Chapter 20 discusses IP Security (IPsec), outlining its importance in securing network communications through authentication and encryption mechanisms as defined in RFC 1636. It highlights the benefits of IPsec, including strong perimeter security, transparency to applications, and support for various communication types, while detailing its operational modes (Transport and Tunnel) and key components like Security Associations and the Security Association Database. The chapter emphasizes IPsec's role in enhancing security for both local and remote communications across different network environments.
Chapter 20
IP Security

“If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told.”
—The Art of War, Sun Tzu

IP Security Overview
• RFC 1636, “Security in the Internet Architecture”
  • Issued in 1994 by the Internet Architecture Board (IAB)
  • Identifies key areas for security mechanisms
    • Need to secure the network infrastructure from unauthorized monitoring and control of network traffic
    • Need to secure end-user-to-end-user traffic using authentication and encryption mechanisms
• IAB included authentication and encryption as necessary security features in the next generation IP (IPv6)
• The IPsec specification now exists as a set of

Applications of IPsec
• IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet
• Examples include:
  • Secure branch office connectivity over the Internet
  • Secure remote access over the Internet
  • Establishing extranet and intranet connectivity with partners
  • Enhancing electronic commerce security
• Principal feature of IPsec is that it can encrypt and/or authenticate all traffic at the IP level
  • Thus all distributed applications (remote logon, client/server, e-mail, file transfer, Web access) can be secured

Benefits of IPsec
• Some of the benefits of IPsec:
  • When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter
    • Traffic within a company or workgroup does not incur the overhead of security-related processing
  • IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization
  • IPsec is below the transport layer (TCP, UDP) and so is transparent to applications
    • There is no need to change software on a user or server system when IPsec is implemented in the firewall or router
  • IPsec can be transparent to end users
    • There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization
  • IPsec can provide security for individual users if needed
    • This is useful for offsite workers and for setting up a secure virtual subnetwork within an organization for sensitive applications

Routing Applications
• IPsec can play a vital role in the routing architecture required for internetworking
• IPsec can assure that:
  • A router advertisement comes from an authorized router
  • A router seeking to establish or maintain a neighbor relationship with a router in another routing domain is an authorized router
  • A redirect message comes from the router to which the initial IP packet was sent
  • A routing update is not forged

IPsec Documents
• Architecture
  • Covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology
  • The current specification is RFC 4301, Security Architecture for the Internet Protocol
• Authentication Header (AH)
  • An extension header to provide message authentication
  • The current specification is RFC 4302, IP Authentication Header
• Encapsulating Security Payload (ESP)
  • Consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication
  • The current specification is RFC 4303, IP Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE)
  • A collection of documents describing the key management schemes for use with IPsec
  • The main specification is RFC 5996, Internet Key Exchange (IKEv2) Protocol, but there are a number of related RFCs
• Cryptographic algorithms
  • This category encompasses a large set of documents that define and describe cryptographic algorithms for encryption, message authentication, pseudorandom functions (PRFs), and cryptographic key exchange
• Other
  • There are a variety of other IPsec-related RFCs, including those dealing with security policy and management information base (MIB) content

IPsec Services
• IPsec provides security services at the IP layer by enabling a system to:
  • Select required security protocols
  • Determine the algorithm(s) to use for the service(s)
  • Put in place any cryptographic keys required to provide the requested services
• RFC 4301 lists the following services:
  • Access control
  • Connectionless integrity
  • Data origin authentication
  • Rejection of replayed packets (a form of partial sequence integrity)
  • Confidentiality (encryption)
  • Limited traffic flow confidentiality

Transport and Tunnel Modes
• Transport Mode
  • Provides protection primarily for upper-layer protocols
  • Examples include a TCP or UDP segment or an ICMP packet
  • Typically used for end-to-end communication between two hosts
  • ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header
  • AH in transport mode authenticates the IP payload and selected portions of the IP header
• Tunnel Mode
  • Provides protection to the entire IP packet
  • Used when one or both ends of a security association (SA) are a security gateway
  • A number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec
  • ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header
  • AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header

Table 20.1 Tunnel Mode and Transport Mode Functionality

Security Association (SA)
• A one-way logical connection between a sender and a receiver that affords security services to the traffic carried on it
• Uniquely identified by three parameters:
  • Security Parameters Index (SPI)
    • A 32-bit unsigned integer assigned to this SA and having local significance only
  • IP Destination Address
    • Address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router
  • Security protocol identifier
    • Indicates whether the association is an AH or ESP security association
• In any IP packet, the SA is uniquely identified by the Destination Address in the IPv4 or IPv6 header and the SPI in the enclosed extension header (AH or ESP)

Security Association Database (SAD)
• Defines the parameters associated with each SA
• Normally defined by the following parameters in a SAD entry:
  • Security parameter index
  • Sequence number counter
  • Sequence counter overflow
  • Anti-replay window
  • AH information
  • ESP information
  • Lifetime of this security association
  • IPsec protocol mode
  • Path MTU
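The SA identification triple and the SAD entry's anti-replay window, as an added worked example (this is editor-written illustration code, not from the chapter or any IPsec implementation). It parses the destination address, security protocol and SPI out of a sample IPv4 packet carrying AH or ESP, looks up the matching SAD entry keyed on that triple, and then applies the sliding-window replay check that RFC 4303 describes; the sequence numbers, addresses, SPIs and packets are all constructed sample values, the 64-packet window size is an assumption (the RFC only requires a minimum of 32), and only the SAD fields relevant to this check are modelled.

```python
"""Added example: SA lookup by (destination, protocol, SPI) and anti-replay
window processing for one inbound SAD entry. Sample data is constructed."""

from dataclasses import dataclass
import socket
import struct

AH, ESP = 51, 50              # IP protocol numbers for the two IPsec extension headers
WINDOW = 64                   # assumed anti-replay window size (RFC 4303 minimum is 32)
WINDOW_MASK = (1 << WINDOW) - 1


@dataclass
class SADEntry:
    """Subset of the SAD parameters listed above for a single inbound SA."""
    spi: int
    protocol: int             # AH or ESP (the security protocol identifier)
    mode: str                 # "transport" or "tunnel" (IPsec protocol mode)
    highest_seq: int = 0      # right edge of the window: largest sequence number accepted
    window_bits: int = 0      # bit i set => sequence number highest_seq - i already received

    def check_replay(self, seq: int) -> str:
        """Sliding-window anti-replay check (RFC 4303 section 3.4.3).
        Returns "accept" and records the packet if seq is new, "replay" if it was
        already received, "stale" if it lies to the left of the window."""
        if seq == 0:
            return "stale"                       # sequence number 0 is never transmitted
        if seq > self.highest_seq:               # new right edge: slide the window
            shift = seq - self.highest_seq
            if shift >= WINDOW:
                self.window_bits = 1             # everything previously seen falls out
            else:
                self.window_bits = ((self.window_bits << shift) | 1) & WINDOW_MASK
            self.highest_seq = seq
            return "accept"
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return "stale"                       # older than the window: drop
        bit = 1 << offset
        if self.window_bits & bit:
            return "replay"                      # already received: drop
        self.window_bits |= bit
        return "accept"


def parse_ipsec_packet(pkt: bytes):
    """Return (dst, protocol, spi, seq) from an IPv4 packet carrying AH or ESP.
    Only the fields needed to identify the SA and check replay are read."""
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length in bytes
    protocol = pkt[9]
    dst = socket.inet_ntoa(pkt[16:20])
    hdr = pkt[ihl:]
    if protocol == ESP:                          # ESP: SPI(4) SeqNo(4) payload...
        spi, seq = struct.unpack("!II", hdr[:8])
    elif protocol == AH:                         # AH: Next(1) Len(1) Rsvd(2) SPI(4) SeqNo(4) ICV
        spi, seq = struct.unpack("!II", hdr[4:12])
    else:
        raise ValueError("not an IPsec packet")
    return dst, protocol, spi, seq


def inbound_process(sad: dict, pkt: bytes) -> str:
    """Select the SA by the (destination, protocol, SPI) triple and apply its
    anti-replay window. Returns the disposition for the packet."""
    dst, protocol, spi, seq = parse_ipsec_packet(pkt)
    sa = sad.get((dst, protocol, spi))
    if sa is None:
        return "no-sa"                           # no matching SAD entry: discard
    return sa.check_replay(seq)


def build_packet(src: str, dst: str, protocol: int, spi: int, seq: int, payload: bytes) -> bytes:
    """Construct a sample IPv4 + AH/ESP packet for the example (checksum and ICV
    are left zero; this is test data, not a real IPsec sender)."""
    if protocol == ESP:
        ipsec_hdr = struct.pack("!II", spi, seq)
    else:                                        # AH Payload Len 4 => 24-byte header incl. 12-byte ICV
        ipsec_hdr = struct.pack("!BBHII", 6, 4, 0, spi, seq) + b"\x00" * 12
    total = 20 + len(ipsec_hdr) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, protocol, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + ipsec_hdr + payload


def demo() -> list:
    """Run a constructed sequence of packets against a one-entry SAD."""
    sad = {("10.0.0.2", ESP, 0x1000): SADEntry(spi=0x1000, protocol=ESP, mode="tunnel")}
    seqs = [1, 1, 3, 2, 2, 200, 100, 137]       # duplicates, out-of-order, and a stale one
    results = [inbound_process(sad, build_packet("192.0.2.1", "10.0.0.2", ESP, 0x1000, s, b"ct"))
               for s in seqs]
    # Same destination but an unknown SPI, then the right SPI under the wrong protocol:
    results.append(inbound_process(sad, build_packet("192.0.2.1", "10.0.0.2", ESP, 0x2000, 1, b"ct")))
    results.append(inbound_process(sad, build_packet("192.0.2.1", "10.0.0.2", AH, 0x1000, 1, b"ct")))
    return results


if __name__ == "__main__":
    print(demo())
```

The last two packets show why the SA is keyed on the full triple: the same destination and SPI under a different protocol is a different SA, so a receiver must not accept it against the ESP entry. The `stale` case (sequence 100 arriving after 200 with a 64-packet window) is the RFC's "left of the window" drop, which is distinct from a replay but handled identically at the receiver.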