What Does IPSec Provide?


IPSec provides everything you need to create a secure connection over a public medium. Privacy, or confidentiality, is achieved with encryption algorithms. Integrity is achieved with keyed hash algorithms (HMACs), and origin authentication is achieved by authenticating the two peers during IKE negotiation, using preshared keys, encrypted nonces, or digital signatures. IPSec also provides antireplay services to be sure that a captured packet cannot be injected again later in the session.

Exam Alert: IPSec provides the following security services: data integrity, origin authentication, antireplay protection, and confidentiality.


Data Integrity

When we send data from source to destination, whether it is plaintext or encrypted, we want to be sure that the data has not been modified in transit. How can we accomplish this? In the real world we use fingerprints to identify who we are, but how can we take a fingerprint of data, and wouldn't it change for every piece of data? The answer is yes, we can fingerprint data, and yes, every different piece of data has a different fingerprint. That is where hash algorithms come into play. A hash algorithm takes data of any length and produces a small, fixed-length fingerprint (the digest). Feed the same data in again and the same fingerprint comes out; change even one bit of the data and the resulting fingerprint is completely different. The sender runs the data through the hash algorithm, appends the fingerprint to the data, and sends both. The receiver separates the fingerprint from the data, hashes the data with the same algorithm, and compares: if the computed and received fingerprints match, the data was not modified in transit. One caveat: a bare hash on its own proves nothing, because an attacker who alters the data can simply recompute the fingerprint. IPSec therefore uses a keyed hash, an HMAC (HMAC-MD5 or HMAC-SHA-1), computed with a secret key known only to the two peers; without the key, the attacker cannot produce a valid fingerprint for modified data.
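The following is an added example, not code from the book, that shows the difference the key makes. It appends a bare SHA-1 fingerprint in one case and a truncated HMAC-SHA-1 tag (the 96-bit form AH and ESP carry on the wire) in the other, then lets an attacker rewrite the data. The message, key and account numbers are constructed for the demonstration.

```python
"""Added example: bare hash versus keyed hash (HMAC) for data integrity."""
import hashlib
import hmac

# Constructed sample key and message (not real IPSec keying material).
KEY = b"ipsec-integrity-key-example"
MESSAGE = b"TRANSFER 100 TO ACCOUNT 4411"

PLAIN_TAG_LEN = 20   # full SHA-1 digest
HMAC_TAG_LEN = 12    # HMAC-SHA1-96 as used by AH/ESP: first 96 bits


def plain_tag(data: bytes) -> bytes:
    """Unkeyed fingerprint: anyone, including the attacker, can recompute it."""
    return hashlib.sha1(data).digest()


def keyed_tag(key: bytes, data: bytes) -> bytes:
    """Keyed fingerprint: only holders of the key can compute it."""
    return hmac.new(key, data, hashlib.sha1).digest()[:HMAC_TAG_LEN]


def send_plain(data: bytes) -> bytes:
    return data + plain_tag(data)


def verify_plain(packet: bytes):
    """Return the data if the bare hash matches, else None."""
    data, tag = packet[:-PLAIN_TAG_LEN], packet[-PLAIN_TAG_LEN:]
    return data if hmac.compare_digest(plain_tag(data), tag) else None


def send_keyed(key: bytes, data: bytes) -> bytes:
    return data + keyed_tag(key, data)


def verify_keyed(key: bytes, packet: bytes):
    """Return the data if the HMAC matches, else None (constant-time compare)."""
    data, tag = packet[:-HMAC_TAG_LEN], packet[-HMAC_TAG_LEN:]
    return data if hmac.compare_digest(keyed_tag(key, data), tag) else None


def attacker_modify_plain(packet: bytes) -> bytes:
    """The attacker changes the account number and recomputes the bare hash."""
    data = packet[:-PLAIN_TAG_LEN].replace(b"4411", b"6666")
    return data + plain_tag(data)


def attacker_modify_keyed(packet: bytes) -> bytes:
    """Without the key the attacker can only change the data and keep (or guess) a tag."""
    data = packet[:-HMAC_TAG_LEN].replace(b"4411", b"6666")
    return data + packet[-HMAC_TAG_LEN:]


def one_bit_flip_changes_tag() -> bool:
    """Flipping a single bit of the input yields a different fingerprint."""
    flipped = bytes([MESSAGE[0] ^ 0x01]) + MESSAGE[1:]
    return plain_tag(MESSAGE) != plain_tag(flipped)


def demo() -> dict:
    forged_plain = attacker_modify_plain(send_plain(MESSAGE))
    forged_keyed = attacker_modify_keyed(send_keyed(KEY, MESSAGE))
    return {
        "plain_accepted": verify_plain(forged_plain),      # forged data passes
        "keyed_accepted": verify_keyed(KEY, forged_keyed),  # None: rejected
        "keyed_genuine": verify_keyed(KEY, send_keyed(KEY, MESSAGE)),
    }


if __name__ == "__main__":
    print(demo())
```

The bare-hash receiver happily accepts the altered transfer, while the HMAC receiver rejects it. Note the use of `hmac.compare_digest` rather than `==`: comparing tags byte by byte with early exit leaks timing information that can be used to forge a tag one byte at a time.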

Origin Authentication

Origin authentication ensures that the receiver is communicating with an entity that really is who it claims to be. This must happen during initial communication, because we want to know who we are talking to as soon as possible. IKE is the first IPSec component to come into play when two entities start communicating. IKE uses the Diffie-Hellman (D-H) algorithm to agree on a shared secret over a public network. We discuss D-H later in the chapter, but suffice it to say that an unauthenticated D-H exchange is susceptible to man-in-the-middle attacks: an attacker who can intercept the exchange substitutes her own public values and ends up sharing a separate secret with each side, while the two legitimate peers believe they are talking to each other. We mitigate this attack by authenticating each end, and IPSec kills two birds with one stone: by authenticating the D-H exchange, we perform origin authentication at the same time. Origin authentication (D-H authentication) can be achieved using one of three methods: preshared keys, encrypted nonces, or digital signatures.
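As an added example (not from the book), the exchange below runs a Diffie-Hellman agreement between Alice and Bob twice, once with Mallory in the middle and once without, and then authenticates it with the first of the three methods: each side sends an HMAC, keyed with the preshared key, over its own and its peer's public values. The group (a 127-bit Mersenne prime with generator 2) is a deliberately tiny toy chosen so the code runs instantly; it is not an IKE group. The message layout and the preshared key are assumptions for the demonstration, not IKE's actual payload format.

```python
"""Added example: D-H man-in-the-middle and its mitigation with a preshared key."""
import hashlib
import hmac
import secrets

# Toy group for illustration only: far too small for real use.
P = 2**127 - 1     # a known prime (M127)
G = 2
PSK = b"constructed-preshared-key"   # assumption: shared by Alice and Bob only


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def auth_tag(psk: bytes, own_pub: int, peer_pub: int) -> bytes:
    """Authenticator binding both public values to the preshared key."""
    msg = own_pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_exchange(psk: bytes, mitm: bool) -> dict:
    a, A = dh_keypair()
    b, B = dh_keypair()

    # Message 1, Alice -> Bob: A.  Message 2, Bob -> Alice: B.
    # With Mallory in the middle, each side receives one of her values instead.
    if mitm:
        m1, M1 = dh_keypair()   # what Bob will think is Alice's value
        m2, M2 = dh_keypair()   # what Alice will think is Bob's value
        bob_sees_A, alice_sees_B = M1, M2
    else:
        bob_sees_A, alice_sees_B = A, B

    alice_key = dh_shared(a, alice_sees_B)
    bob_key = dh_shared(b, bob_sees_A)

    # Message 3, Alice -> Bob, and message 4, Bob -> Alice: authenticators
    # computed over the values each side actually saw.  Mallory can relay
    # them but cannot recompute them without the preshared key.
    alice_auth = auth_tag(psk, A, alice_sees_B)
    bob_auth = auth_tag(psk, B, bob_sees_A)

    # Each receiver recomputes the tag from its own view of the exchange.
    bob_accepts = hmac.compare_digest(alice_auth, auth_tag(psk, bob_sees_A, B))
    alice_accepts = hmac.compare_digest(bob_auth, auth_tag(psk, alice_sees_B, A))

    result = {
        "keys_match": alice_key == bob_key,
        "authenticated": bob_accepts and alice_accepts,
        "mallory_knows_alice_key": False,
    }
    if mitm:
        # Mallory derives Alice's secret from A and her own exponent m2.
        result["mallory_knows_alice_key"] = dh_shared(m2, A) == alice_key
    return result


if __name__ == "__main__":
    print("honest:", run_exchange(PSK, mitm=False))
    print("mitm:  ", run_exchange(PSK, mitm=True))
```

Without the authenticator, Alice and Bob each end up with a key that Mallory also holds and never notice; with it, the tags fail to verify because the public values Alice tagged are not the ones Bob received. Real IKE phase 1 binds more than the two D-H values into its authenticator (nonces, cookies, the negotiated proposal and the identities), but the principle is the same one shown here.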

Antireplay Protection

You need antireplay protection to be sure that if an attacker sniffs a packet on the wire, she cannot inject the same packet again later in the session. The optional antireplay service uses the sequence number field in the AH or ESP header combined with the integrity check. The sequence number is covered by the integrity check, so the attacker cannot renumber a captured packet, and the receiver keeps a sliding window (by default 64 packets) of sequence numbers already seen, discarding any packet whose number falls behind the window or duplicates one already accepted. Because each security association has its own keys, a packet captured in one session fails the integrity check in any other.
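The following is an added example, not the book's code, of the receiver-side sliding window the text describes. It models the window as a bitmap of the last 64 sequence numbers, checks a packet against the window before its integrity check, and advances the window only once the integrity check has passed, so that an attacker cannot move the window with forged packets. The integrity check itself is simulated by a boolean argument; the packet sequence in `demo()` is constructed.

```python
"""Added example: antireplay sliding window for AH/ESP sequence numbers."""


class ReplayWindow:
    """Tracks which of the most recent `size` sequence numbers have been accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means sequence number (top - i) was accepted

    def receive(self, seq: int, icv_valid: bool = True) -> str:
        # Sequence number 0 is never valid: the first packet on an SA uses 1.
        if seq == 0:
            return "REJECT: zero sequence number"

        if seq > self.top:
            # Ahead of the window: passes the window check, then the
            # integrity check decides.  Only then does the window advance.
            if not icv_valid:
                return "REJECT: bad ICV"
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                       # whole window slid past
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "ACCEPT"

        diff = self.top - seq
        if diff >= self.size:
            return "REJECT: behind window"            # too old to track
        if (self.bitmap >> diff) & 1:
            return "REJECT: replay"                   # already accepted once
        if not icv_valid:
            return "REJECT: bad ICV"                  # forged: do not mark as seen
        self.bitmap |= 1 << diff
        return "ACCEPT"


def demo() -> list:
    """Constructed packet stream: (sequence number, whether its ICV verifies)."""
    stream = [
        (1, True), (3, True), (2, True),   # out of order but inside the window
        (3, True),                          # replayed copy of packet 3
        (100, True),                        # jump far ahead: window slides
        (30, True),                          # now older than the window
        (50, True), (50, True),              # late packet, then its replay
        (101, False), (101, True),           # forged, then the genuine packet
    ]
    window = ReplayWindow()
    return [(seq, window.receive(seq, ok)) for seq, ok in stream]


if __name__ == "__main__":
    for seq, verdict in demo():
        print(f"seq {seq:4d}: {verdict}")
```

Because the sequence number is a 32-bit counter that must never wrap, the sender has to negotiate a fresh security association (new keys and a counter reset to zero) before it reaches 2^32 packets; otherwise an old packet would become valid again.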

Confidentiality

Confidentiality, or privacy, ensures that data, if sniffed, cannot be read. Encryption turns plaintext into ciphertext, which is unintelligible to anyone who does not hold the key. Decryption is the process of taking ciphertext and transforming it back to its original plaintext. Note that encryption alone does not protect against modification, which is why IPSec pairs it with the integrity check, and that DES with its 56-bit key is no longer considered strong, so 3DES or, better, AES should be chosen.

Exam Alert: Confidentiality is provided by encryption algorithms such as DES, 3DES, and AES.




CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
