2. IPSEC - Internet Protocol Security

IPSEC focuses on the security that can be provided by the IP layer of the network. It does not concern itself with application-level security such as PGP.

We can divide the security requirements into two distinct parts:

These are independent of each other and can be used separately or together according to user needs.

2.1 Authentication & Integrity

Authentication guarantees that the data received is the same as the data that was sent and that the claimed sender is in fact the actual sender. Integrity means that we are sure the transmitted data has arrived at its destination without undetected alteration.

The Authentication Header (AH) is a mechanism for providing strong integrity and authentication for IP datagrams. It might also provide non-repudiation*, depending on which cryptographic algorithm is used and how keying is performed. The security is provided by adding authentication information to the IP datagram. This information is calculated using all of the fields in the IP datagram (not only the IP header but also the other headers and the user data) which do not change in transit. Fields that are altered at each relay the datagram passes through, for instance the hop-count field in IPv6 and the time-to-live field in IPv4, cannot be included.

Unsurprisingly, this system provides much more security than the current bare version of IPv4. Authentication might actually be sufficient for some users who do not require confidentiality. The argument for not using more security measures for some types of packets is the processing cost associated with the computation of authentication data by the participating end systems. The authentication data is carried in its own payload, hence systems which are not participating in the authentication may ignore it.
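The calculation described above, as an added example that is not part of the original page: the receiver zeroes the fields that relays alter, zeroes the authentication data itself, and recomputes a keyed MD5 over the rest. Assumptions: the AH layout (next header, length, reserved, SPI, authentication data), protocol number 51, the extra zeroed IPv4 fields (TOS, flags, fragment offset, checksum) taken from the later AH specification, and MD5(key || datagram || key) as a simplified stand-in for the keyed-MD5 transform; all names, addresses and keys are constructed.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51   # IP protocol number of AH (assumption: not stated on the page)
ICV_LEN = 16    # MD5 output, 128 bits

def compute_icv(dgram, key):
    """Keyed MD5 over the datagram with mutable fields and the ICV zeroed."""
    ihl = (dgram[0] & 0x0F) * 4
    buf = bytearray(dgram)
    buf[1] = 0                       # TOS (mutable per the later AH spec)
    buf[6:8] = b"\x00\x00"           # flags + fragment offset
    buf[8] = 0                       # time-to-live, changed at every relay
    buf[10:12] = b"\x00\x00"         # header checksum, changes with the TTL
    buf[ihl + 8:ihl + 8 + ICV_LEN] = bytes(ICV_LEN)   # authentication data
    # Simplified keyed MD5, not bit-exact to the AH RFC transform.
    return hashlib.md5(key + bytes(buf) + key).digest()

def build_datagram(ttl, payload, key, spi=0x1000):
    """Constructed IPv4 + AH + payload datagram (IP checksum left at 0)."""
    ah = struct.pack("!BBHI", 17, ICV_LEN // 4, 0, spi) + bytes(ICV_LEN)
    total = 20 + len(ah) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, ttl, AH_PROTO, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    dgram = bytearray(ip + ah + payload)
    dgram[28:28 + ICV_LEN] = compute_icv(bytes(dgram), key)
    return bytes(dgram)

def verify(dgram, key):
    """Receiver side: recompute the ICV and compare in constant time."""
    ihl = (dgram[0] & 0x0F) * 4
    received = dgram[ihl + 8:ihl + 8 + ICV_LEN]
    return hmac.compare_digest(received, compute_icv(dgram, key))

def router_hop(dgram):
    """What a relay does to the header: decrement TTL, rewrite the checksum."""
    buf = bytearray(dgram)
    buf[8] -= 1
    buf[10:12] = b"\xbe\xef"         # constructed stand-in for the new checksum
    return bytes(buf)

KEY = bytes(range(16))               # constructed 128-bit key
sent = build_datagram(64, b"constructed payload", KEY)
relayed = router_hop(router_hop(sent))
tampered = relayed[:-1] + bytes([relayed[-1] ^ 1])
print(verify(sent, KEY), verify(relayed, KEY), verify(tampered, KEY))
```
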

When used with IPv6, the AH is normally placed after the Fragmentation and End-to-End headers, but before the ESP and transport-layer headers (TCP or UDP for example). In IPv4, AH is placed immediately following the IPv4 header. Below are some examples of the IP header structures with and without the AH:

[Authentication Header example when used with IPv4]
AH under IPv4

[Authentication Header example when used with IPv6]
AH under IPv6 - transport mode

[Authentication Header tunnel mode positioning for typical IPv4 and IPv6 packets]
AH tunnel mode positioning for typical IPv4 and IPv6 packets

2.2 Confidentiality

Confidentiality is the property of communicating such that the intended recipients know what was being sent, but unintended parties cannot determine it. A mechanism commonly used for providing confidentiality is called encryption.

IPSEC provides confidentiality services through Encapsulating Security Payload (ESP). ESP can also provide data origin authentication, connectionless integrity, and anti-replay service (a form of partial sequence integrity). Confidentiality can be selected independently of all other services. There are two modes for providing confidentiality using ESP. One is transport mode, and the other is tunnel mode. Tunnel mode encapsulates an entire IP datagram within the ESP header. Transport mode encapsulates the transport layer frame inside ESP (the term 'transport mode' should not be misconstrued as restricting its use to TCP and UDP).

When incorporating the ESP into the IP system (IPv4, IPv6, or Extension) the protocol header immediately preceding the ESP header will contain the value 50 in its Protocol (IPv4) or Next Header (IPv6) field.

Below are some examples of how typical IPv4 and IPv6 packets might look before and after applying ESP in transport mode:

ESP under IPv4, in transport mode

ESP under IPv6, in transport mode

And an example of tunnel mode:

ESP in tunnel mode under IPv4 and IPv6

2.3 Security Association and Encryption Strength

2.3.1 Security Association

In order to use the security mechanisms, we must agree on how they are going to be used. Security Association (SA) is a set of security information relating to a given network connection or set of connections. The concept of a SA is fundamental to both the IP ESP and the IP AH. The combination of a given Security Parameter Index (SPI) and destination address uniquely identifies a particular SA. This model is required by the implementation of IPSEC, which may also support other options.

A SA normally includes the following parameters:

[required]

[recommended]

A SA is normally one-way. An authenticated communications session between two hosts will normally have two SPIs in use (one in each direction).
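The lookup described above, as an added example that is not part of the original page: an inbound ESP packet is recognised by the value 50 in the IPv4 Protocol field, and its SA is found by the pair (SPI, destination address). The table contents, addresses, SPI values and function names are constructed for illustration, and the sketch assumes the SPI occupies the first 32 bits of the ESP header.

```python
import ipaddress
import struct

ESP_PROTO = 50  # value the page gives for the Protocol / Next Header field

# Constructed SA table keyed by (SPI, destination address). Each SA is one-way,
# so a session between 192.0.2.1 and 192.0.2.2 needs one entry per direction.
SA_TABLE = {
    (0x2001, "192.0.2.2"): {"peer": "192.0.2.1", "cipher": "DES-CBC"},
    (0x3001, "192.0.2.1"): {"peer": "192.0.2.2", "cipher": "DES-CBC"},
}

def esp_packet(src, dst, spi, body=bytes(16), proto=ESP_PROTO):
    """Constructed IPv4 header (checksum left at 0) followed by SPI + body."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24 + len(body), 1, 0, 64,
                     proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!I", spi) + body

def lookup_sa(packet):
    """Return the SA for an inbound ESP packet, or None if none applies."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                          # not a complete IPv4 header
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != ESP_PROTO or len(packet) < ihl + 4:
        return None                          # not ESP, or truncated before SPI
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    (spi,) = struct.unpack_from("!I", packet, ihl)
    return SA_TABLE.get((spi, dst))          # unknown (SPI, dst) pair -> None

forward = lookup_sa(esp_packet("192.0.2.1", "192.0.2.2", 0x2001))
# Reusing the forward SPI in the reverse direction matches no SA.
reverse_wrong_spi = lookup_sa(esp_packet("192.0.2.2", "192.0.2.1", 0x2001))
print(forward, reverse_wrong_spi)
```
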

2.3.2 Encryption strength - algorithms

The encryption and authentication algorithms used for IPSEC are the heart of the system. They are directly responsible for the strength of the security the system can provide. There are, however, major drawbacks in this area. As the Internet is a global network, IP should provide uniform security everywhere. Many countries, however, either restrict or forbid the use or export of encryption algorithms. This means that IPSEC must be able to balance between the legal restrictions on the use of strong encryption and authentication, and what is available everywhere.

All hosts claiming to provide IPSEC services must implement the AH with at least the MD5 algorithm using a 128-bit key as specified in the AH RFC. An implementation may support other authentication algorithms in addition to keyed MD5. All ESP implementations must support the use of the Data Encryption Standard (DES) in Cipher-Block Chaining (CBC) mode as detailed in the ESP specification. Other cryptographic algorithms and modes may also be implemented in addition to this mandatory algorithm and mode. MD5 and DES-CBC should be set as default algorithms.

2.4 Key distribution

Security Associations rely on keys for the authentication and encryption algorithms to be used with AH and ESP. Sadly, at the time of writing, no definite system for automatic key distribution has been proposed. Work is underway to define such a system; currently, however, manual key distribution must be used.

Although this is arguably the most secure method to distribute keys, and the simplest one, it does not scale, and only works in very small, static systems. It can be used for LANs and some firewall systems, but is a short-term approach.

Work is currently under way to provide a secure and efficient method for automatic key distribution. For more details please visit the IETF web site.


* non-repudiation - The property of a receiver being able to prove that the sender of some data did in fact send the data even though the sender might later desire to deny ever having sent that data.


Marcin Dobrucki, 1997