NETWORK LAYER

PROTOCOLS
NETWORK LAYER PROTOCOLS
 Internet Protocol Security
(IPsec)

 A suite of authentication and encryption protocols

 Developed by the Internet Engineering Task Force (IETF)

 Designed to address the inherent lack of security for IP-based

networks

 It runs transparently to transport layer and application layer

protocols which do not see it

 Runs both in IP V4 and IP V6

IP SEC SERVICES
 Access control—to prevent an unauthorized access to the resource.

 Connectionless integrity—to give an assurance that the traffic received

has not been modified in any way.

 Confidentiality—to ensure that Internet traffic is not examined by non

authorized parties.
 This requires all IP datagrams to have their data field, TCP, UDP, ICMP, or any other
datagram data field segment encrypted.

 Authentication—particularly source authentication so that when a

destination host receives an IP datagram, with a particular IP source address,
it is possible to be sure that the IP datagram was indeed generated by the
host with the source IP address. This prevents spoofed IP addresses.

 Replay protection—to guarantee that each packet exchanged between two

parties is different
 IPsec protocol achieves these two objectives by dividing the
protocol suite into two main protocols:

 Authentication Header (AH) protocol

 The AH protocol provides source authentication and data

integrity but no confidentiality.

 Encapsulation Security Payload (ESP) protocol

 The ESP protocol provides authentication, data integrity,

and confidentiality.

 Any datagram from a source must be secured with either

AH or ESP
 Authentication Header (AH)

 AH protocol provides source authentication and data integrity but not

confidentiality.

 This is done by a source that wants to send a datagram first establishing an

SA, through which the source can send the datagram.

 A source datagram includes an AH inserted between the original IP

datagram data and the IP header to shield the data field which is now
encapsulated as a standard IP datagram.

 Upon receipt of the IP datagram, the destination host notices the AH and
processes it using the AH protocol.

 Intermediate hosts such as routers, however, do their usual job of examining

every datagram for the destination IP address and then forwarding it on
 Encapsulating Security Payload (ESP)

 Unlike the AH protocol, ESP protocol provides source authentication, data

integrity, and confidentiality.

 This has made ESP the most commonly used IPsec header.

 Similar to AH, ESP begins with the source host establishing an AS which it
uses to send secure datagrams to the destination.

 Datagrams are secured by ESP by surrounding their original IP datagrams

with a new header and trailer fields all encapsulated into a new IP datagram.

 Confidentiality is provided by DES_CBC encryption.

 Next to the ESP trailer field on the datagram is the ESP Authentication Data
field.
 Security Associations

 In order to perform the security services that IPsec provides, IPsec

must first get as much information as possible on the security
arrangement of the two communicating hosts.

 Such security arrangements are called security associations (SAs).

 A security association is a unidirectional security arrangement

defining a set of items and procedures that must be shared
between the two communicating entities in order to protect the
communication process
 In the usual network IP connections, the network layer IP is
connectionless.

 However, with security associations, IPsec creates logical

connection-oriented channels at the network layer.

 This logical connection-oriented channel is created by a security

agreement established between the two hosts stating specific
algorithms to be used by the sending party to ensure
confidentiality (with ESP), authentication, message integrity, and
anti-replay protection.

 Since each AS establishes a unidirectional channel, for a full-

duplex communication between two parties, two SAs must be
established.
 An SA is defined by the following parameters

 Security Parameter Index (SPI)—a 32-bit connection identifier of

the SA. For each association between a source and destination host,
there is one SPI that is used by all datagrams in the connection to
provide information to the receiving device on how to process the
incoming traffic

 IP destination address—address of a destination host.

 A security protocol (AH or ESP)—to be used and specifying if

traffic is to be provided with integrity and secrecy. The protocol also
defines the key size, the key lifetime, and the cryptographic
algorithms. • Secret key—which defines the keys to be used.

