IP packets, the basic units of internet data communication, consist of two parts: the user data (payload), such as speech, text, or images, and the header, which carries, among other things, the addresses of the sender and the recipient. The problem with these packets, as they pass through one router after another on their way to the recipient, is that the Internet Protocol itself has no encryption or authentication mechanism. Data travels in the clear from router to router, and any hop on the path can read or tamper with it. The three protection goals that matter here – confidentiality, authenticity, and integrity – are therefore not guaranteed by IP alone.

For this reason the protocol suite Internet Protocol Security, or IPsec for short, was developed as an extension that adds cryptographic protection to the Internet Protocol. Together, the two protect packets in transit over open networks, which is why IPsec is an important building block for many virtual private network (VPN) connections.

What is IPsec?

IPsec is a protocol suite whose architecture is standardised by the Internet Engineering Task Force (IETF), the organisation responsible for the technical standards of the internet; the current architecture document is RFC 4301. IPsec was originally developed for the newer version of the Internet Protocol (IPv6) and was retrofitted to IPv4. It can be divided into the following three function groups:

  • Security protocols: Authentication Header (AH, IP protocol 51), Encapsulating Security Payload (ESP, IP protocol 50)
  • Key management: Internet Security Association and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE)
  • Databases: Security Association Database (SAD), Security Policy Database (SPD)

Through the two security protocols, AH and ESP, IPsec guarantees the authenticity and integrity of the data it carries: the recipient can verify that a packet really comes from the claimed sender and that its content was not altered in transit. AH provides data origin authentication and integrity protection for the whole packet, including the fields of the IP header that do not change in transit, but it provides no encryption. In addition, AH carries a monotonically increasing sequence number which, checked against a receive window at the recipient, protects against replay of previously captured packets.

ESP additionally encrypts the payload, so it provides confidentiality alongside origin authentication and integrity protection (the latter two are technically optional in ESP, but encryption without authentication is not secure and is not used in practice). ESP authentication differs from that of AH in that it does not cover the outer IP header. Precisely because of this, ESP can be carried across networks with address translation (NAT), as typically used on private DSL connections: a NAT device rewrites the outer addresses without invalidating the integrity check, and with an additional UDP encapsulation (NAT traversal, RFC 3948) the ESP packets also pass NAT devices that cannot forward IP protocol 50. AH, by contrast, cannot traverse NAT, because the rewritten address breaks its integrity check. Negotiating the keys for AH and ESP is the job of IKE. It authenticates the two peers, negotiates the security associations (algorithms, keys, lifetimes) between sender and recipient, uses a Diffie-Hellman exchange so that the session keys themselves are never sent over the wire, and in its first version (IKEv1) does all this within the message framework defined by ISAKMP. Its successor IKEv2 (RFC 7296) simplifies and replaces the IKEv1/ISAKMP combination and is what current deployments use.

The information needed to process a packet with IPsec is held in two local databases, the SPD and the SAD. An entry in the security policy database (SPD) consists of traffic selectors (addresses, protocol, ports) together with a verdict: pass the traffic without IPsec, discard it, or protect it, and in the last case which protocol (AH, ESP, or both), which mode, and which peer are required. The security association database (SAD) holds the concrete security associations that IKE has negotiated: the SPI that identifies the association in every AH or ESP packet, the peer address, the algorithms, keys, sequence-number state, and lifetimes. A security association is unidirectional, so a two-way connection needs a pair of them, and the keys are symmetric: for a given direction the sender's encryption key and the receiver's decryption key are the same key, which both sides obtained from the IKE exchange.
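The following Go program is an added example, not code from the original article, that makes the two paragraphs above concrete: an ordered SPD with selectors and verdicts, a SAD keyed by (SPI, destination, protocol), and the receiver's anti-replay window that consumes the AH/ESP sequence number. The policy set, addresses, and SPI are constructed for illustration; the window logic follows RFC 4303 with a 64-packet window.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Action is the SPD verdict for a packet (RFC 4301).
type Action int

const (
	Bypass  Action = iota // forward without IPsec
	Discard               // drop silently
	Protect               // apply AH or ESP using a matching SA
)

// Policy is one SPD entry; real selectors also carry port ranges and the mode.
type Policy struct {
	Src, Dst netip.Prefix
	Proto    uint8 // 0 = any IP protocol
	Action   Action
	IPsec    uint8 // 50 = ESP, 51 = AH; meaningful for Protect only
}

// SPD is ordered: the first match wins, so a final catch-all Discard entry
// makes the gateway deny by default.
type SPD []Policy

func (spd SPD) Lookup(src, dst netip.Addr, proto uint8) (Policy, bool) {
	for _, p := range spd {
		if p.Src.Contains(src) && p.Dst.Contains(dst) && (p.Proto == 0 || p.Proto == proto) {
			return p, true
		}
	}
	return Policy{}, false
}

// SA is one SAD entry. Inbound SAs are selected by (SPI, destination, protocol)
// read from the packet. The key is symmetric: the peer holds the same key in its
// outbound SA for this direction, and a separate SA covers the reverse direction.
type SA struct {
	SPI      uint32
	Dst      netip.Addr
	Protocol uint8
	Key      []byte
	lastSeq  uint32 // highest sequence number accepted so far
	window   uint64 // bit i set: sequence number lastSeq-i was accepted
}

// CheckReplay is the RFC 4303 64-packet sliding window. Call it only after the
// ICV has verified, or forged packets could advance the window past genuine ones.
func (sa *SA) CheckReplay(seq uint32) error {
	if seq == 0 {
		return fmt.Errorf("sequence number 0 is never valid")
	}
	if seq > sa.lastSeq { // newer than anything seen: slide the window forward
		if shift := seq - sa.lastSeq; shift >= 64 {
			sa.window = 1
		} else {
			sa.window = sa.window<<shift | 1
		}
		sa.lastSeq = seq
		return nil
	}
	diff := sa.lastSeq - seq
	if diff >= 64 {
		return fmt.Errorf("seq %d is older than the window", seq)
	}
	if sa.window&(1<<diff) != 0 {
		return fmt.Errorf("seq %d was already accepted (replay)", seq)
	}
	sa.window |= 1 << diff
	return nil
}

// SAD indexes inbound SAs by the triple carried in every AH/ESP packet.
type SAD map[string]*SA

func (sad SAD) Add(sa *SA) { sad[fmt.Sprint(sa.SPI, sa.Dst, sa.Protocol)] = sa }

func (sad SAD) Get(spi uint32, dst netip.Addr, proto uint8) *SA {
	return sad[fmt.Sprint(spi, dst, proto)]
}

func addr(s string) netip.Addr { return netip.MustParseAddr(s) }

// SampleSPD is a constructed policy for a gateway in front of 10.0.1.0/24: ESP
// to the 10.0.2.0/24 site, local traffic untouched, everything else dropped.
func SampleSPD() SPD {
	p := netip.MustParsePrefix
	return SPD{
		{Src: p("10.0.1.0/24"), Dst: p("10.0.2.0/24"), Action: Protect, IPsec: 50},
		{Src: p("10.0.1.0/24"), Dst: p("10.0.1.0/24"), Action: Bypass},
		{Src: p("0.0.0.0/0"), Dst: p("0.0.0.0/0"), Action: Discard},
	}
}

func main() {
	pol, _ := SampleSPD().Lookup(addr("10.0.1.5"), addr("10.0.2.7"), 6)
	fmt.Println("10.0.1.5 -> 10.0.2.7: action", pol.Action, "ipsec protocol", pol.IPsec)
	sad := SAD{}
	sad.Add(&SA{SPI: 0x1001, Dst: addr("203.0.113.1"), Protocol: 50})
	in := sad.Get(0x1001, addr("203.0.113.1"), 50)
	for _, seq := range []uint32{1, 2, 3, 2, 100, 40, 36, 37} {
		fmt.Printf("seq %3d: %v\n", seq, in.CheckReplay(seq))
	}
}
```

The sequence numbers in `main` show the three outcomes a receiver distinguishes: a jump ahead (100) slides the window, an older number still inside the window (40, 37) is accepted once, a repeat (2, second 37) is a replay, and anything below the window (36) is dropped without further processing.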

The two IPsec modes: tunnel vs transport

IPsec can protect a connection in two modes: transport mode, in which the two end hosts are themselves the IPsec endpoints, and tunnel mode, in which a gateway protects traffic on behalf of a whole IP network.

Transport mode

In transport mode the AH or ESP header is inserted between the original IP header, which remains in place, and the payload, for example the TCP or UDP segment. Protection is applied by the sending host and removed only by the receiving host, which releases the original payload to the application. The cryptographic endpoints and the communication endpoints are therefore identical. Transport mode has the lowest processing overhead, but it protects only the payload: the source and destination addresses stay visible to every router on the path, and with ESP they are not even integrity-protected. In practice this mode is used for host-to-host or host-to-router connections, e.g. for network management.

Tunnel mode

In tunnel mode the entire original packet, including its IP header with the real source and destination addresses, becomes the payload and is placed behind a completely new outer IP header; the AH or ESP header sits between the two, just as in transport mode. The original packet is thus encapsulated as a whole. The new outer header carries the addresses of the cryptographic endpoints, which are not the same as the communication endpoints recorded in the inner header. Only when the packet reaches this cryptographic endpoint, typically a security gateway, is it decrypted, checked, and forwarded to the intended recipient on the internal network. Tunnel mode is usually used gateway-to-gateway (site-to-site VPN); host-to-gateway (remote access) and host-to-host tunnels are also possible.
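The Go program below is an added example, not code from the original article, that builds the ESP packet for both modes described above with AES-256-GCM (RFC 4106), opens it again, and demonstrates the point made in the ESP section that the outer IP header lies outside ESP's integrity check: altering the outer destination is not detected by the cryptography, altering the ciphertext is. The sample packet, gateway addresses, key, and salt are constructed for this demonstration; AH, IKE, and the receiver's SAD lookup and replay window are out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// SA is one ESP SA with a constructed 32-byte AES-256-GCM key and the 4-byte salt
// that RFC 4106 prepends to the 8-byte IV. Seq is the outbound counter only.
type SA struct {
	SPI, Seq uint32
	Key      []byte
	Salt     [4]byte
}

// ipv4Header builds a minimal 20-byte IPv4 header with a valid checksum.
func ipv4Header(src, dst []byte, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0], h[8], h[9] = 0x45, 64, proto // IHL 5, TTL 64
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	copy(h[12:], src)
	copy(h[16:], dst)
	var sum uint32
	for i := 0; i < 20; i += 2 {
		sum += uint32(binary.BigEndian.Uint16(h[i:]))
	}
	sum = sum&0xffff + sum>>16
	binary.BigEndian.PutUint16(h[10:], ^uint16(sum&0xffff+sum>>16))
	return h
}

func (sa *SA) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(sa.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// espEncap builds the on-wire packet. Transport mode keeps the original IP header
// (protocol 50 = ESP) and encrypts only what follows it; tunnel mode encrypts the
// whole original packet behind a new header carrying the gateway addresses.
// Layout: IP | SPI | Seq | IV | ciphertext(payload, padding, pad len, next hdr) | ICV.
// GCM authenticates SPI, Seq and the ciphertext; the outer IP header is not covered.
func espEncap(sa *SA, pkt []byte, tunnel bool, gwSrc, gwDst []byte) ([]byte, error) {
	gcm, err := sa.aead()
	if err != nil || len(pkt) < 20 {
		return nil, errors.New("bad key or truncated packet")
	}
	src, dst, payload, next := pkt[12:16], pkt[16:20], pkt[20:], pkt[9]
	if tunnel {
		src, dst, payload, next = gwSrc, gwDst, pkt, 4 // next header 4 = IPv4
	}
	sa.Seq++
	hdr := make([]byte, 16)
	binary.BigEndian.PutUint32(hdr, sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:], sa.Seq)
	binary.BigEndian.PutUint64(hdr[8:], uint64(sa.Seq)) // IV as counter: never reused under one key
	pad := (4 - (len(payload)+2)%4) % 4                   // trailer must end on a 4-byte boundary
	pt := append(append(append([]byte{}, payload...), make([]byte, pad)...), byte(pad), next)
	body := gcm.Seal(nil, append(append([]byte{}, sa.Salt[:]...), hdr[8:]...), pt, hdr[:8])
	return append(append(ipv4Header(src, dst, 50, 16+len(body)), hdr...), body...), nil
}

// espDecap opens an ESP packet and returns the inner payload and next header (the
// transport protocol in transport mode, 4 for an IPv4 packet in tunnel mode). The
// cryptography checks nothing in the outer header, which is why a real stack selects
// the SA by (SPI, destination, protocol) and matches the result against the SPD.
func espDecap(sa *SA, wire []byte) ([]byte, byte, error) {
	gcm, err := sa.aead()
	if err != nil || len(wire) < 38+gcm.Overhead() || wire[9] != 50 {
		return nil, 0, errors.New("bad key or not a well-formed ESP packet")
	}
	pt, err := gcm.Open(nil, append(append([]byte{}, sa.Salt[:]...), wire[28:36]...), wire[36:], wire[20:28])
	if err != nil {
		return nil, 0, err // ICV mismatch: ESP header or ciphertext was altered
	}
	pad, next := int(pt[len(pt)-2]), pt[len(pt)-1]
	if pad+2 > len(pt) {
		return nil, 0, errors.New("bad pad length")
	}
	return pt[:len(pt)-2-pad], next, nil
}

// samplePacket is a constructed UDP packet from host 10.0.1.5 to 10.0.2.7.
func samplePacket() []byte {
	body := []byte("hello over ipsec")
	return append(ipv4Header([]byte{10, 0, 1, 5}, []byte{10, 0, 2, 7}, 17, len(body)), body...)
}

// sampleSA uses a fixed, constructed key: demonstration only, never a real SA.
func sampleSA() *SA {
	return &SA{SPI: 0x1001, Key: []byte("0123456789abcdef0123456789abcdef"), Salt: [4]byte{1, 2, 3, 4}}
}

func main() {
	sa, pkt := sampleSA(), samplePacket()
	wire, _ := espEncap(sa, pkt, true, []byte{203, 0, 113, 1}, []byte{198, 51, 100, 1})
	wire[19] ^= 1 // alter the outer destination: the ESP ICV does not notice
	_, next, err := espDecap(sa, wire)
	fmt.Printf("tunnel mode after outer-header change: outer %v -> %v next=%d err=%v\n", wire[12:16], wire[16:20], next, err)
}
```

Two points a practitioner should take from this: the IV is a counter derived from the sequence number because a repeated nonce under one AES-GCM key breaks both confidentiality and integrity, and `espDecap` deliberately trusts nothing in the outer header, so in a real implementation the SAD lookup, the replay window, and the SPD check of the decapsulated packet are what stop a packet that was redirected or spliced by an on-path attacker.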

IPsec: strengths and weak­nesses

For VPNs, the most common application of the protocol suite, IPsec has a decisive advantage over application-layer alternatives such as SSL/TLS: it works at the network layer, independently of any application. Once the connection exists, different kinds of traffic, such as e-mail, file transfer, or IP telephony, can be sent through it without program-specific tools, which often makes it the most economical option for site-to-site links. For remote access, on the other hand, IPsec requires client software that must be installed, configured, and maintained on each device individually. Application independence also cuts both ways: a connected client, or an attacker who has compromised one, can reach every service behind the gateway, so access through the tunnel must be restricted by firewall rules or SPD policy rather than granted to the whole network.

What is not in doubt is the performance and reliability of IPsec: if a gateway fails, another node in a cluster can take over its tunnels, while thousands of users are served with packets simultaneously. Thanks to its strong security properties, IPsec is regarded as a good choice for sensitive data and for internal company traffic where anonymous users are not permitted.
