AH and ESP
Matt Norris
IPSec Standards and Protocols
AH and ESP
IPSec is one of several VPN standards that have allowed secure, low-cost connectivity
and data transport between locations over unsecured communication lines. Although
IPSec is most commonly used for the Internet, its use has been extended to secure
communications within local area networks between client and server and server to
server.
When designing and implementing a VPN solution, it is important to understand that
IPSec is not a single protocol but is comprised of many protocols that can be combined to
provide varying levels of protection. The premise of choosing and combining different
protocols makes IPSec extremely flexible and manageable if the implementer
understands the primary protocols and connection modes used in the IPSec standard.
The two protocols that, individually or in tandem, form the backbone of IPSec are
Authentication Header (AH) and Encapsulating Security Payload (ESP). The two modes
in which an IPSec connection, known as a Security Association (SA), can operate are Tunnel
Mode and Transport Mode.
ESP is a format protocol defined in RFC 2406 that provides data confidentiality (through
encryption) and is typically what we think of when deploying a "secure" VPN solution.
ESP can optionally provide integrity and data origin authentication through the use of a
hash and can provide replay attack protection. ESP adds security to the communication
stream by encrypting the data payload when in Transport Mode or by encrypting and
encapsulating the entire IP packet when in Tunnel Mode, as described below.
ESP supports the use of symmetric encryption algorithms, including DES, 3DES, and
AES, for confidentiality and the use of HMAC-MD5 and HMAC-SHA1 for data
authentication and integrity. Similar to AH authentication and integrity, ESP creates a
hash at the point of origination that can be compared at the destination. But unlike AH,
ESP cannot protect the unencrypted IP header, which is why ESP and AH are commonly
combined to add another level of protection.
IPSec Connection Modes: Transport and Tunnel
Transport Mode: Protection is provided for the data in the IP packet through encryption
but not for the IP header information, which remains unchanged. Transport Mode adds
only a few bytes of information to each IP packet, in the form of an IPSec header, and it
allows for quality-of-service (QoS) management on the network. Transport Mode is
typically used when end-to-end encryption is required and supported by the peers and is
deployed between or within locations.
Tunnel Mode: Protection is provided for the entire IP packet, which is encrypted and
then encapsulated in a new IP packet including a new IP header and an IPSec header.
Tunnel Mode is typically used on IPSec gateway devices such as firewalls, routers, and
VPN appliances connecting remote locations such as branch offices. The gateway acts as
an IPSec proxy for the clients that are located behind the device. Clients forward IP
packets to the gateway in the clear. The gateway device then encrypts the packet and
forwards it to an IPSec peer, which in turn decrypts the packet and forwards it to the
destination client.
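The following Python model is an added illustration, not code from the original article: it builds ESP packets in Transport and Tunnel Mode and shows what the ESP integrity check value (ICV) covers compared with AH. The keys, addresses and the SHA-256 keystream standing in for DES/3DES/AES are constructed placeholders; the HMAC-SHA1-96 ICV and the zeroing of mutable header fields for AH follow the RFC behaviour the text describes.

```python
import hmac, hashlib, struct

# Constructed demo values: placeholder keys and addresses, not a real configuration.
ENC_KEY = b"demo-encryption-key"
AUTH_KEY = b"demo-authentication-key"
HDR = 20  # IPv4 header length without options; ESP is IP protocol 50, AH is 51

def ipv4_header(src, dst, proto, total_len):
    # Minimal IPv4 header: ver/IHL, TOS, length, id, flags+frag, TTL, proto, checksum, src, dst
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)

def cipher(data, seq):
    # Stand-in for DES/3DES/AES (illustration only): XOR with a SHA-256 counter keystream
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(ENC_KEY + struct.pack(">II", seq, off)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def icv(data):
    # HMAC-SHA1 truncated to 96 bits, the integrity check value used by AH and ESP
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:12]

def esp_encapsulate(inner, spi, seq, mode, gw_src=None, gw_dst=None):
    """Return [outer IP][SPI|seq][encrypted body][ICV]; the ICV covers SPI..body only."""
    esp_hdr = struct.pack(">II", spi, seq)
    if mode == "transport":
        body = cipher(inner[HDR:], seq)   # payload only; original addresses stay in the clear
        src, dst = inner[12:16], inner[16:20]
    else:
        body = cipher(inner, seq)         # whole inner packet; new header names the gateways
        src, dst = gw_src, gw_dst
    outer = ipv4_header(src, dst, 50, HDR + 8 + len(body) + 12)
    return outer + esp_hdr + body + icv(esp_hdr + body)

def esp_verify(packet):
    """True if the ESP ICV matches; the outer IP header is outside the ICV's scope."""
    return hmac.compare_digest(icv(packet[HDR:-12]), packet[-12:])

def esp_decapsulate(packet):
    """Decrypt the ESP body: the payload (transport) or the whole inner packet (tunnel)."""
    _, seq = struct.unpack(">II", packet[HDR:HDR + 8])
    return cipher(packet[HDR + 8:-12], seq)

def ah_icv(packet):
    """AH ICV: covers the IP header (mutable fields zeroed) plus everything after it."""
    h = bytearray(packet[:HDR])
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"  # TOS, flags/frag, TTL, checksum
    return icv(bytes(h) + packet[HDR:])
```

Rewriting the source address of an ESP packet leaves esp_verify true, while the same change alters ah_icv; a TTL change does not, because AH zeroes mutable fields before hashing.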
After the protocols (AH and ESP) and the connection modes (Transport or Tunnel)
are understood, designing a secure communication stream becomes a more
manageable task. Of course, these steps are only a few in the overall process, and the
architect of the secure communication design should continue to understand all phases
and processes involved in VPN creation and its ongoing maintenance.