Network Layer Protocols

The document discusses Internet Protocol Security (IPsec), a suite of protocols developed by the IETF to enhance security for IP-based networks, offering services such as access control, integrity, confidentiality, authentication, and replay protection. It details the two main protocols within IPsec: Authentication Header (AH), which provides authentication and integrity without confidentiality, and Encapsulating Security Payload (ESP), which includes all three security features. Additionally, it explains the concept of Security Associations (SAs) for establishing secure communication channels and the differences between Transport and Tunnel modes for data protection.

Uploaded by balasadhana983

NETWORK LAYER PROTOCOLS

Internet Protocol Security (IPsec)
• a suite of authentication and encryption protocols
• developed by the Internet Engineering Task Force (IETF)
• designed to address the inherent lack of security in IP-based networks
• runs transparently beneath the transport layer and application layer protocols, which do not see it
• runs in both IPv4 and IPv6
• IPsec offers protection by providing the following services at the network layer:
• Access control—to prevent unauthorized access to a resource; the security policy decides which traffic is protected, passed through, or discarded.
• Connectionless integrity—to give assurance that each received datagram has not been modified in any way, without relying on any connection state.
• Confidentiality—to ensure that Internet traffic is not examined by unauthorized parties. This requires the data field of every IP datagram (the TCP segment, UDP datagram, ICMP message, or any other payload) to be encrypted.
• Authentication—in particular data-origin authentication, so that when a destination host receives an IP datagram with a particular source IP address it can be sure that the datagram was indeed generated by the host that holds the key for that association. This defeats spoofed IP source addresses.
• Replay protection—to detect and discard a datagram that an attacker has captured and re-injected; each datagram carries a per-association sequence number that the receiver checks against a sliding window of what it has already accepted.
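The replay-protection service in the list above is implemented with a sequence number that the sender increments per datagram and a sliding window that the receiver keeps per association. The Go program below is an added example, not code from these slides or from any IPsec implementation: it realizes the window algorithm of RFC 4303 Appendix A with a 64-packet window, and the arrival order fed to it in main is constructed to show an in-order packet, a reordered one, a replay, a jump far ahead, and a packet too old to judge.

```go
package main

import "fmt"

// replayWindow is the receiver-side anti-replay state of one SA (RFC 4303
// Appendix A): a bitmap over the last `size` sequence numbers at or below
// the highest one accepted so far.
type replayWindow struct {
	size   uint32 // window width in packets; RFC 4303 requires at least 32
	last   uint32 // highest sequence number accepted so far
	bitmap uint64 // bit i set => sequence number (last - i) was received
}

func newReplayWindow(size uint32) *replayWindow {
	if size == 0 || size > 64 {
		size = 64 // one uint64 holds the bitmap in this example
	}
	return &replayWindow{size: size}
}

// check reports whether seq is acceptable (inside the window and not yet seen)
// and records it if so. A real receiver calls this only after the ICV has
// verified, so that a forged sequence number cannot advance the window.
// Sequence number 0 is never valid: the first packet on an SA carries 1.
func (w *replayWindow) check(seq uint32) bool {
	if seq == 0 {
		return false
	}
	if seq > w.last {
		shift := seq - w.last // new high-water mark: slide the window up
		if shift >= w.size {
			w.bitmap = 0 // everything seen so far is now too old to matter
		} else {
			w.bitmap <<= shift
		}
		w.bitmap |= 1
		w.last = seq
		return true
	}
	diff := w.last - seq
	if diff >= w.size {
		return false // older than the window: cannot tell if it was seen, so drop
	}
	if w.bitmap&(1<<diff) != 0 {
		return false // already received: a replay
	}
	w.bitmap |= 1 << diff // late but legitimate (reordered) packet
	return true
}

func main() {
	w := newReplayWindow(64)
	// Constructed arrival order: in order, reordered, replayed, far ahead, stale.
	for _, seq := range []uint32{1, 2, 5, 3, 5, 200, 100, 137, 136} {
		fmt.Printf("seq %3d: accept=%v\n", seq, w.check(seq))
	}
}
```

A packet is accepted only if it is newer than anything seen so far, or if it falls inside the window and its bit is still clear; anything older than the window is dropped because the receiver no longer remembers whether it was delivered. The 32-bit counter must never wrap: an SA has to be rekeyed (or use 64-bit extended sequence numbers) before 2^32 datagrams have been sent on it.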
• IPsec provides these services by dividing the protocol suite into two main protocols:
• Authentication Header (AH) protocol
– The AH protocol provides source authentication and data integrity but no confidentiality.
• Encapsulating Security Payload (ESP) protocol
– The ESP protocol provides source authentication, data integrity, and confidentiality (its authentication and integrity service is optional in the specification but is always enabled in practice).
• Every datagram that IPsec protects is secured with either AH or ESP; the two can also be combined, although this is rarely done.
Authentication Header (AH)
• The AH protocol provides source authentication and data integrity but not confidentiality.
• A source that wants to send a protected datagram first establishes an SA with the destination, through which it then sends the datagram.
• The source inserts an AH between the IP header and the original datagram data (transport mode); the AH carries the SPI, a sequence number, and an Integrity Check Value (ICV) computed over the data and over those fields of the IP header that do not change in transit. The result is still a standard IP datagram.
• Upon receipt of the IP datagram, the destination host notices the AH (protocol number 51 in the IP header), looks up the SA by its SPI, and verifies the ICV with the AH protocol.
• Intermediate hosts such as routers do their usual job of examining every datagram for the destination IP address and forwarding it on. The fields they legitimately change (TTL, header checksum) are excluded from the ICV, but because the source and destination addresses are covered, AH does not survive NAT: an address rewrite on the path makes the ICV fail at the receiver.
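The AH processing described above, as an added Go example that is not part of the original slides or of any IPsec stack: it builds an IPv4 datagram in transport mode with an AH carrying an HMAC-SHA-256-96 ICV, computes the ICV over the immutable header fields, the AH and the payload as RFC 4302 specifies, and then shows what a router's TTL decrement and a NAT device's address rewrite do to verification. The key, the addresses and the TCP payload are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	protoTCP = 6
	protoAH  = 51          // IP protocol number announcing that an AH follows the IP header
	icvLen   = 12          // HMAC-SHA-256-96 (RFC 4868): 32-byte MAC truncated to 96 bits
	ahLen    = 12 + icvLen // next header, payload len, reserved, SPI, seq, ICV
)

// ipv4Header builds a minimal 20-byte IPv4 header without options. The header
// checksum is left zero here; a real stack fills it in, and AH zeroes it anyway.
func ipv4Header(src, dst [4]byte, proto, ttl byte, totalLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(h[2:], uint16(totalLen))
	binary.BigEndian.PutUint16(h[4:], 0x1234) // identification (constructed value)
	h[6] = 0x40                                // flags: don't fragment
	h[8] = ttl
	h[9] = proto
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	return h
}

// icvInput returns what the ICV covers (RFC 4302 3.3.3.1): the IP header with its
// mutable fields zeroed, the AH with its ICV field zeroed, and the payload.
// Addresses, total length, identification and protocol are immutable and stay in.
func icvInput(pkt []byte) []byte {
	in := append([]byte(nil), pkt...)
	in[1] = 0             // TOS / DSCP+ECN
	in[6], in[7] = 0, 0   // flags + fragment offset
	in[8] = 0             // TTL
	in[10], in[11] = 0, 0 // header checksum
	for i := 20 + 12; i < 20+ahLen; i++ {
		in[i] = 0 // ICV field of the AH
	}
	return in
}

func icv(key, pkt []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(icvInput(pkt))
	return m.Sum(nil)[:icvLen]
}

// ahEncapsulate wraps payload in transport mode: IPv4 header | AH | payload. The IP
// protocol field becomes 51 and the AH next-header field keeps the original protocol.
func ahEncapsulate(key []byte, src, dst [4]byte, ttl, nextHeader byte, payload []byte, spi, seq uint32) []byte {
	ah := make([]byte, ahLen)
	ah[0] = nextHeader
	ah[1] = byte(ahLen/4 - 2) // AH length in 32-bit words, minus 2
	binary.BigEndian.PutUint32(ah[4:], spi)
	binary.BigEndian.PutUint32(ah[8:], seq)
	pkt := ipv4Header(src, dst, protoAH, ttl, 20+ahLen+len(payload))
	pkt = append(append(pkt, ah...), payload...)
	copy(pkt[20+12:], icv(key, pkt))
	return pkt
}

// ahVerify recomputes the ICV and compares it in constant time.
func ahVerify(key, pkt []byte) bool {
	if len(pkt) < 20+ahLen || pkt[0] != 0x45 || pkt[9] != protoAH {
		return false
	}
	return hmac.Equal(pkt[20+12:20+ahLen], icv(key, pkt))
}

// routerHop returns a copy with the TTL decremented, as every forwarding router does.
func routerHop(pkt []byte) []byte {
	out := append([]byte(nil), pkt...)
	out[8]--
	return out
}

// natRewrite returns a copy with the source address rewritten, as a NAT device does.
func natRewrite(pkt []byte, newSrc [4]byte) []byte {
	out := routerHop(pkt)
	copy(out[12:], newSrc[:])
	return out
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed SA key
	src, dst := [4]byte{10, 0, 0, 1}, [4]byte{10, 0, 0, 2}
	pkt := ahEncapsulate(key, src, dst, 64, protoTCP, []byte("constructed TCP segment"), 0x1000, 1)
	fmt.Println("as sent:     ", ahVerify(key, pkt))
	fmt.Println("after router:", ahVerify(key, routerHop(pkt)))
	fmt.Println("after NAT:   ", ahVerify(key, natRewrite(pkt, [4]byte{203, 0, 113, 7})))
}
```

The router hop leaves the ICV valid because TTL is a mutable field and is zeroed before the MAC is computed; the NAT rewrite breaks it because the source address is immutable and is covered. The truncation to 96 bits and the constant-time comparison in ahVerify are both part of the specification, not shortcuts.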
Encapsulating Security Payload (ESP)
• Unlike AH, the ESP protocol provides source authentication, data integrity, and confidentiality.
• This has made ESP the most commonly used IPsec header.
• As with AH, ESP begins with the source host establishing an SA, which it uses to send secure datagrams to the destination.
• ESP secures a datagram by surrounding the original data (transport mode) or the whole original IP datagram (tunnel mode) with an ESP header and an ESP trailer, all encapsulated in a new IP datagram. The ESP header (SPI and sequence number) is sent in the clear; the payload, the padding, the pad-length byte, and the next-header byte of the trailer are encrypted.
• Confidentiality was originally provided by DES-CBC, the mandatory cipher of the first ESP specification. DES is no longer considered secure, and current deployments use AES, either AES-CBC with a separate HMAC or AES-GCM, which encrypts and authenticates in one pass.
• Following the ESP trailer is the ESP Authentication Data field (the ICV), computed over the ESP header, the IV, and the ciphertext, but not over the outer IP header, which is why ESP, unlike AH, can be carried through NAT.
Security Associations
• Before it can apply its security services, IPsec must know the security arrangement agreed between the two communicating hosts. Such an arrangement is called a security association (SA). A security association is a unidirectional arrangement defining the set of items and procedures (protocol, algorithms, keys, and mode) that must be shared between the two communicating entities in order to protect the communication.
• In the usual IP network connections, the network layer (IP) is connectionless.
• With security associations, however, IPsec creates logical connection-oriented channels at the network layer.
• This logical connection-oriented channel is created by a security agreement established between the two hosts stating the specific algorithms to be used by the sending party to ensure confidentiality (with ESP), authentication, message integrity, and anti-replay protection.
• Since each SA establishes a unidirectional channel, a full-duplex communication between two parties needs two SAs, one for each direction.
• An SA is defined by the following parameters:
• Security Parameter Index (SPI)—a 32-bit identifier of the SA, carried in every AH or ESP header. Together with the destination address and the security protocol it tells the receiving device which SA, and therefore which keys and algorithms, to use to process the incoming traffic.
• IP destination address—address of the destination host (or of the destination gateway, in tunnel mode).
• Security protocol (AH or ESP)—specifying whether the traffic is to be given integrity only or both integrity and secrecy. The SA also records the cryptographic algorithms, the key sizes, and the key lifetime after which the SA must be rekeyed.
• Secret keys—the keys to be used, installed manually or, in practice, negotiated by IKE.
• Encapsulation mode—transport or tunnel, defining how the encapsulating headers are created and which parts of the header and user traffic are protected during the communication process.
• Sequence number counter and anti-replay window—the sender increments the counter for every datagram on the SA, and the receiver uses the window to reject duplicates.
Transport and Tunnel Modes
• Transport mode provides host-to-host protection of the higher-layer protocols in the communication between two hosts, in both IPv4 and IPv6.
• In IPv4, the protected area is the part of the datagram beyond the IP header, as shown.
• In IPv6, the successor to IPv4, the protected area covers the upper-layer protocols and any IPv6 extension headers that follow the AH or ESP header; with AH, the ICV additionally covers the immutable fields of the IP header itself, including the addresses, in both IP versions.
• The IP addresses of the two IPsec hosts are in the clear because they are needed to route the datagram through the network.
• Tunnel mode offers protection to the entire IP datagram, with both AH and ESP, between two IPsec gateways.
• This is possible because a new outer IP header is added, in both IPv4 and IPv6, as shown in Fig. 17.12.
• Between the two gateways the datagram is secure, and the original IP addresses are protected as well: hidden by ESP encryption, or integrity-protected by AH.
• Beyond the gateways, however, the datagram is not protected.
• This protection is created when the first IPsec gateway encapsulates the datagram, including its IP header, into a new shield datagram whose outer IP header carries the address of the receiving IPsec gateway.
• At the receiving gateway, the new datagram is unwrapped and the original datagram is recovered.
• Based on its original IP address, this datagram can then be forwarded by the receiving gateway, but from this point on it is unprotected.
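The ESP format, the SA parameters and the two encapsulation modes of the preceding sections, as one added Go example that is not code from the slides or from any IPsec stack: an SA record holding the SPI, destination, key, salt and sequence counter; ESP encapsulation and decapsulation with AES-GCM as specified in RFC 4106, where the clear-text SPI and sequence number are authenticated as associated data and the ICV is the GCM tag; and the same function applied in transport mode to a TCP segment and in tunnel mode to a whole inner IPv4 datagram, where only the next-header byte and the scope of what is encrypted differ. The key, the SPI values and the datagram contents are constructed; the outer IP header that the gateway prepends in tunnel mode is not built here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	protoIPv4 = 4  // ESP next header in tunnel mode: a whole IPv4 datagram
	protoTCP  = 6  // ESP next header in transport mode: a TCP segment
	espHdrLen = 8  // SPI + sequence number, sent in the clear
	espIVLen  = 8  // AES-GCM IV carried in the packet (RFC 4106)
	espICVLen = 16 // AES-GCM tag = ESP Authentication Data
)

// SA is one direction of traffic; a peer that sends and receives needs two.
type SA struct {
	SPI  uint32
	Dst  [4]byte // destination host (transport) or gateway (tunnel)
	Key  []byte  // AES-128 key, 16 bytes
	Salt [4]byte // RFC 4106: first 4 bytes of the 12-byte nonce
	Seq  uint32  // outbound counter; a receiver keeps a replay window instead
}

func (sa *SA) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(sa.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func (sa *SA) nonce(iv []byte) []byte {
	return append(append([]byte{}, sa.Salt[:]...), iv...)
}

// espEncapsulate builds SPI | Seq | IV | Encrypt(payload | pad | padlen | next) | ICV;
// the outer IP header (protocol 50) is left to the IP stack.
func espEncapsulate(sa *SA, payload []byte, nextHeader byte) ([]byte, error) {
	if sa.Seq == 0xffffffff {
		return nil, errors.New("sequence counter exhausted: rekey the SA")
	}
	sa.Seq++
	gcm, err := sa.aead()
	if err != nil {
		return nil, err
	}
	padLen := (4 - (len(payload)+2)%4) % 4 // padlen and next header must end 4-byte aligned
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding bytes 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), nextHeader)
	hdr := make([]byte, espHdrLen+espIVLen)
	binary.BigEndian.PutUint32(hdr[0:], sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:], sa.Seq)
	binary.BigEndian.PutUint64(hdr[8:], uint64(sa.Seq)) // IV from the counter: never repeats per key
	// The clear-text SPI and sequence number are authenticated as associated data.
	return gcm.Seal(hdr, sa.nonce(hdr[8:]), plain, hdr[:espHdrLen]), nil
}

// espDecapsulate reverses espEncapsulate and rejects any packet whose ICV fails;
// the anti-replay check on the sequence number belongs before Open and is omitted here.
func espDecapsulate(sa *SA, pkt []byte) ([]byte, byte, error) {
	if len(pkt) < espHdrLen+espIVLen+espICVLen+2 {
		return nil, 0, errors.New("ESP packet too short")
	}
	if binary.BigEndian.Uint32(pkt) != sa.SPI {
		return nil, 0, errors.New("SPI does not select this SA")
	}
	gcm, err := sa.aead()
	if err != nil {
		return nil, 0, err
	}
	plain, err := gcm.Open(nil, sa.nonce(pkt[8:16]), pkt[16:], pkt[:espHdrLen])
	if err != nil {
		return nil, 0, errors.New("ICV check failed: packet modified or wrong key")
	}
	padLen := int(plain[len(plain)-2])
	if padLen+2 > len(plain) {
		return nil, 0, errors.New("bad pad length")
	}
	return plain[:len(plain)-2-padLen], plain[len(plain)-1], nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed key
	sa := &SA{SPI: 0x1001, Dst: [4]byte{10, 0, 0, 2}, Key: key, Salt: [4]byte{1, 2, 3, 4}}
	// Transport mode: only the TCP segment is wrapped; the host's own IP header stays outside.
	tp, _ := espEncapsulate(sa, []byte("constructed TCP segment"), protoTCP)
	// Tunnel mode: the entire inner datagram, addresses included, is wrapped (constructed datagram).
	inner := append([]byte{0x45, 0, 0, 24, 0, 0, 0, 0, 64, protoTCP, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2}, "ping"...)
	gw := &SA{SPI: 0x2002, Dst: [4]byte{198, 51, 100, 1}, Key: key, Salt: sa.Salt}
	tn, _ := espEncapsulate(gw, inner, protoIPv4)
	fmt.Printf("transport: %d bytes, tunnel: %d bytes\n", len(tp), len(tn))
}
```

Because the SPI and sequence number are fed to GCM as associated data, flipping a bit in the clear-text header fails the ICV just as flipping a bit in the ciphertext does, and a packet that arrives with the wrong SPI is rejected before any decryption is attempted. Deriving the 8-byte IV from the sequence counter is what keeps AES-GCM nonces unique for the life of the key, which is also why the counter must not be allowed to wrap.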