 Encapsulation mode—defining how encapsulation headers are

created and which parts of the header and user traffic are protected
during the communication process.
 Transport and Tunnel Modes

 Transport Mode provides host-to-host protection to higher-layer

protocols in the communication between two hosts in both IPv4 and
IPv6.

 In IPv4, this area is the area beyond the IP address as shown.

 In IPv6, the new extension to IPv4, the protection includes the upper
protocols, the IP address, and any IPv6 header extensions.

 The IP addresses of the two IPsec hosts are in the clear because they
are needed in routing the datagram through the network.
 Tunnel mode offers protection to the entire IP datagram both
in AH and ESP between two IPsec gateways.
 This is possible because of the added new IP header in both
IPv4 and IPv6
 Between the two gateways, the datagram is secure and the
original IP address is also secure.
 However, beyond the gateways, the datagram may not be
secure.
 Such protection is created when the first IPsec gateway
encapsulates the datagram including its IP address into a
new shield datagram with a new IP address of the receiving
IPsec gateway.
 At the receiving gateway, the new datagram is unwrapped
and brought back to the original datagram.
 This datagram, based on its original IP address, can be
passed on further by the receiving gateway, but from this
point on unprotected.
 Virtual Private Networks
(VPN)

 A VPN is a private data network that makes use of the public

telecommunication infrastructure, such as the Internet

 Adds security procedures over the unsecure communication

channels.

 Types of VPN

 Remote access which lets single users connect to the

protected company network
 Site-to-site which supports connections between two protected
company networks
 Components of a VPN

 Two terminators which are either software or hardware.

 These perform encrypt tion, decryption, and authentication

services.

 They also encapsulate the information.

 A tunnel—connecting the endpoints.

 The tunnel is a secure communication link between the

endpoints and networks such as the Internet.

 In fact this tunnel is virtually created by the endpoints

 Activities of VPN technology

 IP encapsulation—
 this involves enclosing TCP/IP data packets within another packet with an IP address of
either a firewall or a server that acts as a VPN endpoint.

 This encapsulation of host IP address helps in hiding the host.

 Encryption—
 is done on the data part of the packet.

 Just like in SSL, the encryption can be done either in transport mode which encrypts its data
at the time of generation or tunnel mode which encrypts and decrypts data during
transmission encrypting both data and header.

 Authentication—
 involves creating an encryption domain which includes authenticating computers and data
packets by use for public encryption.
Security Types of VPNs

 Trusted VPNs

 Secure VPNs

 Hybrid VPNs
 Trusted VPNs

 VPN technology consisted of one or more circuits

leased from a communications provider

 this legacy VPN provided customer privacy to the

extent that the communications provider assured the
customer that no one else would use the same circuit

 This security based on trust resulted into what is now

called trusted VPNs.
 Trusted VPNs

 No one other than the trusted VPN provider can affect

the creation or modification of a path in the VPN

 No one other than the trusted VPN provider can change

data, inject data, or delete data on a path in the VPN.

 The routing and addressing used in a trusted VPN must

be established before the VPN is created. security
requirements
 Secure VPNs

 Protocols that would allow traffic to be encrypted at

the edge of one network or at the originating
computer, moved over the Internet like any other
data, and then decrypted when it reaches the
corporate network or a receiving computer.

 Networks that are constructed using encryption are

called secure VPNs.
 security requirements

 All traffic on the secure VPN must be encrypted and

authenticated

 The security properties of the VPN must be agreed

to by all parties in the VPN.

 No one outside the VPN can affect the security

properties of the VPN.
 Hybrid VPNs

 Clearly mark the address boundaries of the secure VPN

within the trusted VPN

 In hybrid VPNs, the secure VPN segments can run as

subsets of the trusted VPN and vice versa.

 Under these circumstances, the hybrid VPN is secure

only in the parts that are based on secure VPNs.
 VPN Tunneling Technology

 IPsec with encryption used in either tunnel or

transport modes.

 Point-to-Point Tunneling Protocol (PPTP)

 Layer 2 Tunneling Protocol

 PPP over SSL and PPP over SSH.

