Chapter 9 IP Security
Network architecture is usually explained as a stack of layers. Figure 1 shows the OSI (Open Systems Interconnection) model stack beside the IP (Internet Protocol) model stack. TCP is the Transmission Control Protocol, IP is the Internet Protocol, UDP is the User Datagram Protocol, and the data link layer includes Ethernet, PPP, FDDI, etc.
Figure 1: Network layer stack
OSI model: Application, Presentation, Session, Transport, Network, Data Link, Physical
IP model: Application, TCP/UDP, IP, Data Link, Physical
We have seen security protocols at the application level (PGP, S/MIME, etc.) and at the transport level (SSL, TLS). In this chapter, we investigate IP-level security. Communication on the network works by sending and receiving chunks of data called packets. A packet is built up from the data that each layer appends to what it received from the layer directly above it.
A TCP/IP packet can be described as follows:
Link-H | IP-H | TCP-H | Data | Link-T
where H means the header of that layer and Link-T is the trailer of the link layer. Usually, when an outgoing packet is formed, the application data is generated first, then the headers of the different layers are added in turn. To secure communications, we need to encrypt the packets.
Network security encryption can be classified into two types:
End-to-end encryption: The encryption process is carried out at the two end systems.
Link encryption: The encryption process is carried out on each link.
Figure 2 is a simple example of these two types of encryption.
Figure 2: Types of encryption (two routers connected across the Internet; link encryption covers each individual link, end-to-end encryption covers the whole path between the end systems)
End-to-end encryption is simple, but it cannot operate at a low level of the communication hierarchy. The address of the message cannot be encrypted, since otherwise the packet-switching nodes could not route the packet. So end-to-end encryption cannot protect against traffic analysis. Link encryption can encrypt most of the data except the link control protocol header. However, each router has to decrypt the data and then encrypt it again.
IPSec provides security at the IP layer. It can be used in a firewall or router, and it can also be used by individual users. So IPSec can be used for either end-to-end encryption or link encryption. Since IPSec is below the transport layer, it is transparent to end users, so there is no need to change the application software or train users in security mechanisms. Before discussing IPSec, we need some knowledge of IP. The Internet Protocol (IP) is used to transmit packets across multiple networks. The main Internet protocol is IPv4. The IPv4 header is shown in Figure 3.
 0        4        8                16      19                 31
 version |  IHL   | Type of Service |       Total Length        |
 |        Identification            | Flags |  Fragment Offset  |
 | Time to live |   Protocol        |      Header Checksum      |
 |                      Source Address                          |
 |                    Destination Address                       |
 |                    Options + Padding                         |
Figure 3: IPv4 header
The IPv4 header is a minimum of 20 octets (160 bits) long. The fields of the IPv4 header are as follows.
Version (4 bits): The version of IP; the value is 4.
Internet Header Length (IHL) (4 bits): Length of the header in 32-bit words. The minimum value is 5.
Type of Service (8 bits): Provides guidance to the end IP modules and to the routers along the packet's path about the packet's relative priority.
Total Length (16 bits): Total IP packet length, in octets.
Identification (16 bits): A sequence number that, together with the source address, destination address and user protocol, identifies the packet.
Flags (3 bits): Indicates whether this is the last fragment of the original packet.
Fragment Offset (13 bits): Indicates where in the original packet this fragment belongs, measured in 64-bit units.
Time to Live (8 bits): Specifies how long a packet is allowed to remain in the internet.
Protocol (8 bits): Indicates the next higher level protocol.
Header Checksum (16 bits): An error-detecting code (for the header only). Since some header fields may change during transit, this is re-verified and recomputed at each router.
Source Address (32 bits): Coded to allow a variable allocation of bits to specify the network and the end system attached to the specified network.
Destination Address (32 bits): Same characteristics as the source address.
Options (variable): Encodes the options requested by the sending user, such as security label, source routing, record routing, and timestamping.
Padding (variable): Used to ensure that the packet header is a multiple of 32 bits in length.
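The following is an added example, not code from the lecture notes: it packs a minimal IPv4 header with the Figure 3 layout, parses the fields back out, verifies the header checksum, and performs the per-hop step a router takes (decrement the TTL, then recompute the checksum because a header field changed). The addresses, identification value and payload are constructed sample values; the function names are this example's own.

```python
import socket
import struct

# Added example (not from the lecture notes): build, verify and forward a minimal
# IPv4 header with the Figure 3 layout. Addresses are constructed sample values
# from the RFC 5737 documentation ranges.


def ones_complement_sum(data: bytes) -> int:
    """Sum of 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header: bytes) -> int:
    """Header checksum: one's complement of the one's complement sum."""
    return (~ones_complement_sum(header)) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, ttl=64, protocol=17,
                      ident=0x1234, dont_fragment=True):
    """Pack the 20-byte fixed header (IHL=5, no options) and fill in the checksum."""
    ihl = 5
    version_ihl = (4 << 4) | ihl
    total_length = ihl * 4 + payload_len
    flags = 0b010 if dont_fragment else 0          # 3 flag bits; DF is the middle bit
    flags_frag = (flags << 13) | 0                 # fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, total_length, ident,
                      flags_frag, ttl, protocol, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    # The checksum is computed over the header with the checksum field set to zero
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Unpack the fields of Figure 3 and check the header checksum."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    (version_ihl, tos, total_length, ident, flags_frag, ttl, protocol,
     checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = version_ihl >> 4, version_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    header_len = ihl * 4                           # IHL counts 32-bit words
    if ihl < 5 or len(packet) < header_len:
        raise ValueError("bad IHL")
    header = packet[:header_len]
    return {
        "version": version, "ihl": ihl, "header_len": header_len, "tos": tos,
        "total_length": total_length, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": protocol, "checksum": checksum,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "options": header[20:],
        # A valid header sums to 0xFFFF, so its complement is zero
        "checksum_ok": ipv4_checksum(header) == 0,
    }


def forward_hop(packet: bytes) -> bytes:
    """What a router does per hop: drop on a bad checksum or expired TTL,
    otherwise decrement the TTL and recompute the checksum (the header changed)."""
    fields = parse_ipv4_header(packet)
    if not fields["checksum_ok"]:
        raise ValueError("header checksum mismatch: drop")
    if fields["ttl"] <= 1:
        raise ValueError("TTL expired: drop")
    hl = fields["header_len"]
    header = bytearray(packet[:hl])
    header[8] -= 1                                 # TTL is octet 8
    header[10:12] = b"\x00\x00"                    # zero the checksum before recomputing
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))
    return bytes(header) + packet[hl:]


# Constructed sample packet: 20-byte header plus an 11-byte payload
SAMPLE_PAYLOAD = b"constructed"
SAMPLE_PACKET = build_ipv4_header("192.0.2.10", "198.51.100.20",
                                  len(SAMPLE_PAYLOAD), ttl=64, protocol=17) + SAMPLE_PAYLOAD

if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_PACKET))
    print(parse_ipv4_header(forward_hop(SAMPLE_PACKET))["ttl"])
```

The checksum covers only the header, so flipping a single bit in the destination address is detected at the next router, while corruption of the payload is not; that is why the notes treat the header checksum as a header-only error-detecting code, and why any protection of the data itself has to come from a higher mechanism such as IPSec.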
A new version of IP was developed as a standard by the IETF (the Internet Engineering Task Force), known as IPv6. The IPv6 header uses fewer fields than IPv4, which lets routers process packets faster. IPv6 provides more space for the source and destination addresses, which use 16 bytes (128 bits) each. An IPv6 packet also includes zero or more extension headers, such as the hop-by-hop options header, routing header, fragment header, authentication header, encapsulating security payload header, destination options header, etc. These separate extension headers are placed between the IPv6 header and the upper-layer header in a packet. The IPv6 header is shown in Figure 4.
 0        4             12          16            24             31
 Version | Traffic class |               Flow label                |
 |         Payload Length            | Next header |  Hop limit    |
 |                    Source Address (128 bits)                    |
 |                  Destination Address (128 bits)                 |
Figure 4: IPv6 header
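The following is an added example, not code from the lecture notes: it packs the 40-byte fixed IPv6 header of Figure 4 and then follows the Next Header field through the chain of extension headers that sit between the fixed header and the upper-layer header, which is what a firewall or IPSec implementation must do to find the transport header. The addresses, the zeroed stand-in for a TCP header and the extension header contents are constructed sample values; the function names are this example's own. The extension header size rules (Fragment header fixed at 8 octets, Authentication Header length in 4-octet units, the others in 8-octet units) follow the IPv6 and IPSec RFCs.

```python
import ipaddress
import struct

# Added example (not from the lecture notes): pack the fixed IPv6 header of
# Figure 4 and walk the Next Header chain through the extension headers that
# sit between it and the upper-layer header. Addresses are constructed sample
# values from the RFC 3849 documentation prefix.

EXT_HEADERS = {          # Next Header values that denote extension headers
    0: "Hop-by-Hop Options",
    43: "Routing",
    44: "Fragment",
    50: "Encapsulating Security Payload",
    51: "Authentication Header",
    60: "Destination Options",
}


def build_ipv6_header(src, dst, payload, next_header, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Pack the 40-byte fixed header: 4-bit version, 8-bit traffic class,
    20-bit flow label, then payload length, next header, hop limit, addresses."""
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB16s16s", first_word, len(payload), next_header,
                       hop_limit, ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def build_options_ext_header(next_header):
    """8-byte Hop-by-Hop or Destination Options header: Next Header, Hdr Ext Len
    (8-octet units not counting the first 8, so 0 here) and one PadN option."""
    return struct.pack("!BBBB4s", next_header, 0, 1, 4, b"\x00" * 4)


def walk_ipv6_headers(packet: bytes) -> dict:
    """Parse the fixed header and follow Next Header until an upper-layer
    protocol (or an ESP header, beyond which the chain is encrypted)."""
    if len(packet) < 40:
        raise ValueError("packet shorter than the IPv6 fixed header")
    (first_word, payload_len, next_header, hop_limit,
     src, dst) = struct.unpack("!IHBB16s16s", packet[:40])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(packet) != 40 + payload_len:
        raise ValueError("payload length does not match packet size")
    result = {
        "version": 6,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
        "extension_chain": [],
        "upper_layer": None,       # stays None when ESP hides the rest
        "upper_layer_offset": None,
    }
    offset, nh = 40, next_header
    while nh in EXT_HEADERS:
        result["extension_chain"].append(nh)
        if nh == 50:               # ESP: everything after it is ciphertext
            return result
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        ext_next, ext_len = packet[offset], packet[offset + 1]
        if nh == 44:               # Fragment header is always 8 octets
            size = 8
        elif nh == 51:             # AH length is in 4-octet units, minus 2
            size = (ext_len + 2) * 4
        else:                      # other headers: 8-octet units, minus 1
            size = (ext_len + 1) * 8
        offset, nh = offset + size, ext_next
    result["upper_layer"], result["upper_layer_offset"] = nh, offset
    return result


# Constructed samples. First: Hop-by-Hop -> Destination Options -> TCP (a zeroed
# 20-byte stand-in for a TCP header). Second: Hop-by-Hop -> ESP.
TCP_STUB = b"\x00" * 20
PAYLOAD_TCP = build_options_ext_header(60) + build_options_ext_header(6) + TCP_STUB
SAMPLE_IPV6 = build_ipv6_header("2001:db8::1", "2001:db8::2", PAYLOAD_TCP, 0) + PAYLOAD_TCP
PAYLOAD_ESP = build_options_ext_header(50) + b"\x00" * 16
SAMPLE_IPV6_ESP = build_ipv6_header("2001:db8::1", "2001:db8::2", PAYLOAD_ESP, 0) + PAYLOAD_ESP

if __name__ == "__main__":
    print(walk_ipv6_headers(SAMPLE_IPV6))
    print(walk_ipv6_headers(SAMPLE_IPV6_ESP))
```

The second sample shows the point that matters for IP-level security: once an Encapsulating Security Payload header appears in the chain, nothing after it (including which transport protocol is inside) is visible to an intermediate node, so a filtering device that needs to see ports must either sit at the IPSec endpoint or be given the keys. Note also that the walker checks the Payload Length field against the real packet size and stops on a truncated extension header rather than reading past the end of the buffer.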
IPv6 is still under development. IP-level security encompasses three functional areas: authentication, confidentiality and key management.