Notes for Lecture-37

MCA 206: Advanced Computer Networks

IP Security (IPSec)

1. Introduction

1. IPSEC, as the architecture is called, is really a framework for providing all the security
services. As an architecture, IPSEC provides three degrees of freedom.
2. It is highly modular, allowing users (or more likely, system administrators) to select from
a variety of encryption algorithms and specialized security protocols.
3. IPSEC allows users to select from a large menu of security services, including access
control, integrity, authentication, protection against replay, and confidentiality (privacy).
4. IPSEC allows users to control the granularity with which the security services are
applied. For example, IPSEC can be used to protect both “narrow” streams (e.g., packets
belonging to a particular TCP connection being sent between a pair of hosts) or “wide”
streams (e.g., all packets flowing between a pair of gateways).
IPSEC consists of two pieces. The first piece is a pair of protocols that implement the available
security services. They are the Authentication Header (AH), which provides access control,
connectionless message integrity, authentication, and anti-replay protection, and the
Encapsulating Security Payload (ESP), which supports these same services, plus confidentiality.
The second piece is support for key management, which fits under an umbrella protocol known
as ISAKMP: Internet Security Association and Key Management Protocol.

2. Security Association

The abstraction that binds these two pieces together is the security association (SA). An SA is a
simplex (one-way) “connection” that is protected by one or more of the available security
services. Security associations may be established between a pair of hosts, between a host and a
security gateway (a router that supports IPSEC), or between a pair of security gateways. For
example, an SA might be established to ensure the integrity of every packet sent from one
security gateway to another; these packets are in effect tunneled between the security gateways.
Securing a bidirectional communication between a pair of hosts—corresponding to a TCP
connection, for example—requires two security associations, one in each direction. From the
local host’s perspective, a given SA contains all the information required to execute the security
services of AH and ESP. When created, an SA is assigned a security parameters index (SPI) by
the receiving machine. A combination of this SPI and the destination IP addresses uniquely
identifies a security association.
Both AH and ESP put the SPI in their header. The receiving host then uses this information to
determine which SA an incoming packet belongs to, and hence, what algorithms to apply to the
packet. ISAKMP’s role is to define procedures and packet formats to establish, negotiate,
modify, and delete security associations. It defines packet formats for exchanging key generation
and authentication data. These formats aren’t terribly interesting because they provide a
framework only—the exact form of the keys and authentication data depends on the key
generation technique, the encryption algorithm, and the authentication mechanism that is used.
Moreover, ISAKMP does not specify a particular key exchange protocol, although it does
suggest the Internet Key Exchange (IKE) as one possibility.

3. Authentication Header (AH)

The Authentication Header provides connectionless integrity and data origin authentication for
IP datagrams. It also optionally provides protection against replays. It either follows the IPv4
header or is an IPv6 extension header, depending on which version of IP it is used with. The
NextHdr field identifies the type of the next payload after the Authentication Header. The
PayloadLength field specifies the length of the AH in 32-bit words (4-byte units) minus 2.5 The
Reserved field is reserved for future use; it is set to 0 for now. The SPI field is an arbitrary 32-bit
value that, in combination with the destination IP address, uniquely identifies the security
association for this datagram. All IPv6 extension headers encode the “Hdr Ext Len” field by first
subtracting 1 (64-bit word) from the header length (measured in 64-bit words). AH is an IPv6
extension header, but since its length is measured in 32-bit words, the payload length is
calculated by subtracting 2 (32-bit words).

NextHdr Payload Length Reserved

Security Parameter Index (SPI)

Sequence Number

Authentication Data

Figure: IPSEC’s Authentication Header

The SeqNum field contains a monotonically increasing counter, or sequence number. This field
is used to protect against replay, but it is present even if the receiver does not elect to enable the
anti-replay service for a specific SA. The sender’s counter and the receiver’s counter are
initialized to 0 when an SA is established. If anti-replay is enabled, which is the default, the
transmitted sequence number must never be allowed to cycle. Thus, the sender’s counter and the
receiver’s counter must be reset by establishing a new SA—and thus a new key—prior to
transmitting the 232nd packet on an SA. Finally, AuthenticationData is a variable-length field
that contains the message integrity code for this packet. The field must be an integral multiple of
32 bits in length.

4. Encapsulating Security Payload (ESP)

The Encapsulating Security Payload header is designed to provide a mix of security services in
IPv4 and IPv6. ESP may be applied alone, or in combination with the AH. The ESP header is
inserted after the IP header and before the upper-layer protocol header (when used between a
pair of hosts), or before an encapsulated IP header when used to tunnel between a pair of security
gateways. ESP provides confidentiality, data origin authentication, connectionless integrity, and
an antireplay service. The set of services provided depends on options selected at the time the SA
is established. Confidentiality may be selected independent of all other services, but it is
expected that confidentiality is supported in conjunction with integrity/authentication, either in
ESP or separately in AH. Data origin authentication and connectionless integrity are joint
services and are offered as an option in conjunction with (optional) confidentiality. The
antireplay service may be selected only if data origin authentication is selected, and its election is
solely at the discretion of the receiver. Note that although both confidentiality and authentication
are optional, at least one of them must be selected.

Security Parameter Index (SPI)

Sequence Number

PayloadData

Padding (0–255 bytes)

PadLength NextHdr

Authentication Data

Figure: IPSEC’s ESP header

Like AH, the ESP header either follows the IPv4 header or is an IPv6 extension header. Its
format is shown in Figure. The SPI field has the same function as in the AH: It helps the
receiving host identify the security association to which the packet belongs. Similarly, the
SeqNum field protects against replay attacks. The packet’s PayloadData contains the data
described by the NextHdr field. If confidentiality is selected, then the data is encrypted by
whatever encryption algorithm was associated with the SA. Padding is sometimes necessary, for
example, because the encryption algorithm requires the plaintext to be a multiple of some
number of bytes, or to ensure that the resulting ciphertext terminates on a 4-byte boundary. The
PadLength field records how much padding was added to the data. Finally, the
AuthenticationData carries the MIC, just as in AH. This field is present because ESP is general
enough to support message integrity and authentication, in addition to privacy. One of the most
popular ways to use the ESP is to build an “IPSEC tunnel” between two routers. For example, a
corporation wanting to link two sites using the Internet could configure a tunnel from a router at
one site to a router at the other site.