IPsec


In computing, Internet Protocol Security is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks.
IPsec includes protocols for establishing mutual authentication between agents at the beginning of a session and negotiation of cryptographic keys to use during the session. IPsec can protect data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
IPsec uses cryptographic security services to protect communications over Internet Protocol networks. It supports network-level peer authentication, data origin authentication, data integrity, data confidentiality, and protection from replay attacks.
The protocol was designed by a committee rather than through a competition. Some experts have criticized it as complex and laden with options, which they regard as devastating for a security standard. The NSA is also alleged to have interfered in the design to weaken its security features.

History

Starting in the early 1970s, the Advanced Research Projects Agency sponsored a series of experimental ARPANET encryption devices, at first for native ARPANET packet encryption and subsequently for TCP/IP packet encryption; some of these were certified and fielded. From 1986 to 1991, the NSA sponsored the development of security protocols for the Internet under its Secure Data Network Systems program. This brought together various vendors including Motorola who produced a network encryption device in 1988. The work was openly published from about 1988 by NIST and, of these, Security Protocol at Layer 3 would eventually morph into the ISO standard Network Layer Security Protocol.
In 1992, the US Naval Research Laboratory was funded by DARPA CSTO to implement IPv6 and to research and implement IP encryption in 4.4 BSD, supporting both SPARC and x86 CPU architectures. DARPA made its implementation freely available via MIT. Under NRL's DARPA-funded research effort, NRL developed the IETF standards-track specifications for IPsec. NRL's IPsec implementation was described in their paper in the 1996 USENIX Conference Proceedings. NRL's open-source IPsec implementation was made available online by MIT and became the basis for most initial commercial implementations.
The Internet Engineering Task Force formed the IP Security Working Group in 1992 to standardize openly specified security extensions to IP, called IPsec. The NRL-developed standards were published by the IETF as RFC 1825 through RFC 1827.

Security architecture

The initial IPv4 suite was developed with few security provisions. As part of the IPv4 enhancement, IPsec is an end-to-end security scheme operating at layer 3 of the OSI model, the internet layer. By contrast, other widely used Internet security systems operate above the network layer: Transport Layer Security operates above the transport layer and Secure Shell at the application layer. Because it works at the internet layer, IPsec can secure applications automatically, without their involvement.
IPsec is an open standard as a part of the IPv4 suite and uses the following protocols to perform various functions:
  • Authentication Header provides connectionless data integrity and data origin authentication for IP datagrams and provides protection against IP header modification attacks and replay attacks.
  • Encapsulating Security Payload provides confidentiality, connectionless data integrity, data origin authentication, an anti-replay service, and limited traffic-flow confidentiality.
  • Internet Security Association and Key Management Protocol provides a framework for authentication and key exchange, with actual authenticated keying material provided either by manual configuration with pre-shared keys, Internet Key Exchange, Kerberized Internet Negotiation of Keys, or IPSECKEY DNS records. The purpose is to generate the security associations with the bundle of algorithms and parameters necessary for AH and/or ESP operations.

    Authentication Header

The Security Authentication Header was developed at the US Naval Research Laboratory in the early 1990s and is derived in part from previous IETF standards' work for authentication of the Simple Network Management Protocol version 2. Authentication Header is a member of the IPsec protocol suite. AH ensures connectionless integrity by using a hash function and a secret shared key in the AH algorithm. AH also guarantees the data origin by authenticating IP packets. Optionally, a sequence number can protect the IPsec packet's contents against replay attacks, using the sliding window technique and discarding old packets.
  • In IPv4, AH prevents option-insertion attacks. In IPv6, AH protects both against header insertion attacks and option insertion attacks.
  • In IPv4, the AH protects the IP payload and all header fields of an IP datagram except for mutable fields, and also IP options such as the IP Security Option. Mutable IPv4 header fields are DSCP/ToS, ECN, Flags, Fragment Offset, TTL and Header Checksum.
  • In IPv6, the AH protects most of the IPv6 base header, AH itself, non-mutable extension headers after the AH, and the IP payload. Protection for the IPv6 header excludes the mutable fields: DSCP, ECN, Flow Label, and Hop Limit.
AH operates directly on top of IP, using IP protocol number.
The following AH packet diagram shows how an AH packet is constructed and interpreted:
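The following is an added example, not code from the article or from any IPsec implementation. It builds an IPv4 packet carrying an AH header, computes the integrity check value (ICV) over the packet with the mutable IPv4 fields listed above zeroed, verifies it after a simulated router hop (TTL decremented, checksum recomputed), and implements the sliding-window anti-replay check. Assumptions: HMAC-SHA256 truncated to 96 bits as the AH integrity algorithm, a 64-packet window, and a constructed key and addresses.

```python
# Added example: AH over IPv4 with a masked-header ICV and a sliding replay window.
# Assumptions: HMAC-SHA256-96 as the integrity algorithm, constructed key/addresses.
import hashlib
import hmac
import struct

AH_PROTO = 51      # IANA protocol number assigned to AH
ICV_LEN = 12       # 96-bit truncated HMAC, the common AH ICV size
AH_FIXED_LEN = 12  # Next Header, Payload Len, Reserved, SPI, Sequence Number


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over 16-bit words; the checksum field must be zero on input."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, total_len: int, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options (DF flag set, constructed ID)."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(hdr: bytes) -> bytes:
    """Zero the IPv4 fields AH treats as mutable, so routing does not break the ICV."""
    b = bytearray(hdr)
    b[1] = 0                 # DSCP/ToS and ECN
    b[6:8] = b"\x00\x00"     # Flags and Fragment Offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # Header Checksum
    return bytes(b)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over the masked IP header, the AH header with its ICV field zeroed, and the payload."""
    covered = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key, spi, seq, src, dst, payload, next_header=17) -> bytes:
    ah_len = AH_FIXED_LEN + ICV_LEN                  # 24 bytes, a multiple of 32 bits
    payload_len_field = ah_len // 4 - 2              # AH length in 32-bit words, minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len_field, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, 20 + ah_len + len(payload), AH_PROTO)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah_packet(key: bytes, pkt: bytes):
    """Return (spi, seq, next_header, payload) or raise ValueError on a bad ICV."""
    ip_hdr, rest = pkt[:20], pkt[20:]
    if ip_hdr[9] != AH_PROTO:
        raise ValueError("not an AH packet")
    ah_fixed = rest[:AH_FIXED_LEN]
    next_header, payload_len_field, _, spi, seq = struct.unpack("!BBHII", ah_fixed)
    ah_len = (payload_len_field + 2) * 4
    icv, payload = rest[AH_FIXED_LEN:ah_len], rest[ah_len:]
    if not hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload)):
        raise ValueError("AH ICV mismatch")
    return spi, seq, next_header, payload


class ReplayWindow:
    """Sliding anti-replay window: bit i of the bitmap marks sequence number top - i."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                       # sequence numbers start at 1
            return False
        if seq > self.top:                 # new high-water mark: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                   # too old, or already seen: discard
        self.bitmap |= 1 << diff
        return True


def after_one_hop(pkt: bytes) -> bytes:
    """Model a router: decrement TTL and recompute the header checksum."""
    b = bytearray(pkt)
    b[8] -= 1
    b[10:12] = b"\x00\x00"
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:20])))
    return bytes(b)
```

The receiver verifies the ICV before consulting the replay window, so a forged packet cannot advance the window; a packet whose sequence number is already marked, or falls more than the window size behind the highest accepted number, is dropped without further processing.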

Encapsulating Security Payload

The IP Encapsulating Security Payload was developed at the Naval Research Laboratory starting in 1992 as part of a DARPA-sponsored research project, and was openly published by the IETF SIPP Working Group in a draft of December 1993 as a security extension for SIPP. This ESP was originally derived from the US Department of Defense SP3D protocol, rather than from the ISO Network-Layer Security Protocol. The SP3D protocol specification was published by NIST in the late 1980s, but designed by the Secure Data Network System project of the US Department of Defense.
Encapsulating Security Payload is a member of the IPsec protocol suite. It provides origin authenticity through source authentication, data integrity through hash functions, and confidentiality through encryption for IP packets. ESP also supports encryption-only and authentication-only configurations, but using encryption without authentication is strongly discouraged because it is insecure.
Unlike Authentication Header, ESP in transport mode does not provide integrity and authentication for the entire IP packet. However, in tunnel mode, where the entire original IP packet is encapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet while the outer header remains unprotected.
ESP operates directly on top of IP, using IP protocol number 50.
The following ESP packet diagram shows how an ESP packet is constructed and interpreted:
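The following is an added example, not code from the article or from any IPsec implementation. It shows the ESP framing (SPI and sequence number, IV, encrypted payload with trailer padding, Pad Length and Next Header, then the ICV), the encrypt-then-MAC order in which the receiver checks the ICV before decrypting, and why the encryption-only configuration is discouraged: without an ICV, a modified ciphertext byte decrypts to a silently altered payload. Assumptions: the "cipher" is a keystream generated with HMAC-SHA256 in counter mode, used here only as a stand-in for a real ESP transform such as AES; keys and IV are constructed test values.

```python
# Added example: ESP framing, encrypt-then-MAC verification, and the
# encryption-only failure mode. The keystream function is a stand-in for a
# negotiated cipher, not a standard IPsec transform; keys/IV are constructed.
import hashlib
import hmac
import struct

ESP_PROTO = 50  # IP protocol number used by ESP
ICV_LEN = 12    # 96-bit truncated HMAC-SHA256
IV_LEN = 8


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """PRF-based keystream: block i = HMAC(key, iv || i). Stand-in for AES/ChaCha20."""
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_trailer(payload: bytes, next_header: int, align: int = 4) -> bytes:
    """payload || padding || Pad Length || Next Header, aligned to `align` bytes.
    The RFC 4303 default padding is the byte sequence 1, 2, 3, ..."""
    pad_len = (-(len(payload) + 2)) % align
    return payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header, iv, authenticate=True) -> bytes:
    """ESP header (SPI, Sequence Number), IV, ciphertext and, unless disabled, the ICV."""
    plaintext = esp_trailer(payload, next_header)
    body = struct.pack("!II", spi, seq) + iv + xor(plaintext, keystream(enc_key, iv, len(plaintext)))
    if not authenticate:
        return body                       # encryption-only ESP: shown only for contrast
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_decapsulate(enc_key, auth_key, pkt, authenticate=True):
    """Check the ICV first, then decrypt and strip the trailer.
    Returns (spi, seq, next_header, payload) or raises ValueError."""
    body = pkt
    if authenticate:
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    iv, ciphertext = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    plaintext = xor(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    payload = plaintext[:len(plaintext) - 2 - pad_len]
    if plaintext[len(payload):-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, payload


def corrupt_first_ciphertext_byte(pkt: bytes) -> bytes:
    """Simulate one altered ciphertext byte (offset 16: after SPI, sequence number and IV)."""
    b = bytearray(pkt)
    b[16] ^= 0x01
    return bytes(b)
```

With the ICV present the altered packet is rejected before any decryption happens; with the encryption-only configuration the same alteration passes straight through and the upper layer receives a payload that differs from what was sent, which is the reason the article calls that configuration insecure.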

Security association

The IPsec protocols use a security association, where the communicating parties establish shared security attributes such as algorithms and keys. As such, IPsec provides a range of options once it has been determined whether AH or ESP is used. Before exchanging data, the two hosts agree on which symmetric encryption algorithm is used to encrypt the IP packet, for example AES or ChaCha20, and which hash function is used to ensure the integrity of the data, such as BLAKE2 or SHA256. These parameters are agreed for the particular session, for which a lifetime and a session key must also be agreed.
The algorithm for authentication is also agreed before the data transfer takes place, and IPsec supports a range of methods. Authentication is possible through a pre-shared key, where a symmetric key is already in the possession of both hosts, and the hosts send each other hashes of the shared key to prove that they are in possession of the same key. IPsec also supports public key encryption, where each host has a public and a private key: they exchange their public keys, and each host sends the other a nonce encrypted with the other host's public key. Alternatively, if both hosts hold a public key certificate from a certificate authority, this can be used for IPsec authentication.
The security associations of IPsec are established using the Internet Security Association and Key Management Protocol. ISAKMP is implemented by manual configuration with pre-shared secrets, Internet Key Exchange, Kerberized Internet Negotiation of Keys, and the use of IPSECKEY DNS records. RFC 5386 defines Better-Than-Nothing Security as an unauthenticated mode of IPsec using an extended IKE protocol. C. Meadows, C. Cremers, and others have used formal methods to identify various anomalies which exist in IKEv1 and also in IKEv2.
In order to decide what protection is to be provided for an outgoing packet, IPsec uses the Security Parameter Index, an index to the security association database, along with the destination address in a packet header, which together uniquely identify a security association for that packet. A similar procedure is performed for an incoming packet, where IPsec gathers decryption and verification keys from the security association database.
For IP multicast a security association is provided for the group, and is duplicated across all authorized receivers of the group. There may be more than one security association for a group, using different SPIs, thereby allowing multiple levels and sets of security within a group. Indeed, each sender can have its own security association, which allows sender authentication, since with a single shared group association a receiver can only know that someone holding the keys sent the data. Note that the relevant standard does not describe how the association is chosen and duplicated across the group; it is assumed that a responsible party will have made the choice.
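The following is an added example, not code from the article or from any IPsec implementation, illustrating the lookup described in the two paragraphs above: a security association database keyed by the (SPI, destination address, protocol) triple read from an inbound packet, with the negotiated algorithms, session key and lifetime stored on each entry, expired entries refused, the same SPI value resolving to different associations for different destinations, and a multicast group holding several associations under different SPIs. All SPIs, addresses, keys and lifetimes are constructed test values.

```python
# Added example: a minimal security association database (SAD) keyed by
# (SPI, destination, protocol), with lifetime checks and per-sender group SAs.
# All values below are constructed for illustration.
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurityAssociation:
    spi: int
    dst: str                 # destination address: unicast host or multicast group
    proto: str               # "AH" or "ESP"
    cipher: Optional[str]    # e.g. "AES" or "ChaCha20"; None for AH
    integrity: str           # e.g. "SHA256" or "BLAKE2"
    key: bytes               # session key agreed for this SA
    created: float           # seconds on the owner's clock
    lifetime_seconds: float
    lifetime_bytes: int
    bytes_used: int = 0

    def expired(self, now: float) -> bool:
        """Either lifetime limit (time or volume) retires the SA."""
        return (now - self.created >= self.lifetime_seconds
                or self.bytes_used >= self.lifetime_bytes)


class SADatabase:
    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, str, str], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        key = (sa.spi, sa.dst, sa.proto)
        if key in self._sas:
            raise ValueError("duplicate SA for %r" % (key,))
        self._sas[key] = sa

    def lookup(self, spi: int, dst: str, proto: str, now: float) -> Optional[SecurityAssociation]:
        """Inbound lookup: the packet's (SPI, dst, proto) selects the SA; an expired SA is
        removed rather than used, so traffic on it is dropped until a new SA is negotiated."""
        sa = self._sas.get((spi, dst, proto))
        if sa is None:
            return None
        if sa.expired(now):
            del self._sas[(spi, dst, proto)]
            return None
        return sa

    def account(self, sa: SecurityAssociation, nbytes: int) -> None:
        sa.bytes_used += nbytes

    def group_spis(self, group: str) -> List[int]:
        """All SPIs holding an SA for a multicast group, e.g. one per authenticated sender."""
        return sorted(spi for (spi, dst, proto) in self._sas if dst == group)


def inbound_selector(pkt: bytes) -> Tuple[int, str, str]:
    """From a raw IPv4 packet return the (spi, dst, proto) lookup key. The SPI is at
    offset 20 for ESP and offset 24 for AH (after Next Header, Payload Len, Reserved)."""
    dst = ".".join(str(b) for b in pkt[16:20])
    if pkt[9] == 50:
        return struct.unpack("!I", pkt[20:24])[0], dst, "ESP"
    if pkt[9] == 51:
        return struct.unpack("!I", pkt[24:28])[0], dst, "AH"
    raise ValueError("not an IPsec packet")


def sample_packet(proto_num: int, dst: str, spi: int) -> bytes:
    """Constructed IPv4 header (checksum left zero) followed by the start of AH or ESP."""
    hdr = bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, proto_num, 0, 0, 10, 0, 0, 1])
    hdr += bytes(int(x) for x in dst.split("."))
    if proto_num == 51:
        hdr += bytes([50, 4, 0, 0])       # AH: Next Header, Payload Len, Reserved
    return hdr + struct.pack("!I", spi)


def build_sample_sad() -> SADatabase:
    """Two unicast SAs sharing an SPI value, plus two per-sender SAs for one multicast group."""
    sad = SADatabase()
    sad.add(SecurityAssociation(0x1000, "10.0.0.2", "ESP", "AES", "SHA256", b"k1", 0, 3600, 1 << 30))
    sad.add(SecurityAssociation(0x1000, "10.0.0.3", "ESP", "ChaCha20", "BLAKE2", b"k2", 0, 3600, 1 << 30))
    sad.add(SecurityAssociation(0x2001, "239.1.1.1", "ESP", "AES", "SHA256", b"g1", 0, 600, 1 << 20))
    sad.add(SecurityAssociation(0x2002, "239.1.1.1", "ESP", "AES", "SHA256", b"g2", 0, 600, 1 << 20))
    return sad
```

The SPI alone is not a key: the two unicast entries above reuse SPI 0x1000 and are told apart only by destination address, which is why the lookup takes the triple. Retiring an association on either its time or its byte limit matches the session-lifetime agreement the article describes.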