Lecture 10 - Security at The Network Layer

The document discusses network layer security using IPSec, including its two modes of operation, the AH and ESP security protocols, security associations, and VPN applications. IPSec provides authentication, confidentiality, and key management for IP packets. Transport mode protects payloads while tunnel mode protects entire packets. AH provides authentication and integrity while ESP adds confidentiality. Security associations define security parameters for packet flows. VPNs use IPSec in tunnel mode to securely send private network traffic over the public internet.

Uploaded by

monaabdelaziz963

DM 426 Computers and Information Security
Fall 2023/2024
Lecture # 10: Security at the Network Layer
OBJECTIVES:

❑ To introduce the idea of Internet security at the network layer and the IPSec protocol that implements that idea in two modes: transport and tunnel.
❑ To discuss the two protocols in IPSec, AH and ESP, and explain the security services each provides.
❑ To introduce the security association and its implementation in IPSec.
❑ To introduce virtual private networks (VPNs) as an application of IPSec in tunnel mode.

NETWORK LAYER SECURITY

IP Security (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level. IPSec helps create authenticated and confidential packets for the IP layer.

Topics Discussed in the Lecture

✓ Two Modes
✓ Two Security Protocols
✓ Services Provided by IPSec
✓ Security Association
✓ Internet Key Exchange (IKE)
✓ Virtual Private Network (VPN)

IPSec
• general IP security mechanisms
• provides
  • authentication
  • confidentiality
  • key management
• applicable over LANs, across public and private WANs, and for the Internet
IPSec Uses
Benefits of IPSec
• in a firewall/router, provides strong security to all traffic crossing the perimeter
• in a firewall/router, is resistant to bypass
• is below the transport layer, hence transparent to applications
• can be transparent to end users
• can provide security for individual users
• secures the routing architecture
IPSec
• provides datagram-level encryption, authentication, integrity
• for both user traffic and control traffic (e.g., BGP, DNS messages)
• two “modes”:
  • transport mode: only the datagram payload is encrypted and authenticated
  • tunnel mode: the entire datagram is encrypted and authenticated; the encrypted datagram is encapsulated in a new datagram with a new IP header and tunneled to the destination
IPSec in transport mode

Transport mode provides protection primarily for upper-layer protocol payloads, by inserting the AH after the original IP header and before the IP payload. Typically, transport mode is used for end-to-end communication between two hosts.
Note

IPSec in transport mode does not protect the IP header; it only protects the information coming from the transport layer.

Transport mode in action

IPSec Tunnel Mode

• Tunnel mode provides protection to the entire IP packet. After the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new “outer” IP packet with a new outer IP header.
• Tunnel mode is used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPSec.
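The following is an added example, not code from the lecture, that makes the difference between the two modes concrete: it builds a small IPv4 packet, wraps its payload in ESP framing in transport mode, wraps the whole packet in tunnel mode between two gateways, and shows what an observer on the path can read from the outer header in each case. The host and gateway addresses, the SPI and the simplified ESP framing are constructed for illustration; encryption and the ICV are left out so that the header placement stays visible.

```python
"""Added example, not from the lecture: ESP header placement in transport
mode versus tunnel mode.  Addresses, SPI and the simplified ESP framing are
constructed for illustration; encryption and the ICV are omitted."""
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
IPPROTO_TCP = 6
IPPROTO_IPIP = 4           # "IP-in-IP": the ESP next-header value used by tunnel mode
IPPROTO_ESP = 50           # protocol number that announces an ESP header


def build_ipv4(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header; the header checksum is left zero for brevity."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt):
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IP_FMT, pkt[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "total_len": total_len}


def esp_wrap(inner, next_header, spi, seq):
    """ESP framing: SPI | seq | payload | padding | pad length | next header.
    Padding aligns the trailer to 4 bytes as ESP requires."""
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_header])


def esp_unwrap(esp):
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_header = esp[-2], esp[-1]
    return spi, seq, next_header, esp[8:len(esp) - 2 - pad_len]


def transport_mode(original, spi, seq):
    """Keep the original IP header; only the upper-layer payload goes inside ESP."""
    hdr, payload = parse_ipv4(original), original[20:]
    esp = esp_wrap(payload, hdr["proto"], spi, seq)
    return build_ipv4(hdr["src"], hdr["dst"], IPPROTO_ESP, len(esp), hdr["ttl"]) + esp


def tunnel_mode(original, gw_src, gw_dst, spi, seq):
    """The whole original packet, header included, goes inside ESP; a new
    outer header addressed between the two gateways is prepended."""
    esp = esp_wrap(original, IPPROTO_IPIP, spi, seq)
    return build_ipv4(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


def decapsulate(pkt):
    """Receiver side for both modes: recover the original packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    _spi, _seq, next_header, inner = esp_unwrap(pkt[20:])
    if next_header == IPPROTO_IPIP:            # tunnel mode: inner is a full IP packet
        return inner
    # transport mode: restore the original protocol number in the kept header
    return build_ipv4(outer["src"], outer["dst"], next_header, len(inner), outer["ttl"]) + inner


def visible_endpoints(pkt):
    """What a router or sniffer on the public path learns from the outer header."""
    outer = parse_ipv4(pkt)
    return outer["src"], outer["dst"]


if __name__ == "__main__":
    payload = b"GET / HTTP/1.0\r\n\r\n"                       # constructed sample payload
    orig = build_ipv4("10.0.0.100", "10.0.1.200", IPPROTO_TCP, len(payload)) + payload
    print("transport:", visible_endpoints(transport_mode(orig, 0x1234, 1)))
    print("tunnel:   ", visible_endpoints(tunnel_mode(orig, "203.0.113.1", "198.51.100.1", 0x1234, 1)))
```

In transport mode the observer still sees the two end hosts (10.0.0.100 and 10.0.1.200) because the original header is kept; in tunnel mode only the gateway addresses are visible, which is exactly what the VPN use case later in the lecture relies on.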
IPSec in tunnel mode

Tunnel mode in action

Note

IPSec in tunnel mode protects the original IP header.

Transport mode versus tunnel mode

Authentication Header (AH) protocol

Note

The AH protocol provides source authentication and data integrity, but not privacy.

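As an added example (not from the lecture), the block below computes and checks an AH integrity check value (ICV) in transport mode. It shows the three properties the note states: a changed source address or payload is detected (source authentication and integrity), a TTL decrement by a router is tolerated because AH treats mutable header fields as zero, and the payload stays readable (no privacy). The key, addresses and payload are constructed; HMAC-SHA-256 truncated to 128 bits (RFC 4868) is used as one of the ICV algorithms AH can negotiate.

```python
"""Added example, not from the lecture: AH ICV computation and verification.
Key, addresses and payload are constructed for illustration."""
import hashlib
import hmac
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
IPPROTO_AH = 51
AH_LEN = 12 + 16           # fixed AH fields + 128-bit truncated HMAC-SHA-256 ICV


def build_ipv4(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header; checksum left zero (AH zeroes it for the ICV anyway)."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(ip_header):
    """RFC 4302: fields routers legitimately change in transit (TOS, flags and
    fragment offset, TTL, header checksum) count as zero when the ICV is computed."""
    f = list(struct.unpack(IP_FMT, ip_header[:20]))
    f[1] = 0   # TOS / DSCP
    f[4] = 0   # flags + fragment offset
    f[5] = 0   # TTL
    f[7] = 0   # header checksum
    return struct.pack(IP_FMT, *f)


def _icv(key, ip_header, ah_fixed, payload):
    """HMAC over the immutable part of the IP header, the AH header with a
    zeroed ICV field, and the payload; truncated to 128 bits."""
    data = zero_mutable_fields(ip_header) + ah_fixed + bytes(16) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def ah_protect(original, key, spi, seq):
    """Transport-mode AH: insert the AH between the IP header and the payload."""
    f = list(struct.unpack(IP_FMT, original[:20]))
    payload = original[20:]
    next_header, f[6] = f[6], IPPROTO_AH       # AH records the original protocol
    f[2] = 20 + AH_LEN + len(payload)          # total length grows by the AH
    ip_header = struct.pack(IP_FMT, *f)
    # Next Header | Payload Len (AH length in 32-bit words minus 2) | Reserved | SPI | Seq
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_header + ah_fixed + _icv(key, ip_header, ah_fixed, payload) + payload


def ah_verify(pkt, key):
    """Receiver: recompute the ICV and compare it in constant time."""
    ip_header, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    return hmac.compare_digest(_icv(key, ip_header, ah_fixed, payload), icv)


def decrement_ttl(pkt):
    """What every router on the path does; AH must tolerate it."""
    f = list(struct.unpack(IP_FMT, pkt[:20]))
    f[5] -= 1
    return struct.pack(IP_FMT, *f) + pkt[20:]


def rewrite_source(pkt, new_src):
    """Forged source address; AH must reject it."""
    f = list(struct.unpack(IP_FMT, pkt[:20]))
    f[8] = socket.inet_aton(new_src)
    return struct.pack(IP_FMT, *f) + pkt[20:]


def tamper_payload(pkt):
    """Flip one payload bit; AH must reject it."""
    body = bytearray(pkt)
    body[-1] ^= 0x01
    return bytes(body)
```

Because the ICV covers the source address but not the TTL, the same packet verifies after any number of hops yet fails as soon as the origin or the data is altered; and since nothing is encrypted, the payload bytes are still readable in the protected packet.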
Encapsulating Security Payload (ESP)

Note

ESP provides source authentication, data integrity, and privacy.

Security Associations

• a one-way relationship between sender and receiver that affords security for a traffic flow
• defined by 3 parameters:
  • Security Parameters Index (SPI)
  • IP Destination Address
  • Security Protocol Identifier
• has a number of other parameters
  • sequence number, AH & ESP info, lifetime, etc.
• each end keeps a database of Security Associations
Simple SA

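An added example (not from the lecture) of the two things the slide names: a Security Association database keyed by the triple (SPI, destination address, security protocol), and the per-SA sequence number and lifetime the "other parameters" bullet refers to. The receiver-side anti-replay check follows the sliding-window scheme of RFC 4303 section 3.4.3. All SA values, addresses and lifetimes are constructed for illustration.

```python
"""Added example, not from the lecture: a minimal SA database with the
RFC 4303-style anti-replay window.  All values are constructed."""
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    protocol: str           # "AH" or "ESP"
    lifetime_packets: int   # simple lifetime: the SA expires after this many packets
    window_size: int = 64
    highest_seq: int = 0    # right edge of the sliding window
    window: int = 0         # bitmap: bit i set means seq (highest_seq - i) was already accepted
    packets_seen: int = 0

    def check_replay(self, seq: int) -> bool:
        """Accept seq only if it is new and not older than the window allows;
        a larger seq slides the window forward."""
        if seq == 0:                                  # RFC 4303: seq 0 is never valid
            return False
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            mask = (1 << self.window_size) - 1
            self.window = ((self.window << shift) | 1) & mask
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:                # too old: fell off the window
            return False
        if (self.window >> offset) & 1:               # already accepted: a replay
            return False
        self.window |= 1 << offset
        return True


class SADatabase:
    """Inbound SAs are found by the (SPI, destination, protocol) triple."""

    def __init__(self):
        self._sad = {}

    def add(self, sa: SecurityAssociation):
        self._sad[(sa.spi, sa.dst, sa.protocol)] = sa

    def lookup(self, spi, dst, protocol):
        return self._sad.get((spi, dst, protocol))

    def inbound(self, spi, dst, protocol, seq) -> str:
        """Decision for one received AH/ESP packet, before any ICV check."""
        sa = self.lookup(spi, dst, protocol)
        if sa is None:
            return "drop: no SA"
        if sa.packets_seen >= sa.lifetime_packets:
            return "drop: SA expired"
        if not sa.check_replay(seq):
            return "drop: replay"
        sa.packets_seen += 1
        return "accept"


if __name__ == "__main__":
    sad = SADatabase()
    sad.add(SecurityAssociation(spi=0x1001, dst="198.51.100.1", protocol="ESP", lifetime_packets=1000))
    for seq in (5, 5, 3, 100, 36, 37):                # constructed arrival order
        print(seq, "->", sad.inbound(0x1001, "198.51.100.1", "ESP", seq))
```

The SA is one-way, so a second SA with its own SPI and window is needed for the reverse direction; the replay window is what the sequence-number parameter on the slide protects, and the lifetime is why IKE must be able to replace an SA before it expires.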
Note

IKE creates SAs for IPSec.

IKE components

Virtual private network

[Figure: VPN packet headers, labelled “From R1 to R2” and “From 100 to 200”]

Instead of deploying and maintaining a private network, many institutions today create VPNs over the existing public Internet. With a VPN, the institution’s inter-office traffic is sent over the public Internet rather than over a physically independent network. But to provide confidentiality, the inter-office traffic is encrypted before it enters the public Internet.
