Internet Protocol Security (IPSec)
- a network-layer protocol suite, implemented between IP and TCP
- authenticates and encrypts the packets of data sent over a network
- includes protocols for establishing mutual authentication between agents at the beginning of a session and for negotiating the cryptographic keys to use during the session
IPsec can protect data flows between:
- a pair of hosts (host-to-host)
- a pair of security gateways (network-to-network)
- a security gateway and a host (network-to-host)
IPSec is often used in tandem with Layer 2 Tunneling Protocol (L2TP) to build Virtual Private Networks (VPNs)
IPSec Components
first, establish mutual authentication and generate a session key to create a Security Association (SA):
- Internet Key Exchange (IKE) - provides mutual authentication between the 2 parties and establishes a session key
second, use the created Security Association (SA) to carry out cryptographically protected communication; this is done by choosing 1 of the following IP header extensions:
- Authentication Header (AH) - provides integrity of IP packets only (no encryption)
- Encapsulating Security Payload (ESP) - provides both encryption and integrity of IP packets
IPSec Protocol Modes
- transport mode - the host applies IPSec to the transport-layer packet; the original IP header is kept
- tunnel mode - a gateway applies IPSec to the whole IP packet of a host behind it and wraps it in a new outer IP header (IP-in-IP tunneling)
IPSec Packet Processing
outbound packets
- look up the packet in the Security Policy Database (SPD)
- use the packet header info to match a suitable Security Association (SA) in the SA database (SAD)
- retrieve the SPI (Security Parameters Index) and SA parameters from the SA database
- apply the IPsec protection to the packet and pass it to IP
inbound packets
- use the SPI in the packet's IPSec header to find the corresponding SA in the SA database
- use the SA parameters to authenticate/decrypt the packet
- pass the packet to the upper-layer protocol
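The following is an added worked example (not from the original notes, and not real IPsec wire formats) that models both the Protocol Modes section and the outbound/inbound processing steps above: an SPD with selector-based rules, an SAD keyed by SPI, AH-style integrity protection using HMAC-SHA-256-128 (RFC 4868), and the anti-replay window that a receiver maintains per SA. The packet layout, the SPD/SAD dictionaries, the addresses and the key are all constructed for the example; for brevity one SA object carries both the outbound sequence counter and the inbound replay state, whereas a real implementation uses a separate SA per direction.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# --- constructed, simplified packet and SA models (not real IPsec formats) ---

@dataclass
class Packet:
    src: str
    dst: str
    proto: int      # next-header/protocol number: 6 = TCP, 4 = IP-in-IP, 51 = AH
    payload: bytes

@dataclass
class SA:
    spi: int
    mode: str                    # "transport" or "tunnel"
    key: bytes                   # integrity key that IKE would have negotiated (constructed)
    tunnel_src: str = ""         # outer-header addresses, tunnel mode only
    tunnel_dst: str = ""
    seq: int = 0                 # outbound sequence-number counter
    replay_highest: int = 0      # inbound anti-replay window: highest sequence seen
    replay_seen: set = field(default_factory=set)

AH_PROTO = 51
IPIP_PROTO = 4
ICV_LEN = 16                     # HMAC-SHA-256-128 (RFC 4868): tag truncated to 128 bits
REPLAY_WINDOW = 64               # minimum window size required by RFC 4302/4303
AH_HDR = struct.Struct("!IIB")   # SPI, sequence number, next header

def encode(pkt):
    """Serialise a Packet so it can be carried as the inner packet in tunnel mode."""
    return b"%s|%s|%d|" % (pkt.src.encode(), pkt.dst.encode(), pkt.proto) + pkt.payload

def decode(raw):
    src, dst, proto, payload = raw.split(b"|", 3)
    return Packet(src.decode(), dst.decode(), int(proto), payload)

def compute_icv(sa, src, dst, protected):
    # AH authenticates the immutable IP header fields plus the AH header and payload.
    return hmac.new(sa.key, src.encode() + dst.encode() + protected, hashlib.sha256).digest()[:ICV_LEN]

def spd_lookup(spd, pkt):
    """Return the first SPD rule whose selectors match; None means no policy (drop)."""
    for rule in spd:
        if all(rule.get(k) in (None, getattr(pkt, k)) for k in ("src", "dst", "proto")):
            return rule
    return None

def outbound(pkt, spd, sad):
    rule = spd_lookup(spd, pkt)                       # step 1: consult the SPD
    if rule is None or rule["action"] == "DISCARD":
        return None
    if rule["action"] == "BYPASS":
        return pkt
    sa = sad[rule["spi"]]                             # steps 2-3: select the SA and its parameters
    sa.seq += 1
    if sa.mode == "tunnel":                           # tunnel mode: whole packet becomes the payload
        src, dst, next_hdr, body = sa.tunnel_src, sa.tunnel_dst, IPIP_PROTO, encode(pkt)
    else:                                             # transport mode: original header is kept
        src, dst, next_hdr, body = pkt.src, pkt.dst, pkt.proto, pkt.payload
    protected = AH_HDR.pack(sa.spi, sa.seq, next_hdr) + body
    return Packet(src, dst, AH_PROTO, protected + compute_icv(sa, src, dst, protected))  # step 4

def replay_ok(sa, seq):
    """Sliding anti-replay window: reject zero, duplicates, and anything left of the window."""
    if seq == 0 or seq in sa.replay_seen:
        return False
    if seq > sa.replay_highest:
        sa.replay_highest = seq
    elif seq <= sa.replay_highest - REPLAY_WINDOW:
        return False
    sa.replay_seen.add(seq)
    sa.replay_seen = {s for s in sa.replay_seen if s > sa.replay_highest - REPLAY_WINDOW}
    return True

def inbound(pkt, sad):
    if pkt.proto != AH_PROTO or len(pkt.payload) < AH_HDR.size + ICV_LEN:
        return None
    protected, tag = pkt.payload[:-ICV_LEN], pkt.payload[-ICV_LEN:]
    spi, seq, next_hdr = AH_HDR.unpack_from(protected)
    sa = sad.get(spi)                                 # step 1: SPI -> SA in the SAD
    if sa is None:
        return None
    if not hmac.compare_digest(tag, compute_icv(sa, pkt.src, pkt.dst, protected)):
        return None                                   # step 2: integrity check (constant-time compare)
    if not replay_ok(sa, seq):                        # window is only advanced after the ICV verifies
        return None
    body = protected[AH_HDR.size:]
    if sa.mode == "tunnel":                           # step 3: hand the inner packet upward
        return decode(body)
    return Packet(pkt.src, pkt.dst, next_hdr, body)

def demo():
    """Constructed scenario: protect one packet, deliver it, then replay and tamper with it."""
    key = b"constructed-key-that-ike-would-derive"
    sad = {0x1001: SA(spi=0x1001, mode="tunnel", key=key,
                      tunnel_src="203.0.113.1", tunnel_dst="198.51.100.1")}
    spd = [{"src": "10.0.0.5", "dst": "10.1.0.9", "proto": None, "action": "PROTECT", "spi": 0x1001}]
    original = Packet("10.0.0.5", "10.1.0.9", 6, b"GET / HTTP/1.1")
    wire = outbound(original, spd, sad)
    recovered = inbound(wire, sad)
    replayed = inbound(wire, sad)
    tampered = Packet(wire.src, wire.dst, wire.proto, wire.payload[:-1] + bytes([wire.payload[-1] ^ 1]))
    return wire, recovered, replayed, inbound(tampered, sad)
```

Running `demo()` shows the tunnel-mode packet leaving with the gateway addresses and protocol 51, the receiver recovering the original host packet, and both the replayed copy and the tampered copy being dropped before anything reaches the upper layer.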