP/IP protocol suite

1. The Internet protocol suite, also known as the TCP/IP protocol
suite, is a framework for organizing the set of communication
protocols used in the Internet and similar computer networks;
2. 1973: DARPA initiated a research program to investigate techniques
and technologies for interlinking packet networks of various kinds;
3. 1974: the first-ever paper on the Internet:
Vinton Cerf, Robert Kahn: A Protocol for Packet Network
Intercommunication, IEEE Trans. on Communications, Vol. COM-22,
No. 5, May 1974;
4. Sept 1981:
• RFC 791: Internet Protocol;
• RFC 793: Transmission Control Protocol;
5. Updates: RFC 6864 for IPv4 (Feb 2013) and RFC 9293 for TCP
(Aug 2022).

Prof.dr. F.L. Ţiplea, UAIC, RO Lectures on Information Security IP SecurityIPsec Fall 2023 2 / 44
TCP/IP protocol suite

Layer         Protocol    Data unit
Application   App         [ data ]
Transport     TCP/UDP     [ TCP/UDP header | data ]
Internet      IP          [ IP header | TCP/UDP header | data ]
Link          Frame       [ Frame header | IP header | TCP/UDP header | data | Frame footer ]

0111010011010
Security issues with IP

Bellovin (1989) reported several security issues in the TCP/IP protocol
suite, such as:

• Eavesdropping (sniffing, snooping);

• Data modification;

• Sequence number spoofing;

• IP address spoofing;

• Routing attacks.

The Internet will never be fully secure ...
Security issues with IP

[Figure: the same layer-by-layer encapsulation (Application, Transport,
Internet, Link), with the transmitted bits 0111010011010 annotated:
Integrity? Confidentiality? Authenticity?]
What is IPsec?
IPsec: what is it?

• IPsec is a security architecture for the Internet Protocol (IPv4 and
IPv6);
• Provides security services at the IP layer;
• Provides security in three situations:
    • host – host;
    • host – security gateway;
    • security gateway – security gateway;

• Operates in two modes:
    • transport (for end-to-end);
    • tunnel (for VPN).

Current development: IPsec v3 (Seo and Kent (2005)) and IKE v2
(Kaufman et al. (2014)).
IPsec: networking concepts

• Node:
• device attached to a network where messages can be created,
received, or transmitted;
• examples: computers, personal digital assistants (PDAs), cell
phones, or various other networked devices;
• on a TCP/IP network, a node is any device with an IP address;

• Host: node that is a computer;

• Security gateway:
• system that implements IPsec protocols;
• examples: router or firewall implementing IPsec.

IPsec: fundamental components

1. Security protocols:
• Authentication Header (AH): piece of information (MAC) associated
to an IP datagram in order to authenticate certain fields of the
datagram;
• Encapsulating Security Payload (ESP): obtained from an IP
datagram by encrypting, and optionally authenticating, certain fields
of the datagram;

2. Security associations;

3. Key management protocols;

4. Algorithms for authentication and encryption.

Because these protocols are provided at the IP layer, they can be used
by any higher layer protocol (e.g., TCP, UDP, ICMP etc.).
Securing IP datagram

Layer         Protocol    Data unit
Application   App         [ data ]
Transport     TCP/UDP     [ TCP/UDP header | data ]
Internet      IP, IPsec   [ IP header | TCP/UDP header | data ]   (Add MAC and AE!)
Link          Frame       [ Frame header | IP header | TCP/UDP header | data | Frame footer ]

0111010011010
IPsec security services

Security service                        AH     ESP    ESP with auth
access control                          yes    yes    yes
data integrity                          yes           yes
data origin authentication              yes           yes
confidentiality                                yes    yes
rejection of replayed packets           yes           yes
limited traffic flow confidentiality           yes    yes

A traffic flow confidentiality (TFC) mechanism alters or masks statistical
characteristics of the traffic pattern(s).
Transport and tunnel modes
IP datagrams

[ IP hdr | IP payload ]

Figure 1: IPv4 datagram

[ IPv6 hdr: IP main hdr | ext hdrs | IP payload ]

ext hdrs: ···, routing extension header, fragmentation extension header,
destination options extension header

Figure 2: IPv6 datagram
Transport mode

• Typically, the transport mode is used for communication between
two hosts (e.g., a client and a server or two workstations);

• Gateways are not required to support the transport mode! A
gateway is allowed to support the transport mode when it acts as a
host, that is, when the traffic is destined to the gateway itself;

• By its definition, the transport mode provides protection for
upper layer protocols (e.g., TCP or UDP);

(+) Lower processing costs;

(-) Mutable fields are not authenticated.
AH in transport mode

In the transport mode, AH authenticates the IP payload and selected
portions of the IP header (e.g., mutable and unpredictable fields are not
authenticated).

IPv4 (original):  [ IP hdr | IP payload ]
IPv4 (with AH):   [ IP hdr | AH | IP payload ]
                  AH (except for mutable fields)

IPv6 (with AH):   [ IP main hdr | ext hdrs: ··· rout | AH | dest | IP payload ]
ESP in transport mode

In the transport mode, ESP encrypts and optionally authenticates the IP
payload (but not the IP header).

IPv4:  [ IP hdr | ESP hdr | IP payload | ESP trailer | ESP auth ]

IPv6:  [ IP main hdr | ext hdrs: ··· rout | ESP hdr | dest | IP payload | ESP trailer | ESP auth ]

(In the figure, brackets under each packet mark the Encrypted and the
Authenticated portions.)
Tunnel mode

• Tunneling means encapsulation and it consists of wrapping a packet
in a new one;

• Tunnel mode is used whenever either end of an SA is a security
gateway:
    • host – security gateway;
    • security gateway – security gateway (such as two firewalls);
    • security gateway – host;

• Note that hosts must support both transport and tunnel mode;

(+) Total protection (possibility of using private addresses);

(-) Extra processing costs.
AH in tunnel mode

In the tunnel mode, AH authenticates the entire inner IP packet plus
selected portions of the outer IP header and outer IP extension headers.

IPv4:  [ new IPv4 hdr | AH | IPv4 datagram ]
       Authenticated (except for mutable fields in the new IPv4 hdr)

IPv6:  [ new IPv6 main hdr | new ext hdrs | AH | IPv6 datagram ]
       Authenticated (except for mutable fields in the new IP hdr and its extension hdrs)
ESP in tunnel mode

In the tunnel mode, ESP (with authentication) encrypts (and
authenticates) the inner IP packet.

IPv4:  [ new IPv4 hdr | ESP hdr | IPv4 datagram | ESP trailer | ESP auth ]

IPv6:  [ new IPv6 main hdr | new ext hdrs | ESP hdr | IPv6 datagram | ESP trailer | ESP auth ]

(In the figure, brackets under each packet mark the Encrypted and the
Authenticated portions.)
More on AH and ESP
Authentication Header

bit: 0             8                16                       31
     | next header | payload length |        reserved         |
     |            security parameter index (SPI)              |
     |                    sequence number                     |
     |             authentication data (variable)             |

Figure 3: AH format

• Sequence number field: designed to thwart replay attacks;

• Source Address and Destination Address are always authenticated
under AH and ESP and, therefore, address spoofing is prevented.
Authentication Header

Authentication data field: contains the Integrity Check Value (ICV), or
MAC, for the packet. RFC 8221 recommendation (Wouters et al.
(2017)):

Authentication algorithm                         Status
AUTH_NONE, HMAC-MD5-95, KPDK_MD5, DES_MAC        MUST NOT
HMAC-SHA-1-96                                    MUST-
AES_XCBC_96                                      SHOULD / MAY
AES_128_GMAC, AES_256_GMAC                       MAY
HMAC_SHA2_256_128                                MUST
HMAC_SHA2_512_256                                SHOULD

AUTH_NONE is acceptable only when authenticated encryption
algorithms are used!
Encapsulating Security Payload format

bit: 0                      16           24          31
     |          security parameter index (SPI)         |
     |                 sequence number                 |
     |             payload data (variable)             |
     |              padding (0-255 bytes)              |
     |                      | pad length | next header |
     |          authentication data (variable)         |

(In the figure, side brackets mark the authenticated and the encrypted
fields.)

Figure 4: ESP format

The authentication in ESP follows the same recommendations as in AH.
Encryption in ESP

RFC 8221 recommendation (Wouters et al. (2017)):

Encryption algorithm                             Status
DES, DES_IV32, DES_IV64, BLOWFISH, 3IDEA         MUST NOT
3DES                                             SHOULD NOT
NULL, AES_CBC, AES_GCM_16                        MUST
AES_CCM_8, CHACHA20_POLY1305                     SHOULD

NULL does nothing to alter data: it is the identity function with a block
size of 1 byte (therefore, padding is not necessary).

NULL is simply a convenient way to use ESP in order to provide
authentication and integrity without confidentiality.

Authentication and encryption can each be "NULL", but not at the same
time!
Security associations
Security associations

A security association (SA) is a unidirectional logical connection between
two IP systems, uniquely identified by a triple

(SPI, IP destination address, security protocol)

where:

• SPI (security parameter index) is a 32-bit value used to identify
different SAs with the same destination address and the same
security protocol;

• IP destination address can be unicast, broadcast, or multicast;

• security protocol – this can be either AH or ESP.
Security associations

1. SAs are unidirectional! Thus, for bidirectional communication
between two IPsec systems there must be two SAs defined, one for
each direction;

2. A single SA gives security to the traffic carried by it either by using
AH or ESP, but not both;

3. For a connection that needs to be protected by both AH and ESP,
two SAs must be defined for each direction.
SA bundle

• An SA bundle is a sequence of SAs through which traffic must be
processed to provide a desired security;
• SAs may be combined into bundles in two ways:
    • transport adjacency – consists of applying in the transport mode
    both security protocols to the same IP datagram;
    • iterated tunneling – consists of applying multiple layers of security
    protocols through IP tunneling (although there is no limit in the
    nesting levels, more than three levels is considered impractical).

These approaches can be combined: e.g., an IP packet with transport
adjacency IPsec headers can be sent through nested tunnels.
End-to-end security

Host 1 --- Internet/intranet --- Host 2
(figure labels: tunnel, connection)

Figure 5: End-to-end security

Two hosts are connected through the Internet or an intranet without any
security gateway between them. They can use ESP, AH, or both. Either
transport or tunnel mode can be applied.
Basic VPN support

Host 1 --- intranet --- Gtw 1 --- Internet/intranet --- Gtw 2 --- intranet --- Host 2
(figure labels: tunnel, connection)

Figure 6: Basic VPN support

The hosts in the intranets are not required to support IPsec, but the
gateways are required to run IPsec and support tunnel mode (either with
AH or ESP).
End-to-end security with VPN support

Host 1 --- intranet --- Gtw 1 --- Internet/intranet --- Gtw 2 --- intranet --- Host 2
(figure labels: connection, tunnels)

Figure 7: End-to-end security with VPN support

This is a combination of the previous two cases. For instance, the
gateways may use AH in tunnel mode, while the hosts use ESP in
transport mode.
Remote access

Host 1 --- Internet/intranet --- G2 (firewall) --- intranet --- Host 2
(figure labels: connection, tunnels)

Figure 8: Remote access

Between the host H1 and the firewall G2, only the tunnel mode is
required (e.g., AH in tunnel mode), and between the host H1 and H2,
either transport or tunnel mode can be used (e.g., ESP in transport
mode).
SAD and SPD

1. Each SA has an entry in a Security Association Database (SAD);

2. A Security Policy Database (SPD) specifies what services are to be
offered to IP datagrams and in what fashion;

3. An SPD consists of an ordered list of policy entries, each policy
being keyed by one or more (traffic) selectors that define the set of
IP traffic encompassed by this policy entry;

4. Example of policy entry: all matching traffic must be protected by
ESP in transport mode using 3DES-CBC with an explicit IV, nested
inside of AH in tunnel mode using HMAC-SHA-1;

5. SPD must be consulted during the processing of all traffic (inbound
or outbound), including non-IPsec traffic.
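The ordered, selector-keyed SPD and the triple-keyed SAD can be modelled in a few lines. This Python sketch is an added example, not part of the original slides: it performs a first-match SPD lookup for outbound traffic and a SAD lookup by (SPI, destination address, security protocol) for inbound traffic. The addresses, SPIs, entries and the three actions PROTECT, BYPASS and DISCARD (the processing choices of RFC 4301) are constructed assumptions for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Policy(NamedTuple):
    src: str                     # selector: source prefix
    dst: str                     # selector: destination prefix
    proto: Optional[str]         # selector: "tcp", "udp", ... or None for any
    dport: Optional[int]         # selector: destination port or None for any
    action: str                  # "PROTECT", "BYPASS" or "DISCARD"
    sa: Optional[tuple] = None   # SAD key used when the action is PROTECT

def selects(p: Policy, src: str, dst: str, proto: str, dport: int) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(p.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(p.dst)
            and p.proto in (None, proto)
            and p.dport in (None, dport))

def spd_lookup(spd, src, dst, proto, dport) -> Policy:
    """The SPD is ordered: the first entry whose selectors match decides."""
    for p in spd:
        if selects(p, src, dst, proto, dport):
            return p
    # Traffic that matches no entry is dropped.
    return Policy("0.0.0.0/0", "0.0.0.0/0", None, None, "DISCARD")

# Constructed SAD for gateway 203.0.113.1 talking to peer gateway 203.0.113.2.
# SAs are unidirectional, so the tunnel needs one entry per direction.
SAD = {
    (0x2001, "203.0.113.2", "ESP"): {"mode": "tunnel", "enc": "AES_GCM_16", "dir": "out"},
    (0x1001, "203.0.113.1", "ESP"): {"mode": "tunnel", "enc": "AES_GCM_16", "dir": "in"},
}

# Constructed SPD: the narrow telnet rule must precede the broad PROTECT rule.
SPD = [
    Policy("10.1.0.0/16", "10.2.0.0/16", "tcp", 23, "DISCARD"),
    Policy("10.1.0.0/16", "10.2.0.0/16", None, None, "PROTECT",
           (0x2001, "203.0.113.2", "ESP")),
    Policy("0.0.0.0/0", "0.0.0.0/0", "udp", 500, "BYPASS"),   # IKE itself
]

def outbound(src, dst, proto, dport):
    """Return (action, SA parameters or None) for an outbound datagram."""
    p = spd_lookup(SPD, src, dst, proto, dport)
    return (p.action, SAD[p.sa]) if p.action == "PROTECT" else (p.action, None)

def inbound_sa(spi: int, dst: str, protocol: str):
    """Inbound IPsec packets are mapped to their SA by the identifying triple."""
    return SAD.get((spi, dst, protocol))
```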
Internet key exchange
Internet key exchange

• Internet Key Exchange (IKE) is a component of IPsec that:
    • establishes an IKE SA that includes shared secrets;
    • performs mutual authentication between parties;
    • establishes AH and ESP SAs and a set of cryptographic algorithms
    to be used by them;

• The design of IKE was influenced by three protocols:
    • STS (Station-to-Station) protocol (Diffie et al. (1992));
    • SKEME protocol (Krawczyk (1996));
    • Oakley protocol (Orman (1998)).

Current development: IKE v2 (Kaufman et al. (2014)).

IKEv2 is more flexible than IKEv1, has fewer negotiation steps, and
brings many significant new features compared to IKEv1. It is not
backward compatible with IKEv1.
IKE exchanges

• Exchange: pair of messages consisting of a request and a response;


• Types of exchanges in IKE:
• The first exchange (IKE_SA_INIT)
• negotiates security parameters for the IKE SA;
• sends nonces;
• sends DH values;
• The second exchange (IKE_AUTH)
• transmits identities;
• proves knowledge of the secrets corresponding to the two identities;
• sets up an SA for the first (and often only) AH or ESP Child SA;
• Subsequent exchanges:
• CREATE_CHILD_SA: creates new Child SAs or re-keys (create a
new SA and then delete the old SA) both IKE SAs and Child SAs;
• INFORMATIONAL: deletes an SA, reports error conditions, or does
other housekeeping.

IKE exchanges illustrated

Initiator (Alice)                                   Receptor (Bob)

IKE_SA_INIT (unprotected):
    I → R: crypto suite proposal, DH value, nonce
    R → I: crypto suite selected, DH value, nonce

Create keys:
    $SK_d$                              used to create Child SA keys
    $SK_{ai}, SK_{ar}, SK_{ei}, SK_{er}$        used to protect the neg. steps
    $SK_{pi}, SK_{pr}$                      used to compute Auth payload

IKE_AUTH (protected by $SK_{ex} + SK_{ax}$):
    I → R: $\{\text{auth. ident., neg. Child SA}\}_{SK}$
    R → I: $\{\text{auth. ident., complete neg. Child SA}\}_{SK}$

Use $SK_d$ to create keys for the first Child SA
IKE exchanges illustrated

IKE_SA_INIT → IKE SA:
    $\mathrm{SKEYSEED} = \mathrm{prf}(N_I \| N_R,\ g^{ir})$
    keys: $SK_d, \ldots$

IKE_AUTH → Child SA:
    $\mathrm{KEYMAT} = \mathrm{prf}^+(SK_d,\ N_I \| N_R)$
    key(s)

CREATE_CHILD_SA → new Child SA:
    $\mathrm{KEYMAT} = \mathrm{prf}^+(SK_d,\ [g^{ir} \|]\ N_I \| N_R)$
    key(s)

CREATE_CHILD_SA → re-key Child SA / re-key IKE SA:
    $\mathrm{KEYMAT} = \mathrm{prf}^+(SK_d,\ [g^{ir} \|]\ N_I \| N_R)$
    $\mathrm{SKEYSEED} = \mathrm{prf}(SK_d,\ g^{ir} \| N_I \| N_R)$
    key(s)
IKE_SA_INIT

IKE_SA_INIT
$I \to R:\ \mathrm{Hdr},\ SA_{I1},\ KE_I,\ N_I$
$R \to I:\ \mathrm{Hdr},\ SA_{R1},\ KE_R,\ N_R\ [,\ \mathrm{CertReq}]$

• Hdr contains SPIs, version numbers, exchange type, message ID,
and flags;
• $SA_{I1}$ states the cryptographic algorithms the initiator supports for
the IKE SA;
• $SA_{R1}$ is the responder's choice selected from the initiator's offered
choices ($SA_{I1}$);
• $N_I$ and $N_R$ are nonces;
• $KE_I$ and $KE_R$ are DH values ($g^i$ and $g^r$);
• CertReq: certificate request.
IKE_SA_INIT: key generation

At this point, each party can generate all keys for IKE SA:

$\mathrm{SKEYSEED} = \mathrm{prf}(N_I \| N_R,\ g^{ir})$
$\mathrm{KEYS} = \mathrm{prf}^+(\mathrm{SKEYSEED},\ N_I \| N_R \| SPI_I \| SPI_R)$
$\mathrm{KEYS} = SK_d \| SK_{ai} \| SK_{ar} \| SK_{ei} \| SK_{er} \| SK_{pi} \| SK_{pr} \| \cdots$

where prf is a PRF and $\mathrm{prf}^+$ is an iteration of it

$\mathrm{prf}^+(K, T_0) = T_1 \| T_2 \| T_3 \| \cdots$
$T_1 = \mathrm{prf}(K,\ T_0 \| \mathtt{0x01})$
$T_2 = \mathrm{prf}(K,\ T_1 \| \mathtt{0x02})$
$\cdots$

$SK_d$ will be used for derivation of further keying material for Child SAs.
$SK_{ex} + SK_{ax}$ will be used for auth. encryption, where $x \in \{i, r\}$.
IKE_AUTH

IKE_AUTH
$I \to R:\ \mathrm{Hdr},\ \{ID_I,\ [\mathrm{Cert},]\ [\mathrm{CertReq},]\ [ID_R,]\ \mathrm{Auth},\ SA_{I2},\ TS_I,\ TS_R\}_{SK}$
$R \to I:\ \mathrm{Hdr},\ \{ID_R,\ [\mathrm{Cert},]\ \mathrm{Auth},\ SA_{R2},\ TS_I,\ TS_R\}_{SK}$

• $\{\cdot\}_{SK}$ means auth. encryption by $SK_{ex} + SK_{ax}$, with $x \in \{i, r\}$;
• $ID_I$, $ID_R$: identities;
• Auth: authentication payload (based on $SK_{pi}$ and $SK_{pr}$);
• Cert: certificate payload;
• $SA_{I2}$, $SA_{R2}$: the initiator begins negotiation of a Child SA using the
$SA_{I2}$ payload, and the receptor completes the negotiation with $SA_{R2}$;
• $TS_I$, $TS_R$: traffic selectors
    • A traffic selector is a list of IP addresses and port numbers that are
    to be protected by the SA;
    • $TS_I$ ($TS_R$) specifies source (destination) addresses and ports.
IKE_AUTH: key generation for Child SA

When the first Child SA is created by IKE_AUTH, the keys are generated
as follows:
• The keying material is

$\mathrm{KEYMAT} = \mathrm{prf}^+(SK_d,\ N_I \| N_R)$

where $N_I$ and $N_R$ are the nonces from the IKE_SA_INIT exchange;

• Generally, keys are taken from KEYMAT in the order: encryption
key and then integrity key.
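The IKE SA key generation after IKE_SA_INIT and the KEYMAT derivation for the first Child SA can be carried through in code. This Python sketch is an added example, not part of the original slides: prf is assumed to be HMAC-SHA-256, and prf+ follows RFC 7296, section 2.13, where every block after the first is computed over the previous block, the seed and the counter (T2 = prf(K, T1 | S | 0x02)). The nonces, SPIs, DH secret and key sizes are constructed assumptions; the Child SA keys are carved in the order initiator-to-responder, then responder-to-initiator.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """PRF assumed for this example: HMAC-SHA-256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ per RFC 7296, section 2.13: T1 = prf(K, S | 0x01),
    Tn = prf(K, T(n-1) | S | n). The counter is one octet: at most 255 blocks."""
    out, block = b"", b""
    for counter in range(1, 256):
        if len(out) >= length:
            break
        block = prf(key, block + seed + bytes([counter]))
        out += block
    if len(out) < length:
        raise ValueError("prf+ cannot produce that much keying material")
    return out[:length]

# Key sizes in bytes. Assumed suite: HMAC-SHA-256 as prf and integrity
# algorithm (32-byte keys) and AES-128 for encryption (16-byte keys).
IKE_LAYOUT = [("SK_d", 32), ("SK_ai", 32), ("SK_ar", 32),
              ("SK_ei", 16), ("SK_er", 16), ("SK_pi", 32), ("SK_pr", 32)]
# Per direction: encryption key first, then integrity key.
CHILD_LAYOUT = [("enc_i2r", 16), ("integ_i2r", 32),
                ("enc_r2i", 16), ("integ_r2i", 32)]

def carve(material: bytes, layout) -> dict:
    """Cut the keying material into named keys, in layout order."""
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = material[pos:pos + size]
        pos += size
    return keys

def ike_sa_keys(n_i, n_r, g_ir, spi_i, spi_r) -> dict:
    """SKEYSEED = prf(Ni | Nr, g^ir); KEYS = prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)."""
    skeyseed = prf(n_i + n_r, g_ir)
    total = sum(size for _, size in IKE_LAYOUT)
    return carve(prf_plus(skeyseed, n_i + n_r + spi_i + spi_r, total), IKE_LAYOUT)

def child_sa_keys(sk_d, n_i, n_r, g_ir=b"") -> dict:
    """KEYMAT = prf+(SK_d, [g^ir |] Ni | Nr); g_ir is given only with a fresh DH."""
    total = sum(size for _, size in CHILD_LAYOUT)
    return carve(prf_plus(sk_d, g_ir + n_i + n_r, total), CHILD_LAYOUT)

# Constructed sample values (not taken from a real exchange).
N_I, N_R = bytes([0x11] * 32), bytes([0x22] * 32)
SPI_I, SPI_R = bytes([0xA1] * 8), bytes([0xB2] * 8)
G_IR = bytes([0x5C] * 256)   # stands in for the shared DH secret g^ir
```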
CREATE_CHILD_SA

Used to:

• Create new Child SA (recall that the first Child SA is created by
IKE_AUTH);

• Re-key a Child SA;

• Re-key an IKE SA – the main reason for rekeying the IKE SA is to
ensure that the compromise of old keying material does not provide
information about the current keys, or vice versa.

Re-keying an SA: create a new SA and then delete the old one.
CREATE_CHILD_SA: new Child SA

CREATE_CHILD_SA: New Child SA
$I \to R:\ \mathrm{Hdr},\ \{SA,\ N_I\ [,\ KE_I],\ TS_I,\ TS_R\}_{SK}$
$R \to I:\ \mathrm{Hdr},\ \{SA,\ N_R\ [,\ KE_R],\ TS_I,\ TS_R\}_{SK}$

where:

• SA: the new security association the initiator wants to create;

• If $KE_I$ and $KE_R$ are not used, the keys are generated as in the case of
a Child SA created by IKE SA but with the fresh nonces $N_I$ and $N_R$;

• If $KE_I$ and $KE_R$ are used, the keys are generated as follows:
    • $\mathrm{KEYMAT} = \mathrm{prf}^+(SK_d,\ g^{ir} \| N_I \| N_R)$ ($g^{ir}$, $N_I$, $N_R$ are the fresh
    ones);
    • the same rules for taking the keys.
CREATE_CHILD_SA: re-keying a Child SA

CREATE_CHILD_SA: Re-keying a Child SA
$I \to R:\ \mathrm{Hdr},\ \{N(\mathrm{REKEY\_SA}),\ SA,\ N_I\ [,\ KE_I],\ TS_I,\ TS_R\}_{SK}$
$R \to I:\ \mathrm{Hdr},\ \{SA,\ N_R\ [,\ KE_R],\ TS_I,\ TS_R\}_{SK}$

where:

• N(REKEY_SA) identifies (by the SPI field) the SA to be rekeyed;

• The keys are generated as in the case of creation of a new Child SA.
CREATE_CHILD_SA: re-keying IKE SA

CREATE_CHILD_SA: Re-keying IKE SA
$I \to R:\ \mathrm{Hdr},\ \{SA,\ N_I,\ KE_I\}_{SK}$
$R \to I:\ \mathrm{Hdr},\ \{SA,\ N_R,\ KE_R\}_{SK}$

where:

• SA re-keys the current IKE SA;

• The new SKEYSEED is computed by

$\mathrm{SKEYSEED} = \mathrm{prf}(SK_d,\ g^{ir} \| N_I \| N_R)$

where $SK_d$ and prf are the old ones;

• The new $SK_d$, $SK_{ai}$ etc., are computed as usual (a new prf may be
used).
INFORMATIONAL

INFORMATIONAL
$I \to R:\ \mathrm{Hdr},\ \{[N,]\ [D,]\ [CP,]\ \ldots\}_{SK}$
$R \to I:\ \mathrm{Hdr},\ \{[N,]\ [D,]\ [CP,]\ \ldots\}_{SK}$

where:

• N: notify;

• D: delete;

• CP: configuration.
References

References

Bellovin, S. M. (1989). Security problems in the TCP/IP protocol suite. SIGCOMM Comput. Commun. Rev., 19(2):32–48.
Diffie, W., Van Oorschot, P. C., and Wiener, M. J. (1992). Authentication and authenticated key exchanges. Des. Codes Cryptography, 2(2):107–125.
Kaufman, C., Hoffman, P. E., Nir, Y., Eronen, P., and Kivinen, T. (2014). Internet Key Exchange Protocol Version 2 (IKEv2). RFC 7296.
Krawczyk, H. (1996). SKEME: a versatile secure key exchange mechanism for internet. In Proceedings of Internet Society Symposium on Network and Distributed Systems Security, pages 114–127.
Orman, H. (1998). The OAKLEY Key Determination Protocol. RFC 2412.
Seo, K. and Kent, S. (2005). Security Architecture for the Internet Protocol. RFC 4301.
Wouters, P., Migault, D., Mattsson, J. P., Nir, Y., and Kivinen, T. (2017). Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH). RFC 8221.
