Protocols of IPSEC:
IPSEC defines two protocols,
a. the Authentication Header (AH)
b. the Encapsulating Security Payload (ESP),
to provide authentication and encryption for packets at the IP level.
1. Authentication Header (AH) (provides source authentication & data integrity but not privacy)
The AH protocol is designed to authenticate the source host & to ensure the integrity of the payload carried in the IP packet.
This protocol uses a hash function & a symmetric key to create a message digest; the digest is inserted in the authentication header.
The AH is then placed in the appropriate location, based on the mode, i.e. transport or tunnel.
When an IP datagram carries an authentication header, the original value in the protocol field of the IP header is replaced by the value 51.
The addition of an authentication header follows these steps:
- An AH is added to the payload with the authentication data field set to 0.
- Padding may be added to make the total length even for a particular hashing algorithm.
- Hashing is based on the total packet. However, only those fields of the IP header that do not change during transmission are included in the calculation of the message digest, i.e. the authentication data.
- The authentication data are inserted in the authentication header.
- The IP header is added after changing the value of the protocol field to 51.
Description of every field of the AH protocol:
1. Next header: This 8-bit field defines the type of payload carried by the IP datagram (such as TCP, UDP, or ICMP). The process copies the value of the protocol field of the original IP datagram into this field. The value of the protocol field in the new IP datagram is then set to 51 to show that the packet carries an AH.
2. Payload length: It defines the length of the AH in 4-byte multiples, but it does not include the first 8 bytes.
3. Security Parameter Index: The 32-bit SPI field plays the role of a virtual circuit identifier & is the same for all packets sent during a connection called a Security Association.
4. Sequence number: A 32-bit sequence number provides ordering information for a sequence of datagrams. It prevents replay (playback) of packets. The sequence number is not repeated even if a packet is retransmitted.
5. Authentication data: This field is the result of applying a hash function to the entire IP datagram except for the fields that change during transit.
2. Encapsulating Security Payload (ESP) (privacy is achieved here)
As the AH protocol does not provide privacy, IPSEC provides the ESP protocol.
It provides source authentication, integrity & privacy.
It adds a header & a trailer.
ESP's authentication data are added at the end of the packet, which makes their calculation easier.
When an IP datagram carries an ESP header & trailer, the value of the protocol field in the IP header is 50.
A field inside the ESP trailer (the next header field) holds the original value of the protocol field (the type of payload being carried by the IP datagram, such as TCP or UDP).
The ESP procedure follows these steps:
- An ESP trailer is added to the payload.
- The payload & the trailer are encrypted.
- The ESP header is added.
- The ESP header, payload & ESP trailer are used to create the authentication data.
- The authentication data are added to the end of the ESP trailer.
- The IP header is added after changing the protocol field value to 50.
The fields of ESP are described as follows:
a. Security parameter index: The 32-bit security parameter index field is similar to that defined for the AH protocol.
b. Sequence number: The 32-bit sequence number is also similar to that of the AH protocol.
c. Padding: This variable-length field (0 to 255 bytes) of 0s serves as padding.
d. Pad length: The 8-bit pad length field defines the number of padding bytes; the value is between 0 & 255, and the maximum value is rarely used.
e. Next header: The 8-bit next header field is similar to that defined in the AH protocol. It serves the same purpose as the protocol field in the IP header before encapsulation.
f. Authentication data: Finally, the authentication data field is the result of applying an authentication scheme to parts of the datagram. In AH, part of the IP header is included in the calculation of the authentication data, whereas in ESP it is not.
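As an added example (not part of these notes), the following Python code applies the field layouts above from the receiver's side: it dispatches on the IP protocol field (51 for AH, 50 for ESP), decodes the AH next header, payload length, SPI, sequence number and authentication data, reads the clear-text ESP SPI and sequence number, and adds a hypothetical sliding-window check showing how the sequence number lets a receiver reject replayed packets. The function names, the ReplayWindow class and the SAMPLE_AH packet are my own constructions.

```python
import struct
IPPROTO_ESP = 50   # IP protocol field value meaning "an ESP header follows"
IPPROTO_AH = 51    # IP protocol field value meaning "an AH follows"

def parse_ah(data):
    """Parse an AH: fixed 12 bytes, then the authentication data (ICV)."""
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    # Payload length is in 4-byte words excluding the first 8 bytes, so total AH length is (n + 2) * 4
    ah_len = (payload_len + 2) * 4
    if len(data) < ah_len:
        raise ValueError("AH truncated")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": data[12:ah_len], "payload": data[ah_len:]}

def parse_esp(data):
    """Parse the clear-text ESP header; payload, trailer and ICV are opaque without the SA keys."""
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "opaque": data[8:]}

def classify(packet):
    """Dispatch on the IPv4 protocol field: 51 -> AH, 50 -> ESP, anything else is left alone."""
    body = packet[(packet[0] & 0x0F) * 4:]   # skip the IPv4 header (IHL is in 4-byte words)
    if packet[9] == IPPROTO_AH:
        return "AH", parse_ah(body)
    if packet[9] == IPPROTO_ESP:
        return "ESP", parse_esp(body)
    return "other", {"protocol": packet[9]}

class ReplayWindow:
    """Sliding-window anti-replay check on the sequence number (hypothetical receiver helper)."""
    def __init__(self, size=32):
        self.size, self.highest, self.bitmap = size, 0, 0
    def accept(self, seq):
        """True if seq is new and inside the window; False if zero, too old, or already seen."""
        if seq == 0:                       # 0 is never a valid sequence number
            return False
        if seq > self.highest:             # slide the window; bit 0 tracks the highest seq seen
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                   # fell out of the window, or a replay
        self.bitmap |= 1 << diff
        return True

# Constructed sample: 20-byte IPv4 header with protocol 51, then an AH carrying TCP (6) with a 12-byte ICV
SAMPLE_AH = (bytes([0x45, 0, 0, 44, 0, 0, 0, 0, 64, IPPROTO_AH, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
             + struct.pack("!BBHII", 6, 4, 0, 0x100, 1) + b"\x11" * 12)
```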