A Brief Foray into IP Security

A Brief Foray into IP Security

"Internet Control Message Protocol (ICMP)" covered IPv4 in some detail, containing the services it provides and how those services are implemented. While reading through that section, you may have noticed that there was no mention of any security services. In fact, IPv4 was designed in an era (the 1970s) when the Internet was mainly used among mutually-trusted networking researchers. Creating a computer network that integrated a multitude of link-layer technologies was already challenging enough, without having to worry about security.

But, with security being a major concern today, Internet researchers have moved on to design new network-layer protocols that provide a variety of security services. One of these protocols is IPsec, one of the more popular secure network-layer protocols and also widely deployed in Virtual Private Networks (VPNs). Although IPsec and its cryptographic underpinnings will be covered in some detail in "Security in Computer Networks", we provide a brief, high-level introduction into lPsec services in this section.

IPsec has been designed to be backward compatible with IPv4 and lPv6. Particularly, in order to reap the benefits of IPsec, we don't need to replace the protocol stacks in all the routers and hosts in the Internet. For instance, using the transport mode (one of two IPsec "modes"), if two hosts want to securely communicate, IPsec needs to be available only in those two hosts. All other routers and hosts can continue to run vanilla IPv4.

For concreteness, we'll focus on IPsec's transport mode here. In this mode, two hosts first establish an IPsec session between themselves. (Thus IPsec is connection-oriented) With the session in place, all TCP and UDP segments sent between the two hosts enjoy the security services provided by IPsec. On the sending side, the transport layer passes a segment to IPsec. lPsec then encrypts the segment, appends additional security fields to the segment, and encapsulates the resulting payload in an ordinary IP datagram. (It's actually a little more complicated than this, as we'll see in "Security in Computer Networks") The sending host then sends the datagram into the Internet, which transports it to the destination host. There, lPsec decrypts the segment and passes the unencrypted segment to the transport layer.

The services provided by an IPsec session contain:

● Cryptographic agreement, Mechanisms that allow the two communicating hosts to agree on cryptographic algorithms and keys.

● Encryption of IP datagram payloads. When the sending host receives a segment from the transport layer, IPsec encrypts the payload. The payload can only be decrypted by IPsec in the receiving host.

● Data integrity. IPsec allows the receiving host to verify that the datagram's header fields and encrypted payload were not customized while the datagram was en route from source to destination.

● Origin authentication. When a host receives an IPsec datagram from a trusted source (with a trusted key), the host is assured that the source IP address in the datagram is the actual source of the datagram.

When two hosts have an IPsec session established between them, all TCP and UDP segments sent between them will be encrypted and authenticated. IPsec therefore provides blanket coverage, securing all communication between the two hosts for all network applications.

A company can use lPsec to communicate securely in the nonsecure public Internet. For illustrative purposes, we'll just look at a simple example here. Think about a company that has a large number of traveling salespeople, each possessing a company Laptop computer. Assume the salespeople need to frequently consult sensitive company information (for instance, pricing and product information) that is stored on a server in the company's headquarters. Further assume that the salespeople also need to send sensitive documents to each other. How can this be done with IPsec? As you might guess, we install IPsec in the server and in all of the salespeople's laptops. With IPsec installed in these hosts, whenever a salesperson needs to communicate with the server or with another salesperson, the communication session will be secure.


computer network, virtual private networks, routers, hosts, cryptographic algorithms

Copy Right

The contents available on this website are copyrighted by TechPlus unless otherwise indicated. All rights are reserved by TechPlus, and content may not be reproduced, published, or transferred in any form or by any means, except with the prior written permission of TechPlus.