IPsec
- Summary
-
Discussion
- How does IPsec compare with other security techniques that exist at different OSI layers?
- What's the architecture of IPsec protocol suite?
- What are the services offered by IPsec?
- What are the primary applications of IPsec?
- What are the security protocols in the IPsec suite?
- Can you explain the different authentication modes in IPsec?
- How does IPsec implementations vary between IPv4 and IPv6?
- What are the disadvantages of IPsec?
- Milestones
- References
- Further Reading
- Article Stats
- Cite As
IPsec (IP Security) is a suite of security protocols added as an extension to the IP layer in networking. IPsec can ensure a secure connection between two computing devices over unprotected IP networks, such as the Internet. The nature of security threats which IPsec prevents are varied and constantly changing—such as man-in-the-middle attacks, sniffing, replay attacks. IPsec finds application in three security domains: Virtual Private Networks (VPNs), application-level Security and routing security.
IPsec protocols cover the entire communication process – (1) Initial authentication of the two connecting devices (2) Confidentiality of transmitted data during actual communication.
IPsec is a capability built over IP (IPv4 and IPv6) by means of additional headers. It consists of three distinct functions – authentication, confidentiality and key management.
Similar to IP itself, IPsec is an open standard maintained by the Internet Engineering Task Force (IETF).
Discussion
-
How does IPsec compare with other security techniques that exist at different OSI layers? Network server systems protect data in the network by supporting a variety of cryptography-based network security protocols. Key differentiating features of these protocols are:
- IPsec: Supports network-level peer and data origin authentication, data integrity, data encryption, and protection.
- SSL (Secure Sockets Layer): Doesn't require pre-shared key like in IPsec, uses public key cryptography to negotiate handshake and securely exchange encryption keys. Useful for bypassing firewalls and port-based traffic blocking.
- TLS (Transport Layer Security): Cryptographic algorithms based on cipher suite that server and client negotiate. Uses SSL protocol.
- HTTPS: Sets up encrypted link using TLS. Data transfer is encrypted between browser and web server, preventing cyber criminals from reading or altering data.
- SNMP (Simple Network Management Protocol): User-based Security Model (USM) which provides different levels of security based on the user accessing managed information. Uses authentication and data encryption for privacy.
- OSPF (Open Shortest Path First) Authentication: Dynamic routing protocol. Supports message authentication and integrity of OSPF routing messages. Unauthorized IP resource cannot inject messages into network without detection. Ensures integrity of routing tables in the OSPF routing network.
-
What's the architecture of IPsec protocol suite? IPsec specifies procedures, components, their inter-relationship and the general process required to provide security services at IP layer.
IPsec is a suite of three transport-level protocols used for authenticating the origin and content of IP packets and optionally for data payload encryption. Applications can invoke IPsec on IP datagrams that are security enabled in the IPsec global policy file on system-wide or per-socket level.
Key components of IPsec architecture include:
- Security Associations (SA): Specifies security properties recognized by communicating hosts. Hosts require two SAs to communicate securely, one for each direction. Prior to transmission of protected datagrams, they agree upon specific security protections, cryptographic algorithms, secret keys to be applied and specific types of traffic to be protected.
- IPsec Protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload) protocols are for authentication. They contain proof of data source, data integrity and anti-replay protection. The third protocol IKE (Internet Key Exchange) is a hybrid protocol used for peer authentication and key exchange processes before actual data transfer begins.
- IPsec modes: Both protocols (AH & ESP) support two modes - transport mode & tunnel mode.
-
What are the services offered by IPsec? IPsec offers a number of services: access control, connectionless integrity, data origin authentication, rejection of replayed packets, confidentiality (encryption), and limited traffic flow confidentiality.
-
What are the primary applications of IPsec? IPsec enables secure communication over the Internet, independent from the application or higher protocols. It supports network layer security, but it's compatible with schemes providing security at application layer. It provides secure communication across LAN, private/public WAN and the Internet.
(1) An enterprise may establish a secure VPN connection over a public WAN or Internet. IPsec minimises the need for a private network and hence saves costs. Ensures authentication, confidentiality and encryption. Application scenarios include:
- Secure connection between head office and branches (client-server)
- Different branches (peers) of same company
- Workers connect to company intranet remotely
- Intranet or extranet connectivity with partners (partner organizations, payment gateways, third party transactions)
(2) Security for e-commerce applications, mainly B2B. IPsec enhances existing application-level security features. Customer-oriented commerce is primarily web based and uses SSL.
