written 2.8 years ago by | modified 2.8 years ago by |
how is security achieved in transport unnel modes of IPSEC ? Explainrole of AH and ESP
written 2.8 years ago by | modified 2.8 years ago by |
how is security achieved in transport unnel modes of IPSEC ? Explainrole of AH and ESP
written 2.8 years ago by |
• IPSec operates in one of two different modes:
•Transport mode
• Tunnel mode
• IPSec protects what is delivered from the transport layer to the network layer.
• Means, Transport mode protects the payload to be encapsulated in the network layer
Network Layer Security
• At network layer, security can be applied between
• Two hosts
• Two Routers
• A host and a Router
• To provide the security at network layer IETF designed a set of protocol known as IP Security (IPSec). .
• Transport mode does not protect the IP header.
Transport mode does not protect the whole IP packet; it protects only the packet from the transport layer (the IP-layer payload). This mode is used:
• When we need host-to-host (end-to-end) protection.
• TPSec protects the entire IP packet.
• It takes an IP packet, including the header, applies IPSec security methods to the entire packet, and then adds a new IP header.
Normally used between
• two routers
• a host and a router
• a router and a host
• The Authentication Header (AH) Protocol is designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet
• The protocol uses a hash function and a symmetric (secret) key to create a message digest; the digest is inserted in the authentication header
• The AH is then placed in the appropriate location, based on the mode (transport or tunnel)
Figure shows the fields and the position of the authentication header in transport mode
• When an IP datagram carries an authentication header, the original value in the protocol field of the IP header is replaced by the value 51
• A field inside the authentication header (the next header field) holds the original value of the protocol field (the type of payload being carried by the IP datagram)
• The AH protocol does not provide confidentiality, only source authentication and data integrity
• IPSec later defined an alternative protocol, Encapsulating Security Payload (ESP), that provides source authentication, integrity, and confidentiality ESP adds a header and trailer.
• Note that ESP's authentication data are added at the end of the packet, which makes its calculation easier
• A field inside the ESP trailer (the next-header field) holds the original value of the protocol field (the type of payload being carried by the IP datagram. such as TCP or UDP).
The ESP procedure follows these steps:
1.An ESP trailer is added to the payload
2.The payload and the trailer are encrypted
3.The ESP header is added
4.The ESP header, payload, and ESP trailer are used to create the authentication data
5.The authentication data are added to the end of the ESP trailer
6.The IP header is added after changing the protocol value to 50