Professional Documents
Culture Documents
Introduction..........................................................................................................................2
1. IPSec and Implementation of Security............................................................................3
2. IPSec’s Robustness and Scalability.................................................................................7
3. Limitations of IPSec........................................................................................................8
4. Best Practices of IPSec Configuration and Management................................................9
Conclusion.........................................................................................................................10
Bibliography .....................................................................................................................12
Introduction
Today, the communication between networks, that are being established, have a
strong need of good security mechanisms in order to ensure the security, integrity,
confidentiality and authenticity between two hosts or two networks. The most common
services of IPSec implementation are VPN (virtual private networking) services that can
be used over existing networks e.g. internet, can provide the secure transfer of sensitive
The reality that the Internet is deficient in security is still undeniable. So to solve
this issue researchers are trying to increase the network security at each layer by
designing a range of security protocols. The designed protocols include PGP, S/MIME,
SET which are specifically designed to secure the application layer; SSL/TLS are
designed to work on the transport layer. In this race, IPSec is also a security standard
proposed by the IETF, that concerns with the security on the network layer, processes
data packages on the IP packet layer, makes available security services such as access
control, data source authentication, integrity, data confidentiality etc. (Liangbin Zheng,
(Internet Protocol) level that exists o network layer. This necessitates a higher-level
management protocol, Internet Key Exchange (IKE), to establish security association (the
context and parameters) for choosing cryptographic keys and performing mutual
authentications, making safe data transfer, possible. The data transfer through IPSec uses
one or both of two other protocols. First is, Authentication Header (AH) that provides
Payload (ESP), that provides data confidentiality and authentication. (Heng Yin, Haining
Wang, 2007)
Structure of the report is as follows: 1st section describes the IPSec standard and
implementation of security in the network using IPSec. 2nd section elaborates the
robustness and scalability of IPSec standard with respect to other standards. 3 rd section
describes some of the limitations of IPSec implementation. 4th section highlights some
best practices that have been observed as accelerating network communication and
providing a better security against attacks. And the last section summarizes the
conclusions.
low level mechanism for secure communication between two hosts or networks for use
protocol being used on the Internet and on other private networks such as LANs or
intranets. It was mainly designed for the new IPv6 standard but can optional be used with
protocols to implement the security in network layer. These protocols include: two
and data, but it is not designed to encrypt them as compared to ESP (discussed below)
which can provide encryption and integrity protection for packets but as compared to AH,
ESP cannot make the outermost IP header, secure, as AH can. Though, this protection is
The frequency of the usage of ESP is much more than AH because it facilitates
more encryption capabilities, as well as other operational advantages over AH. For a
VPN, which requires confidential communications, ESP is the natural choice. ESP also
ESP does not provide security for IP packet header. Though, in Tunnel Mode, where the
entire original IP packet is encapsulated with a new packet header added, ESP supports
the protection of the whole inner IP packet which also includes the inner header, at the
authenticate the endpoints to each other and also specifying the security parameters of
IPSec-protected connections. It is used for setting up the encryption keys and managing,
packet payloads before encrypting them. This protocol will increase the overall
packet payloads.
IPSec works in two modes, with each mode providing its own functionality.
These modes are tunnels mode and transport mode (Sheila Frankel et al., 2005, Ralf
Tunnel mode
When working in tunnel mode, security gateways are needed to provide support
for tunnel mode connections. Client machines can use the tunnels provided by the
gateways for routing purpose. The client machines do not require any IPSec processing,
they just have to perform their usual tasks such as routing things to gateways.
Transport mode
To work in transport mode using IPSec implementation Host machines (as
opposed to security gateways) must also support transport mode. In this mode, the host
performs its own IPSec processing and routes some packets by means of IPSec.
works as the basis for IPSec, which determines the security parameters that will be used
Security Associations are materialized in pairs, one in each of the communication peers.
These associations are determined after the negotiation between the communicating hosts
Database (SPD). Every network interface that is secured by IPSec, possesses a pair of
Security Policy Database and Security Association Database, which cooperates with
processing inbound and outbound IP packets. One Security Association Database entry is
equivalent to a Security Association, whereas, one entry in the Security Policy Database
depicts a security policy. When data is sent to the destination host, the corresponding
policy in Security Policy Database is retrieved, if the recorded action is to “apply” the
data transfer (as specified in the security policy), then corresponding Security
Associations are retrieved according to the Security Association pointer. In case, if the
Security Association does not exist in the Security Association Data base, then a new
Security Association is created and stored into the database. Once Security Association
has been retrieved from the database, the data packets are processed with the security
Then the processed data packets are sent to the IP of destination host. The receiver side
discovers the Security Association according to the Security Parameter index parameter
in the datagram, and verifies if retransmission of data is required. Otherwise, the data is
decrypted and authenticated with the protocol specified in the Security Association.
