Internet Protocol Security (IPSec)


Internet Protocol Security (IPSec) is a protocol suite that authenticates hosts and encrypts packets, operating at the Network layer (layer 3) of the OSI model.

  • used with other protocols to provide connection security
  • uses:
    • secure IPv4 and/or IPv6 communications on local networks
    • remote access VPN protocol
    • increasingly used as a standalone VPN protocol
  • operates at the Network layer, which means that it
    • can be implemented without having to configure specific application support
    • incurs less packet overhead

Protocols

  • two core protocols
    • can be applied singly or together
    • Authentication Header (AH)
      • IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks
      • Provides a mechanism for authentication-only, not encryption
        • payload is not encrypted
        • does not provide confidentiality
      • computes a keyed cryptographic hash (HMAC) over the whole packet
        • including the IP header (with mutable fields such as TTL and checksum zeroed) and a shared secret key
        • adds this value to its header as an Integrity Check Value (ICV)
      • the recipient performs the same computation to verify that the packet has not been modified
      • protects against replay attacks by using a sequence number in the AH header
    • Encapsulating Security Payload (ESP)
      • provides a mechanism for both authentication and encryption, plus protection against replay attacks
      • uses the same integrity/authentication algorithms as AH
        • but only authenticates the ESP payload, not the IP header
      • encrypts the payload
        • rather than only calculating an ICV over it
      • attaches three fields to the packet:
        • header
        • trailer
          • provides padding for the cryptographic function
        • Integrity Check Value
          • ESP excludes the IP header when calculating the ICV
          • unlike AH
      • can use one or both algorithms for:
        • confidentiality (symmetric cipher)
        • hash function (authentication/integrity)
  • Internet Key Exchange (IKE)
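
As an added worked example (not part of the original notes), the following Python sketch shows what the AH bullets above describe: the keyed hash covering the IP header with the mutable fields a router changes zeroed out, the ICV carried in the AH header, the recipient recomputing it, and the sequence-number replay check. The key, SPI, addresses and payload are constructed sample values, HMAC-SHA-256 truncated to 128 bits stands in for whichever integrity algorithm is negotiated, and the IPv4 header builder is simplified (no checksum); it illustrates the mechanism and is not a production IPsec implementation.

```python
import hmac
import hashlib
import struct

# Constructed sample values for this example (not from the page).
AH_PROTO = 51                      # IP protocol number assigned to AH
ICV_LEN = 16                       # HMAC-SHA-256 truncated to 128 bits
KEY = b"constructed-shared-secret-key"


def ipv4_header(src, dst, proto, length, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left zero for clarity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, ttl, proto, 0, src, dst)


def _immutable_view(ip_hdr):
    """AH hashes the IP header with the fields routers legitimately change zeroed out."""
    h = bytearray(ip_hdr)
    h[1] = 0                       # DSCP/ECN
    h[6:8] = b"\x00\x00"           # flags / fragment offset
    h[8] = 0                       # TTL
    h[10:12] = b"\x00\x00"         # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV = HMAC over (immutable IP header || AH header with ICV zeroed || payload)."""
    data = _immutable_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, seq, payload, next_header=6, spi=0x1000):
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    # AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence number
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah_packet(key, packet):
    """Returns (icv_ok, sequence_number); the receiver recomputes the ICV the same way."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    seq = struct.unpack("!I", ah_fixed[8:12])[0]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload)), seq


class ReplayWindow:
    """Anti-replay check: a sliding bitmap of already-seen sequence numbers."""

    def __init__(self, size=64):
        self.size, self.mask, self.top, self.bitmap = size, (1 << size) - 1, 0, 0

    def accept(self, seq):
        """True if seq is new and inside the window; False if replayed or too old."""
        if seq == 0:
            return False                               # sequence numbers start at 1
        if seq > self.top:                             # advance the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & self.mask if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                               # too old, or already seen
        self.bitmap |= 1 << diff
        return True


def demo():
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])      # constructed addresses
    pkt = build_ah_packet(KEY, src, dst, seq=1, payload=b"hello")
    ok, _ = verify_ah_packet(KEY, pkt)
    routed = bytearray(pkt)
    routed[8] -= 1                                             # a router decrements TTL: still verifies
    ok_ttl, _ = verify_ah_packet(KEY, bytes(routed))
    natted = bytearray(pkt)
    natted[12:16] = bytes([192, 0, 2, 1])                      # NAT rewrites the source address: ICV fails
    ok_nat, _ = verify_ah_packet(KEY, bytes(natted))
    window = ReplayWindow()
    replay = [window.accept(s) for s in (1, 3, 2, 2, 1, 70, 3)]
    return ok, ok_ttl, ok_nat, replay


if __name__ == "__main__":
    print(demo())
```

Note how decrementing the TTL still verifies while rewriting the source address (what a NAT does) breaks the ICV, which is why AH and NAT do not mix; the replay window accepts fresh sequence numbers even when they arrive out of order and rejects duplicates and anything that has fallen behind the window.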

Modes

  • Transport Mode
    • used to secure communications between hosts on a private network (an end-to-end implementation)
    • commonly used for client-to-site VPN connections
    • NAT is not supported in transport mode
    • if ESP is applied in transport mode
      • only encrypts the payload (data) and ESP trailer
        • IP header for each packet is not encrypted
    • if AH is used in transport mode
      • can provide integrity for the IP header
    • requires more configuration on the back-end hardware, plus a software client on each host

  • Tunnel Mode

    • used for communications between VPN gateways across an insecure network (creating a VPN)
    • referred to as a router implementation
    • commonly used for site-to-site VPNs
    • NAT is supported with the tunnel mode
    • IP packet is authenticated, encrypted, and encapsulated in a tunneling protocol
      • commonly uses Layer 2 Tunneling Protocol (L2TP)
    • With ESP
      • entire IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header
      • this protects the internal routing information
        • by encrypting the IP header of the original packet
    • AH has no real use case in tunnel mode
      • confidentiality is usually required
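
Added example (not from the original notes): the same framing for ESP in transport mode versus tunnel mode, in Python. It builds the ESP header (SPI, sequence number), the trailer (padding, pad length, next header) and an ICV that deliberately excludes the outer IP header, then shows that tunnel mode hides the original hosts' addresses behind the gateways' header while transport mode leaves them in the clear. Addresses, keys, SPI, IV and the TCP segment are constructed sample values; the HMAC-based keystream is only a stand-in for the symmetric cipher an IPsec stack would negotiate, and the IPv4 header is simplified (no checksum).

```python
import hmac
import hashlib
import struct

# Constructed sample values for this example (not from the page).
ESP_PROTO = 50                      # IP protocol number assigned to ESP
ICV_LEN = 16
SPI = 0x2000
ENC_KEY = b"constructed-encryption-key"
AUTH_KEY = b"constructed-authentication-key"


def ipv4_header(src, dst, proto, length, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left zero for clarity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, ttl, proto, 0, src, dst)


def _keystream(key, iv, n):
    """Stand-in for the symmetric cipher (a real stack would use e.g. AES); not a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(inner, next_header, seq, iv):
    """ESP header || IV || encrypt(inner || trailer) || ICV; the outer IP header is not covered by the ICV."""
    pad_len = (-(len(inner) + 2)) % 4               # pad so inner + padding + 2 is 4-byte aligned
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp_hdr = struct.pack("!II", SPI, seq)
    ciphertext = _xor(inner + trailer, _keystream(ENC_KEY, iv, len(inner) + len(trailer)))
    icv = hmac.new(AUTH_KEY, esp_hdr + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return esp_hdr + iv + ciphertext + icv


def esp_decapsulate(esp):
    """Verify the ICV, decrypt, strip the trailer; returns (inner bytes, next header)."""
    esp_hdr, iv, ciphertext, icv = esp[:8], esp[8:16], esp[16:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, esp_hdr + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    plain = _xor(ciphertext, _keystream(ENC_KEY, iv, len(ciphertext)))
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:len(plain) - pad_len - 2], next_header


def transport_mode(src, dst, segment, seq, iv):
    """Host-to-host: the original IP header stays in the clear; only the segment is protected (next header 6 = TCP)."""
    esp = esp_encapsulate(segment, 6, seq, iv)
    return ipv4_header(src, dst, ESP_PROTO, 20 + len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, inner_packet, seq, iv):
    """Gateway-to-gateway: the whole original packet, header included, sits encrypted behind a new IP header (next header 4 = IPv4-in-IPv4)."""
    esp = esp_encapsulate(inner_packet, 4, seq, iv)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(esp)) + esp


def demo():
    host_a, host_b = bytes([192, 168, 1, 10]), bytes([192, 168, 2, 20])   # constructed private hosts
    gw_a, gw_b = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])        # constructed VPN gateways
    iv = bytes(range(8))                                   # constructed, fixed IV so the demo is deterministic
    segment = b"\x04\xd2\x01\xbbTCP-SEGMENT"              # constructed stand-in for a TCP segment
    inner = ipv4_header(host_a, host_b, 6, 20 + len(segment)) + segment

    transport = transport_mode(host_a, host_b, segment, 1, iv)
    tunnel = tunnel_mode(gw_a, gw_b, inner, 1, iv)

    # Transport mode shows the endpoints on the wire; tunnel mode shows only the gateways.
    transport_shows_hosts = host_a in transport and host_b in transport
    tunnel_hides_hosts = host_a not in tunnel and host_b not in tunnel and gw_a in tunnel

    # Both decapsulate back to what was protected; the next-header byte tells the receiver what it got.
    _, nh_transport = esp_decapsulate(transport[20:])
    recovered, nh_tunnel = esp_decapsulate(tunnel[20:])

    # Because the ESP ICV excludes the outer IP header, a NAT rewriting the gateway address leaves it valid.
    natted = bytearray(tunnel)
    natted[12:16] = bytes([192, 0, 2, 1])
    nat_ok = esp_decapsulate(bytes(natted)[20:])[0] == inner

    return transport_shows_hosts, tunnel_hides_hosts, nh_transport, nh_tunnel, recovered == inner, nat_ok


if __name__ == "__main__":
    print(demo())
```

The next-header value in the trailer is what distinguishes the two modes for the receiver: 6 means "what follows is a TCP segment for me", 4 means "what follows is a whole IPv4 packet to route onward".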

Info

  • The principles underlying IPSec are the same for IPv4 and IPv6, but the header formats are different
    • IPSec makes use of extension headers in IPv6
    • in IPv4:
      • ESP and AH are allocated new IP protocol numbers (50 and 51)
      • and either modify the original IP header or encapsulate the original packet
        • depending on whether transport or tunnel mode is used