
Friday, 20 September 2024

IP Security (IPSec) Protocol


IP Security (IPSec)

  • One of the key areas identified by Internet Architecture Board (IAB) in securing Internet communication is securing the network infrastructure from unauthorized users.
  • Securing the network infrastructure can be done by implementing the following:
    1. Monitoring and controlling the network traffic
    2. Securing end-user-to-end-user traffic using authentication and encryption techniques
  • An enterprise can run a secure, private IP network by doing the following:
    • Disallowing links to untrusted sites
    • Encrypting packets that leave the premises and
    • Authenticating packets that enter the premises

  • IPSec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet.
  • Implementing security at the IP level helps an organization secure the networking layer through which its applications communicate with the external world.
  • IPv6 is the next-generation IP that fully implements IPSec by including security features such as authentication and encryption.

IP vs IPSec

  • Internet Protocol (IP) is the common standard that determines how data travels over the Internet.
  • IPsec (IP Security), on the other hand, is a suite of security protocols added as an extension to the IP layer. It performs the following:
    • IPsec adds encryption and authentication to make IP more secure. For example, it scrambles the data at its source and unscrambles it at its destination, and it authenticates the source of the data.
    • IPsec can ensure a secure connection between two computing devices over unprotected IP networks, such as the Internet.
    • IPsec is a capability built over IP (IPv4 and IPv6) by means of additional headers. It consists of three distinct functions: authentication, confidentiality and key management.
  • IPSec is a capability that can be added to the current version of the Internet Protocol (IPv4) by means of additional headers.


Key Functions of IPSec

IP-level security encompasses three functional areas:

  1. Authentication
  2. Confidentiality
  3. Key Management

Authentication:
  • The authentication mechanism assures that a received packet was, in fact, transmitted by the party identified as the source in the packet header.
  • It also assures that the packet has not been altered in transit.

Confidentiality:
  • The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties.

Key Management:
  • The key management facility is concerned with the secure exchange of keys between two communicating parties.

Figure: An IP Security Scenario

  • When IPSec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter.
  • Some of the applications of IPSec are as follows:
    • Secure branch office connectivity over the Internet
    • Secure remote access over the Internet
    • Establish extranet and intranet connectivity with partners
    • Enhance electronic commerce security


How does IPSec work?

Computers exchange data with the IPSec protocol through the following steps.

  1. The sending computer checks its security policy to determine whether the data transmission requires IPSec protection. If it does, it initiates a secure IPSec transmission with the recipient computer.
  2. Both computers negotiate the requirements for establishing a secure connection. This includes mutually agreeing on the encryption, authentication, and other security association (SA) parameters.
  3. The computers send and receive encrypted data, validating that it came from the trusted source and checking that the content has not been altered in transit.
  4. Once the transmission is complete or the session has timed out, the computer ends the IPSec connection.

Figure: IPSec Architecture
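
The four steps above, walked through in an added Python example (written for this page; it is not code from the post or from any IKE implementation). The security policy table, the peer names, the proposal strings and the Diffie-Hellman parameters are all constructed for illustration: the DH modulus is a small toy prime rather than one of the standard IKE groups, and the protected data in step 3 uses an AH-style integrity check (SPI, sequence number, truncated HMAC) so that the whole example runs with only the standard library.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

# Hypothetical security policy database (SPD): destination prefix -> action.
# Prefixes are constructed for this example.
SPD = [
    (ipaddress.ip_network("10.20.0.0/16"), "protect"),  # branch office: needs IPsec
    (ipaddress.ip_network("192.0.2.0/24"), "bypass"),   # lab segment: sent in the clear
]


def policy_lookup(dst_ip: str) -> str:
    """Step 1: the sender consults its policy before transmitting."""
    addr = ipaddress.ip_address(dst_ip)
    for net, action in SPD:
        if addr in net:
            return action
    return "discard"  # default deny for traffic that no policy covers


# Toy Diffie-Hellman parameters (a Mersenne prime; NOT a standard IKE group).
TOY_P = 2**127 - 1
TOY_G = 5


class Peer:
    def __init__(self, name: str, proposals: list[str]):
        self.name = name
        self.proposals = proposals  # ordered by preference, most preferred first
        self.priv = secrets.randbelow(TOY_P - 3) + 2
        self.pub = pow(TOY_G, self.priv, TOY_P)
        self.sa = None  # filled in by negotiate()


def negotiate(initiator: Peer, responder: Peer) -> str:
    """Step 2: agree on algorithms and derive SA keys from a DH shared secret."""
    chosen = next((p for p in initiator.proposals if p in responder.proposals), None)
    if chosen is None:
        raise ValueError("no common proposal; SA cannot be established")
    # Each side computes the same secret from its own private value and the peer's public value.
    secret_i = pow(responder.pub, initiator.priv, TOY_P)
    secret_r = pow(initiator.pub, responder.priv, TOY_P)
    if secret_i != secret_r:
        raise RuntimeError("DH exchange failed")
    spi = secrets.randbits(32) or 1  # SPI identifies this SA in every protected packet
    for peer, secret in ((initiator, secret_i), (responder, secret_r)):
        # Bind the key to the chosen transform and SPI so a different SA gets a different key.
        auth_key = hmac.new(secret.to_bytes(16, "big"), f"{chosen}:{spi}".encode(), hashlib.sha256).digest()
        peer.sa = {"spi": spi, "transform": chosen, "auth_key": auth_key, "seq": 0}
    return chosen


def protect(sender: Peer, payload: bytes) -> bytes:
    """Step 3, sender side: AH-style integrity protection (SPI | seq | ICV | payload)."""
    sender.sa["seq"] += 1
    header = struct.pack(">II", sender.sa["spi"], sender.sa["seq"])
    icv = hmac.new(sender.sa["auth_key"], header + payload, hashlib.sha256).digest()[:12]
    return header + icv + payload


def verify(receiver: Peer, packet: bytes) -> bytes:
    """Step 3, receiver side: recompute the ICV and reject anything that does not match."""
    header, icv, payload = packet[:8], packet[8:20], packet[20:]
    expected = hmac.new(receiver.sa["auth_key"], header + payload, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet was altered or did not come from the SA peer")
    return payload


def teardown(*peers: Peer) -> None:
    """Step 4: discard SA state, keys included, when the session ends."""
    for p in peers:
        p.sa = None


def run_session(dst_ip: str = "10.20.5.7", message: bytes = b"payroll export"):
    """Run all four steps; returns None when policy says the traffic needs no IPsec."""
    if policy_lookup(dst_ip) != "protect":
        return None
    hq = Peer("hq", ["aes256-gcm", "aes128-cbc-hmac-sha256"])
    branch = Peer("branch", ["aes128-cbc-hmac-sha256", "aes256-gcm"])
    transform = negotiate(hq, branch)
    received = verify(branch, protect(hq, message))
    teardown(hq, branch)
    return transform, received, hq.sa is None


if __name__ == "__main__":
    print(run_session())
```

The initiator's preference order decides the outcome of the negotiation, which is why `run_session()` lands on the initiator's first choice even though the responder lists it second; a real IKE responder applies its own policy to the initiator's proposal list in the same way.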

  • IPSec protocols send data packets securely. A data packet is a specific structure that formats and prepares information for network transmission.
  • A data packet in IPSec consists of a header, payload, and trailer:
    • The header is the preceding section that contains the information needed to route the data packet to the correct destination.
    • The payload is the actual information carried within the data packet.
    • The trailer is additional data appended after the payload to indicate the end of the data packet.


The three protocols defined in IPSec

IPsec is a suite of three transport-level protocols used for authenticating the origin and content of IP packets and optionally for data payload encryption.

Authentication header (AH):
  • The authentication header (AH) protocol adds a header that contains sender authentication data and protects the packet contents from modification by unauthorized parties. It alerts the recipient to any manipulation of the original data packet.
  • When receiving the data packet, the computer compares the cryptographic hash it calculates over the payload with the value carried in the header to ensure that both match. A cryptographic hash is a mathematical function that condenses data into a fixed-size value that changes whenever the data changes.

Encapsulating security payload (ESP):
  • The encapsulating security payload (ESP) protocol encrypts either the entire IP packet or only its payload.
  • ESP adds a header and a trailer to the data packet upon encryption.

Internet key exchange (IKE):
  • Internet key exchange (IKE) is a protocol that establishes a secure connection between two devices on the Internet.
  • Both devices set up a security association (SA), which involves negotiating the encryption keys and algorithms used to transmit and receive subsequent data packets.
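
To make the header/payload/trailer framing and ESP's encrypt-then-authenticate behaviour concrete, here is an added Python example (written for this page; it is not code from the post or from any IPsec implementation). It follows the RFC 4303 ESP layout (SPI, sequence number, IV, encrypted payload plus padding trailer, ICV) but substitutes an HMAC-SHA256 counter-mode keystream for a real block cipher so that it runs with only the standard library. The SPI, keys and payload are constructed values, and the anti-replay check is a simplified strictly-increasing counter rather than the sliding window a real implementation uses.

```python
import hashlib
import hmac
import os
import struct

ICV_LEN = 16          # ICV: HMAC-SHA256 truncated to 128 bits
IV_LEN = 16
NEXT_HEADER_TCP = 6   # IANA protocol number for TCP


class IntegrityError(Exception):
    pass


class ReplayError(Exception):
    pass


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR in this example)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SecurityAssociation:
    """State both ends share for one direction: SPI, keys and sequence tracking."""
    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi = spi
        self.enc_key = enc_key
        self.auth_key = auth_key
        self.seq_out = 0       # sender: last sequence number emitted
        self.highest_seen = 0  # receiver: simplified anti-replay state


def esp_encapsulate(sa: SecurityAssociation, payload: bytes, next_header: int = NEXT_HEADER_TCP) -> bytes:
    sa.seq_out += 1
    iv = os.urandom(IV_LEN)
    # ESP trailer: pad so that payload + padding + the 2 trailer bytes is a multiple of 4
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))           # RFC 4303 default padding 1, 2, 3, ...
    plaintext = payload + padding + bytes([pad_len, next_header])
    ciphertext = _xor(plaintext, _keystream(sa.enc_key, iv, len(plaintext)))
    header = struct.pack(">II", sa.spi, sa.seq_out)  # ESP header: SPI | sequence number
    authenticated = header + iv + ciphertext
    icv = hmac.new(sa.auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def esp_decapsulate(sa: SecurityAssociation, packet: bytes) -> tuple[int, bytes]:
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack(">II", header)
    if spi != sa.spi:
        raise IntegrityError("no SA for this SPI")
    # Verify before decrypting: never act on ciphertext that has not been authenticated
    expected = hmac.new(sa.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise IntegrityError("ICV mismatch: packet altered or wrong key")
    if seq <= sa.highest_seen:
        raise ReplayError(f"sequence number {seq} already accepted")
    sa.highest_seen = seq
    iv, ciphertext = body[:IV_LEN], body[IV_LEN:]
    plaintext = _xor(ciphertext, _keystream(sa.enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]   # trailer: pad length | next header
    payload = plaintext[:len(plaintext) - 2 - pad_len]
    return next_header, payload


def demo():
    """Round-trip one packet, then show the two failure modes a receiver must catch."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)   # constructed SA keys
    tx = SecurityAssociation(0x1001, enc_key, auth_key)
    rx = SecurityAssociation(0x1001, enc_key, auth_key)
    pkt = esp_encapsulate(tx, b"GET / HTTP/1.0\r\n")
    ok = esp_decapsulate(rx, pkt)
    try:
        esp_decapsulate(rx, pkt)          # same packet again: replay
        replay = "accepted"
    except ReplayError:
        replay = "rejected"
    tampered = pkt[:20] + bytes([pkt[20] ^ 1]) + pkt[21:]   # flip one bit inside the IV
    try:
        esp_decapsulate(rx, tampered)
        tamper = "accepted"
    except IntegrityError:
        tamper = "rejected"
    return ok, replay, tamper


if __name__ == "__main__":
    print(demo())
```

Two points the packet layout makes visible: the ICV covers the ESP header, the IV and the ciphertext but not the outer IP header (which is why ESP in transport mode does not protect the addresses), and the pad-length and next-header bytes sit inside the encrypted region, so the receiver only learns what the payload is after the integrity check has passed.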
