Next: List of Figures
Up: 8.4 Internet TCP/IP security
Previous: 8.4.1 TCP level security
IPSEC is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6 [8.3]. IPSEC provides lower-level encryption, covering not only TCP packets, but also UDP datagrams, ICMP packets and routing control protocols. The downside of protection at the lower level is that all traffic is protected, which can cause performance hits (especially for routing devices). Two nodes wishing to communicate under IPSEC will initially use a key management protocol (ISAKMP, based on Diffie-Hellman [8.4]) to negotiate which services, algorithms and keys are to be used. IP is by default stateless (connectionless); however, in order to support certain security features the concept of state is required. To capture this state, security associations have to be set up.
Comparable with NLSP, IPSEC has two main modes of use:

1. transport mode between two end-nodes
2. tunnel mode between two security gateways (firewalls or border routers).

Tunnel mode is useful for gateway-to-gateway encryption and is valuable for building virtual private networks (VPNs) across an untrusted backbone such as the Internet ([ATK95]). Depending on the encapsulation process used, AH (Authenticated Header) or ESP (Encapsulating Security Payload), the set of security services offered can include:

- connectionless integrity (AH; ESP)
- data origin authentication (for header: AH; for payload: ESP)
- partial sequence integrity (against replay attacks - AH)
- confidentiality (encryption - ESP)
- limited traffic flow confidentiality (ESP).
The type of encapsulation used (AH, ESP, AH+ESP) will depend on the security requirements and communications bandwidth. Security associations are specific to AH or ESP, and each requires two SAs. The type of cryptographic algorithm used (MD5, SHA-1, DES) will be influenced by the available processing power. Choices made will consequently be reflected in the cost of letting nodes communicate securely. Note that Internet IP does not provide traffic padding functionality. Traffic flow confidentiality has to be provided through some form of link encryption (cf. supra).
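The partial sequence integrity service listed above (replay protection in AH) is enforced at the receiver with a sliding window over the sequence numbers carried in each packet. The following Python block is an added example and not code from the original text; the 64-packet window width, the class name and the constructed list of received sequence numbers are assumptions for illustration.

```python
# Added example (not from the original text): receiver-side anti-replay
# window for one security association (one direction of traffic).
# The window width of 64 is an assumption chosen for illustration.

WINDOW = 64


class AntiReplayWindow:
    """Replay state for a single SA: highest accepted sequence number plus a
    bitmap of which of the preceding WINDOW numbers have already arrived."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check(self, seq):
        """Return True (accept, state updated) if seq is new and inside the
        window; return False (drop) for replayed or too-old packets."""
        if seq <= 0:
            return False                       # sequence number 0 is never valid
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift < self.window:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            else:
                self.bitmap = 1                # jumped past the whole window
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window:
            return False                       # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                       # already received: replay, drop
        self.bitmap |= 1 << offset             # late but new: accept, mark seen
        return True


def filter_sequence(seqs, window=WINDOW):
    """Feed a constructed list of received sequence numbers through one SA's
    window and return the accept (True) / drop (False) decision per packet."""
    w = AntiReplayWindow(window)
    return [w.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: in-order, a replay of 2, a reorder (5 before 4),
    # a jump to 70, then stale 5 and 6, then 7 which is just inside the window.
    print(filter_sequence([1, 2, 3, 2, 5, 4, 70, 5, 6, 7]))
```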
Footnotes

[8.3] IPSEC source code implementations are currently available from US Naval Research Laboratory's Network Security Research Section.

[8.4] Also provides protection against denial-of-service attacks.
(c) 1998, Filip Schepers