According to (Ole Martin Dahl, 2004), IPSec is really a robust and scalable
standard for providing network security. it is basically designed for IPv6 but also scalable
with IPv4. IPSec offers security directly on the IP network layer and secure everything
that is put on top of the IP network layer. IPSec protocol has also been established as an
Internet standard for quite some time and has been confirmed to be a safe and trusted
networks. IPSec also allows us for the use of nested tunnels i.e. if a user must move
across two or more secure gateways the tunnels can be double encrypted.
IPSec, that make this protocol more robust as compared to other security standards. IPSec
allows for transparency as One of IPSec’s noticeable strong points lies in the integration
of encryption and authentication methods with robust and full-featured key exchange
facilitates no security against many forms of attack. Tunneling for an organization may
not be just concerned with securing external routers from dealing with internal addresses.
It may also be adopted for hiding those addresses from attackers beyond the firewall.
Now days, because of many powerful attacker tools, security mechanisms that perform
no authentication of the source and destination of every IP packet may provide worst
results than no authentication at all. IPSec real strength lies in the fact the as compared to
provide the organizations with a secure route between private networks, or into a network
from a trusted host, while traveling right through a public network such as internet. IPSec
is a scalable security standard and also promises for interoperability i.e. its spans all the
3. Limitations of IPSec
Despite of IPSec’s strengths over other security standards, it also has some
limitations that may degrade the performance of network, implementing the IPSec
standard. (HP Networking, 2001) define some limitations that, specifically, IPSec/9000-
• When an IPSec/9000 system stops working and the system had already created
Accusations with peer IPSec systems, the peers will not be capable of using any
existing ISAKMP and IPSec Security Accusations to start communication with
peers, the peer system can not initiate any communication with the restarted
system which is using same IPSec Security Associations. But existing Security
In addition, IPSec security standard have some limitations in general. These are:
• IPSec is not able to provide the same end-to-end security for the systems that are
between two machines, but it is not applicable for higher level security such as
• IPSec does not provide support for the stoppage of Denial of Service attacks.
• IPSec does not provide protection against analyzing the unencrypted headers of
encrypted packets such as source and destination’s gateway addresses and packet
size etc. This information can be acquired by attackers with some intelligent tools.
within and between the networks. Researchers have put great efforts to use this standard
in the most efficient manner to make the communications more secure and safe.
(Yunhe Zhang et al., 2009) have proposed a strategy to configure the IPSec
standard for achieving best communication performance. Their strategy is based on IPSec
Thumbnail Protocol (ITP) to speed up IPSec communication. According to them,
packet and constructing ITP Thumbnail packet to transfer. They have also shown the
platform and have evaluated it in the test environment. The experimental results have
(Liangbin Zheng et al., 2009) have proposed to use a dynamic pre-shared key
generation mechanism that may keep the system away from the harm due to the crack of
the pre-shared key in IKE protocol . The new practice involves the method that generates
the pre-shared key dynamically before deciding the security associations. So the new pre-
shared key will be generated every time when the security association is created.
Generating the pre-shared key dynamically before the security association creation,
allows for two way authentication. If the authentication through the shared key is not
Standard in this way can effectively defend against the DoS attacks.
Conclusion
This report presents a brief introduction of a security standard, called, IPSec and its
capabilities in ensuring the secure communication in the network. IPSec basically uses a
Payload (ESP), Internet key exchange (IKE) and IP Payload Compression Protocol
(IPComp), which is used optionally. Each protocol plays its part in improving the
associations which are stored in security association database and are retrieved according
to the actions specified in the security policies that are stored in security policy database.
Though IPSec provides a better, scalable and robust mechanism for ensuring the security
can not resist DoS attacks. However, there are some strategies that have been proposed
and are being followed to improve the effectiveness of IPSec standard. These practices
Heng Yin, Haining Wang, 2007. Building an Application- Aware IPSec Policy System,
IEEE/ ACM Transactions on Networking, volume 15.
Yunhe Zhang, Zhitang Li, Song Mei, Ling Xiao, Meizhen Wang, 2009. A new Approach
for Accelerating IPSec Communication, in the proceedings of International Conference
on Multimedia Information Networking and Security, pp. 482-485.
William Stallings, 1995, Network and Internet Security: Principles and Practice, IEEE
Computer Press, ISBN 0-02-425483-0.
Sheila Frankel, Karen Kent, Ryan Lewkowski, Angela D. Orebaugh, Ronald W. Ritchey,
Steven R. Sharma, 2005. Guide to IPSec VPNs [online] available at:
csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf [accessed: 9th November 2010]
Ole Martin Dahl, 2004. Limitations and Differences of using IPSec, TLS/SSL or SSH as
VPN- Solution [online] available at: olemartin.com/projects/VPNsolutions.pdf [accessed:
9th November 2010]
GTE Internetworking, 1999. IPSec VPNs with Digital Certificates: The Most Secure and
Scalable Approach to Implementing VPNs [online] available at:
www.firstnetsecurity.com/library/gte/GTE%202.pdf [accessed: 10th November 2010]