protection. With ESP, both communicating systems use a shared key for encrypting and decrypting the data they exchange. In general, this is a protocol that provides confidentiality, data origin authentication, connectionless integrity and protection against replay. Limited traffic flow confidentiality can also be provided. ESP is not limited to specific algorithms.

Two ways of using ESP

You can apply ESP in two ways, these are:

- Transport mode
- Tunnel mode

Transport mode

In transport mode the ESP header follows the IP header of the original IP datagram. If the datagram already has an IPSec header, then the ESP header goes before it. The ESP trailer and the optional authentication data follow the payload. Transport mode does not authenticate or encrypt the IP header, which might expose your addressing information to potential attackers while the datagram is in transit. Transport mode requires less processing overhead than tunnel mode, but does not provide as much security. In most cases, hosts use ESP in transport mode.

Tunnel mode

Tunnel mode creates a new IP header and uses it as the outermost IP header of the datagram, followed by the ESP header and then the original datagram (both the IP header and the original payload). The ESP trailer and the optional authentication data are appended to the payload. When you use both encryption and authentication, ESP completely protects the original datagram because it is now the payload data for the new ESP packet. ESP, however, does not protect the new IP header. Gateways must use ESP in tunnel mode.

IPSec Scenarios
IPSec can be deployed in three network scenarios. The first is between two hosts or computers that want to have a private communication channel for secure communication. The second is between gateways. Gateways are network devices like routers and firewalls, and IPSec protocols can be used to secure the transmission of data between these network devices. The third scenario is between a computer and a gateway.

Overview of IPSec Services and Functions

IPSec is not a single protocol, but rather a set of services and protocols that provide a complete security solution for an IP network. These services and protocols combine to provide various types of protection. Since IPSec works at the IP layer, it can provide these protections for any higher layer TCP/IP application or protocol without the need for additional security methods, which is a major strength. Some of the kinds of protection services offered by IPSec include:

- Encryption of user data for privacy.
- Authentication of the integrity of a message to ensure that it is not changed en route.
- Protection against certain types of security attacks, such as replay attacks.
- The ability for devices to negotiate the security algorithms and keys required to meet their security needs.
- Two security modes, tunnel and transport, to meet different network needs.

Modes of operation

There are two modes of operation available in IPSec:

- Transport mode
- Tunnel mode

Transport Mode

With transport mode, each IP packet's payload is encrypted but the headers are left intact.
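The following Python script is an added worked example, not code from the original text, illustrating two points made above: how the ESP header, trailer and authentication data are laid out around the payload in transport mode versus tunnel mode (and therefore which bytes of the datagram remain unprotected), and how the anti-replay service rejects a sequence number that has already been accepted. The IPv4 headers, keys and payload are constructed sample values; the ICV uses HMAC-SHA-256 truncated to 128 bits, and because the Python standard library has no AES, a keystream derived from HMAC in counter mode stands in for the real encryption algorithm (it is a pedagogical substitute, not an IPSec cipher). The replay window follows the sliding-bitmap scheme described in RFC 4303, with a 64-packet window assumed.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the text).
ENC_KEY = b"\x11" * 32
AUTH_KEY = b"\x22" * 32
# 20-byte IPv4 headers; field values are illustrative and not recomputed.
ORIG_IP_HEADER = bytes.fromhex("4500002c000040004006000a0a000001c0a80001")
OUTER_IP_HEADER = bytes.fromhex("4500005000004000403200000a0000fe0a0000ff")  # proto 0x32 = ESP
ORIG_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
NEXT_HEADER_TCP = 6
NEXT_HEADER_IPV4 = 4
ICV_LEN = 16  # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Stand-in for AES (stdlib has none): HMAC-SHA256 in counter mode keyed per SPI/sequence."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(spi, seq, mode, orig_ip_header, orig_payload, inner_next_header, outer_ip_header=None):
    """Build [clear IP header][ESP header][encrypted payload + trailer][ICV] for either mode."""
    if mode == "transport":
        # ESP header follows the original IP header; only the upper-layer payload is protected.
        clear_prefix, plaintext, next_header = orig_ip_header, orig_payload, inner_next_header
    elif mode == "tunnel":
        # New outer header in the clear; the whole original datagram becomes the ESP payload.
        clear_prefix, plaintext, next_header = outer_ip_header, orig_ip_header + orig_payload, NEXT_HEADER_IPV4
    else:
        raise ValueError(mode)
    # ESP trailer: padding so payload + pad + pad-length byte + next-header byte is 4-byte aligned.
    pad_len = (-(len(plaintext) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # default padding pattern 1, 2, 3, ...
    to_encrypt = plaintext + padding + bytes([pad_len, next_header])
    esp_header = struct.pack("!II", spi, seq)  # SPI and sequence number, in the clear but authenticated
    ciphertext = bytes(a ^ b for a, b in zip(to_encrypt, keystream(ENC_KEY, spi, seq, len(to_encrypt))))
    authed = esp_header + ciphertext  # ICV covers ESP header and ciphertext, never the IP header
    icv = hmac.new(AUTH_KEY, authed, hashlib.sha256).digest()[:ICV_LEN]
    coverage = {"unprotected_bytes": len(clear_prefix),
                "encrypted_bytes": len(ciphertext),
                "authenticated_bytes": len(authed)}
    return clear_prefix + authed + icv, coverage


def esp_decapsulate(packet, ip_header_len=20):
    """Verify the ICV first, then decrypt; returns (spi, seq, next_header, plaintext)."""
    esp = packet[ip_header_len:]
    authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified in transit or wrong key")
    spi, seq = struct.unpack("!II", authed[:8])
    ciphertext = authed[8:]
    plain = bytes(a ^ b for a, b in zip(ciphertext, keystream(ENC_KEY, spi, seq, len(ciphertext))))
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, next_header, plain[:-(pad_len + 2)]


class ReplayWindow:
    """RFC 4303-style sliding window: each sequence number is accepted at most once."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number (top - i) was received

    def accept(self, seq):
        if seq == 0:
            return False  # sequence number 0 is never sent on an ESP SA
        if seq > self.top:  # advance the window; the new number becomes its right edge
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # older than the window: drop
        if (self.bitmap >> diff) & 1:
            return False  # already received: replay
        self.bitmap |= 1 << diff
        return True


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        pkt, cov = esp_encapsulate(0x1000, 1, mode, ORIG_IP_HEADER, ORIG_PAYLOAD, NEXT_HEADER_TCP, OUTER_IP_HEADER)
        print(mode, len(pkt), "bytes", cov)
```

In transport mode the first 20 bytes of the result are the original IP header, so addressing stays visible; in tunnel mode the original header sits inside the encrypted region and only the constructed outer header is exposed, which matches the text's statement that ESP never protects the outermost IP header. The receiver checks the ICV before decrypting and consults the replay window before accepting the sequence number.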