History And Standard Of Ip Security


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Internet security problems play an important role in today's world. Data can be sent over the Internet through most areas without encryption or other safeguards. IP security (IPSec) is an IETF security protocol designed for authentication and encryption on the Internet. IPSec operates at the network layer (layer 3) and therefore protects every application and every transport-layer (layer 4 and above) protocol running over it. IP security is available for both IPv4 and IPv6, and it quickly became the standard for virtual private networks (VPNs) on the Internet. It is also one of the most powerful and most promising tools for secure communication over the Internet, and it provides security independently of any particular application. Because IP security is a widely accepted standard that provides as much security as possible at the IP level, this paper discusses IP security, its related concepts, its existing problems, its architecture and its future development direction.

1. Introduction

Today, data modification and disruption are rising, so it is very difficult to protect data on the network. At the same time, the speed of the global Internet has grown at nearly an exponential rate. The lack of sustained growth in security deployment is the main obstacle of the Internet. Providing confidentiality, integrity and authenticity is the main problem of network security.

The combination of these attributes is the pillar of security protocols. However, it is important to consider how to combine them. If we use a strong encryption key with a weak authentication algorithm, an attacker could destroy data. Similarly, using a weak encryption key with a powerful authentication algorithm could allow an attacker to decrypt the data. Protecting the data with both authentication and encryption algorithms reduces the transmission rate and can exhaust the CPU. This is why it is very complicated to provide the best protection, the maximum throughput and the minimum cost at the same time. With the recent development of security tools, a large number of protocols and powerful tools have been introduced, but the most famous and widely deployed one is IP security. In this paper, some security-related terms are used.

2. History and Standard of IP security

IP security (IPSec) is an IETF security protocol designed for authentication and encryption on the Internet. IPSec also includes protocols for establishing mutual authentication between the agents at the beginning of a session and for negotiating the cryptographic keys used during the session. IPSec operates at the network layer (layer 3) and therefore protects every application and every transport-layer (layer 4 and above) protocol. IP security is available for IPv4 and IPv6, and it quickly became the standard for virtual private networks (VPNs) on the Internet.

The first mechanism, known as the IP Authentication Header, provides authentication and integrity but no secrecy, for both IPv4 and IPv6. The second mechanism, called the IP Encapsulating Security Payload, provides confidentiality and may also provide integrity through the use of encryption. Rather than a single separate protocol, IPSec is a set of services and protocols that provides an integrated security solution for an IP network.

Exhaustion of the IPv4 address space, its biggest problem, occurred because the Internet built on IPv4 expanded far more rapidly than anyone expected. When IPv4 was designed, what the Internet was then and what it has since become were not anticipated, and the lack of permanent security in IP networks became the main problem. Today the Internet is massive and absolutely open, even though it was small and private some time in the past, so we must consider its security because it has grown. Over the years there have been many ways to address security. Most of them concentrated on the highest levels of the OSI protocol stack, such as the Secure Socket Layer (SSL) and the File Transfer Protocol (FTP), in order to provide the security that IP lacks. These solutions are valid in certain circumstances, but they cannot be lumped together, because they are specific to the various applications.

To overcome this problem, security is provided in the IP layer, so that the higher-level protocols of the TCP/IP suite can make use of it. Not only to solve the lack of security in IPv4, the new version of IP (IPv6) was designed with new security techniques in mind. Because IPv6 has taken many years to develop and launch, the demand for security has led to a solution designed for both IPv4 and IPv6. The technique that brings secure communication to IP is known as "IP security".

IP security started as an IPv6 approach, but after careful design it provides security for both IPv4 and IPv6 networks, and its operation in the two versions is similar. There are some differences in the AH and ESP datagram formats. These differences depend on whether IP security is used with IPv4 or IPv6, because the two versions have different message formats and addressing. To establish an IPSec connection, two phases are needed:

Phase 1 (ISAKMP SA)

Phase 2 (IPSec SA)

Table 1: IPSec Mode

Phase     Key Exchange Mode    Msg. Exchanged
Phase 1   Main Mode            6
Phase 1   Aggressive Mode      3
Phase 2   Quick Mode           3

2.1 Phase 1

This phase performs mutual authentication and generates the encryption keys needed to protect the second phase. It has two modes, main mode and aggressive mode. The differences between the two modes are the number of messages exchanged and whether identities are protected (ID protection), as shown in Tables 1 and 2.

Table 2: ID protection

Mode         Authentication Method    ID protection
Main         PSK                      Yes
Main         RSA/DSA Digital Sig.     Yes
Main         Public key               Yes
Aggressive   PSK                      No
Aggressive   RSA/DSA Digital Sig.     No
Aggressive   Public key               Yes

2.1.1 Main mode

Initiator                              Responder
HDR, SA                       -->
                              <--      HDR, SA
HDR, KE, Ni                   -->
                              <--      HDR, KE, Nr
HDR*, ID_I, (CERT), SIG_I     -->
                              <--      HDR*, ID_R, (CERT), SIG_R

Figure 1: IPSec Main mode

2.1.2 Aggressive mode

Initiator                              Responder
HDR, SA, KE, Ni, ID_I         -->
                              <--      HDR, SA, KE, Nr, ID_R, (CERT), SIG_R
HDR, (CERT), SIG_R            -->

Figure 2: IPSec Aggressive mode

2.2 Phase 2

This phase negotiates the encryption and authentication algorithms that protect the traffic. The second phase has only one mode, called quick mode.

Initiator                                          Responder
HDR*, HASH1, SA, Ni, (KE), (ID_I), (ID_R)    -->
                                             <--   HDR*, HASH2, SA, Nr, (KE), (ID_I), (ID_R)
HDR*, HASH3                                  -->

Figure 3: IPSec Quick mode

The notation used in Figures 1, 2 and 3 is:

HDR: ISAKMP header

SA: Security Association

KE: Diffie-Hellman public key

Ni, Nr: the nonces of the initiator and the responder

ID_I: the identity of the initiator

ID_R: the identity of the responder

CERT: the certificate

SIG_I: the signature of the initiator

SIG_R: the signature of the responder

(X): X is optional

*: everything after the header is encrypted
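To make the difference between the two phase 1 modes concrete, here is an added simulation (not part of the original essay, and not IPSec implementation code) that runs the six-message main mode of Figure 1 and the three-message aggressive mode of Figure 2 between an initiator and a responder. It assumes a toy Diffie-Hellman group (the prime 2**64 - 59, far too small for real use), HMAC-based stand-ins for SIG_I and SIG_R, and that the third aggressive-mode message carries the initiator's signature; SKEYID is derived as RFC 2409 specifies for signature authentication, prf(Ni | Nr, g^xy). The point it shows is why Table 2 lists ID protection for main mode: both sides hold SKEYID before any identity is sent, so ID_I and ID_R travel under HDR*, whereas aggressive mode sends them in the clear.

```python
"""Added simulation of IKE phase 1 main mode and aggressive mode (constructed).

Not IPSec implementation code: a toy Diffie-Hellman group and HMAC-based
stand-ins replace the real MODP groups and RSA/DSA signatures.
"""
import hashlib
import hmac
import secrets

TOY_P = 2**64 - 59   # prime, but far too small for real use (toy group)
TOY_G = 2


class Peer:
    """One IKE peer: private DH value, nonce, identity and the derived SKEYID."""

    def __init__(self, identity: bytes):
        self.identity = identity                    # ID_I or ID_R payload
        self._x = secrets.randbelow(TOY_P - 2) + 1  # private DH exponent
        self.ke = pow(TOY_G, self._x, TOY_P)        # KE payload (g^x)
        self.nonce = secrets.token_bytes(16)        # Ni or Nr payload
        self.skeyid = None

    def derive_skeyid(self, peer_ke: int, ni: bytes, nr: bytes) -> bytes:
        # RFC 2409, signature authentication: SKEYID = prf(Ni | Nr, g^xy)
        gxy = pow(peer_ke, self._x, TOY_P).to_bytes(8, "big")
        self.skeyid = hmac.new(ni + nr, gxy, hashlib.sha256).digest()
        return self.skeyid

    def _auth_hash(self, gxi: int, gxr: int, identity: bytes) -> bytes:
        # Simplified HASH_I / HASH_R: prf keyed with SKEYID over g^xi, g^xr and an identity
        msg = gxi.to_bytes(8, "big") + gxr.to_bytes(8, "big") + identity
        return hmac.new(self.skeyid, msg, hashlib.sha256).digest()

    def sign(self, gxi: int, gxr: int) -> bytes:
        return self._auth_hash(gxi, gxr, self.identity)      # stand-in for SIG_I / SIG_R

    def verify(self, sig: bytes, gxi: int, gxr: int, peer_identity: bytes) -> bool:
        return hmac.compare_digest(sig, self._auth_hash(gxi, gxr, peer_identity))


def main_mode(init: Peer, resp: Peer):
    """Six-message main mode (Figure 1). Returns (message log, authenticated)."""
    log = [("I->R", False, {"HDR", "SA"}),
           ("R->I", False, {"HDR", "SA"}),
           ("I->R", False, {"HDR", "KE", "Ni"}),
           ("R->I", False, {"HDR", "KE", "Nr"})]
    # After message 4 both sides hold g^xy, Ni and Nr, so SKEYID exists before
    # any identity is sent; messages 5 and 6 therefore travel under HDR*.
    init.derive_skeyid(resp.ke, init.nonce, resp.nonce)
    resp.derive_skeyid(init.ke, init.nonce, resp.nonce)
    sig_i = init.sign(init.ke, resp.ke)
    log.append(("I->R", True, {"HDR*", "ID_I", "SIG_I"}))
    ok_r = resp.verify(sig_i, init.ke, resp.ke, init.identity)
    sig_r = resp.sign(init.ke, resp.ke)
    log.append(("R->I", True, {"HDR*", "ID_R", "SIG_R"}))
    ok_i = init.verify(sig_r, init.ke, resp.ke, resp.identity)
    return log, ok_i and ok_r


def aggressive_mode(init: Peer, resp: Peer):
    """Three-message aggressive mode (Figure 2): SA, KE, nonce and identity are
    bundled, so ID_I and ID_R cross the wire before any key exists."""
    log = [("I->R", False, {"HDR", "SA", "KE", "Ni", "ID_I"})]
    resp.derive_skeyid(init.ke, init.nonce, resp.nonce)
    sig_r = resp.sign(init.ke, resp.ke)
    log.append(("R->I", False, {"HDR", "SA", "KE", "Nr", "ID_R", "SIG_R"}))
    init.derive_skeyid(resp.ke, init.nonce, resp.nonce)
    ok_i = init.verify(sig_r, init.ke, resp.ke, resp.identity)
    sig_i = init.sign(init.ke, resp.ke)   # assumption: message 3 carries the initiator's signature
    log.append(("I->R", False, {"HDR", "SIG_I"}))
    ok_r = resp.verify(sig_i, init.ke, resp.ke, init.identity)
    return log, ok_i and ok_r


def cleartext_identities(log) -> set:
    """Identity payloads sent outside an encrypted (HDR*) message."""
    return {p for _, enc, payloads in log for p in payloads if not enc and p.startswith("ID_")}


def run_both() -> dict:
    """Run each mode with fresh peers and summarise the properties from Tables 1 and 2."""
    out = {}
    for name, run in (("main", main_mode), ("aggressive", aggressive_mode)):
        i, r = Peer(b"alice@example.test"), Peer(b"gw.example.test")
        log, ok = run(i, r)
        out[name] = {"messages": len(log), "authenticated": ok,
                     "same_skeyid": i.skeyid == r.skeyid,
                     "ids_in_clear": cleartext_identities(log)}
    return out


if __name__ == "__main__":
    for name, summary in run_both().items():
        print(name, summary)
```

Running it prints six messages for main mode with no identity in the clear, and three messages for aggressive mode with ID_I and ID_R exposed, which is exactly the trade-off between round trips and ID protection that Tables 1 and 2 record.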

3. Security Architecture

The IP security suite is an open standard: it is freely available, and implementations based on it may have different attributes depending on how they are designed. IP security uses the following protocols to perform its various functions.

Internet Key Exchange (IKE and IKEv2) or Kerberized Internet Negotiation of Keys (KINK) sets up a security association (SA) by negotiating the protocols and algorithms and generating the encryption and authentication keys used by IPSec.

The Authentication Header (AH) provides connectionless integrity and data origin authentication for IP datagrams, and provides protection against replay attacks.

The Encapsulating Security Payload (ESP) provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity) and limited traffic-flow confidentiality.

3.1.1 IKE (Internet key exchange)

Internet Key Exchange (IKE or IKEv2) is the protocol used to establish a security association (SA) in the IP security protocol suite. Most IP security implementations consist of an IKE daemon that runs in user space and IPSec processing of the actual IP packets in the kernel's IP stack. The IKE protocol uses UDP messages, usually on port 500, and generally requires 4 to 6 packets in 2 to 3 round trips to establish an SA. IKE consists of two stages, the first phase and the second phase, as mentioned above.

3.1.2 (KINK) Kerberized Internet Negotiation of Keys

KINK is a protocol, defined in RFC 4430, that is similar to Internet Key Exchange (IKE): it establishes IPSec Security Associations (SAs) between peers and manages security policy, and it uses the Kerberos protocol to allow a trusted third party to handle authentication in a centralized fashion. It is a command/response protocol that can create, delete and maintain IPSec SAs. Each command or response contains a common header followed by a set of type-length-value payloads. The type of a command or response limits which payloads may be sent in the exchange. KINK uses Kerberos mechanisms to provide mutual authentication and replay protection. When establishing SAs, a Kerberos AP-REQ payload is followed by KINK payloads that provide confidentiality.

3.1.3 Security Association (SA)

The concept of a security association is the foundation on which the IP security architecture builds its functions. A Security Association (SA) establishes the shared security attributes that support secure communication between two network entities. An SA may include attributes such as the encryption algorithm and mode, the traffic encryption key and the parameters for the network data passed over the connection. The IP security mechanisms all use this same security association concept. In IPSec, an SA typically includes a key, the key lifetime, a Security Parameter Index (SPI), the algorithm used, the mode used by the algorithm, and whether authentication, encryption or both are used. The SPI is an opaque identifier used to look up the specific SA that applies to a packet.

3.2 Authentication Header

The Authentication Header (AH) is a member of the IPSec protocol family. It provides connectionless integrity and data origin authentication for IP packets. It provides authentication by adding a header that is calculated over all or part of the datagram's contents. The placement of the header depends on the mode (tunnel or transport) and the IP version (IPv4 or IPv6). It provides authentication without secrecy, for both IPv4 and IPv6, and is therefore exportable.

Exportability of this mechanism is very important, because it helps to ensure that the security will be available to all users of the Internet. By adding encryption and authentication in the IP layer, a few potential threats can be reduced or removed. The operation of AH is surprisingly simple, especially since its security is independent of any particular protocol and network. Its simplicity is similar to that of the algorithm used to calculate a checksum or to implement cyclic redundancy check (CRC) error detection. It also allows encryption algorithms and authentication data of different lengths. The presence of the AH header allows us to verify message integrity, but it does not encrypt. Today, the authentication that AH provides can also be obtained from the Encapsulating Security Payload (ESP) with null encryption. Figure 1 shows the IP header followed by the authentication header, the TCP header and the TCP data, and Figure 2 shows the corresponding authentication header format.

IP Header | Authentication Header | TCP header | TCP data

Fig 1: Relationship of Authentication Header to IP datagram

Next Header | Payload length | RESERVED
Security Parameter Index
Authentication Data
Authentication Data (continued)

Fig 2: Format of Authentication Header
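As an added worked example (constructed here, not code from the essay or from any IPSec implementation), the following Python builds the IP | AH | TCP layout of Fig 1 using the header format of Fig 2, then shows which changes the Authentication Data catches. It assumes HMAC-SHA256 truncated to 96 bits as the authentication algorithm, a constructed key that an SA would normally supply, and the AH layout of the figure (which predates the sequence number field of later RFCs); the IPv4 header checksum is left at zero for brevity. The ICV is computed with the mutable IPv4 fields (TOS, flags/fragment offset, TTL, header checksum) and the ICV field itself set to zero, which is why a router decrementing the TTL does not break verification while a changed address or payload does.

```python
"""Added example: IPv4 packet carrying the Authentication Header of Fig 2 in
transport mode (IP | AH | TCP | data), built and verified with HMAC-SHA256-96.

Constructed for illustration; the key would normally come from the SA that
IKE negotiated, and the IPv4 header checksum is left at zero for brevity.
"""
import hashlib
import hmac
import struct

IPPROTO_TCP = 6
IPPROTO_AH = 51
ICV_LEN = 12      # 96-bit truncated Authentication Data
AH_FIXED = 8      # Next Header, Payload length, RESERVED, SPI


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header without options (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)


def _ah_icv(ip_hdr: bytes, ah_no_icv: bytes, payload: bytes, key: bytes) -> bytes:
    """ICV over the whole packet with the fields that change in transit zeroed."""
    hdr = bytearray(ip_hdr)
    hdr[1] = 0                 # TOS (mutable)
    hdr[6:8] = b"\x00\x00"     # flags + fragment offset (mutable)
    hdr[8] = 0                 # TTL (mutable)
    hdr[10:12] = b"\x00\x00"   # header checksum (mutable)
    # The Authentication Data field itself is treated as zero when computing the ICV.
    data = bytes(hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(src: bytes, dst: bytes, payload: bytes, spi: int, key: bytes,
                    next_header: int = IPPROTO_TCP) -> bytes:
    ah_len = AH_FIXED + ICV_LEN
    payload_len = ah_len // 4 - 2   # AH length in 32-bit words, minus 2
    ah_no_icv = struct.pack("!BBHI", next_header, payload_len, 0, spi)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + ah_len + len(payload))
    icv = _ah_icv(ip_hdr, ah_no_icv, payload, key)
    return ip_hdr + ah_no_icv + icv + payload


def verify_ah_packet(packet: bytes, key: bytes):
    """Return (ok, next_header, payload); ok is False if any protected byte changed."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != IPPROTO_AH:
        return False, None, None
    next_header, payload_len, _, _spi = struct.unpack("!BBHI", packet[20:28])
    ah_len = (payload_len + 2) * 4
    ah_no_icv = packet[20:28]
    icv = packet[28:20 + ah_len]
    payload = packet[20 + ah_len:]
    expected = _ah_icv(ip_hdr, ah_no_icv, payload, key)
    return hmac.compare_digest(icv, expected), next_header, payload


def demo() -> dict:
    """Build one packet and check it after the kinds of change seen on the path."""
    key = b"constructed-demo-key-not-real"              # would be supplied by the SA
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp_segment = struct.pack("!HH", 40000, 443) + b"\x00" * 16 + b"GET / HTTP/1.1\r\n"
    pkt = build_ah_packet(src, dst, tcp_segment, spi=0x1000, key=key)

    ok_clean, nh, _ = verify_ah_packet(pkt, key)
    routed = bytearray(pkt); routed[8] -= 1              # router decrements TTL (mutable)
    ok_routed, _, _ = verify_ah_packet(bytes(routed), key)
    spoofed = bytearray(pkt); spoofed[16:20] = bytes([10, 0, 0, 9])   # destination changed
    ok_spoofed, _, _ = verify_ah_packet(bytes(spoofed), key)
    tampered = bytearray(pkt); tampered[-1] ^= 0x01      # last payload byte changed
    ok_tampered, _, _ = verify_ah_packet(bytes(tampered), key)
    return {"clean": ok_clean, "next_header": nh, "ttl_decremented": ok_routed,
            "dst_changed": ok_spoofed, "payload_changed": ok_tampered}


if __name__ == "__main__":
    print(demo())
```

The result shows AH doing what the text says: integrity of the payload and of the non-mutable parts of the IP header, without any confidentiality, since the TCP segment is still readable in the packet bytes.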

3.3 Encapsulating Security Payload (ESP)

The Encapsulating Security Payload is also a member of the IPSec protocol family. In IP security, it provides confidentiality, origin authentication, integrity and authenticity. Unlike the Authentication Header, it does not protect the IP header. However, when intermediate devices must be prevented not only from modifying the datagram but also from reading it, AH is not enough and the ESP protocol must be used. ESP runs directly on top of IP, using IP protocol number 50.

The main function of ESP is to provide privacy for the IP datagram. It also supports an authentication scheme over the encrypted data, optionally providing both confidentiality and integrity of the IP datagram. The mechanism was designed to be algorithm independent; however, a default encryption algorithm and transform are specified in order to ensure interoperability across the Internet. In addition, because ESP supports both encryption and authentication configurations, the use of untested encryption must be avoided. It has several fields similar to those of AH, but they are packed differently. It can be divided into three parts: the ESP header, the ESP trailer and the ESP authentication data. Figure 3 and Figure 4 show the ESP within the IP datagram (omitting optional headers) and the format of the IP ESP respectively.

IP Header | Encapsulating Security Payload

Figure 3: Relationship of ESP to IP datagram

Security Parameter Index
Protected data

Figure 4: Format of IP ESP

To allow all fields to be authenticated in clear text, the two security mechanisms are usually combined, with the Authentication Header covering the cleartext part of the IP datagram. This combination may be useful if ESP is used without authentication or with an encryption transform that lacks integrity protection.

IP Header | Authentication Header | Encapsulating Security Payload

Figure: IP datagram containing ESP and IP Authentication Header

4. Modes of IP Security

IPSec can operate in two specific modes, transport mode and tunnel mode. They are closely related to the two protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), which provide protection by adding security information in headers and other fields to the datagram.

4.1 Transport Mode

In this mode, only the payload of the IP packet is encrypted and authenticated, protecting the information passed down from the transport layer to IP. AH and ESP process the packet by inserting the appropriate header in front of the transport header (the UDP or TCP header), and the IP header is then placed at the front. The transport and application layers are always secured by a hash, so they cannot be modified in any way. When IPSec transport mode is used, the IPSec header protects only the IP payload, not the IP header. The AH or ESP header appears between the original, single IP header and the IP payload. Transport mode is used for host-to-host communication.

4.2 Tunnel Mode

In this mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a new IP packet with a new IP header. IPSec protection is applied to the fully encapsulated packet, including its IP header. The IPSec header is first placed in front of the original IP header, and then a new IP header is added in front of the IPSec header, so the original IP packet is encapsulated inside another IP datagram. Tunnel mode is used to establish a virtual private network (VPN). This mode also supports network address translation (NAT) traversal. Tunnel mode protects the original IP datagram as a whole, header and all, which transport mode does not.
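The following added example (constructed for this page; not the essay's or any implementation's code) shows the two encapsulations side by side using ESP: transport mode keeps the host's IP header outside and places only the TCP segment inside ESP with Next Header = 6, while tunnel mode places the whole original packet inside ESP with Next Header = 4 (IP-in-IP) behind a new outer header carrying the gateways' addresses. It assumes the RFC 4303 ESP layout (SPI, sequence number, IV, payload, padding, pad length, next header, ICV), a toy SHA-256 keystream XOR in place of a real cipher, HMAC-SHA256 truncated to 96 bits for the ICV, and constructed keys and addresses.

```python
"""Added example: ESP in transport mode (IP | ESP | TCP) and tunnel mode
(outer IP | ESP | original IP | TCP), constructed for illustration.

The cipher is a toy SHA-256 keystream XOR, not a real IPSec transform.
"""
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4    # Next Header meaning "an IP packet follows" (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 12        # 96-bit truncated ICV
IV_LEN = 8


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0, src, dst)


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_encapsulate(inner: bytes, next_header: int, spi: int, seq: int,
                    enc_key: bytes, auth_key: bytes, iv: bytes) -> bytes:
    """SPI | seq | IV | encrypted(inner | padding | pad length | next header) | ICV."""
    pad_len = (-(len(inner) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))     # RFC 4303 default padding 1, 2, 3, ...
    plain = inner + padding + bytes([pad_len, next_header])
    cipher = _xor(plain, _keystream(enc_key, iv, len(plain)))
    esp = struct.pack("!II", spi, seq) + iv + cipher
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return esp + icv


def esp_decapsulate(esp_bytes: bytes, enc_key: bytes, auth_key: bytes):
    """Verify the ICV, decrypt and strip the trailer; returns (spi, seq, next_header, inner)."""
    body, icv = esp_bytes[:-ICV_LEN], esp_bytes[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    iv, cipher = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    plain = _xor(cipher, _keystream(enc_key, iv, len(cipher)))
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, next_header, plain[:len(plain) - 2 - pad_len]


def transport_mode(src, dst, tcp, spi, seq, ek, ak, iv) -> bytes:
    """The host's own IP header stays outside; only the TCP segment is inside ESP."""
    esp = esp_encapsulate(tcp, IPPROTO_TCP, spi, seq, ek, ak, iv)
    return ipv4_header(src, dst, IPPROTO_ESP, 20 + len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, original_packet, spi, seq, ek, ak, iv) -> bytes:
    """The whole original packet, IP header included, goes inside ESP behind a new outer header."""
    esp = esp_encapsulate(original_packet, IPPROTO_IPIP, spi, seq, ek, ak, iv)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, 20 + len(esp)) + esp


def demo() -> dict:
    ek, ak = b"toy-enc-key", b"toy-auth-key"                   # constructed SA keys
    host_a, host_b = bytes([192, 168, 1, 10]), bytes([192, 168, 2, 20])
    gw_a, gw_b = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])
    tcp = struct.pack("!HH", 40000, 22) + b"\x00" * 16 + b"SSH-2.0-client\r\n"

    tp = transport_mode(host_a, host_b, tcp, 0x100, 1, ek, ak, bytes(IV_LEN))
    _, _, nh_tp, inner_tp = esp_decapsulate(tp[20:], ek, ak)

    original = ipv4_header(host_a, host_b, IPPROTO_TCP, 20 + len(tcp)) + tcp
    tn = tunnel_mode(gw_a, gw_b, original, 0x200, 1, ek, ak, b"\x00" * 7 + b"\x01")
    _, _, nh_tn, inner_tn = esp_decapsulate(tn[20:], ek, ak)

    return {"transport_outer_dst": tp[16:20], "transport_next_header": nh_tp,
            "transport_inner": inner_tp,
            "tunnel_outer_dst": tn[16:20], "tunnel_next_header": nh_tn,
            "tunnel_inner": inner_tn,
            # the real endpoint address is hidden inside the ciphertext in tunnel mode
            "inner_dst_visible_in_tunnel": host_b in tn[:20],
            "inner_dst_recovered": inner_tn[16:20]}


if __name__ == "__main__":
    print(demo())
```

In the tunnel-mode packet only the gateway addresses are visible on the wire and the inner header is recovered after decapsulation, which is what makes this mode the basis for the VPN use described above.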

5. IP Security Application

The AH and ESP headers can be used in different ways to protect IP communication. In this section we discuss some of the most interesting applications, such as virtual private networks (VPNs), application-level security and routing security, referring to the corresponding vulnerabilities that IPSec addresses.

5.1 Virtual Private Network (VPN)

Nowadays, technical and economic reasons are promoting the widespread replacement of privately owned dedicated links in business networks by open network architectures and shared public network technology. This brings many benefits, but at present it has a serious drawback, because the inherent security of the system is rapidly reduced by the use of shared channels and equipment. In this situation a VPN is established by using IP tunneling technology. A VPN can be created by using the AH header, the ESP header, or both. If the VPN is realized with the AH header, then a hacker or attacker can neither change the transmitted data packets nor insert forged packets into the channel. If the ESP header is used, the payload is protected from leakage. In addition, using AH and ESP alone cannot fully protect the communication; a partial solution is provided by the optional anti-replay service in the IP layer, provided by AH and ESP.

5.2 Application Level Security

Applications running on top of the IP protocol stack, including those on an IPSec network, may require a communication channel with specific characteristics. It is useful to be able to specify the security of the transport-layer channel, in order to avoid duplicating functional attributes. However, this will not be a perfect solution for application-layer security, because it provides only partial protection. AH provides host-based authentication, but applications usually require user-based authentication. In addition, AH and ESP protect data only while it is transmitted through the channel. As soon as the data is received it is no longer protected, so this protection may be irrelevant if the receiving host is not secure. To sum up, the security features of IPSec do not remove the need for other security mechanisms that may be better placed at the application level.

5.3 Routing Security

The growing commercial use of the Internet requires a reliable and secure network infrastructure. It is very desirable to apply security to the routers that switch messages, because IPSec provides network security services at different levels through an appropriate combination of the AH and ESP headers. The logical architecture of a routing protocol protected by IPSec can prevent attacks from the network. For example, routing security in the IPv6 domain relies by default on the AH and ESP support in IPv6 routers.

6. Future Development Direction

Security is one of the most rapidly moving fields of computer networking, because it is essential to protect data and computing resources and to promote the economic exploitation of electronic commerce. IP security is no exception to this rule: new extensions to IKE and the recently defined ISAKMP authentication modes respond to the security needs of remote access and introduce technologies for using IPSec authentication at that level. At the same time, IPSec is being integrated with policy-based networking. IPSec is applied in the common management of static network configurations and networks (VPNs and intranets). New policy-management mechanisms address the problems of deploying IP security widely and scalably and may help to advance Internet security technology. All in all, many applications can be secured with IPSec, such as remote login, client/server, e-mail, file transfer and Web access. In addition, users do not need to be trained to use the IPSec mechanism, because it can be transparent to the end user.