(3) Network diagnostics for debugging connections. A tunnel is initiated with a ping from the remote device.
(4) IPsec usage in a 4G network, simple end-to-end implementation between the mobile device and the services network peer (security gateway, server or another peer).
-
What are the security protocols in the IPsec suite? IPsec protocol suite mainly consists of these protocols:
- Authentication Header (AH): AH is an extension header to provide data integrity, authentication and anti-replay but it doesn't provide encryption. Anti-replay protection ensures partial sequence integrity and protects against unauthorized transmission of packets. Implements strong hashing algorithms to provide data integrity. AH doesn't provide data confidentiality.
- Encapsulating Security Payload (ESP): ESP consists of an encapsulating header and trailer. Provides all that AH offers (data integrity, encryption, authentication and anti-replay). It additionally provides authentication for payload data using symmetric key encryption. Uses encryption algorithms such as GCM, DES, 3DES, and AES. Set of services provided depends on options selected at the time of Security Association (SA) establishment and location of the implementation in a network topology.
- Internet Key Exchange (IKE): IETF-specific key managing protocol for exchanging and negotiating security policies. Supports manual or dynamic association of management in cryptographic keys. Can be used outside IPsec as well.
-
Can you explain the different authentication modes in IPsec? For authentication, both AH and ESP support two modes of use: transport and tunnel mode. Authentication can be applied to the entire original packet (tunnel mode) or to the packet contents except the IP header (transport mode).
- Transport Mode: Client to client. Covers most of the original packet. Original IP packet is used with ESP and AH Headers, then original IP Header is reused in front of ESP and AH Headers. This mode doesn't change the IP packet header. Only IP protocol field is changed to 51 (AH) or 50 (ESP), and checksum of IP packet header is recalculated. This mode is used when we have end-to-end control of the network, so that there will be no packet manipulation through the network.
- Tunnel Mode: Covers entire original packet. Inserts the original packet in a new IP packet, a new IP Header is added in front of the ESP and AH Headers. Original IP packet header is hidden. This mode is used in communications between VPN gateways or between a host and a VPN gateway. Tunnel Mode is the default option.
-
How does IPsec implementations vary between IPv4 and IPv6? Security concerns were raised over IPv4. As a result, IPsec was first developed for the newest version of Internet Protocol (IPv6), then retrospectively added for IPv4. It was included as a mandatory feature in the IPv6 standards whereas it's optional and must be supported externally in IPv4.
By design, IPv6 is more secure from IP address scanning attacks, as its address space is huge. So IP scanning techniques in networks may not work to find possible computers with security vulnerabilities, as it could take years.
IPsec in IPv4 is widely used for VPNs. These are terminated at the edge of networks. In IPv4, IPsec is generally not used to secure end-to-end traffic because of the widespread use of Network Address Translation in IPv4, called NAT44. NAT mangles the IPv4 headers and breaks IPsec. This restriction doesn't exist in IPv6, so that using IPsec end-to-end becomes more practical.
-
What are the disadvantages of IPsec? - Over-reliance on public keys: If a network has poor key management or the integrity of the keys is compromised then the IPsec security factor is lost.
- Performance overhead: High CPU usage because all data that passes through the server has to be encrypted and decrypted. When data packet size is small, network performance suffers due to large IPsec overhead. May need to use hardware appliances such as VPN Concentrators.
- Wide access range of privileges: Giving access to a single device in IPsec-based network can give access privileges for other devices too. So if any device in a home network is compromised, it might affect the corporate network that is connected from the home network (through the IPsec tunnel).
- Implementation complexity: IPsec contains many options and high flexibility, which makes it popular. But also adds to its complexity.
- Network compatibility issues: When we are connected to an IPsec-based VPN, we can't connect to another network due to restrictions in firewalls. Also, IPsec doesn't provide support for multi-protocol and IP multicast traffic.
Milestones
IETF publishes IPv6 specification to overcome the limitations of IPv4. IETF initiated the design and development of IPv6 back in 1994. Also in 1998, IPsec protocol definitions are superseded by RFC 2401 and RFC 2412. The mutual authentication and key exchange protocol Internet Key Exchange (IKE) is added to IPsec to create and manage Security Associations.
