IP Security: Dr. H.R. Chennamma

IPSec is a collection of protocols designed by IETF to provide security at the network layer. It uses two protocols: Authentication Header (AH) which provides data integrity and authentication, and Encapsulating Security Payload (ESP) which provides confidentiality and optional authentication. The IPSec specification consists of numerous documents issued in 1998 that define its architecture, encryption and authentication algorithms, key management, and services like access control, data authentication, and confidentiality.

IP Security

Dr. H.R. Chennamma


Asst. Professor, Dept. of MCA
SJCE, Mysore - 6

13/03/2015
IP Security?
IP Security (IPSec) is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for a packet at the network layer.

IPSec helps create authenticated and confidential packets for the IP layer.
IP Security Overview
• Applications of IPSec
• Benefits of IPSec
• IPSec Documents
• IPSec Services
IPSec Documents
The IPSec specification consists of numerous documents. The most important of these, issued in Nov. of 1998, are:
• RFC 2401: An overview of a security architecture.
• RFC 2402: Description of a packet authentication extension to IPv4 and IPv6.
• RFC 2406: Description of a packet encryption extension to IPv4 and IPv6.
• RFC 2408: Specification of key management capabilities.
In addition to these four RFCs, a number of additional drafts have been published by the IP Security Protocol Working Group set up by the IETF.

The documents are divided into seven groups as shown in the diagram:
• Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining IPSec technology.
• Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of the ESP for packet encryption and, optionally, authentication.
• Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication.
• Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.
• Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH and for the authentication option of ESP.
• Key Management: Documents that describe key management schemes.
• Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each other. These include identifiers for approved encryption and authentication algorithms, as well as operational parameters such as key lifetime.
• IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithms to use for the services, and put in place any cryptographic keys required to provide the requested services.
• Two protocols are used to provide security:
• An authentication protocol designated by the header of the protocol, AH.
• A combined encryption/authentication protocol designated by the format of the packet for that protocol, ESP.
IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets (a form of
partial sequence integrity)
• Confidentiality (encryption)
• Limited traffic flow confidentiality
IPSec Protocols
IPSec defines two protocols:
• Authentication Header (AH) protocol
• Encapsulating Security Payload (ESP) protocol
Authentication Header
• The AH provides support for data integrity and authentication of IP packets.
• The authentication feature enables an end system or network device to authenticate the user or application and filter traffic accordingly.
• It also prevents the address spoofing attacks observed in today’s internet.
• The AH also guards against the replay attack.
• Authentication is based on the use of a message authentication code (MAC). Hence the two parties must share a secret key.
The AH consists of the following fields:
• Next Header (8 bits): Identifies the type of header immediately following this header.
• Payload Length (8 bits): Length of AH in 32-bit words.
• Reserved (16 bits): For future use.
• Security Parameters Index (32 bits): Identifies a security association.
• Sequence Number (32 bits): A monotonically increasing counter value.
• Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC, for this packet.
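As an added example, not code from these slides: a Python parser for the AH fields listed above, together with the receiver-side anti-replay window that the Sequence Number field feeds (the slides note that AH guards against replay). It applies RFC 2402's definition of Payload Length (the AH length in 32-bit words minus 2); the sample header, its dummy ICV bytes and the 64-packet window size are constructed for illustration.

```python
import struct

AH_FIXED_LEN = 12  # Next Header, Payload Length, Reserved, SPI, Sequence Number


def parse_ah(data: bytes) -> dict:
    """Split raw bytes into the AH fields (RFC 2402), the ICV and the protected payload."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH: fewer than 12 bytes")
    next_hdr, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    # RFC 2402 defines Payload Length as the AH length in 32-bit words minus 2,
    # so the header as a whole occupies (payload_len + 2) * 4 bytes.
    ah_len = (payload_len + 2) * 4
    if len(data) < ah_len:
        raise ValueError("truncated AH: Payload Length runs past the end of the packet")
    return {"next_header": next_hdr, "payload_length": payload_len, "reserved": reserved,
            "spi": spi, "seq": seq, "icv": data[AH_FIXED_LEN:ah_len], "payload": data[ah_len:]}


class ReplayWindow:
    """Receiver-side sliding window over the Sequence Number field, as RFC 2402 describes."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far (counter starts at 0)
        self.bitmap = 0    # bit i set means sequence number (top - i) has been accepted

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0:
            return False                   # the first packet on an SA is numbered 1
        if seq > self.top:                 # new high-water mark: slide the window forward
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:            # older than the window can remember: drop
            return False
        if self.bitmap & (1 << offset):    # already accepted once: this is a replay
            return False
        self.bitmap |= 1 << offset
        return True


# Constructed sample: AH carrying TCP (Next Header 6) with a 12-byte HMAC-SHA1-96 ICV,
# so Payload Length is 4 ((12 + 12) / 4 - 2); the ICV bytes here are dummy values.
SAMPLE_AH = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + bytes(range(12)) + b"TCP segment"
```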
Encapsulating Security Payload
• The ESP provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality.
• As an optional feature, ESP can also provide an authentication service.
The ESP packet format
• Security Parameters Index (32 bits): Identifies a security association.
• Sequence Number (32 bits): A monotonically increasing counter value; this provides an anti-replay function as in AH.
• Payload Data (variable): This is a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.
• Padding (0-255 bytes):
• Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.
• Next Header (8 bits): Identifies the type of data contained in the payload data field by identifying the first header in that payload.
• Authentication Data (variable): A variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field.
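As an added example, not code from these slides: building and verifying the ESP packet laid out above, with the Authentication Data computed over everything before the ICV exactly as the last bullet describes. It assumes HMAC-SHA1-96 (RFC 2404) for the ICV and NULL encryption (RFC 2410), so the Padding, Pad Length and Next Header trailer can be read without a cipher; the key and packet contents are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): SHA-1 HMAC truncated to 96 bits
DEMO_KEY = b"constructed demo key, not a real SA key"  # assumption: the SA's shared key


def esp_icv(key: bytes, data: bytes) -> bytes:
    """Authentication Data: MAC over the ESP packet minus the Authentication Data field."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    """Assemble SPI | Sequence Number | Payload Data | Padding | Pad Length | Next Header | ICV.

    NULL encryption (RFC 2410) is assumed, so the trailer stays readable; the padding
    right-aligns Pad Length and Next Header on a 32-bit boundary as RFC 2406 requires.
    """
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # RFC 2406 default padding bytes: 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + esp_icv(key, body)


def esp_authentic(pkt: bytes, key: bytes) -> bool:
    """True if the trailing ICV matches; compare_digest avoids a timing side channel."""
    if len(pkt) < 8 + 2 + ICV_LEN:
        return False
    return hmac.compare_digest(esp_icv(key, pkt[:-ICV_LEN]), pkt[-ICV_LEN:])


def parse_esp(pkt: bytes, key: bytes) -> dict:
    """Verify first, then peel off the header and trailer to recover the inner payload."""
    if not esp_authentic(pkt, key):
        raise ValueError("ESP authentication failed: packet discarded")
    body = pkt[:-ICV_LEN]
    spi, seq = struct.unpack("!II", body[:8])
    # With a real cipher, body[8:] would be decrypted here before the trailer is read.
    pad_len, next_header = body[-2], body[-1]
    payload_end = len(body) - 2 - pad_len
    if payload_end < 8:
        raise ValueError("Pad Length larger than the Payload Data field")
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "pad_len": pad_len, "payload": body[8:payload_end]}


# Constructed sample: a UDP datagram (Next Header 17) on SPI 0x200, sequence number 7.
SAMPLE_ESP = build_esp(0x200, 7, b"hello", 17, DEMO_KEY)
```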