2012 Second International Conference on Advanced Computing & Communication Technologies
IMPLEMENTATION OF IPSEC PROTOCOL
Mr. Hitesh Dhall, Asstt. Prof., MCA Deptt., SPGOI, Rohtak, India. e-mail: Hitesh_dhall001@yaho [Link]
Ms. Dolly Dhall, Asstt. Prof., MCA Deptt., SPGOI, Rohtak, India. e-mail: dollychugh2001@yahoo .[Link]
Ms. Sonia Batra, Asstt. Prof., MCA Deptt., SPGOI, Rohtak, India. e-mail: batra2302sonia@gmail.com
Ms. Pooja Rani, Computer Teacher, Holy Family School, Gohana, India. e-mail: batra2302sonia@gmail.com

Abstract
The aim of this paper is to present the implementation of the IPSec protocol. The IPSec protocol protects end-user-to-end-user traffic, ensuring the authenticity and confidentiality of each data packet. IPSec is a successor of the ISO standard Network Layer Security Protocol (NLSP). NLSP was based on the SP3 protocol that was published by NIST, but designed by the Secure Data Network System project of the National Security Administration (NSA).
IPSec is officially specified by the Internet Engineering Task Force (IETF) in a series of Request for Comments addressing various components and extensions, including the official capitalization style of the [Link] defines encryption, authentication and key management routines for ensuring the privacy, integrity and authenticity of data in a VPN as the information traverses public IP networks. Because IPSec requires each end of the tunnel to have a unique address, special care must be taken when implementing IPSec VPNs in environments using private IP addressing based on network address translation. Fortunately, several vendors offer solutions to this problem. However, they add more management complexity.

Key words: IPSec, ISO, Network Layer Security Protocol (NLSP), Internet Engineering Task Force (IETF), National Security Administration (NSA), VPN

I. INTRODUCTION

Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPSec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session[7]. IPSec can be used to protect data flows between a pair of hosts, between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host. IPSec is a dual mode, end-to-end, security scheme operating at the Internet Layer of the Internet Protocol Suite or OSI model Layer 3. Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of these models. Hence, IPSec can be used for protecting any application traffic across the Internet. Applications need not be specifically designed to use IPSec. The use of TLS/SSL, on the other hand, must typically be incorporated into the design of applications.

The basic services that IPSec provides are:
1. Access Control
2. Connectionless integrity
3. Origin authentication
4. Replay protection
5. Rejection of replayed packet

All these services provide greater security for data communication in any network, which is why this research proposes IPSec for secure data communication in ad-hoc networks.

II. IPSEC ARCHITECTURE

This includes the various components of IPSec, how they interact with each other, the protocols in the IPSec family, and the modes in which they operate. The IPSec working group at the IETF has defined 12 RFCs (Request for Comments). The RFCs define various aspects of IPSec: architecture, key management, base protocols, and the mandatory transforms to implement for the base protocols.

THE IPSec ROADMAP

The IPSec protocols include AH, ESP, IKE, ISAKMP/Oakley, and transforms. In order to understand, implement, and use IPSec, it is necessary to understand the relationship among these components. The IPSec roadmap defines how the various components of IPSec interact with each other. This is shown in Figure 1.

IPSec is a suite of protocols, and it is important to understand how these protocols interact with each other and how they are tied together to implement the capabilities described by the IPSec architecture.
978-0-7695-4640-7/12 $26.00 © 2012 IEEE. DOI 10.1109/ACCT.2012.64

The IPSec architecture defines the capabilities the hosts and gateways should provide. For example, the IPSec architecture requires the host to provide confidentiality using ESP, and data integrity using either AH or ESP, and anti-replay protection. However, the architecture document does not specify the header formats for these protocols. The architecture discusses the semantics of the IPSec protocols and the issues involved in the interaction among the IPSec protocols and the rest of the TCP/IP protocol suite[4]. The ESP and the AH documents define the protocol, the payload header format, and the services they provide. In addition, these documents define the packet processing rules. However, they do not specify the transforms that are used to provide these capabilities. This is because new transforms can be defined when the algorithms used by the older transforms are proved to be cryptographically insecure, and this does not mandate any change to the base protocols. The transforms define the transformation applied to the data to secure it. This includes the algorithm, the key sizes and how they are derived, the transformation process, and any algorithm-specific information. It is important to be specific about the necessary information so that different implementations can interoperate. Let us consider the DES-CBC transform that is defined for ESP. If we do not specify how the Initialization Vector is derived, two implementations may end up deriving the Initialization Vector in different ways, and they will never be able to interoperate.

IKE generates keys for the IPSec protocols[6]. IKE is also used to negotiate keys for other protocols that need keys. There are other protocols in the Internet that require security services such as data integrity to protect their data. One such example is the OSPF (Open Shortest Path First) routing protocol. The payload format of IKE is very generic. It can be used to negotiate keys for any protocol and is not necessarily limited to IPSec key negotiation. This segregation is achieved by separating the parameters IKE negotiates from the protocol itself. The parameters that are negotiated are documented in a separate document called the IPSec Domain of Interpretation. An important component that is not yet a standard is "policy." Policy is a very important issue because it determines if two entities will be able to communicate with each other and, if so, what transforms to use. It is possible, with improperly defined policies, for two sides to be unable to communicate with each other.

III. IPSec IMPLEMENTATION

IPSec can be implemented and deployed in the end hosts or in the gateways/routers or in both. Where in the network IPSec is deployed depends on the security requirements of the users. This section discusses the capabilities and implications of implementing IPSec in various network devices (hosts and routers).

HOST IMPLEMENTATION

The proper definition of a host in this context is the device where the packet is originating. The host implementation has the following advantages:

• Provides security end to end
• Ability to implement all modes of IPSec Security
• Provides security on a per flow basis
• Ability to maintain user context for Authentication in establishing IPSec Connections

Host implementations can be classified into:

a) Implementation integrated with the operating system (OS). We call it host implementation (for lack of a better term!).
b) Implementation that is a shim between the network and the data link layer of the protocol stack. This is called the "Bump in the Stack" implementation.

a) OS Integrated

In the host implementation, IPSec may be integrated with the OS. As IPSec is a network layer protocol, it may be implemented as part of the network layer as shown in Figure 2. The IPSec layer needs the services of the IP layer to construct the IP header. This model is identical to the implementation of other network layer protocols such as ICMP.

There are numerous advantages of integrating IPSec with the OS. A few key advantages are listed below.
• As IPSec is tightly integrated into the network layer, it can make use of network services such as fragmentation, PMTU, and user context (sockets). This enables the implementation to be very efficient.
• It is easier to provide security services per flow (such as a Web transaction) as the key management, the base IPSec protocols, and the network layer can be integrated seamlessly.
• All IPSec modes are supported.

b) Bump in the Stack

For companies providing solutions for VPNs and intranets, the OS integrated solution has one serious drawback. On the end hosts, they have to work with the features provided by the OS vendors. This may limit their capabilities to provide advanced solutions. To overcome this limitation, IPSec is implemented as a shim, and inserted between the network and the data link layer as shown in Figure 3. This is commonly referred to as a Bump in the Stack (BITS) implementation.
As you may notice, the major issue in this implementation is duplication of effort. It requires implementing most of the features of the network layer, such as fragmentation and route tables[5]. Duplicating functionality leads to undesired complications. It becomes more difficult to handle issues such as fragmentation, PMTU, and routing. An advantage of the BITS implementation is the capability of an implementation to provide a complete solution. Vendors providing integrated solutions such as firewalls prefer to have their own client, as the OS vendor may not have all the features required to provide a complete solution.

ROUTER IMPLEMENTATION

The router implementation provides the ability to secure a packet over a part of a network. For example, an organization may be paranoid about the Internet and not its own private network. In this case, it may want to secure only those packets destined to the geographically distributed branch as these packets traverse the Internet to build its VPN or intranet. The IPSec implementation provides security by tunneling the packets[2].
The router implementation has the following advantages:
• Ability to secure packets flowing between two networks over a public network such as the Internet.
• Ability to authenticate and authorize users entering the private network. This is the capability that many organizations use to allow their employees to telecommute over the Internet to build its VPN or intranet. Previously, this was possible only over dial-ups (dialing through a modem directly into the organization).

There are two types of router implementation:

a) Native implementation: This is analogous to the OS integrated implementation on the hosts. In this case, IPSec is integrated with the router software.

b) Bump in the Wire (BITW): This is analogous to the BITS implementation. In this case, IPSec is implemented in a device that is attached to the physical interface of the router. This device normally does not run any routing algorithm but is used only to secure packets. BITW is not a long-term solution as it is not viable to have a device attached to every interface of the router.

The network architectures for these implementations are shown in Figure 4.1 and Figure 4.2.

The IPSec implementation on routers has many implications on the packet-forwarding capabilities of the router. The routers are expected to forward packets as fast as possible. In fact, we are already seeing core routers that can forward up to 30 million packets per second! Although IPSec may not be used in the core of the Internet, the implementations should still be concerned about efficiency. The packets that do not require security should not be affected because of IPSec. They should still be forwarded at normal rates. Many implementations make use of some hardware assists to perform public key operations, random number generation, encryption/decryption, and calculating hashes. There are specialized chipsets that assist the basic router hardware with security operations.
Another issue with router implementation is IPSec contexts. Memory on the routers is still a scarce commodity, although this is changing fast with memory prices falling rapidly. As the router has to store huge routing tables and normally does not have huge disks for virtual memory support, maintaining too many IPSec contexts is an issue.

IV. WORKING PRINCIPLE OF IPSEC IMPLEMENTATION

A working principle is also proposed by this research for implementing the parameters proposed in the above section for both AH and ESP of the IPSec implementation[7].

WORKING PRINCIPLE OF AH

After a data packet is sent with an AH header, the data packet will be processed only by the destination node. Intermediate nodes will not authenticate the data because the security association is established on a host-to-host basis from source to destination. If any intermediate malicious node changes the data packet then the authentication data will certainly change. But the node will not be able to generate the same Message Authentication Code (MAC) because it doesn't have the shared secret key of source and destination[1]. Upon receiving the data packet, the destination node will regenerate the MAC and compare it with the MAC supplied in the Authentication data of the AH header. If it matches, the destination will send an ACK packet to acknowledge that the authentication and integrity of the data have not been violated. Otherwise it drops the packet and does not send the ACK packet. Without receiving the ACK, the source will retransmit the data.

WORKING PRINCIPLE OF ESP

The ESP header will also be processed in the destination node, similar to the AH header. Intermediate nodes will not be able to see the encapsulated data packet as it is encrypted with the shared key between source and destination, and the SA is established on a host-to-host basis from source to destination. If any intermediate malicious node wishes to change the data packet then it will not be able to do so because only the new IP header, which is outside the encapsulated packet, is visible to the malicious node. Both the original IP header and the data packet are encapsulated using the shared key between source and destination. Upon receiving the packet the destination
node will de-encapsulate using the shared key. After successfully decrypting the packet, the destination will send an ACK packet to acknowledge that the confidentiality, integrity and authenticity have not been broken. On the contrary, if the source does not receive any ACK from the destination then it will retransmit the packet.

V. ALGORITHM OF THE PROPOSED IPSEC IMPLEMENTATION

After detailing the working principles for implementing both AH and ESP, the research now proposes an algorithm for secure data communication in ad-hoc networks combining both AH and ESP.

1. Route Discovery by SAODV[3]

   SAODV route Discovery: Source → Destination
   [Shared key of both source and destination will be exchanged during this phase]

2. Establishment of SA

   Data_Message = ((Sequence Number Counter + AH Information/ESP Information) EKS-priv) EKD-pub: Source → Destination (With First UDP Packet)
   [AH information: authentication algorithm, shared secret key, key lifetime]
   [ESP information: encryption algorithm, shared secret key, key lifetime]

3. Data Transmission

   IF (AH implemented packet)
       Packet with AH header: Source → Destination and Destination → Source
   ELSE IF (ESP implemented packet)
       Packet with ESP header: Source → Destination and Destination → Source

4. ACK_PKT

   IF (Check(Authentication) == true)
       Send ACK_PKT
   ELSE IF ((De_encapsulate(Packet) && Check(Authentication)) == true)
       Send ACK_PKT
   ELSE
       Drop PKT

5. Receive ACK_PKT

   IF (Receive(ACK_PKT) == true)
       Send next packet
   ELSE
       Retransmit same data packet

6. End

VI. COMPARISON OF AH AND ESP IMPLEMENTED PROTOCOLS

Table 1 shows the time difference between data packets with AH implemented and without AH implemented for a variable number of nodes. It shows that when the number of nodes increases, the time difference also increases. For a total number of nodes between 3 and 11 the time difference range is less than 0.5, but when the total number of nodes increases from 11 to 15 the time difference increases at more than double the rate seen for 3 to 11 nodes. For a total number of nodes above 15, the rate of increase of the time difference is negligible. Figure 5 shows the time difference increasing dramatically from 11 nodes to 15 nodes and then increasing at a steady rate. So AH-implemented data packets in ad-hoc networks consume more time to transmit data from source to destination compared to data packets without AH.
The time difference found by this research is from 0.39 ms to a maximum of 2.1 ms, but for this extra time, all users in the network get authentication service for all data packets in ad-hoc networks.
In contrast, Table 2 gives the time difference between ESP-implemented packets and packets without ESP. The data shows the variation of the time difference among different numbers of nodes. From a total of 7 to 9 nodes the difference is 0.6 ms; the time difference then decreases by 0.1 ms from a total of 9 to 11 nodes. From a total of 13 to 15 nodes, the time difference is a maximum of 2.4 ms. It increases slightly again for a total number of nodes above 15. Figure 6 shows the graph of the time difference between ESP-implemented packets and packets without ESP. Here the time difference ranges from 0.5 ms to a maximum of 2.4 ms.
The research adds 20 bytes for the different SA parameters needed to implement AH in the existing data packet of ad-hoc networks. The time overhead increases to a maximum of 2.12 ms for a total of 21 nodes. This extra time is expected theoretically by this research and matches the simulation result. It is the cost incurred for providing authentication service for data packets in ad-hoc networks.
The research also adds 13 bytes for the different SA parameters needed to implement ESP in the data packet. Here another 9.89 ms is added to account for encryption and decryption time with ESP-implemented packets. So the total overhead added by this research for ESP implementation in a data packet is 13 bytes, plus 9.89 ms for handling encryption and decryption of the data packet.
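
The AH path of the Section V algorithm (steps 3 to 5) and the AH working principle of Section IV can be modelled in a few lines. This is an added example, not the authors' code and not the real AH wire format: it assumes HMAC-SHA-256 as the authentication algorithm, a strictly increasing sequence number as the replay check, and a constructed key, payload and tampering channel.

```python
"""Simplified model of the AH path (steps 3-5); not the real AH wire format."""
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes
KEY = b"constructed-shared-secret-key-01"  # constructed sample key (assumption)


def build_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Source: 32-bit sequence number + payload, followed by HMAC over both."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Destination:
    def __init__(self, key: bytes):
        self.key = key
        self.highest_seq = 0   # simplest anti-replay state (real AH uses a window)
        self.delivered = []

    def receive(self, packet: bytes) -> bool:
        """Return True (send ACK_PKT) or False (drop the packet, no ACK)."""
        if len(packet) < 4 + MAC_LEN:
            return False
        body, mac = packet[:-MAC_LEN], packet[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False       # altered in transit or wrong key
        (seq,) = struct.unpack("!I", body[:4])
        if seq <= self.highest_seq:
            return False       # replayed packet
        self.highest_seq = seq
        self.delivered.append(body[4:])
        return True


def tampering_channel(packet: bytes, attempt: int) -> bytes:
    """Constructed path: an intermediate node alters one payload byte on try 1."""
    if attempt == 1:
        return packet[:4] + b"X" + packet[5:]
    return packet


def send_reliably(key, seq, payload, dest, channel, max_tries=3):
    """Source: retransmit the same packet until ACK; return tries used or None."""
    packet = build_packet(key, seq, payload)
    for attempt in range(1, max_tries + 1):
        if dest.receive(channel(packet, attempt)):
            return attempt
    return None


def demo():
    dest = Destination(KEY)
    tries = send_reliably(KEY, 1, b"route update 1", dest, tampering_channel)
    replayed = dest.receive(build_packet(KEY, 1, b"route update 1"))
    return tries, replayed, dest.delivered


if __name__ == "__main__":
    print(demo())
```

In this model a retransmission caused by a lost ACK, rather than a dropped packet, reuses an already accepted sequence number and is rejected as a replay, so the source never sees an ACK for it.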
Compared to AH, the timing overhead is greater for ESP-implemented packets. The time difference between ESP-implemented packets and packets without ESP is always more than 9.89 ms except when the total number of nodes is 13. The time difference for ESP-implemented data packets is higher than for AH-implemented ones, which the research expects theoretically. The way the time difference changes with the number of nodes is almost the same for both AH-implemented and ESP-implemented packets. But the service provided by ESP-implemented packets is greater than that of AH-implemented packets.

CONCLUSION

The proposed IPSec implementation attempts to ensure data communication security. Sending and receiving data packets with IPSec needs more time as compared to sending data packets without IPSec. Between AH-implemented and ESP-implemented data packets, ESP-implemented data packets consume more time due to handling encryption. The simulation result of this research also shows a similar result to the one the research expects theoretically. If an application needs only authentication, then this research proposes to use only AH-implemented data packets with minimum time overhead. The research encourages implementing IPSec with ESP for all security services with moderate time overhead.

REFERENCES

[1] Charles P. Pfleeger, Shari Lawrence Pfleeger (2003), Security in Computing, Pearson Education, Singapore.

[2] Crawley, E., Nair, R., Rajagopalan, B., and Sandick, H. (Aug. 1998), A Framework for QoS-Based Routing in the Internet, Internet IETF RFC2386.

[3] Manel Guerrero Zapata (2001), Secure Ad hoc On-demand Distance Vector (SAODV) Routing, draft-guerrero-manet-saodv, Nokia Research Center, Internet Draft.

[4] A. Tanenbaum (2003), Computer Networks (4th ed.), New Jersey, Prentice Hall PTR.

[5] William Stallings, Network Security Essentials, Application and standard.

[6] William Stallings, Cryptography & Network security, Principles & practice (3rd ed.).

[7] Bhajandeep Singh, Future of Internet Security – IPSec, [Link]

FIGURES AND TABLES

Figure 1: IPSec Roadmap
Figure 2: IPSec stack layering
Figure 3: BITS IPSec stack layering
Figure 4.1: Native Implementation deployment architecture
Figure 4.2: BITW deployment architecture
Table 1: Time difference with AH and Without AH
Figure 5: Time difference Graph with AH and Without AH
Table 2: Time difference with ESP and Without ESP
Figure 6: Time difference Graph with ESP and Without ESP