
IP SECURITY

Dr. RAFAT.ALHANANI
IP SECURITY OVERVIEW

In 1994, the Internet Architecture Board (IAB) issued a report titled “Security in the Internet
Architecture” (RFC 1636). The report identified the need to secure end-user-to-end-user traffic
using authentication and encryption mechanisms.
To provide security, the IAB included authentication and encryption as necessary security features
in the next-generation IP, which has been issued as IPv6. Fortunately, these security capabilities
were designed to be usable both with the current IPv4 and the future IPv6. This means that vendors
can begin offering these features now, and many vendors now do have some IPsec capability in
their products.

IP Security by Dr.Rafat.Alhanani 2
Virtual Private Network (VPN)
Tunneling
Tunneling is the process of encapsulating your data into packets that are securely transmitted between
your device (the client) and the remote VPN server over an insecure network such as the internet. This
tunnel (a virtual pathway) ensures that the data sent over the network is isolated from the public
network.

Here’s how tunneling works:


1. Encapsulation: your device takes the original data (say a web request, or any data you're sending)
and wraps it inside a packet with additional information. This packet, often called the outer packet, is
then sent through the tunnel. The outer packet contains only the information necessary to route the data
through the tunnel (e.g., the IP addresses of the client and the VPN server).
2. Transmission: once encapsulated, the data is sent across the internet in the form of these packets.
The tunnel ensures that the data inside cannot be accessed or tampered with while traveling.
3. Decapsulation: when the data reaches the VPN server, the outer headers are stripped off
(decapsulation) and the data is delivered to its destination.

Virtual Private Network (VPN)
Tunneling Protocols
They define the rules and format for this secure communication. These protocols set up the virtual tunnel,
but the key point is that the actual data you're sending is encapsulated in this tunnel.

The roles of Tunneling Protocols:


1. Coordinate the connection.
2. Manage how data is encapsulated and transmitted securely.
Classification of tunneling protocols:
1. VPN tunnel protocols: IPsec, L2TP over IPsec, GRE over IPsec and PPTP provide both tunneling
and security features (encryption and authentication). Each one has its own form of "tunnel header";
these headers are specific to the tunneling protocol used to encapsulate the original traffic within an
additional layer of information.

2. Non-VPN tunnel protocols: GRE and L2TP are generally used to manage how data is encapsulated
and transmitted rather than to provide full VPN capabilities such as encryption, authentication, and
confidentiality. Generic Routing Encapsulation (GRE) provides a tunnel that can carry packets from
various protocols.
Virtual Private Network (VPN)
PPTP VPN tunnel establishment, an example:
PPTP relies on GRE to encapsulate data packets (i.e., wrap them in GRE headers) to send them over the
internet.
• Client Connection Request: The client initiates a connection to the VPN server by sending a request to
establish a PPTP tunnel on port 1723. This port is commonly associated with PPTP and can pass through
network firewalls that allow PPTP traffic.
• Control Channel Establishment: PPTP first establishes a control channel using TCP, which enables the
client and server to exchange control messages about the session's status and settings.
• GRE Tunneling (Encapsulation): This is the process of taking the original data (like a packet from a
network protocol such as PPP) and placing it into a new packet with a new header (in this case, the GRE
header). This new "outer" packet carries the "inner" packet, so it can travel through a network that supports
the GRE protocol (routers and networks that understand GRE).

Virtual Private Network (VPN)

Outer Header: This is the new IP header added during encapsulation to route the packet across the
VPN tunnel. It carries the IP addresses of the VPN gateways (client and server) rather than the original
source and destination addresses. It allows the packet to travel across the broader network or internet
to reach the other endpoint of the tunnel.

Tunnel Header: This term usually refers to the protocol-specific header that wraps the original packet
and provides information required by the VPN protocol to manage the encapsulated data. This could
be an IPsec ESP header, GRE header, or SSL/TLS headers, depending on the VPN type. The tunnel
header contains details on encryption, integrity, and packet management but is typically distinct from
the outer header.
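Added example, not from the slides: a small Python model of the outer header / tunnel header / inner packet layering described above, using basic GRE (RFC 2784) over IPv4 rather than PPTP's enhanced GRE. The gateway addresses, LAN addresses and the TCP payload are constructed sample values.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number for GRE in the outer header
INNER_ETHERTYPE = 0x0800  # GRE protocol type announcing an encapsulated IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (even length)."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, TTL 64) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Outer IP header (gateway addresses) + tunnel header (GRE) + untouched inner packet."""
    tunnel_hdr = struct.pack("!HH", 0, INNER_ETHERTYPE)  # basic GRE: no flags, version 0
    return build_ipv4(gw_src, gw_dst, GRE_PROTO, tunnel_hdr + inner)


def gre_decapsulate(outer: bytes) -> bytes:
    """Validate the outer header, strip it and the GRE header, return the inner packet."""
    ihl = (outer[0] & 0x0F) * 4
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags != 0 or ptype != INNER_ETHERTYPE:
        raise ValueError("unsupported GRE header")
    return outer[ihl + 4:]


def addresses(packet: bytes) -> tuple:
    """(source, destination) of an IPv4 packet, to compare outer and inner headers."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


# Constructed sample: a host on one LAN sends a TCP segment to a host behind the far gateway.
INNER = build_ipv4("10.0.0.5", "10.0.1.7", 6, b"constructed TCP segment")
OUTER = gre_encapsulate(INNER, "203.0.113.10", "198.51.100.20")
```

Only the outer header carries the gateway addresses; the inner packet's own source and destination survive the tunnel unchanged.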

Applications of IPsec

IPsec provides the capability to secure communications across a LAN, across private and public WANs,
and across the Internet to those end users whose systems are equipped with IP security protocols. Examples
of its use include:
1. Secure branch office connectivity over the Internet
2. Secure remote access over the Internet
3. Establishing extranet and intranet connectivity with partners
4. Enhancing electronic commerce security

The principal feature of IPsec
It supports applications to encrypt and/or authenticate all traffic at the IP level. Thus, all
distributed applications (including remote logon, client/server, email, file transfer, Web access, and
so on) can be secured.

IPsec protocols
For traffic offsite, through some sort of private or public WAN, IPsec protocols are used. These
protocols operate in networking devices, such as a router or firewall, that connect each LAN to
the outside world. The IPsec networking device will typically encrypt all traffic going into the WAN
and decrypt traffic coming from the WAN; these operations are transparent to the workstations and
servers on the LAN, which are unaffected by and unaware of them.

An IPSec VPN Scenario

Benefits of IPsec
Some of the benefits of IPsec:
• When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all
traffic crossing the perimeter.
• IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the
only means of entrance from the Internet into the organization.
• IPsec is below the transport layer (TCP, UDP) and so is transparent to applications.
• IPsec assures that a router advertisement (a new router advertises its presence) comes from an
authorized router.
• IPsec assures that a neighbor advertisement (a router seeks to establish or maintain a neighbor
relationship with a router in another routing domain) comes from an authorized router.
• IPsec assures that a routing update is not forged.
• Routing protocols such as Open Shortest Path First (OSPF) should be run on top of security
associations between routers that are defined by IPsec.
IPsec Services
IPsec provides security services at the IP layer by enabling a system to:
1. select the required security protocols,
2. determine the algorithm(s) to use for those services, and
3. put in place any cryptographic keys required to provide the requested services.

The services provided by IPSec are:


■ Access control
■ Connectionless integrity
■ Data origin authentication
■ Rejection of replayed packets (a form of partial sequence integrity)
■ Confidentiality (encryption)
■ Limited traffic flow confidentiality

IPsec Protocols
Two protocols are used to provide security:
1. Authentication Header (AH)
2. Encapsulating Security Payload (ESP) which is a combined encryption/authentication
protocol.
Transport and Tunnel Modes
Both AH and ESP support two modes of use: transport mode and tunnel mode.

IPsec authentication (Authentication Header (AH) protocol)

In the context of IPsec, authentication means verifying the identity of the sender and ensuring that the
data has not been altered during transmission. IPsec achieves this by using cryptographic hash
functions within the Authentication Header (AH). Here’s what happens when IPsec authenticates data:

1. Data Integrity: IPsec uses cryptographic hashes (like SHA-1 or SHA-256) to create a unique
"fingerprint" (called a hash or message digest) of the data being sent. When the recipient
receives this data, they can compute the hash again and compare it to the sender's hash. If both
hashes match, the data has not been tampered with.
2. Securely authenticate data: IPsec uses an HMAC function, which combines the hash function
(SHA-1, SHA-256) with a shared secret key. This key is known only to the sender and receiver, ensuring
that only those who know the key can generate or verify the HMAC. HMACs thus offer both
authentication (verifying sender identity) and integrity (ensuring data hasn't been tampered
with).
3. Authentication Header (AH) does not provide confidentiality (it does not offer encryption), meaning
the data remains visible.

The fields in the AH header:
1. Next Header (8 bits): Identifies the type of the next header following the AH header, typically a higher-layer protocol (like
TCP, UDP) or another encapsulated IP header.
2. Payload Length (8 bits): Specifies the length of the AH header in 32-bit words, minus two. This length helps the receiver
determine where the next header begins.
3. Reserved (16 bits): This field is reserved for future use and is usually set to zero. It may contain flags if needed in future
versions of the protocol.
4. Security Parameters Index (SPI) (32 bits): Identifies the Security Association (SA) that applies to this packet. It acts like a
tag that helps the receiving party know which algorithms, keys, and settings to use for validation.
5. Sequence Number (32 bits): Used to prevent replay attacks. Each packet is given a unique number within an SA. The
receiver checks this sequence number to ensure packets are processed in order and not reused by an attacker.
6. Integrity Check Value (ICV) (variable length): This field holds the result of a cryptographic hash function (e.g., HMAC-SHA1
or HMAC-SHA256). It is computed over the IP packet and the AH header, providing authentication and integrity. The
length of the ICV depends on the specific algorithm used.
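Added example, not from the slides: a Python model of the AH header layout above, combined with the HMAC integrity check and the sequence-number replay check from the previous slide. It assumes HMAC-SHA-256-128 (a 16-byte ICV, so Payload Length is 5), covers only the AH header and payload rather than the immutable IP header fields, and replaces the RFC's sliding replay window with a strictly-increasing check; the key and payload are constructed.

```python
import hashlib
import hmac
import struct

AH_FIXED_LEN = 12  # Next Header, Payload Length, Reserved, SPI, Sequence Number
ICV_LEN = 16       # HMAC-SHA-256-128: the 256-bit HMAC truncated to 128 bits


def _icv(key: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over the AH header (ICV field zeroed) and the data it protects.
    Simplified: a real implementation also covers the immutable IP header fields."""
    mac = hmac.new(key, ah_fixed + bytes(ICV_LEN) + payload, hashlib.sha256)
    return mac.digest()[:ICV_LEN]


def build_ah(next_header: int, spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    # Payload Length is the AH length in 32-bit words minus two: (12 + 16) / 4 - 2 = 5
    payload_length = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_length, 0, spi, seq)
    return ah_fixed + _icv(key, ah_fixed, payload) + payload


def parse_ah(packet: bytes) -> dict:
    """Split an AH packet into its fields; the ICV length follows from Payload Length."""
    nh, plen, reserved, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED_LEN])
    ah_len = (plen + 2) * 4  # invert the "minus two" rule to find where the next header begins
    return {"next_header": nh, "payload_length": plen, "reserved": reserved, "spi": spi,
            "seq": seq, "icv": packet[AH_FIXED_LEN:ah_len], "payload": packet[ah_len:]}


class AhReceiver:
    """Receiving side of one SA: replay check first, then ICV verification."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_seq = 0  # simplified: accept only strictly increasing sequence numbers

    def verify(self, packet: bytes) -> str:
        f = parse_ah(packet)
        if f["seq"] <= self.highest_seq:
            return "replay"           # already seen: drop before spending any crypto work
        expected = _icv(self.key, packet[:AH_FIXED_LEN], f["payload"])
        if not hmac.compare_digest(expected, f["icv"]):
            return "bad ICV"          # forged, wrong key, or modified in transit
        self.highest_seq = f["seq"]   # only an authenticated packet advances the replay state
        return "ok"


KEY = bytes(range(32))  # constructed 256-bit shared secret for this SA
```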

AH Transport Mode
IPsec only encrypts and authenticates the data portion (payload) of the IP packet, not the entire
packet. The original IP header remains unchanged, which is useful when the two endpoints are in direct
communication, such as between two servers within the same network.
Original IP Header: The original source and destination IP addresses are visible.
AH Header: Contains authentication data, ensuring data integrity and authenticity.
Payload: The data that is being transmitted, authenticated by the AH header but not encrypted.

AH Tunnel Mode
In Tunnel Mode, IPsec encapsulates the entire original IP packet (header + payload) within a new IP
packet. This mode is commonly used in VPNs where data is being sent between networks over the internet.
New IP Header (Outer Header): The packet's source and destination appear as the IP addresses of the
IPsec gateways (e.g., firewall or VPN device).
AH Header: Ensures the integrity and authenticity of the entire encapsulated packet.
Original IP Header + Payload: The original data packet, which is now encapsulated and authenticated.
