Updated April 18, 2023
Introduction to IPSec protocol
The IP packet contains the data in plain text form, which means anyone watching the IP packets passes by can actually access them and can read and write their content. In 1995, IETF (Internet Engineering Taskforce) published its security-based mechanism related to IPSec to provide security at the IP level. The goal behind IPSec is to encrypt and seal the transport and application layer data during the transmission. It offers integrity protection to the internet layer. However, the internet header is not encrypted because of which the intermediate routers can deliver encrypted IPSec messages to the intended receiver. To perform this task, IPSec uses various protocol that we will discuss in this article.
Protocols of IPSec
Here is a list of protocols that IPSec is using during the transmission of the data.
1. Authentication header
The authentication header protocol provides features like authentication, integrity, and anti-replay. IPSec authentication header protocol is a header in an IP packet that contains a cryptographic checksum for the concept of packets. It is simply inserted between the IP header and any subsequent packet contents. No changes are done to the content of data; hence the security resides completely in the authentication header’s content. Data integrity service ensures that data that resides in the IP packets are not altered during the transmission of the packet.
It consists of 6 fields, namely the Next header (8-bit field), Payload length (8-bit field), Reserved (16-bit field), Security Parameter Index (32-bit field), Sequence Number (32-bit field), and Authentication data (32-bit field). Authentication header protocol has two modes of operation one is transport mode, and another is tunnel mode. The authentication header is present between the original IP header and the original TCP header in transport mode. The entire original IP packet is authenticated in tunnel mode, and then the Authentication header is inserted between the original IP header and the new IP header.
2. ESP Protocol
ESP is Encapsulating Security Payload protocol which provides the confidentiality features. This protocol defines the new header which needs to be inserted into the IP packets. It also includes the transformation of protected data into an unreasonable and encrypted format. ESP will be inside the authentication header, which means that the encryption process takes place before the authentication process. ESP Protocol has 7 fields, namely Security Parameter Index (32-bit field), the sequence number (32-bit field), Payload data (size depends on the variable length), Padding (has 0-255 bytes), Padding length (8-bit field), Next header (8-bit field) and Authentication data (variable size). It has two modes of transport mode and tunnel mode.
Transport mode is used to encrypt and authenticate the data carried by the IP packet. A tunnel mode is used to encrypt the entire IP packet. When the IP packet is received, which was processed by IPSec, the receiver first attempts the Authentication header, if present. Based on the result, the receiver will decide whether the content of this data packet is correct or not or being altered during the transmission.
3. IKE Protocol
IKE protocol stands for Internet Key Exchange is a protocol used for key management procedures. IKE protocol is used to negotiate the cryptographic algorithms to be later used by authentication header and encapsulating security payload in the actual cryptographic operations. IPSec Protocols are designed to be independent of the actual lower-level cryptographic algorithms; thus, IKE protocol is the initial phase of the IPSec where algorithms and keys are decided. After the IKE phase, authentication header protocol and encapsulating security payload protocols take over.
4. SA Protocol
SA stands for Security Association Protocol, is the output of the IKE phase. It is an agreement between the communicating parties about the factors such as the IPSec protocol version in use mode of operation, cryptographic algorithms, cryptographic keys. Etc. The principal of the IKE protocol is to establish an SA between the communicating parties. Once this connection is established, both protocols of IPSec make use of the SA for their actual operation. If the authentication header and encapsulating security payload are used, each communication party involved requires two sets of SA. One for authentication header and one for encapsulating security payload. A security association is unidirectional; thus, there is a need for two sets of SA per communication party at the second level. One for incoming transmission and one for outgoing transmission.
So if two communicating parties use both Authentication header and encapsulating security payload, each of them requires four sets of SA. Security association Protocol consists of 9 fields, namely Sequence Number counter (32-bit field), Sequence counter overflow, anti-replay window (32-bit field), AH authentication, ESP authentication, ESP encryption, IPSec protocol mode, PMTU (Path Maximum Transfer Unit), and Lifetime.
This is a guide to the IPSec protocol. Here we discussed the basic concepts of IPSec with its protocols along with their functions and various fields. You may also have a look at the following articles to learn more –