Implementation


IPSec uses two major protocols to carry out its purpose. These two protocols are the Authentication Header (AH) and Encapsulating Security Payload (ESP).

Authentication Header (AH)

The authentication header guarantees integrity, replay protection, and authenticity; it does not guarantee confidentiality. If a packet is sent from host A to host B and the two share a common key, then B knows that the packet came from A, was not created by a third party, and was not manipulated in transit. The weakness of the authentication header is that it applies no encryption, so the packet contents remain readable to anyone on the path.

Authentication Header Packet

Pad Length - 8 Bits | Next Header - 8 Bits | Reserved - 16 Bits
Security Parameters Index (SPI) - 32 Bits
Sequence Number - 32 Bits
Authentication Data - Variable Length

Pad Length - Specifies the size of the Authentication Header.

Next Header - Indicates the protocol that follows the header, such as TCP.

SPI - Identifies the security parameters used for this connection.

Sequence Number - Keeps track of the order of packets, which is what makes replay protection possible.

Authentication Data - The signature (integrity check value) of the packet.


Encapsulating Security Payload (ESP)

The Encapsulating Security Payload uses encryption algorithms to provide confidentiality. ESP can also provide authentication and integrity, which are prerequisites for replay protection.

* Each protocol has its own header format. IPSec does not itself define the security algorithms; it defines the framework within which those algorithms are used.


Internet Key Exchange (IKE)

IKE is a hybrid protocol that negotiates, on behalf of the hosts or networks, the secure communication methods both sides will use: each party agrees on the authentication methods, algorithms and keys. IKE provides a way for keys to be handled securely and guarantees that the peer you are speaking to is who it claims to be.


Operation Modes

IPSec operates under two modes:

Transport Mode

Transport mode encrypts the data being sent but leaves the IP header intact. If the packet were captured on the link, an observer could see the source and destination addresses, but not the original data. Transport mode can use the authentication header, the encapsulating security payload, or both.

Here is an example of a transport mode AH packet:

IP Header | AH | TCP Header | Data


Here is an example of a transport mode packet using AH and ESP together. Because ESP cannot authenticate the IP header, AH is added for that purpose:

IP Header | AH | ESP | TCP Header | Data


Tunnel Mode

Tunnel mode differs from transport mode in that the routers, rather than the hosts, encrypt the data and headers: the original IP packet, header included, is carried inside a new outer IP packet. It can use both the Authentication Header and Encapsulating Security Payload protocols.

Here is an example of a tunnel mode AH packet:

IP Header | AH | IP Header 2 | TCP Header | Data


Here is an example of a tunnel mode packet using AH and ESP together:

IP Header | AH | ESP | IP Header 2 | TCP Header | Data
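The following is an added example, not code from the original page, that ties the Authentication Header fields above to the transport and tunnel mode layouts just shown. It builds AH packets in both modes using the RFC 2402 field order (Next Header, Payload Len, Reserved, SPI, Sequence Number, Authentication Data), computes the authentication data as a truncated HMAC-SHA-256 over the packet with the mutable IP fields zeroed, and verifies received packets against a sliding anti-replay window. The key, addresses and TCP segment are constructed sample values, and the whole thing runs on the standard library only.

```python
"""Added example (not from the original page): IPsec AH in transport and
tunnel mode with HMAC-SHA-256-128 as the authentication algorithm."""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO, TCP_PROTO, IPIP_PROTO = 51, 6, 4   # IP protocol numbers
ICV_LEN = 16                                  # 32-byte HMAC truncated to 16 bytes
AH_FIXED_LEN = 12                             # Next Header, Payload Len, Reserved, SPI, Seq
IPV4_FMT = "!BBHHHBBH4s4s"                    # 20-byte IPv4 header without options


def ip_checksum(hdr):
    """Standard one's-complement IPv4 header checksum."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    fields = [0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)


def addresses(ip_hdr):
    """(source, destination) of an IPv4 header, as dotted strings."""
    return (str(ipaddress.IPv4Address(bytes(ip_hdr[12:16]))),
            str(ipaddress.IPv4Address(bytes(ip_hdr[16:20]))))


def zero_mutable(ip_hdr):
    """RFC 2402: TOS, flags/fragment offset, TTL and checksum may change in
    transit, so they count as zero when the ICV is computed or checked."""
    b = bytearray(ip_hdr)
    b[1], b[6:8], b[8], b[10:12] = 0, b"\0\0", 0, b"\0\0"
    return bytes(b)


def ah_icv(key, outer_ip, ah_fixed, rest):
    """ICV over the outer IP header (mutable fields zeroed), the AH header with
    its own ICV field zeroed, and everything that follows the AH."""
    covered = zero_mutable(outer_ip) + ah_fixed + bytes(ICV_LEN) + rest
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def build_ah(key, spi, seq, outer_src, outer_dst, tcp_segment, inner=None):
    """inner=(src, dst) selects tunnel mode: the original IP packet, header
    included, is carried whole. Without it, transport mode: AH sits between
    the IP header and the TCP header."""
    if inner:
        rest = ipv4_header(inner[0], inner[1], TCP_PROTO, len(tcp_segment)) + tcp_segment
        next_hdr = IPIP_PROTO
    else:
        rest, next_hdr = tcp_segment, TCP_PROTO
    ah_len = AH_FIXED_LEN + ICV_LEN
    outer = ipv4_header(outer_src, outer_dst, AH_PROTO, ah_len + len(rest))
    # Payload Len is the AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    return outer + ah_fixed + ah_icv(key, outer, ah_fixed, rest) + rest


class ReplayWindow:
    """RFC 2401 sliding anti-replay window; bit i marks sequence number last-i."""
    def __init__(self, size=64):
        self.size, self.last, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:                       # sequence number 0 is never valid
            return False
        if seq > self.last:                # new high-water mark: slide the window
            shift = seq - self.last
            self.bitmap = (self.bitmap << shift) if shift < self.size else 0
            self.bitmap = (self.bitmap | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        back = self.last - seq
        if back >= self.size or self.bitmap >> back & 1:
            return False                   # too old, or already seen
        self.bitmap |= 1 << back
        return True


def verify_ah(key, packet, window):
    """Returns (ok, reason). The ICV is checked before the window is updated,
    so a forged packet cannot advance the window."""
    outer, ah_fixed = packet[:20], packet[20:20 + AH_FIXED_LEN]
    if outer[9] != AH_PROTO:
        return False, "not an AH packet"
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_end = 20 + (payload_len + 2) * 4
    icv, rest = packet[20 + AH_FIXED_LEN:ah_end], packet[ah_end:]
    if not hmac.compare_digest(icv, ah_icv(key, outer, ah_fixed, rest)):
        return False, "ICV mismatch"
    if not window.accept(seq):
        return False, "replayed or stale sequence number"
    return True, "ok"


KEY = b"constructed-demo-key-not-for-real-use"        # constructed sample key
TCP = b"\x04\xd2\x00\x50" + bytes(16) + b"hello"       # constructed TCP header + data


def demo():
    r, w = {}, ReplayWindow()
    pkt = build_ah(KEY, 0x100, 1, "10.0.0.1", "10.0.0.2", TCP)
    r["transport_ok"] = verify_ah(KEY, pkt, w)
    r["replay"] = verify_ah(KEY, pkt, w)                 # same packet again
    aged = bytearray(pkt); aged[8] -= 1                  # TTL drops at a router
    r["ttl_changed"] = verify_ah(KEY, bytes(aged), ReplayWindow())
    moved = bytearray(pkt); moved[16:20] = ipaddress.IPv4Address("10.0.0.9").packed
    r["dst_changed"] = verify_ah(KEY, bytes(moved), ReplayWindow())
    tun = build_ah(KEY, 0x200, 1, "203.0.113.1", "203.0.113.2", TCP,
                   inner=("192.168.1.10", "192.168.2.20"))
    r["tunnel_outer"] = addresses(tun[:20])              # gateway addresses
    r["tunnel_inner"] = addresses(tun[48:68])            # still readable: AH adds no confidentiality
    r["tunnel_ok"] = verify_ah(KEY, tun, ReplayWindow())
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the properties the text describes: a TTL change on the way through a router still verifies, because TTL is a mutable field that AH deliberately excludes, while rewriting the destination address fails the ICV check, because AH covers the IP header (this is why AH is paired with ESP when the header itself must be authenticated). The second delivery of the same packet is rejected by the sequence-number window, and in tunnel mode the inner header is fully covered by the ICV yet remains readable, which is the confidentiality gap that ESP fills.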

