11 IPSec Part1

The document discusses Internet Security Protocol (IPSec), a collection of protocols designed to secure packets at the network layer, enhancing security for various client/server applications. It explains the structure of IPv4 datagrams, including header fields and their functions, and outlines two modes of IPSec operation: transport mode and tunnel mode. Additionally, it introduces two IPSec security protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), detailing their purposes and functionalities.


System and Network Security

Dr. Ashok Kumar Das

IEEE Senior Member


Web of Science (Clarivate™) Highly Cited Researcher 2022, 2023
Professor
Center for Security, Theory and Algorithmic Research
International Institute of Information Technology, Hyderabad
E-mail: ashok.das@iiit.ac.in
URL: http://www.iiit.ac.in/people/faculty/ashok-kumar-das
https://sites.google.com/view/iitkgpakdas/

Dr. Ashok Kumar Das (IIIT Hyderabad) System and Network Security 1 / 24
Internet Security Protocol (IPSec)
(Part 1)

IPSec

- IPSec is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network layer.
- The network layer in the Internet is often referred to as the Internet Protocol or IP layer.
- IPSec helps to create authenticated and confidential packets for the IP layer.

IPSec

IPSec is useful in several areas:

- It can enhance the security of those client/server programs, such as electronic mail (e-mail), that use their own security protocols.
- It can enhance the security of those client/server programs, such as HTTP, that use the security services provided at the transport layer.
- It can provide security for those client/server programs that do not use the security services provided at the transport layer.
- It can provide security for node-to-node communication programs such as routing protocols.

The Internet Protocol Version 4 (IPv4)
IPv4 is the delivery mechanism used by the TCP/IP protocols.
IPv4 is an unreliable datagram protocol - a “best-effort delivery” service, that is, it provides no error control or flow control (except for error detection on the header).
IPv4 is a connectionless protocol for a packet-switching network that uses the datagram approach.
Connectionless protocol: A connectionless protocol is a communication method that sends data packets without establishing a connection between devices. It is similar to sending an unregistered letter through the post office, where the recipient might not be notified if the letter does not arrive.
Connection-oriented protocol: A connection-oriented protocol is a communication protocol that establishes a connection between two devices before data is exchanged. This connection is maintained for the duration of the communication.

Datagram in IPv4
Packets in the IPv4 layer are called datagrams.

Figure: IPv4 datagram format (layout recovered from the slide figure)
  Datagram (20-65,536 bytes) = Header (20-60 bytes) + Data
  Header fields, row by row:
    VER (4 bits) | HLEN (4 bits) | Service (8 bits) | Total length (16 bits)
    Identification (16 bits) | Flags (3 bits) | Fragmentation offset (13 bits)
    Time to live (TTL) (8 bits) | Protocol (8 bits) | Header checksum (16 bits)
    Source IP address (32 bits)
    Destination IP address (32 bits)
    Options (in 32-bit words, 0-40 bytes)
Datagram in IPv4
A datagram is a variable-length packet consisting of two parts: 1) header and 2) data.
The header is 20 to 60 bytes in length and contains information essential to routing and delivery.
Brief description of IP header fields:
- Version (VER): Defines the version of the IP protocol. Currently the version is 4. However, version 6 (or IPng) may totally replace version 4 in the future.
- Header length (HLEN): Defines the length of the datagram header in 4-byte words. When there are NO options, the header length is 20 bytes, and the value of this field is 5 (5 × 4 = 20). When the option field is at its maximum size, the value of this field is 15 (15 × 4 = 60). Thus, 5 ≤ HLEN ≤ 15.
- Total length: This 16-bit field defines the total length (header plus data) of the IPv4 datagram in bytes. To find the length of the data coming from the upper layer, we need the following calculation:
  length of data = total length - header length, where header length = HLEN × 4. Max. datagram size = 2^16 = 65,536 bytes.
Datagram in IPv4
Brief description of IP header fields (continued...):
- Time to live (TTL): A datagram has a limited lifetime in its travel through the Internet. This 8-bit field prevents a packet from traveling in a loop. The sender sets a value that is decremented at each hop. If it reaches zero, the packet is discarded.
- Protocol: This 8-bit field defines the higher-level protocol that uses the services of the IPv4 layer.

Table: Protocol values

Value  Protocol
1      ICMP (Internet Control Message Protocol)
2      IGMP (Internet Group Management Protocol)
6      TCP (Transmission Control Protocol)
17     UDP (User Datagram Protocol)
...    ...

Datagram in IPv4

Brief description of IP header fields (continued...):

- Header checksum: This 16-bit field in the IPv4 packet covers only the header, not the data.
  The checksum is computed as follows:
  - The header is treated as a sequence of 16-bit integers.
  - The integers are all added using 1’s complement arithmetic.
  - The 1’s complement of the final sum is taken as the checksum.
  If there is any mismatch in the checksum, the datagram is discarded.
- Source IP address: This 32-bit field defines the IPv4 address of the source. This field must remain unchanged during the time the IPv4 datagram travels from the source host to the destination host.
- Destination IP address: This 32-bit field defines the IPv4 address of the destination. This field must also remain unchanged during the time the IPv4 datagram travels from the source host to the destination host.
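As an added worked example (not part of the slides), the following Python builds a 20-byte IPv4 header, computes the 1’s complement header checksum described above, and parses HLEN, total length and the data length exactly as the formulas on the previous slide state. The function names, the sample addresses and the DF flag choice are this example’s own assumptions.

```python
import struct
from ipaddress import IPv4Address

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: 16-bit one's-complement sum, then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carry bits back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Build a 20-byte header (no options) and fill in the checksum (constructed sample)."""
    ver_hlen = (4 << 4) | 5                  # VER = 4, HLEN = 5 words (20 bytes)
    flags_frag = 0x4000                      # D (do not fragment) = 1, M = 0, offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_hlen, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the fixed fields, check HLEN bounds, derive data length, verify checksum."""
    ver_hlen, _, total_length, ident, flags_frag, ttl, proto, _ = \
        struct.unpack("!BBHHHBBH", pkt[:12])
    hlen_words = ver_hlen & 0x0F
    if not 5 <= hlen_words <= 15:
        raise ValueError("HLEN out of range: %d" % hlen_words)
    header_len = hlen_words * 4              # header length in bytes (HLEN x 4)
    # A correct header, checksum field included, sums to 0xFFFF; complemented that is 0.
    checksum_ok = ipv4_checksum(pkt[:header_len]) == 0
    return {
        "version": ver_hlen >> 4,
        "header_len": header_len,
        "data_len": total_length - header_len,   # length of data = total length - header length
        "identification": ident,
        "ttl": ttl, "protocol": proto,
        "D": (flags_frag >> 14) & 1, "M": (flags_frag >> 13) & 1,
        "frag_offset": flags_frag & 0x1FFF,
        "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
        "checksum_ok": checksum_ok,
    }
```

A header whose TTL a router has decremented fails the check unless the router recomputed the checksum, which is why every hop rewrites this field.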

Datagram in IPv4
Brief description of IP header fields (continued...):
- Options: The header of the IPv4 datagram is made of two parts: a fixed part and a variable part. The fixed part is 20 bytes long. The variable part comprises the options, which can be a maximum of 40 bytes. The options are not required for a datagram. They can be used for network testing and debugging purposes.
- Identification: This 16-bit field identifies a datagram originating from the source host. The combination of the identification and source IPv4 address must uniquely define a datagram as it leaves the source host.
- Flags: This is a 3-bit field, in which the first bit is reserved, the second bit is called the “do not fragment (D)” bit, and the third bit the “more fragments (M)” bit.
  - If the D bit is 1, the machine must not fragment the datagram.
  - If the D bit is 0, the datagram can be fragmented if necessary.
  - If the M bit is 1, the datagram is NOT the last fragment; there are more fragments after this one.
  - If the M bit is 0, this is the last or only fragment.

Different Modes

Transport mode

In this mode, IPSec protects what is delivered from the transport layer to the network layer.
In other words, transport mode protects the network layer payload, the payload to be encapsulated in the network layer.
Note that the transport mode does not protect the IP header.

IPSec in transport mode

Figure: IPSec in transport mode (layout recovered from the slide figure)
  Transport layer:  transport-layer payload
  IPSec layer:      IPSec-H | payload | IPSec-T
  Network layer:    IP-H | IP payload
H: header, T: trailer

Transport mode

This mode is normally used when we need host-to-host (end-to-end) protection of data.
The sending host uses IPSec to authenticate and/or encrypt the payload delivered from the transport layer.
The receiving host uses IPSec to check the authentication and/or decrypt the IP packet and deliver it to the transport layer.

Tunnel mode

In this mode, IPSec protects the entire IP packet.
It takes an IP packet, including the header, applies IPSec security methods to the entire packet, and then adds a new IP header.

IPSec in tunnel mode

Figure: IPSec in tunnel mode (layout recovered from the slide figure)
  Network layer:  IP-H | IP payload                      (original packet)
  IPSec layer:    IPSec-H | original IP packet | IPSec-T
  Network layer:  new IP-H | new IP payload
H: header, T: trailer

Tunnel mode

The new IP header has different information than the original IP header.
Tunnel mode is normally used between two routers, between a host and a router, or between a router and a host.
In other words, tunnel mode is used when either the sender or the receiver is not a host.
The entire original packet is protected from intrusion between the sender and the receiver, as if the whole packet goes through an imaginary tunnel.

Transport mode versus Tunnel mode
In transport mode, the IPSec layer comes between the transport layer and the network layer.
In tunnel mode, the flow is from the network layer to the IPSec layer and then back to the network layer again.

Figure: layer stacks in the two modes (recovered from the slide figure)
(a) Transport mode: Application layer -> Transport layer -> IPSec layer -> Network layer
(b) Tunnel mode: Application layer -> Transport layer -> Network layer -> IPSec layer -> New network layer

Two IPSec Security Protocols

- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
The purpose of these protocols is to provide authentication and/or encryption for packets at the IP level.

Authentication Header (AH) Protocol

Authentication Header (AH) Protocol

- Designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet.
- Uses a hash function and a symmetric key to create a message digest; the digest is inserted in the authentication header.
- The AH is then placed in the appropriate location based on the mode (transport or tunnel).
- Here we discuss the AH protocol under the transport mode.

Authentication Header (AH) Protocol

Figure: AH protocol in transport mode (layout recovered from the slide figure)
  Data used in calculation of authentication data: IP header | AH | Rest of the original packet | Padding
  AH fields, row by row:
    Next header (8 bits) | Payload length (8 bits) | Reserved (16 bits)
    Security parameter index (32 bits)
    Sequence number (32 bits)
    Authentication data (digest) (variable length)

Fields for Authentication Header (AH) Protocol
- Next header: The 8-bit next header field defines the type of payload carried by the IP datagram (such as TCP, UDP or ICMP).
- Payload length: This 8-bit field does not define the length of the payload; it defines the length of the authentication header in 4-byte multiples, but it does not include the first 8 bytes.
- Sequence number: A 32-bit sequence number provides ordering information for a sequence of datagrams. The sequence numbers prevent a playback/replay attack.
  - The sequence number is not repeated even if a packet is retransmitted.
  - A sequence number does not wrap around after it reaches 2^32; a new connection must be established.
- Authentication data: The authentication data field is the result of applying a hash function to the entire IP datagram except for the fields that are changed during transit (e.g., time-to-live (TTL)).

Steps in Authentication Header (AH) Protocol

Step 1: An authentication header is added to the payload with the authentication data field set to 0.
Step 2: Padding may be added to make the total length even for a particular hashing algorithm.
Step 3: Hashing is based on the total packet. However, only those fields of the IP header that do not change during transmission are included in the calculation of the message digest (authentication data).
Step 4: The authentication data are inserted in the authentication header.
Step 5: The IP header is added after changing the value of the protocol field to 51.
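The five steps above as an added Python example that is not from the slides: a transport-mode AH is built over a constructed IPv4 packet and then verified on the receiving side, including the sequence-number replay check from the field description. The keyed hash (HMAC-SHA256 truncated to a 96-bit digest), the set of mutable fields zeroed before hashing, the shared key, the SPI and the function names are this example’s assumptions.

```python
import hmac, hashlib, struct

AH_PROTO = 51
ICV_LEN = 12   # 96-bit truncated HMAC-SHA256 digest; the algorithm is this example's assumption

def _immutable_view(ip_hdr: bytes) -> bytes:
    """Zero the IPv4 fields that change in transit so they drop out of the digest (Step 3)."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # service (DSCP/ECN)
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL, decremented at every hop
    h[10:12] = b"\x00\x00"    # header checksum, rewritten at every hop and never authenticated
    return bytes(h)

def ah_transport_encapsulate(ip_hdr: bytes, payload: bytes, key: bytes, spi: int, seq: int) -> bytes:
    # Step 1: AH with authentication data set to 0; payload length = AH length in words minus 2
    ah = struct.pack("!BBHII", ip_hdr[9], (12 + ICV_LEN) // 4 - 2, 0, spi, seq) + b"\x00" * ICV_LEN
    # Step 2: a 24-byte AH is already a multiple of 4 bytes, so no padding is needed here
    # Step 5 is prepared before hashing: the IP header carries protocol 51 and the new total length
    hdr = bytearray(ip_hdr)
    hdr[9] = AH_PROTO
    hdr[2:4] = struct.pack("!H", len(ip_hdr) + len(ah) + len(payload))
    # Step 3: digest over the immutable IP header fields + AH (digest zeroed) + payload
    icv = hmac.new(key, _immutable_view(bytes(hdr)) + ah + payload, hashlib.sha256).digest()[:ICV_LEN]
    # Step 4: insert the digest into the AH; the IP checksum is left for the stack to recompute
    return bytes(hdr) + ah[:12] + icv + payload

def ah_transport_verify(pkt: bytes, key: bytes, last_seq: int):
    """Return (seq, next_header, payload) if the AH checks out, else None."""
    ip_hlen = (pkt[0] & 0x0F) * 4
    ip_hdr, rest = pkt[:ip_hlen], pkt[ip_hlen:]
    if ip_hdr[9] != AH_PROTO or len(rest) < 12:
        return None
    next_header, pay_len, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    if seq <= last_seq:       # replayed or reordered packet: sequence numbers never repeat
        return None
    ah_len = (pay_len + 2) * 4
    ah, payload = rest[:ah_len], rest[ah_len:]
    icv_recv = ah[12:]
    if len(icv_recv) != ICV_LEN:
        return None
    expected = hmac.new(key, _immutable_view(ip_hdr) + ah[:12] + b"\x00" * ICV_LEN + payload,
                        hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv_recv, expected):   # constant-time comparison of the digests
        return None
    return seq, next_header, payload
```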

