IPSec Types & Properties

2 Protocols → Authentication Header (AH)

Original packet:
|IP header | Payload | TCP header | 
|seq# | from_to-idx |
|auth_data |

Authentication Header (AH)

IPSec Services	AH	ESP	ESP w/auth
Access control	✓	✓	✓
Integrity	✓		✓
Data origin auth	✓		✓
Replay protection	✓	✓	✓
Confidentiality		✓	✓

→ Provides data integrity (with MAC) and auth. of IP pkts. → Parties share secret key created by IKE → prevents modification, spoofing, replay attacks.

Encapsulating Security Payload (ESP)

|SPI |
|Seq # |
|Init. val |
|Payload data |
|TRL PAD |
|CV |

→ Provides msg confidentiality (but not traffic flow confidentiality), can provide auth. services (opt.) → Supports AES, 3DES, CBC is most common.

2 Modes → Transport Mode

→ Provides security for upper-layer protocols (Network, Transport, Application)

|IP header | IPSec header | TCP header | Payload |
                encrypted

→ TCP or UDP headers, ICMP pkt are protected for potential eavesdropping → Used for VPNs?

→ Tunnel Mode

|New IP header | IPSec header | IP header | TCP header | Payload |
                         encrypted

→ Provides security for entire IP packet (entire pkt is payload of new outer IP pkt with new header) → No routers can examine/unpack pkt contents including inner IP pkt

Comparison Table

	Transport Mode	Tunnel Mode
Auth. Header (authentication + date integrity)	→ Authenticates IP payload (upper layer protocol data), immutable/predictable headers - source address, dest. address, fields, entire packet. → Uses MAC over immutable fields (except auth data) and mutable fields (which are zero’d). → AH is inserted after the og. IP header, before the IP Payload. [IP header\|AH \|Payload]	→ Authenticates entire inner IP pkt (IP header + IP Payload) - covers entire original pkt. → Uses MAC over og pkt, authenticates except auth data and mutable fields in new IP header. → AH is inserted btwn the og IP header and a new outer IP header. [New IP hdr\|AH\|orig hdr\|Payload]
Encapsulating Security Payload (ESP) (→ encryption → confidentiality) (→ opt. authentication)	→ Encrypts IP payload after ESP header - provided directly btwn 2 hosts (end-to-end) traffic. → For host-to-host (end-to-end) traffic [Og. IP header\|ESP header\|TCP\|Data\|ESP trail\|ESP auth] (encrypted → authenticated)	→ Encrypts entire inner IP pkt. → Add new/outer IP header & intermediate outer protection. → Good for VPNs - gateway-to-gateway security - hides int. net. or abnormal, less keys needed - no traffic information (encrypted) [IP hdr\|ESP(orig hdr\|TCP\|Data\|ESP trail\|ESP auth)] (Authenticates inner IP pkt)

Authenticates IP payload - but not IP header

Authenticates inner IP pkt