
Monday, 23 September 2024

IPSec Architecture


Components of IPSec Architecture

IPSec architecture defines the concepts and mechanisms required for securing data transmission at the IP layer, which include the following:

  1. Security Association
  2. Security Protocols - AH and ESP
  3. Key Management Protocol - IKE
  4. Databases - SPD and SAD


Figure: IPSec Architecture


Here is a video introducing IPSec Protocol

Security Associations

  • An association is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it
  • If a peer relationship is needed, for two-way secure exchange, then two security associations are required
  • A Security Association is uniquely identified by three parameters:
    • Security Parameter Index (SPI)
    • IP Destination Address
    • Security Protocol Identifier
  • SA parameters are defined as follows:
    • SPI is a 32-bit string assigned to an SA which is carried in the AH or ESP header to enable the receiving system to identify the corresponding SA that will process the packet further
    • IP Destination Address identifies the destination endpoint of the SA, which may be an end user system or a network system such as a firewall or router
    • Security Protocol Identifier indicates the protocol used for securing the data transmission in the SA

Security Association Database (SAD):

SAD defines each SA with the following set of parameters:
  • Sequence Number Counter:  A 32-bit value used to generate the Sequence Number field in AH or ESP headers
  • Sequence Counter Overflow:  A flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent further transmission of packets on this SA
  • Anti-Replay Window:  Used to determine whether an inbound AH or ESP packet is a replay or not
  • AH Information:  Consists of details about authentication algorithm, keys, key lifetimes, and related parameters being used with AH 
  • ESP Information:  Consists of details about encryption and authentication algorithm, keys, initialization values, key lifetimes, and related parameters
  • Lifetime of This Security Association:  A time interval or byte count after which an SA must be replaced with a new SA or terminated
  • IPSec Protocol Mode:  Indicates the mode of operation used - Tunnel, Transport or Wildcard
  • Path MTU:  Any observed path maximum transmission unit (maximum size of a packet that can be transmitted without fragmentation) and aging variables
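The SA identification triple and several SAD fields above (sequence number counter, sequence counter overflow flag, anti-replay window, lifetime) can be shown working together. The following is an added example, not code from the original post: a small SAD keyed by (SPI, destination address, protocol), an outbound sequence-number generator that honours the overflow flag, and an inbound sliding-window anti-replay check of the kind RFC 4303 describes. The window size, byte lifetime and addresses are constructed values chosen for illustration.

```python
from dataclasses import dataclass

AH, ESP = 51, 50      # IP protocol numbers for AH and ESP
WINDOW_SIZE = 64      # anti-replay window width in packets (assumption; RFC 4303 requires >= 32)


@dataclass
class SecurityAssociation:
    """One SA as the SAD describes it (a subset of the fields listed above)."""
    spi: int
    dst: str
    protocol: int               # 50 (ESP) or 51 (AH)
    mode: str = "transport"
    seq_counter: int = 0        # outbound: last sequence number sent
    overflow_flag: bool = True  # True: audit and stop sending when the 32-bit counter would wrap
    window_top: int = 0         # inbound: highest sequence number accepted so far
    window_bitmap: int = 0      # inbound: bit i set => sequence (window_top - i) already seen
    bytes_processed: int = 0
    lifetime_bytes: int = 2**20  # constructed byte-count lifetime after which the SA must be replaced


class SAD:
    def __init__(self):
        self._table = {}

    def add(self, sa):
        # The triple (SPI, destination address, protocol) uniquely identifies an SA
        self._table[(sa.spi, sa.dst, sa.protocol)] = sa

    def lookup(self, spi, dst, protocol):
        return self._table.get((spi, dst, protocol))


def next_outbound_seq(sa):
    """Generate the Sequence Number field for the next packet on this SA.
    Returns None when the 32-bit counter would overflow and the overflow flag
    says transmission must stop (an auditable event: rekey before sending more)."""
    if sa.seq_counter >= 0xFFFFFFFF:
        if sa.overflow_flag:
            return None
        sa.seq_counter = 0  # flag clear: the counter is allowed to wrap
    sa.seq_counter += 1
    return sa.seq_counter


def check_replay(sa, seq):
    """Inbound sliding-window anti-replay check.
    Returns True and records seq if the packet is new; False if it is a replay
    or older than the window can represent."""
    if seq == 0:
        return False  # sequence number 0 is never valid on the wire
    if seq > sa.window_top:
        # Packet is to the right of the window: slide the window forward
        shift = seq - sa.window_top
        if shift >= WINDOW_SIZE:
            sa.window_bitmap = 1
        else:
            sa.window_bitmap = ((sa.window_bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
        sa.window_top = seq
        return True
    diff = sa.window_top - seq
    if diff >= WINDOW_SIZE:
        return False  # left of the window: too old, reject
    if sa.window_bitmap & (1 << diff):
        return False  # inside the window but already seen: replay
    sa.window_bitmap |= 1 << diff
    return True


def process_inbound(sad, spi, dst, protocol, seq, length):
    """Receiver-side processing order: find the SA, reject replays, then account lifetime."""
    sa = sad.lookup(spi, dst, protocol)
    if sa is None:
        return "drop: no SA"
    if not check_replay(sa, seq):
        return "drop: replay"
    sa.bytes_processed += length
    if sa.bytes_processed >= sa.lifetime_bytes:
        return "accept: lifetime exhausted, rekey"
    return "accept"


if __name__ == "__main__":
    sad = SAD()
    sad.add(SecurityAssociation(spi=0x1001, dst="10.0.0.2", protocol=ESP))  # constructed SA
    for seq in (1, 1, 5, 3, 100, 30):
        print(seq, process_inbound(sad, 0x1001, "10.0.0.2", ESP, seq, 100))
```

The bitmap is one integer, so sliding the window is a single shift; the `& mask` keeps it from growing past `WINDOW_SIZE` bits. Note that the lookup uses the exact triple: the same SPI under AH and under ESP are different SAs.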

Security Policy Database (SPD):
  • SPD contains entries, each of which defines a subset of IP traffic and points to an SA for that traffic
  • Each SPD entry is defined by a set of IP and upper-layer protocol field values, called selectors (SA Selectors) 
  • These selectors are used to filter outgoing traffic in order to map it into a particular SA
  • Selectors that determine an SPD entry are as follows:
    • Destination IP Address:  This may be a single IP address, an enumerated list or range of addresses
    • Source IP Address:  This may be a single IP address, an enumerated list or range of addresses
    • UserID:  A user identifier from the operating system.  This is an ID available in the operating system if IPSec is running on the same OS as the user
    • Data Sensitivity Level:  Used for systems providing information flow security
    • Transport Layer Protocol:  Obtained from the IPv4 protocol or IPv6 Next Header field.
    • Source and Destination Ports:  These may be individual TCP or UDP port values, an enumerated list of ports, or a wildcard port

Authentication Header (AH):
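The selector matching just described is what maps an outgoing packet to an SA (or to a bypass/discard decision). Here is an added example, not code from the original post, of an ordered SPD whose entries use the selector kinds listed above: single addresses, address ranges (CIDR) and enumerated lists for source/destination, and single values, lists or a wildcard for protocol, ports and user ID. The policy entries, SPI values and the BYPASS/DISCARD/PROTECT action names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "*"  # wildcard selector value


def _match_addr(selector, addr):
    """Address selector: '*', a single address, a CIDR range, or a list of those."""
    if selector == ANY:
        return True
    if isinstance(selector, (list, tuple)):
        return any(_match_addr(s, addr) for s in selector)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(selector, strict=False)


def _match_scalar(selector, value):
    """Scalar selector (port, protocol, user id): '*', a single value, or an enumerated list."""
    if selector == ANY:
        return True
    if isinstance(selector, (list, tuple, set)):
        return value in selector
    return value == selector


@dataclass
class SPDEntry:
    dst: object = ANY
    src: object = ANY
    protocol: object = ANY      # transport-layer protocol number (6 = TCP, 17 = UDP)
    sport: object = ANY
    dport: object = ANY
    user_id: object = ANY
    action: str = "PROTECT"     # PROTECT (apply IPSec), BYPASS (send in clear) or DISCARD
    sa_spi: Optional[int] = None  # SA that PROTECT traffic is mapped to

    def matches(self, pkt):
        return (_match_addr(self.dst, pkt["dst"])
                and _match_addr(self.src, pkt["src"])
                and _match_scalar(self.protocol, pkt["proto"])
                and _match_scalar(self.sport, pkt["sport"])
                and _match_scalar(self.dport, pkt["dport"])
                and _match_scalar(self.user_id, pkt.get("uid", ANY)))


class SPD:
    """Ordered policy list: the first matching entry decides, as with a firewall ruleset."""
    def __init__(self, entries):
        self.entries = list(entries)

    def lookup(self, pkt):
        for entry in self.entries:
            if entry.matches(pkt):
                return entry.action, entry.sa_spi
        return "DISCARD", None  # no matching policy: default deny


def example_spd():
    """Constructed policy: let IKE through in the clear, protect two destinations, drop the rest."""
    return SPD([
        SPDEntry(protocol=17, dport=[500, 4500], action="BYPASS"),
        SPDEntry(dst="10.1.0.0/16", src="10.0.0.0/24", protocol=6, action="PROTECT", sa_spi=0x1001),
        SPDEntry(dst=["192.0.2.10", "192.0.2.11"], action="PROTECT", sa_spi=0x2002),
        SPDEntry(dst="10.1.0.0/16", action="DISCARD"),
    ])


def classify(spd, pkt):
    """Return (action, spi) for an outbound packet described by its selector fields."""
    return spd.lookup(pkt)


if __name__ == "__main__":
    spd = example_spd()
    pkt = {"src": "10.0.0.5", "dst": "10.1.2.3", "proto": 6, "sport": 40000, "dport": 443}
    print(classify(spd, pkt))
```

Entry order matters: the BYPASS rule for IKE (UDP 500/4500) sits first so that key-management traffic to a peer is never itself mapped onto an SA that does not yet exist. A default of DISCARD when nothing matches is the safe choice; a BYPASS default would silently send unmatched traffic in the clear.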
  • AH is a security protocol used within the IPSec suite
  • It confirms that the data originates from the expected source
  • Its primary function is to ensure that the data remains unmodified during the transmission from the source to the destination
  • AH achieves authentication by adding a header to IP packets, containing a checksum and a digital signature
Figure: Format of the AH Header
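To make the AH header format concrete, here is an added example (not code from the original post) that builds, parses and verifies an AH header in Python. The layout is the standard one: Next Header (1 byte), Payload Len (1 byte, AH length in 32-bit words minus 2), Reserved (2 bytes), SPI (4 bytes), Sequence Number (4 bytes), then the Integrity Check Value (ICV). The ICV the text describes as a checksum and digital signature is, in deployed AH, a truncated keyed MAC; the example uses HMAC-SHA1-96 (12-byte ICV). One simplifying assumption: the MAC is computed over the AH header (with the ICV field zeroed) and the payload only, whereas real AH also covers the immutable fields of the IP header. The key and payload are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (12 bytes)
AH_FIXED = struct.Struct("!BBHII")  # next header, payload len, reserved, SPI, sequence number


def build_ah(next_header, spi, seq, payload, key):
    """Return AH header + payload with a valid ICV. (Assumption: coverage excludes the IP header.)"""
    ah_len_words = (AH_FIXED.size + ICV_LEN) // 4          # 24 bytes = 6 words
    fixed = AH_FIXED.pack(next_header, ah_len_words - 2, 0, spi, seq)
    mac_input = fixed + bytes(ICV_LEN) + payload            # ICV field is zero while computing
    icv = hmac.new(key, mac_input, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv + payload


def parse_ah(packet):
    """Split a received AH-protected packet into its header fields, ICV and payload."""
    next_header, payload_len, reserved, spi, seq = AH_FIXED.unpack(packet[:AH_FIXED.size])
    ah_total = (payload_len + 2) * 4                        # Payload Len is in words minus 2
    return {
        "next_header": next_header,
        "spi": spi,
        "seq": seq,
        "ah_len": ah_total,
        "icv": packet[AH_FIXED.size:ah_total],
        "payload": packet[ah_total:],
    }


def verify_ah(packet, key):
    """Recompute the ICV over the received bytes with the ICV field zeroed and
    compare in constant time. Returns (ok, parsed_fields)."""
    fields = parse_ah(packet)
    ah_total = fields["ah_len"]
    mac_input = packet[:AH_FIXED.size] + bytes(ah_total - AH_FIXED.size) + fields["payload"]
    expected = hmac.new(key, mac_input, hashlib.sha1).digest()[:ICV_LEN]
    # compare_digest also returns False (without raising) if the ICV length is wrong
    return hmac.compare_digest(expected, fields["icv"]), fields


if __name__ == "__main__":
    key = b"constructed-demo-key"                            # constructed, not a real SA key
    pkt = build_ah(next_header=6, spi=0x1001, seq=7, payload=b"hello tcp", key=key)
    ok, fields = verify_ah(pkt, key)
    print(ok, hex(fields["spi"]), fields["seq"], fields["ah_len"])
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])            # flip one payload bit
    print(verify_ah(tampered, key)[0])
```

The receiver uses the SPI from the cleartext header to find the SA (and hence the key) in the SAD before it can verify the ICV; the sequence number then feeds the anti-replay window. Because the MAC covers the payload, any single-bit change in it makes verification fail, which is the "remains unmodified" property described above.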

Encapsulating Security Payload (ESP):
  • ESP consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication

Two Modes of Operation in IPSec

  • Both AH and ESP support two modes of operation: transport mode and tunnel mode.
  • Transport mode provides protection primarily for upper-layer protocols by protecting the payload of an IP packet, whereas tunnel mode provides protection for the entire IP packet.
Transport Mode:
  • Transport mode is used for end-to-end communication between two hosts (e.g., a client and a server, or two workstations)
  • Transport mode encrypts only the data packet's payload and leaves the IP header in its original form. 
  • The unencrypted packet header allows routers to identify the destination address of each data packet. Therefore, IPSec transport mode is used in a closed and trusted network, such as securing a direct connection between two computers.
  • ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header
  • AH in transport mode authenticates the IP payload and selected portions of the IP header

Tunnel Mode:
  • The IPSec tunnel mode is suitable for transferring data on public networks as it enhances data protection from unauthorized parties. 
  • The computer encrypts all data, including the payload and header, and appends a new header to it.
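The difference between the two modes is easiest to see in the byte layout. The following added example (not code from the original post) builds the ESP encapsulation for transport mode and for tunnel mode as it looks just before encryption, and returns which bytes stay in the clear (outer IP header plus ESP header) and which fall inside the protected region. No cipher is applied: the point is the boundary, and a real implementation would encrypt and authenticate the protected region under the SA's ESP algorithms. The IPv4 header builder is minimal (checksum left zero) and all addresses, SPIs and the payload are constructed.

```python
import socket
import struct

ESP_PROTO = 50   # IP protocol number for ESP
IPIP_PROTO = 4   # Next Header value meaning "an IPv4 packet follows" (tunnel mode)
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header without options


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header for illustration: header checksum is left as zero."""
    return IPV4_HDR.pack((4 << 4) | 5, 0, total_len, 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))


def esp_wrap(inner, next_header, spi, seq):
    """Return (esp_header, protected_region) for one packet before encryption.
    protected_region = inner | padding | pad length | next header (the ESP trailer)."""
    pad_len = (-(len(inner) + 2)) % 4                    # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))                # default ESP padding pattern 1,2,3,...
    trailer = padding + bytes([pad_len, next_header])
    esp_header = struct.pack("!II", spi, seq)             # SPI and sequence number stay in clear
    return esp_header, inner + trailer


def transport_mode(src, dst, proto, payload, spi, seq):
    """Keep the original IP header (protocol field becomes ESP); protect only the payload."""
    esp_header, protected = esp_wrap(payload, proto, spi, seq)
    outer = ipv4_header(src, dst, ESP_PROTO, IPV4_HDR.size + len(esp_header) + len(protected))
    return {"clear": outer + esp_header, "protected": protected}


def tunnel_mode(src, dst, proto, payload, spi, seq, gw_src, gw_dst):
    """Protect the whole original packet (header and payload) and add a new outer header
    addressed between the two tunnel endpoints (e.g. gateways)."""
    inner_packet = ipv4_header(src, dst, proto, IPV4_HDR.size + len(payload)) + payload
    esp_header, protected = esp_wrap(inner_packet, IPIP_PROTO, spi, seq)
    outer = ipv4_header(gw_src, gw_dst, ESP_PROTO, IPV4_HDR.size + len(esp_header) + len(protected))
    return {"clear": outer + esp_header, "protected": protected}


def visible_destination(clear_bytes):
    """What a router on the path can read: the destination of the outermost IP header."""
    return socket.inet_ntoa(clear_bytes[16:20])


def inner_address_exposed(result, addr):
    """True if the given address appears in the cleartext part of the packet."""
    return socket.inet_aton(addr) in result["clear"]


if __name__ == "__main__":
    payload = b"GET / HTTP/1.0"                                                   # constructed
    t = transport_mode("10.0.0.1", "10.0.0.2", 6, payload, 0x1001, 1)
    u = tunnel_mode("10.0.0.1", "10.0.0.2", 6, payload, 0x2002, 1, "203.0.113.1", "198.51.100.1")
    print("transport: router sees", visible_destination(t["clear"]))
    print("tunnel:    router sees", visible_destination(u["clear"]))
```

In transport mode the host addresses 10.0.0.1 and 10.0.0.2 remain readable on the wire, which is why the page recommends it for a trusted network. In tunnel mode only the gateway addresses are visible and the original header, including the real endpoints, sits inside the protected region; the trailer's Next Header byte (4) tells the receiving gateway that an IP packet follows once decrypted.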


Video Presentations on IPSec:

Video on IPSec Protocols - AH and ESP