References
- Bischoff, Paul. 2019. "VPN encryption explained: IPSec vs SSL." Blog, Comparitech, February 2. Accessed 2021-01-19.
- Cloudfare. 2020. "What is IPsec? | How IPsec VPNs work." Cloudflare Inc. Accessed 2020-11-30.
- George, Sijin. 2019. "Advantages and Disadvantages of IPSec – A quick view." Blog, Bobcares, February 13. Accessed 2021-01-19.
- Hoffman, Jason. 2021. "IPv4 vs IPv6 Security: Know the Difference." WisdomPlexus. Accessed 2021-01-19.
- Holder, David. 2019. "Common misconceptions about IPv6 security." Blog, APNIC, March 18. Accessed 2021-01-19.
- Huawei. 2021. "NE40E V800R010C10SPC500 Feature Description - Security 01." Accessed 2021-01-19.
- IBM. 2021. "Network security protocols." IBM z/OS V2R4.0 Docs, IBM Knowledge Center, IBM. Accessed 2021-01-19.
- IONOS. 2016. "Secure network connections with IPsec." Know-how, IONOS Digital Guide, 1&1, August 03. Accessed 2021-01-19.
- IPv4MarketGroup. 2021. "A Brief History of IPv4." IPv4MarketGroup. Accessed 2021-01-19.
- Jisc. 2021. "IP security: overview and architecture." Jisc community. Accessed 2021-01-19.
- Kent, S. and K. Seo. 2005. "Security Architecture for the Internet Protocol." RFC 4301, IETF, December. Accessed 2021-01-19.
- Kosem, Gokhan. 2018. "IPSec VPN Overview." IPCisco. Accessed 2021-01-19.
- Loshin, Peter. 2019. "IPsec vs. SSL VPN: Comparing speed, security risks and technology." TechTarget, June. Accessed 2021-01-19.
- Oracle. 2010. "IP Security Architecture (Overview)." Chapter 1 in: IPsec and IKE Administration Guide, Oracle Corporation. Accessed 2021-01-19.
- Organero, Mario Muñoz. 2010. "Applications: IPSEC." Chapter 6 in: Coding Techniques, Open Course Ware, Universidad Carlos III de Madrid, July. Accessed 2021-01-19.
- Perle. 2021. "IPSEC VPN Gateway." Perle. Accessed 2021-01-19.
- Roomi, Abdullah. 2018. "IP Security." Hebron University, August 5. Accessed 2020-11-30.
- Stallings, William. 2011. "Network Security Essentials: Applications and Standards." Fourth edition, Pearson Education Inc. publishing as Prentice Hall. Accessed 2020-11-30.
- Thomas, John and Adam Elbirt. 2004. "How IPsec works, why we need it, and its biggest drawbacks." CSO from IDG, January 06. Accessed 2021-01-19.
- Turnbull, James. 2005. "The pros and cons of IPsec." TechTarget, October 28. Accessed 2021-01-19.
- Vintilă, Cristina-Elena. 2012. "Potential Applications of IPsec in Next Generation Networks." Chapter 11 in: Sen, Jaydip (ed), Cryptography and Security in Computing, IntechOpen, March 07. Accessed 2021-01-19.
- W3Schools. 2021. "Network Protocols and its Security." W3Schools. Accessed 2021-01-19.
- Wikipedia. 2021. "IPsec." Wikipedia, December 23. Accessed 2021-01-19.
- Worthman, Ernest. 2015. "IPsec Security In IPv6." Semiconductor Engineering, April 02. Accessed 2021-01-19.
Further Reading
- Stallings, William. 2011. "Network Security Essentials: Applications and Standards." Fourth edition, Pearson Education Inc. publishing as Prentice Hall. Accessed 2020-11-30.
- Organero, Mario Muñoz. 2010. "Applications: IPSEC." Chapter 6 in: Coding Techniques, Open Course Ware, Universidad Carlos III de Madrid, July. Accessed 2021-01-19.
- Kent, S. and K. Seo. 2005. "Security Architecture for the Internet Protocol." RFC 4301, IETF, December. Accessed 2021-01-19.
Article Stats
Cite As
See Also
- Domain Name System
- Internet Engineering Task Force
- Virtual Private Network
- Internet Protocol
- Transport Layer Security
- IPv4 vs IPv6
Article Warnings
- Readability score of this article is below 50 (41.7). Use shorter sentences. Use simpler words.