IPsec-IPsec Core Layer 3 Protocols: ESP and AH

IPsec

IPsec’s main architecture goals are to provide the following functionality:

■ Data confidentiality Data is encrypted before being transmitted, so nobody except the communicating parties can read it.

■ Data integrity Each peer can determine whether a given packet was changed during transit.

■ Data origin authentication As an added feature of the data integrity service, the receiver can also verify the identity of a packet’s sender.

■ Antireplay The receiver can detect and reject replayed packets, protecting it from spoofing and man-in-the-middle attacks.

IPsec Core Layer 3 Protocols: ESP and AH

As mentioned previously, IPsec was designed to provide confidentiality and integrity of transmitted information, authentication of participating parties, and protection against traffic replay. Two main network protocols, ESP and AH, are used to achieve this goal. All other parts of the IPsec standard are only means of effectively implementing these protocols and configuring the required technical parameters. Applying AH or ESP to an IP packet means that the data part of the packet contents may be modified (although not always) and that an extra header is inserted between the IP header and the packet contents. See Figures 7.1 and 7.2 for illustrations of how these transformations are performed.

Configuring Virtual Private Networking • Chapter 7 335


Authentication Header

The AH, which is defined as IP protocol 51, is used to ensure the following:

■ Data integrity This is achieved by computing a hash of the entire IP packet, including the original IP header (but not mutable fields such as the TTL), the data part of the packet, and the authentication header itself (excluding the field that will contain the computed hash value). This hash is called an integrity check value (ICV), and it can be either a Message Authentication Code (MAC) or a digital signature; MACs are far more common than digital signatures. Hashing algorithms include MD5 and SHA-1, and both are used as keyed hashes, meaning that they take an extra value, known only to the participating parties, as input to the hash computation. When the packet is received, its content, excluding the same mutable fields, is hashed by the receiver and the result is compared with the ICV. If they are the same, the packet is declared authentic.

■ Data origin authentication As part of the integrity feature, AH also provides source IP authentication. Because the source IP address is included in the authenticated data, its integrity is guaranteed.

www.syngress.com

Figure 7.1 AH Encapsulation
Original Packet: [IP Header][Data]
Encapsulated Packet: [(new) IP Header][AH Header][Data]

Figure 7.2 ESP Encapsulation
Original Packet: [IP Header][Data]
Encapsulated Packet: [(new) IP Header][ESP Header][Data][ESP Trailer][ESP Authentication]


■ Replay protection AH also includes an IPsec sequence number, which provides protection against replay attacks because this number is part of the authenticated data and can be checked by the receiving party.

AH provides no confidentiality because no encryption is used.

NOTE

Pure AH is always broken by NAT. When an authenticated packet passes through an address-translation device, the IP address in its header changes, so the MAC that the receiver computes over the rewritten packet no longer matches the ICV and the packet is rejected. It is not possible for a translating gateway to recalculate the MAC and insert it into the packet, because only the endpoints of a transmission know the hashing keys. This is a common IPsec problem: trying to use AH when there is a NAT device somewhere in the path. It will simply not work. Use ESP with its own authentication (it is possible to turn off encryption if you want), or do not use NAT if you want to stay with AH.
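The integrity bullet above and this NOTE describe one mechanism: a keyed hash over the packet with mutable fields zeroed, which covers the source address and therefore fails after NAT. The following is an added illustration (not code from the book or any IPsec implementation) that simulates that behaviour with HMAC-SHA1-96. The packet is a constructed dictionary rather than the real AH wire layout, and `forward_hop` and `nat_rewrite` are hypothetical helpers standing in for a router and a NAT device.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits


def ah_icv(key: bytes, pkt: dict) -> bytes:
    """Compute the AH ICV over the packet with mutable fields zeroed.

    `pkt` is a constructed dict (src, dst, ttl, seq, payload), not the RFC 4302
    wire format; the point is WHICH fields are covered, not the byte layout."""
    covered = b"".join([
        pkt["src"].encode(), pkt["dst"].encode(),  # addresses ARE authenticated
        struct.pack("!B", 0),                       # TTL zeroed: it changes per hop
        struct.pack("!I", pkt["seq"]),              # sequence number is authenticated
        bytes(ICV_LEN),                             # ICV field treated as zeros
        pkt["payload"],
    ])
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key: bytes, src: str, dst: str, ttl: int, seq: int, payload: bytes) -> dict:
    """Sender side: attach the ICV to the packet."""
    pkt = {"src": src, "dst": dst, "ttl": ttl, "seq": seq, "payload": payload}
    pkt["icv"] = ah_icv(key, pkt)
    return pkt


def ah_verify(key: bytes, pkt: dict) -> bool:
    """Receiver side: recompute the ICV with the shared key and compare in constant time."""
    return hmac.compare_digest(ah_icv(key, pkt), pkt["icv"])


def forward_hop(pkt: dict) -> dict:
    """Hypothetical router: decrements TTL, which AH deliberately does not cover."""
    return {**pkt, "ttl": pkt["ttl"] - 1}


def nat_rewrite(pkt: dict, new_src: str) -> dict:
    """Hypothetical NAT device: rewrites the source address. It has no key, so it
    cannot recompute the ICV, and the receiver will reject the packet."""
    return {**pkt, "src": new_src}


def demo(key: bytes = b"constructed-shared-key") -> dict:
    """Returns the verification outcome for each case so they can be checked."""
    pkt = ah_protect(key, "10.0.0.5", "192.0.2.10", 64, 1, b"constructed payload")
    return {
        "unchanged": ah_verify(key, pkt),
        "after_router_hop": ah_verify(key, forward_hop(pkt)),
        "after_nat": ah_verify(key, nat_rewrite(pkt, "203.0.113.7")),
        "payload_tampered": ah_verify(key, {**pkt, "payload": b"constructed payloaD"}),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the TTL change survives verification; the NAT rewrite and the payload edit are both rejected, which is exactly why AH and NAT cannot coexist on the same path.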

Encapsulating Security Payload

ESP, which is defined as IP protocol 50, provides the following features:

■ Padding of a packet’s contents in order to hinder traffic analysis, followed by encryption of the result using ciphers such as DES, 3DES, AES, or Blowfish.

■ Optional authentication using the same algorithms as the AH protocol. IP header information is not included in the authenticated data, which allows ESP-protected packets to pass through NAT devices without problems. When a packet is created, the authentication data is computed after encryption. This allows the receiver to verify the packet’s authenticity before starting the computationally intensive task of decryption.

■ Optional antireplay features.

The original ESP definition did not include the last two features. It was assumed that the sender and receiver would use either one or both protocols at the same time if they needed confidentiality and authentication. Now that ESP can also perform most of AH’s features, AH is rarely used. Because ESP works on encapsulation principles, it has a different format: all data is encrypted and then placed between a header and a trailer. This differentiates it from AH, where only a header is created.
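The ESP bullets above describe three things that are easiest to see together: the padded payload between an ESP header and trailer, an ICV computed after encryption and checked before decryption, and a sequence-number replay window. The block below is an added illustration (not code from the book or any IPsec stack) that puts those steps in that order. Because the standard library has no AES or 3DES, the cipher is a clearly labelled stand-in (HMAC-SHA256 in counter mode); `EspReceiver`, `esp_protect` and the 32-packet window size are assumptions for the example, and the field layout is simplified from the real RFC 4303 wire format.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16     # cipher block size the padded payload is aligned to
ICV_LEN = 12   # truncated HMAC (96 bits), as in HMAC-SHA1-96


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the cipher (assumption: HMAC-SHA256 counter mode, NOT AES/3DES).
    It exists only so the example runs offline; XOR makes it its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def esp_pad(payload: bytes, next_header: int) -> bytes:
    """Append padding, pad-length and next-header (the ESP trailer) to fill whole blocks."""
    padlen = (-(len(payload) + 2)) % BLOCK
    pad = bytes(range(1, padlen + 1))          # RFC 4303 default pattern 1,2,3,...
    return payload + pad + bytes([padlen, next_header])


def esp_unpad(plain: bytes):
    """Strip the trailer; a wrong pad pattern means corruption or a wrong key."""
    padlen, next_header = plain[-2], plain[-1]
    body = plain[:-2]
    if padlen > len(body) or body[len(body) - padlen:] != bytes(range(1, padlen + 1)):
        raise ValueError("bad ESP padding")
    return body[:len(body) - padlen], next_header


def esp_protect(enc_key, auth_key, spi, seq, payload, next_header=6, iv=None) -> bytes:
    """Build [SPI|seq][IV][ciphertext incl. trailer][ICV]. The ICV is computed AFTER
    encryption and does not cover any IP header field, so NAT leaves it valid."""
    iv = os.urandom(8) if iv is None else iv
    header = struct.pack("!II", spi, seq)
    ct = keystream_xor(enc_key, iv, esp_pad(payload, next_header))
    icv = hmac.new(auth_key, header + iv + ct, hashlib.sha1).digest()[:ICV_LEN]
    return header + iv + ct + icv


class EspReceiver:
    """One inbound SA: verify ICV first, then the antireplay window, then decrypt."""

    def __init__(self, enc_key: bytes, auth_key: bytes, window: int = 32):
        self.enc_key, self.auth_key, self.window = enc_key, auth_key, window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already accepted

    def _antireplay(self, seq: int) -> bool:
        """Sliding-window check: reject anything already seen or older than the window."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = 1 if shift >= self.window else \
                ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True
        if self.highest - seq >= self.window:
            return False               # older than the window: drop
        bit = 1 << (self.highest - seq)
        if self.bitmap & bit:
            return False               # already accepted once: replay
        self.bitmap |= bit
        return True

    def receive(self, pkt: bytes):
        header, iv, ct, icv = pkt[:8], pkt[8:16], pkt[16:-ICV_LEN], pkt[-ICV_LEN:]
        spi, seq = struct.unpack("!II", header)
        # 1. Integrity first: forged or tampered packets are dropped before any decryption.
        expected = hmac.new(self.auth_key, header + iv + ct, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("ICV mismatch on SPI %#x" % spi)
        # 2. Replay window, advanced only by packets whose ICV passed.
        if not self._antireplay(seq):
            raise ValueError("replayed or stale sequence number %d" % seq)
        # 3. Only now pay for decryption and strip the trailer.
        if len(ct) % BLOCK:
            raise ValueError("ciphertext not block aligned")
        return esp_unpad(keystream_xor(self.enc_key, iv, ct))


if __name__ == "__main__":
    ek, ak = b"constructed-enc-key", b"constructed-auth-key"
    rx = EspReceiver(ek, ak)
    p = esp_protect(ek, ak, 0x1234, 1, b"constructed TCP segment")
    print(rx.receive(p))          # accepted once ...
    try:
        rx.receive(p)             # ... and rejected as a replay the second time
    except ValueError as e:
        print("dropped:", e)
```

Ordering the checks this way means a forged packet costs the receiver one HMAC and nothing else, and it cannot move the replay window because the window is only updated after the ICV passes.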