 IPsec with encryption

 The host/gateway at one end of a VPN sends a request to the

host/gateway at the other end to establish a VPN connection.

 The remote host/gateway generates a random number and

sends a copy of it to the requesting host/gateway.

 The requesting host/gateway, using this random number,

encrypts its pre-shared key it got from the IKE (shared with the
remote host/gateway) and sends it back to the remote
host/gateway.
 IPsec with encryption

 The remote host/gateway also uses its random number and

decrypts its pre-shared key and compares the two keys for a
match.
 If there is a match with anyone of its keys on the key ring,
then it decrypts the public key using this pre-shared key and
sends the public key to the requesting host/gateway.
 Finally, the requesting host/gateway uses the public key to
establish the Ipsec security association (SA) between the
remote host/gateway and itself.
 This exchange establishes the VPN connection
 Point-to-Point Tunneling Protocol
PPTP

 This is a Microsoft-based dial-up protocol used by

remote users seeking a VPN connection with a

network.

 It is an older technology with limited use.

 Layer 2 Tunneling Protocol
L2TP inside IPsec

 This is an extension of PPP, a dial-up technology.

 Unlike PPTP which uses Microsoft dial-up encryption, L2TP uses

IPsec in providing secure authentication of remote access.

 L2TP protocol makes a host connect to a modem

 And then it makes a PPP to the data packets to a host/gateway

where it is unpacked and forwarded to the intended host.

 PPP over SSL and PPP over SSH

 These are Unix-based protocols for constructing VPNs.

 PPP also tunnels Internet Protocol (IP) or other network layer 3

data between two directly connected nodes over a physical
connection or over a direct link.

 Since IP and Transmission Control Protocol (TCP) do not support

point-to-point connections, the use of PPP can enable them
over Ethernet and other physical media
 Security in the Physical Layer

 Point-to-Point Protocol (PPP)

 A PPP communication begins with a handshake
 It involves a negotiation between the client and the Remote Access
Service
 To settle the transmission and security issues before the transfer of
data could begin
 Packet Filters
 A packet filter is designed to sit between the internal and external
network.
 As packets enter or leave the network, they are compared to a set
of rules.
 This determines if they are passed, rejected, or dropped.
 A router ACL is an example of a packet filter.
 Security in the Physical Layer

 NAT (network address translation)

 is a means of translating addresses.
 Most residential high-speed Internet users use NAT.
 It provides security as it hides the internal address from
external networks.
 CHAP (Challenge-Handshake Authentication Protocol)
 is an authentication protocol that is used as an alternative
to passing clear-text usernames and passwords.
 CHAP uses the MD5 hashing algorithm to encrypt passwords.
 Security in the Physical Layer

 PAP (Password Authentication Protocol

 this may not be the best security mechanism at the physical

layer;

 however, it does provide some protection as it requires a user

to present a username and password.

 Its Achilles heel is that it transmits this information in clear

text.
 Point-to-Point Protocol (PPP)
Authentication
 Password Authentication Protocol (PAP)
 requires the applicant to repeatedly send to the server authentication request
messages, consisting of a username and password, until a response is received or the
link is terminated.
 Challenge-Handshake Authentication Protocol (CHAP)
 works on a “shared secret” basis where the server sends to the client a challenge
message and waits for a response from the client.
 Upon receipt of the challenge, the client adds on a secret message, hashes both, and
sends the result back to the server.
 The server also adds a secret message to the challenge,
 hashes with an agreed-upon algorithm,
 and then compares the results.
 Authentication of the client results if there is a match.
 To harden the authentication process, the server periodically authenticates the client.
 Extensible Authentication Protocol (EAP)
 is open-ended, allowing users to select from among a list of authentication options.
 Point-to-Point Protocol (PPP)
Confidentiality

 During the negotiations, the client and server

must agree on the encryption that must be

used.

 IETF has recommended two such encryptions

 DES

 3DES.