IPSec

IPSec provides security services like data integrity, authentication, and confidentiality. It uses the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols to secure IP communications. AH provides integrity and authentication while ESP provides integrity, authentication, and confidentiality. IPSec can operate in transport mode to secure upper layer protocols or tunnel mode to secure entire IP packets.


IPSec: Authentication Header, Encapsulating Security Payload Protocols

CSCI 5931 Web Security


Edward Murphy
IPSec Architecture
• Set of security services offered by IPSec include
– Connectionless integrity
– Data origin authentication
– Protection against replay attacks
– Confidentiality
– Limited traffic flow confidentiality
• The services can be used alone or in combination
• Security is provided for protection of the IP and/or
upper layer protocols (TCP, UDP)
• IPSec can be thought of as a software or hardware
module that is implemented in either a host or a
security gateway (router or firewall)
IPSec Architecture
• IPSec module is used to manage security for
individual connections to other modules
– Security Policy Database (SPD) provides specifications
of the security services to be applied to each packet
– Security Association Database (SAD) contains the
security parameters (encryption algorithms, mode used,
initialization data, session keys) used to enforce a
specific policy
– A connection from one module to another is created
through a security association (SA) that corresponds to
an entry in the SAD
– An SA is a uni-directional connection that defines the
type of security services and mechanisms used between
two modules
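As an added example (Go code written for this page, not part of the slides), here is a small model of the two databases and the lookups the module performs for one packet: the SPD is walked in order for an outbound packet, a PROTECT verdict is resolved to an SA in the SAD, and an inbound AH/ESP packet is mapped to its SA by the SPI in its header. The policies, addresses, algorithm names and SPIs are constructed for the example; a real gateway populates the SAD from IKE.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Action is an SPD verdict (RFC 4301): drop the packet, pass it untouched, or apply IPsec.
type Action int

const (
	Discard Action = iota
	Bypass
	Protect
)

func (a Action) String() string { return [...]string{"DISCARD", "BYPASS", "PROTECT"}[a] }

// Selector is the traffic-selector part of an SPD entry; nil networks and zero
// protocol/port values are wildcards.
type Selector struct {
	Src, Dst *net.IPNet
	Proto    int
	DstPort  int
}

// Policy is one SPD entry. The SPD is ordered and the first match wins, so the
// catch-all Discard entry must be last.
type Policy struct {
	Sel    Selector
	Action Action
	SPI    uint32 // outbound SA to apply when Action == Protect
}

// SA is one SAD entry. An SA is unidirectional: the reverse direction needs its own
// SA with a separate SPI, keys and sequence counter.
type SA struct {
	SPI      uint32
	Protocol string // "ESP" or "AH"
	Mode     string // "transport" or "tunnel"
	Peer     net.IP // the other IPsec module
	EncAlg   string // confidentiality algorithm (ESP only)
	AuthAlg  string // integrity algorithm
	Seq      uint32 // outbound sequence counter
}

// Packet carries just the fields SPD selectors are matched against.
type Packet struct {
	Src, Dst net.IP
	Proto    int
	DstPort  int
}

func (s Selector) matches(p Packet) bool {
	return (s.Src == nil || s.Src.Contains(p.Src)) && (s.Dst == nil || s.Dst.Contains(p.Dst)) &&
		(s.Proto == 0 || s.Proto == p.Proto) && (s.DstPort == 0 || s.DstPort == p.DstPort)
}

// outbound is the sender-side lookup: SPD first, then SAD. A Protect policy with no SA
// yet is dropped here; a real module would trigger IKE to negotiate one.
func outbound(spd []Policy, sad map[uint32]*SA, p Packet) (Action, *SA, error) {
	for _, pol := range spd {
		if !pol.Sel.matches(p) {
			continue
		}
		if pol.Action != Protect {
			return pol.Action, nil, nil
		}
		sa, ok := sad[pol.SPI]
		if !ok {
			return Discard, nil, fmt.Errorf("spd: no SA for SPI %#x", pol.SPI)
		}
		sa.Seq++ // each packet sent on the SA consumes the next sequence number
		return Protect, sa, nil
	}
	return Discard, nil, nil // nothing matched: default deny
}

// inbound is the receiver-side lookup: the SPI in the AH/ESP header names the SA.
func inbound(sad map[uint32]*SA, spi uint32) (*SA, error) {
	if sa, ok := sad[spi]; ok {
		return sa, nil
	}
	return nil, errors.New("sad: unknown SPI, packet discarded")
}

// exampleTables is a constructed SPD/SAD for a gateway in front of 10.0.1.0/24 whose peer
// 203.0.113.2 fronts 10.0.2.0/24 (addresses, SPIs and algorithm names are made up here).
func exampleTables() ([]Policy, map[uint32]*SA) {
	_, local, _ := net.ParseCIDR("10.0.1.0/24")
	_, remote, _ := net.ParseCIDR("10.0.2.0/24")
	spd := []Policy{
		{Sel: Selector{Proto: 17, DstPort: 500}, Action: Bypass}, // IKE (UDP/500) must travel unprotected
		{Sel: Selector{Src: local, Dst: remote}, Action: Protect, SPI: 0x1001},
		{Sel: Selector{}, Action: Discard},
	}
	sad := map[uint32]*SA{
		0x1001: {SPI: 0x1001, Protocol: "ESP", Mode: "tunnel", Peer: net.ParseIP("203.0.113.2"), EncAlg: "aes-cbc-128", AuthAlg: "hmac-sha1-96"},
		// the inbound SA for the reverse direction; its SPI was chosen by this gateway (the receiver)
		0x2002: {SPI: 0x2002, Protocol: "ESP", Mode: "tunnel", Peer: net.ParseIP("203.0.113.2"), EncAlg: "aes-cbc-128", AuthAlg: "hmac-sha1-96"},
	}
	return spd, sad
}

func main() {
	spd, sad := exampleTables()
	p := Packet{Src: net.ParseIP("10.0.1.5"), Dst: net.ParseIP("10.0.2.7"), Proto: 6, DstPort: 80}
	act, sa, err := outbound(spd, sad, p)
	fmt.Printf("%v via SPI %#x (seq %d) err=%v\n", act, sa.SPI, sa.Seq, err)
}
```

Note that a packet from 10.0.2.7 back to 10.0.1.5 does not match the PROTECT entry above in the outbound direction: it arrives as ESP and is resolved through `inbound` by SPI 0x2002, which is the unidirectional SA relationship the slide describes.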
IPSec Architecture
[Diagram: IPsec Module 1 and IPsec Module 2, each with its own SPD and SAD; the two IPsec modules are joined by an SA]
IPSec Protocols
• The protocols used to provide security are the
Authentication Header (AH) and Encapsulating
Security Payload (ESP)
• Each protocol can be used in one of two modes
– Transport mode – used to protect upper layer payloads
of an IP packet (TCP, UDP)
– Tunnel mode – used to protect an entire IP packet
including its payload (VPN)
• Transport mode is used as an SA between two
hosts
• Tunnel mode is used as an SA between two
gateways or a host and gateway
IPSec Protocols
• Transport Mode (upper level protocols)

    | IP | IPsec | Payload |
         |<--- Protected -->|

• Tunnel Mode (entire IP packet)

    | Outer IP | IPsec | Inner IP | Payload |
               |<------- Protected ------->|
IPSec Protocols
• AH is used to provide
– Connectionless integrity and data origin
authentication (integrity)
– Optional anti-replay service
• ESP is used to provide
– Confidentiality
– Connectionless integrity and data origin
authentication (integrity)
– Limited traffic flow confidentiality
– Optional anti-replay service
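The anti-replay service both protocols offer is a receiver-side check on the sequence number carried in the AH or ESP header. As an added example (Go code written for this page, not from the slides), this is the state a receiver keeps per inbound SA, a 64-packet sliding window of the kind RFC 4303 describes; the sequence numbers fed to it in `main` are constructed to show in-order, reordered, replayed and stale packets.

```go
package main

import "fmt"

// replayWindow is the receiver's per-SA anti-replay state: the highest sequence
// number accepted and a 64-bit map of which of the 64 numbers at or below it
// have already been received.
type replayWindow struct {
	top  uint32
	bits uint64 // bit i set => sequence number top-i has been received
}

// accept reports whether seq is fresh and, if so, records it. It must run only
// after the packet's ICV has verified; otherwise forged sequence numbers could
// push the window forward and make genuine packets look stale.
func (w *replayWindow) accept(seq uint32) bool {
	if seq == 0 {
		return false // sequence number 0 is never transmitted
	}
	if seq > w.top { // newer than anything seen: slide the window up
		if shift := seq - w.top; shift >= 64 {
			w.bits = 0
		} else {
			w.bits <<= shift
		}
		w.bits |= 1
		w.top = seq
		return true
	}
	diff := w.top - seq
	if diff >= 64 || w.bits&(1<<diff) != 0 {
		return false // older than the window, or already seen (replay)
	}
	w.bits |= 1 << diff // reordered but still inside the window: accept once
	return true
}

// checkSequence runs one inbound SA's window over a burst of sequence numbers and
// returns the verdict for each, so reordering and replay cases are visible side by side.
func checkSequence(seqs []uint32) []bool {
	var w replayWindow
	out := make([]bool, len(seqs))
	for i, s := range seqs {
		out[i] = w.accept(s)
	}
	return out
}

func main() {
	seqs := []uint32{1, 3, 2, 2, 70, 5, 7} // constructed: 2 arrives late once, is replayed, 5 is stale after 70
	for i, ok := range checkSequence(seqs) {
		fmt.Printf("seq %3d accepted=%v\n", seqs[i], ok)
	}
}
```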
IPSec Protocols
• Integrity Algorithm (AH, ESP)
– Hashed Message Authentication Code, HMAC (160-bit key)
• Confidentiality Algorithm (ESP)
– AES in CBC mode (128-bit to 256-bit key)
• Transport Mode Protection
• AH - Integrity
– Immutable sections of the IP header, the AH header,
and the upper level data
• ESP - Integrity
– The ESP header, the upper level data, and the ESP
trailer
• ESP – Confidentiality
– The upper level data, and the ESP trailer
IPSec Protocols
• Transport Mode (AH)

    | IP Header | AH | Upper Level Data |
    |<---- Integrity & Authentication --->|

• Transport Mode (ESP)

    | IP Header | ESP Header | Upper Level Data | ESP Trailer |
                             |<------- Encryption ------->|
                |<------ Integrity & Authentication ----->|
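An added example of the transport-mode AH coverage shown above (Go code written for this page, not from the slides): the ICV is an HMAC-SHA1-96 computed over the IP header with the fields RFC 4302 classes as mutable zeroed, the AH itself with a zero ICV field, and the upper-level data, which stays in the clear. The key, addresses and payload are constructed; the header-building helpers are the example's own, and `forward` stands in for a router hop.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

const (
	ipProtoAH = 51
	ahHdrLen  = 12 // Next Header, Payload Len, Reserved, SPI, Sequence Number
	ahICVLen  = 12 // HMAC-SHA1-96: the 160-bit HMAC-SHA-1 tag truncated to 96 bits (RFC 2404)
)

// ipChecksum is the IPv4 header checksum, treating the checksum field itself as zero.
func ipChecksum(h []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(h); i += 2 {
		if i == 10 {
			continue
		}
		sum += uint32(h[i])<<8 | uint32(h[i+1])
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// ipv4Header builds a 20-byte, option-free IPv4 header (constructed for the example).
func ipv4Header(src, dst [4]byte, proto, ttl byte, totalLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(h[2:], uint16(totalLen))
	binary.BigEndian.PutUint16(h[4:], 0x1234) // identification
	h[6] = 0x40                                // flags: DF
	h[8], h[9] = ttl, proto
	copy(h[12:], src[:])
	copy(h[16:], dst[:])
	binary.BigEndian.PutUint16(h[10:], ipChecksum(h))
	return h
}

// ahMutableZeroed copies the IPv4 header and zeroes the RFC 4302 mutable fields (TOS,
// Flags, Fragment Offset, TTL, Header Checksum). What remains covered is the immutable
// part: version/IHL, total length, identification, protocol and both addresses.
func ahMutableZeroed(h []byte) []byte {
	z := append([]byte{}, h...)
	z[1], z[6], z[7], z[8], z[10], z[11] = 0, 0, 0, 0, 0, 0
	return z
}

// ahICV is HMAC-SHA1-96 over: zeroed IP header | AH with zero ICV field | upper-level data.
func ahICV(key, pkt []byte) []byte {
	mac := hmac.New(sha1.New, key)
	mac.Write(ahMutableZeroed(pkt[:20]))
	mac.Write(pkt[20 : 20+ahHdrLen])
	mac.Write(make([]byte, ahICVLen)) // the ICV field counts as zero while it is computed
	mac.Write(pkt[20+ahHdrLen+ahICVLen:])
	return mac.Sum(nil)[:ahICVLen]
}

// ahProtect applies AH in transport mode: the AH sits between the IP header (whose
// Protocol becomes 51) and the unchanged upper-layer payload.
func ahProtect(key []byte, src, dst [4]byte, ttl, nextHdr byte, spi, seq uint32, payload []byte) []byte {
	ahLen := ahHdrLen + ahICVLen
	pkt := ipv4Header(src, dst, ipProtoAH, ttl, 20+ahLen+len(payload))
	ah := make([]byte, ahLen)
	ah[0] = nextHdr           // what the payload really is (6 = TCP)
	ah[1] = byte(ahLen/4 - 2) // Payload Len: AH length in 32-bit words minus 2 (RFC 4302)
	binary.BigEndian.PutUint32(ah[4:], spi)
	binary.BigEndian.PutUint32(ah[8:], seq)
	pkt = append(append(pkt, ah...), payload...)
	copy(pkt[20+ahHdrLen:], ahICV(key, pkt))
	return pkt
}

// ahVerify recomputes the ICV at the receiver and compares it in constant time.
func ahVerify(key, pkt []byte) bool {
	if len(pkt) < 20+ahHdrLen+ahICVLen || pkt[9] != ipProtoAH {
		return false
	}
	return hmac.Equal(ahICV(key, pkt), pkt[20+ahHdrLen:20+ahHdrLen+ahICVLen])
}

// forward simulates one router hop: TTL decremented, header checksum recomputed.
func forward(pkt []byte) {
	pkt[8]--
	binary.BigEndian.PutUint16(pkt[10:], ipChecksum(pkt[:20]))
}

func main() {
	key := []byte("0123456789abcdef0123") // constructed 160-bit key; a real SA gets it from IKE
	pkt := ahProtect(key, [4]byte{10, 0, 0, 1}, [4]byte{10, 0, 0, 2}, 64, 6, 0x100, 1, []byte("upper level data"))
	fmt.Println("fresh packet verifies:", ahVerify(key, pkt))
	forward(pkt)
	fmt.Println("after a router hop (TTL", pkt[8], ") verifies:", ahVerify(key, pkt))
	pkt[len(pkt)-1] ^= 1
	fmt.Println("after payload tamper verifies:", ahVerify(key, pkt))
}
```

The `forward` step is the point of the mutable-field rule: TTL and the checksum change on every hop, so they cannot be under the ICV, while a change to the source address or the payload is caught. Because AH covers the addresses, it does not survive NAT, which is one reason ESP is the more common choice in practice.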
IPSec Protocols
• Tunnel Mode Protection
• AH - Integrity
– Immutable sections of the outer IP header, the
AH header, and the entire inner IP packet
• ESP - Integrity
– The ESP header, the entire inner IP packet, and
the ESP trailer
• ESP – Confidentiality
– The entire inner IP packet, and the ESP trailer
IPSec Protocols
• Tunnel Mode (AH)

    | Outer IP | AH | Inner IP | Upper Level Data |
    |<------ Integrity & Authentication ------->|

• Tunnel Mode (ESP)

    | Outer IP | ESP Header | Inner IP | Upper Level Data | ESP Trailer |
                            |<------------ Encryption ------------>|
               |<---------- Integrity & Authentication ---------->|
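An added example of tunnel-mode ESP with the algorithms named on the algorithm slide, AES-CBC and HMAC-SHA1-96 (Go code written for this page, not from the slides). The whole inner IP packet plus the ESP trailer (padding, pad length, next header = 4 for IPv4-in-IP) is encrypted; the ICV is computed over the ESP header, IV and ciphertext and appended after them, so the outer IP header is not covered, matching the coverage listed above. Keys, addresses and the inner packet are constructed; the header-building helpers are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	ipProtoESP = 50
	espICVLen  = 12 // HMAC-SHA1-96: 160-bit HMAC-SHA-1 tag truncated to 96 bits (RFC 2404)
	nextHdrIP4 = 4  // tunnel mode: what follows is a whole IPv4 packet
)

// espKeys is what the SAD holds for one ESP SA: an AES key and a 20-byte HMAC-SHA-1 key.
type espKeys struct{ enc, auth []byte }

// outerHeader is the new IPv4 header the gateway prepends in tunnel mode
// (identification and checksum left zero; the sending IP stack fills them in).
func outerHeader(src, dst [4]byte, payloadLen int) []byte {
	h := []byte{0x45, 0, 0, 0, 0, 0, 0, 0, 64, ipProtoESP, 0, 0}
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	return append(append(h, src[:]...), dst[:]...)
}

// espEncapsulate produces
//   outer IP | SPI | Seq | IV | AES-CBC( inner IP packet | padding | pad len | next hdr ) | ICV
func espEncapsulate(k espKeys, spi, seq uint32, src, dst [4]byte, inner []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.enc)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padLen := (bs - (len(inner)+2)%bs) % bs // inner + pad + 2 trailer bytes = whole blocks
	plain := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), nextHdrIP4)
	iv := make([]byte, bs)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	esp := make([]byte, 8, 8+bs+len(ct)+espICVLen)
	binary.BigEndian.PutUint32(esp[0:], spi)
	binary.BigEndian.PutUint32(esp[4:], seq)
	esp = append(append(esp, iv...), ct...)
	mac := hmac.New(sha1.New, k.auth)
	mac.Write(esp) // ICV covers SPI, Seq, IV and ciphertext; the ICV itself is not encrypted
	esp = append(esp, mac.Sum(nil)[:espICVLen]...)
	return append(outerHeader(src, dst, len(esp)), esp...), nil
}

// espDecapsulate takes the ESP part (outer header already stripped). The ICV is checked
// before any decryption, so a tampered packet is dropped without touching the cipher.
func espDecapsulate(k espKeys, esp []byte) ([]byte, byte, uint32, error) {
	block, err := aes.NewCipher(k.enc)
	if err != nil {
		return nil, 0, 0, err
	}
	bs := block.BlockSize()
	if len(esp) < 8+2*bs+espICVLen {
		return nil, 0, 0, errors.New("esp: packet too short")
	}
	body, icv := esp[:len(esp)-espICVLen], esp[len(esp)-espICVLen:]
	mac := hmac.New(sha1.New, k.auth)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:espICVLen], icv) {
		return nil, 0, 0, errors.New("esp: ICV mismatch, packet discarded")
	}
	iv, ct := body[8:8+bs], body[8+bs:]
	if len(ct)%bs != 0 {
		return nil, 0, 0, errors.New("esp: ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	padLen := int(pt[len(pt)-2])
	if padLen+2 > len(pt) {
		return nil, 0, 0, errors.New("esp: bad pad length")
	}
	end := len(pt) - 2 - padLen
	for i := 1; i <= padLen; i++ {
		if pt[end+i-1] != byte(i) {
			return nil, 0, 0, errors.New("esp: bad padding")
		}
	}
	return pt[:end], pt[len(pt)-1], binary.BigEndian.Uint32(body[4:8]), nil
}

// innerPacket is a constructed 34-byte IPv4 packet (10.0.1.5 -> 10.0.2.7, protocol 6).
func innerPacket() []byte {
	h := []byte{0x45, 0, 0, 34, 0, 1, 0x40, 0, 64, 6, 0, 0, 10, 0, 1, 5, 10, 0, 2, 7}
	return append(h, "GET / HTTP/1.0"...)
}

func main() {
	k := espKeys{enc: []byte("0123456789abcdef"), auth: []byte("0123456789abcdef0123")} // constructed keys
	pkt, err := espEncapsulate(k, 0x1001, 1, [4]byte{203, 0, 113, 1}, [4]byte{203, 0, 113, 2}, innerPacket())
	if err != nil {
		panic(err)
	}
	inner, next, seq, err := espDecapsulate(k, pkt[20:])
	fmt.Println("outer proto", pkt[9], "wire", len(pkt), "inner", len(inner), "next", next, "seq", seq, err)
	pkt[20+8+16] ^= 0x80 // flip one ciphertext bit on the wire
	_, _, _, err = espDecapsulate(k, pkt[20:])
	fmt.Println("after tamper:", err)
}
```

Two details worth noticing: the receiver authenticates before it decrypts (otherwise it would be running the block cipher, and acting on padding errors, on attacker-controlled data), and the sequence number it returns is what the anti-replay window should be fed only after the ICV has passed. The ESP trailer in the slide's diagram is the pad, pad length and next header bytes here; the ICV follows the trailer and is authenticated data, not encrypted data.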
