Introduction to IPSec
IPsec stands for Internet Protocol Security. IP packets that travel through transmission medium contain data in plain text form. It ensures that anyone watching IP packets move through can access IP packets, and read the data. To overcome this problem, and to secure the IP packets, IPsec comes into the picture.
The idea behind IPSec is to encrypt and seal the transport and application Layer data during transmission. It also offers integrity protection for the internet layer. Internet header itself is not encrypted, because of which the intermediate routers can deliver encrypted IPSec message to the intended receiver. IPSec layer lies in between the transport layer and the internet layer.
IP packets consist of two parts one is an IP header, and the second is actual data. These features are implemented in the form of additional IP headers which is called extension headers to the standards, default IP address. This extension IP headers must follow the Standard IP headers. IP security offers two main services one is authentication and another is confidentiality each of these requires its own extension headers. To support this IPSec support two IP extension headers, One for authentication and another for confidentiality.
1. Authentication header protocol
The authentication header protocol provides integrity, authentication, and anti-replay service. The IPSec authentication header is a header in the IP packet, which contains a cryptographic checksum for the contents of the packet. This authentication header is inserted in between the IP header and any subsequent packet contents. There is no need of changes in data contents of the packet, therefore security resides completely in the contents of the authentication header.
2. ESP protocol
ESP protocol stands for Encapsulating Security Payload Protocol. It provides data confidentiality. Encapsulating Security Payload Protocol also defines the new header that needs to be inserted into the IP packet. ESP protocol also converts the protected data into encrypted format i.e. unreadable format. Under normal circumstances, the Encapsulating Security Payload Protocol will be inside the Authentication header. That means that it first performs encryption and authenticate.
When the receiver geta the IP packet processed by IPSec, the receiver first processes the Authentication header, if it is present. Based on the outcome of this, the receiver decides whether the contents of the packet are right or not, whether the data is modified or not during transmission. If the receiver finds the contents acceptable, it extracts the key and algorithms associated with Encapsulating Security Payload and decrypt the contents.
Modes of Operation
Both the authentication header and Encapsulating Security Payload can be used in one of two nodes. Two nodes are – Tunnel mode and Transport mode
1. Tunnel Mode
In tunnel mode, an encrypted tunnel is established between two hosts. Suppose A and B are two hosts and want to communicate with each other using IPsec tunnel mode. First, they identify the corresponding proxies, say Pro1 and Pro2 and the logical encrypted tunnel is established between these two proxies. A sends its message to Pro1 and the tunnel carries this message to Pro2. Pro2 forwards this message sent by A to B. In tunnel mode, it protects the entire IP datagram. It adds the IPSec header and trailer to the Iap datagram and encrypts the whole. Then it adds a new IP header to this encrypted datagram.
2. Transport Mode
In transport mode, source addresses and destination addresses are not hidden during transmission. They are in plain text form i.e. anyone can read it. In transport mode, it takes transport-layer payload, and adds IPSec header and trailer and then encrypt them as a whole. After that it adds IP header, Thus IP header is not encrypted.
Applications of IPSec
Given below are some applications of IPSec:
1.Secure remote internet access: With IP security, we can make a call to our IPS(Internet Service Provider) so as to connect to our organization network in a secure manner. We can also access corporate network facilities or remote servers/desktops.
2. To Set up communication with other organizations: As IP security allows connection between various branches of the organization, it can also be used to connect the networks of various organizations in a secure manner.
3. Secure branch office connectivity: It allows an organization to set an IPSec enabled the network to securely connect all its branches over the internet. This feature reduces the expense of the organization that needs for connecting the organization branches across the cities or countries.
The advantages are as explained below.
- It allows fast traveling to have secure access to the corporate network.
- It allows interconnectivity between branches of the organization in a Secure and inexpensive manner.
- It works at the network layer, therefore there is no need for changes in the upper layers i.e application layer and transport layer.
- It is transparent to end-users. There is no need for user training, key issuance, and revocation.
- It is also used in a firewall to protect the incoming and outgoing traffic.
- When IP security is configured to work with the firewall, it becomes only an entry-exit point for all traffic to make it extra secure.
This has been a guide to IPSec. Here we discuss the basic concept, modes of operation, protocols, applications, and advantages of IPSec. You may also have a look at the following articles to learn more –