IPSec Architecture
IPSec (IP Security) architecture uses two protocols to secure the traffic or
data flow. These protocols are ESP (Encapsulation Security Payload) and AH
(Authentication Header). IPSec Architecture includes protocols, algorithms,
DOI, and Key Management. All these components are very important in order
to provide the three main services:
● Confidentiality
● Authentication
● Integrity
IP Security Architecture:
1. Architecture: Architecture or IP Security Architecture covers the general
concepts, definitions, protocols, algorithms, and security requirements of IP
Security technology.
2. ESP Protocol: ESP (Encapsulation Security Payload) provides a
confidentiality service. Encapsulation Security Payload is implemented in
one of two ways:
● ESP with optional Authentication.
● ESP with Authentication.
Packet Format:
● Security Parameter Index (SPI): This parameter is used by the Security
Association. It gives a unique number to the connection built between
the Client and Server.
● Sequence Number: A unique sequence number is allotted to every packet
so that on the receiver side the packets can be arranged properly.
● Payload Data: Payload data means the actual data or the actual
message. The payload data is in an encrypted format to achieve
confidentiality.
● Padding: Extra bits of space are added to the original message in
order to ensure confidentiality. Padding Length is the size of the
added bits of space in the original message.
● Next Header: Next Header identifies the next payload or next actual
data.
● Authentication Data: This field is optional in the ESP protocol packet
format.
3. Encryption algorithm: The encryption algorithm is the document that
describes various encryption algorithms used for Encapsulation Security
Payload.
4. AH Protocol: AH (Authentication Header) Protocol provides both
Authentication and Integrity service. Authentication Header is implemented
in one way only: Authentication along with Integrity.
Authentication Header covers the packet format and general issues related to
the use of AH for packet authentication and integrity.
5. Authentication Algorithm: The authentication Algorithm contains the set
of documents that describe the authentication algorithm used for AH and for
the authentication option of ESP.
6. DOI (Domain of Interpretation): The DOI is the identifier that supports both
the AH and ESP protocols. It contains the values needed by the related
documents to refer to each other.
7. Key Management: Key Management contains the document that describes
how the keys are exchanged between sender and receiver.
Internet Protocol Authentication Header
What is an Authentication Header?
The Authentication Header (AH) is a security protocol used within the IPsec
suite. Its primary function is to ensure that the message remains unmodified
during transmission from the source and it confirms that the data originates
from the expected source. Authentication Header achieves this by adding a
header to IP packets, containing a checksum and a digital signature. Its main
functions are:
● Message Integrity – The message is not modified while coming from the
source.
● Source Authentication – The source is exactly the source from whom we
were expecting data.
When a packet is sent from Source A to Destination B, it consists of the data
that we need to send and a header that consists of packet information. The
Authentication Header verifies the origin of the data and also the payload, to
confirm whether any modification was done in between, during transmission
between source and destination. However, in transit, the values of some IP
header fields might change (like hop count, options, extension headers). So
the values of such fields cannot be protected by the Authentication Header.
The Authentication Header cannot protect every field of the IP header; it
provides protection to the fields which are essential to protect.
Authentication Header Format
● Next Header – Next Header is an 8-bit field that identifies the type of
header present after the Authentication Header. In the case of TCP, UDP,
a destination header or some other extension header it will store the
corresponding IP protocol number. For example, the number 4 in this
field indicates IPv4, 41 indicates IPv6 and 6 indicates TCP.
● Payload Length – Payload Length is the length of the Authentication
Header, expressed with a scaling factor of 4. Whatever the size of the
header, divide it by 4 and then subtract 2. We subtract 2 because we are
not counting the first 8 bytes of the Authentication Header, which are
the first two rows of the picture given above. It means we are not
including Next Header, Payload Length, Reserved and Security Parameter
Index when calculating the payload length. So, if the payload length is
given as X, then (X+2)*4 will be the original Authentication Header
length.
● Reserved – This is 16-bit field which is set to “zero” by sender as
this field is reserved for future use.
● Security Parameter Index (SPI) – This is an arbitrary 32-bit field. It is a
very important field that identifies all packets belonging to the present
connection. Suppose we are sending data from Source A to Destination B.
Both A and B will already know the algorithm and key they are going to
use. So for authentication, a hashing function and a key are required
which only the source and destination know about. The secret key
between A and B is exchanged by the Diffie-Hellman method. So the
hashing algorithm and secret key for the Security Parameter Index of the
connection will be fixed. Before data transfer starts, a Security
Association needs to be established. In a Security Association, both
parties need to communicate prior to the data exchange. The Security
Association tells what Security Parameter Index, hashing algorithm and
secret key are being used.
● Sequence Number – This unsigned 32-bit field contains a counter value
that increases by one for each packet sent. Every packet needs a
sequence number. It starts from 0 and goes up to the maximum value of
the field, and there is no wrap around. So, if all sequence numbers are
used up and none is left, we cannot wrap around as it is not allowed; we
end the connection and re-establish it to resume the transfer of the
remaining data from sequence number 0. Basically, sequence numbers are
used to stop replay attacks. In a replay attack, if the same message is
sent twice or more, the receiver will not be able to know whether both
messages were sent from a single source or not. Say I am requesting $100
from the receiver and an intruder in between asks for another $100. The
receiver will not be able to know that there is an intruder in between.
● Authentication Data (Integrity Check Value) – Authentication Data is a
variable-length field that contains the Integrity Check Value (ICV) for
the packet. Using the hashing algorithm and secret key, the sender
creates a message digest which is sent to the receiver. The receiver, on
the other hand, uses the same hashing algorithm and secret key. If both
message digests match then the receiver accepts the data. Otherwise, the
receiver discards it, concluding that the message has been modified in
between. So basically, Authentication Data is used to verify the
integrity of the transmission. Also, the length of the Authentication
Data depends upon the hashing algorithm you choose.
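The header layout, the (X+2)*4 Payload Length rule, the ICV check and the replay protection described above, worked through in Python as an added example (this is not code from the original article). It assumes HMAC-SHA1-96 as the hashing algorithm and uses a constructed key, SPI and payload; the receiver side uses a sliding window so that a repeated sequence number is rejected.

```python
import hmac
import hashlib
import struct

# Constructed values for this example; in practice the SA (SPI, algorithm, key)
# is agreed beforehand, as the text describes.
KEY = b"constructed-ah-integrity-key"
ICV_LEN = 12                        # HMAC-SHA1-96: MAC truncated to 96 bits (12 bytes)
AH_FIXED = struct.Struct("!BBHII")  # Next Header, Payload Length, Reserved, SPI, Sequence Number

def ah_icv(fixed: bytes, payload: bytes, key: bytes) -> bytes:
    # The ICV is computed with the Authentication Data field set to zero; mutable
    # IP header fields (hop count, options ...) are left out, as the text explains.
    return hmac.new(key, fixed + b"\x00" * ICV_LEN + payload, hashlib.sha1).digest()[:ICV_LEN]

def build_ah(next_header: int, spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    ah_len = AH_FIXED.size + ICV_LEN        # 12 fixed bytes + 12 ICV bytes = 24 bytes
    payload_length = ah_len // 4 - 2        # in 32-bit words, minus the first 8 bytes -> 4
    fixed = AH_FIXED.pack(next_header, payload_length, 0, spi, seq)
    return fixed + ah_icv(fixed, payload, key) + payload

def parse_ah(packet: bytes) -> dict:
    next_header, payload_length, reserved, spi, seq = AH_FIXED.unpack_from(packet)
    ah_len = (payload_length + 2) * 4       # the (X+2)*4 rule from the text
    return {"next_header": next_header, "payload_length": payload_length,
            "reserved": reserved, "spi": spi, "seq": seq,
            "icv": packet[AH_FIXED.size:ah_len], "payload": packet[ah_len:]}

class AntiReplayWindow:
    """Receiver-side sliding window (64 entries by default) that rejects duplicate
    sequence numbers and packets older than the window; this is how the sequence
    number stops the replay described in the text."""
    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0   # bit k = highest - k seen

    def accept(self, seq: int) -> bool:
        if seq > self.highest:              # new high-water mark: slide the window
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                    # too old, or already seen (replay)
        self.bitmap |= 1 << offset
        return True

def verify_ah(packet: bytes, key: bytes, window: AntiReplayWindow) -> bool:
    """Recompute the ICV, compare it in constant time, then apply the replay check."""
    fields = parse_ah(packet)
    fixed = packet[:AH_FIXED.size]
    if not hmac.compare_digest(fields["icv"], ah_icv(fixed, fields["payload"], key)):
        return False                        # digests differ: modified in between, discard
    return window.accept(fields["seq"])
```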
What is VPN and How It Works?
VPN is a mechanism of employing encryption, authentication, and integrity
protection so that we can use a public network as if it is a private network. It
offers a high amount of security and allows users to remotely access private
networks. In this article, we will cover every point about virtual private
networks.
What is a VPN?
A virtual private network (VPN) is a technology that creates a safe and
encrypted connection over a less secure network, such as the Internet. A
Virtual Private Network is a way to extend a private network using a public
network such as the Internet. The name itself suggests that it is a "Virtual
Private Network", i.e. a user can be part of a local network while sitting at a
remote location. It makes use of tunneling protocols to establish a secure
connection.
Need for VPN
It could easily be said that VPNs are a necessity since privacy, security, and
free internet access should be everybody’s right. First, they establish secure
access to the corporate networks for remote users; then, they secure the data
during the transmission and, finally, they help users to avoid geo-blocking
and censorship. VPNs are highly useful for protecting data on open Wi-Fi, for
privacy, and preventing one’s ISP from throttling one’s internet connection.
How Does a VPN Work?
Let us understand VPN with an example. Think of a situation where the
corporate office of a bank is situated in Washington, USA. This office has a
local network consisting of, say, 100 computers. Suppose other branches of
the bank are in Mumbai, India, and Tokyo, Japan. The traditional method of
establishing a secure connection between the head office and a branch was
to have a leased line between the branches and the head office, which was a
very costly as well as troublesome job. VPN lets us effectively overcome this
issue.
The situation is described below
● All 100 computers of the corporate office in Washington are connected
to the VPN server (which is a well-configured server with a public IP
address and a switch to connect all computers present in the local
network, i.e. in the US head office).
● The person sitting in the Mumbai office connects to the VPN server
using a dial-up window, and the VPN server returns an IP address that
belongs to the range of IP addresses of the local network of the
corporate office.
● Thus the person from the Mumbai branch becomes local to the head
office and information can be shared securely over the public
internet.
● So this is the intuitive way of extending the local network even
across the geographical borders of the country.
VPN is Well Exploited All Across the Globe
We will explain this with an example. Suppose we use smartphones
regularly. Spotify is a Swedish music app that is not active in India, but we
are making full use of it sitting in India. So how? A VPN can be used to
camouflage our geolocation.
● Suppose the IP address is 101.22.23.3, which belongs to India.
That is why our device is not able to access the Spotify music app.
● But the magic begins when we use the Psiphon app, which is an
Android app used to change the device IP address to an IP address
of the location we want (say the US, where Spotify works seamlessly).
● The IP address is changed using VPN technology. Basically, your
device connects to a VPN server of the respective country that you
have entered in the location textbox of the Psiphon app, and you
inherit a new IP from this server.
Now we type "What is my IP address?" Amazingly, the IP address has changed
to 45.79.66.125, which belongs to the USA. And since Spotify works well in
the US, we can use it now while being in India (virtually in the USA). Isn't
that good? Obviously, it is very useful.
● VPN also ensures security by providing an encrypted tunnel
between the client and the VPN server.
● VPN is used to bypass many blocked sites.
● VPN facilitates Anonymous browsing by hiding your IP address.
● Also, the most appropriate Search Engine Optimization (SEO) is done
by analyzing the data from VPN providers, which provide
country-wise statistics of browsing for a particular product.
● VPNs encrypt your internet traffic, safeguarding your online
activities from potential eavesdropping and cyber threats, thereby
enhancing your privacy and data protection.
Characteristics of VPN
● Encryption: VPNs employ several encryption standards to maintain
the confidentiality of the transmitted data so that, even if intercepted,
it cannot be understood.
● Anonymity: A VPN effectively hides the user's IP address, thus
offering anonymity and making tracking by websites or other third
parties impossible.
● Remote Access: VPNs provide the means for secure remote
connection to business networks, thus fostering employee
productivity through remote working.
● Geo-Spoofing: The user can also change the IP address to another
country using the VPN, hence breaking the regional restrictions of
some sites.
● Data Integrity: VPNs make sure that the data communicated in the
network arrives in the exact form sent and is not manipulated in any way.
Types of VPN
There are several types of VPN, and they vary according to the specific
requirements of the computer network. Some of the VPN types are as follows:
● Remote Access VPN
● Site to Site VPN
● Cloud VPN
● Mobile VPN
● SSL VPN
For more details, you can refer to the published article on Types of VPN.
VPN Protocols
● OpenVPN: OpenVPN is a cryptographic protocol that prioritises
security. It is a compatible protocol that provides a variety of setup
choices.
● Point-To-Point Tunneling Protocol (PPTP): PPTP is not utilized
because there are many other secure choices with higher and more
advanced encryption that protect data.
● WireGuard: WireGuard is a good choice that shows strong capability in
terms of performance.
● Secure Socket Tunneling Protocol (SSTP): SSTP is developed for
Windows users by Microsoft. It is not widely used due to the lack of
connectivity.
● Layer 2 Tunneling Protocol (L2TP): It connects a user to the VPN
server but lacks encryption, hence it is frequently used with IPSec to
offer connection, encryption, and security simultaneously.
Why Should You Use a VPN?
● For Unlimited Streaming: Love streaming your favourite shows and
sports games? A VPN is your ultimate companion for unlocking
streaming services.
● For elevating your Gaming Experience: Unleash your gaming
potential with the added layer of security and convenience provided
by a VPN. Defend yourself against vengeful competitors aiming to
disrupt your gameplay while improving your ping for smoother,
lag-free sessions. Additionally, gain access to exclusive games that
may be restricted in your region, opening up a world of endless
gaming possibilities.
● For Anonymous Torrenting: When it comes to downloading
copyrighted content through torrenting, it’s essential to keep your IP
address hidden. A VPN can mask your identity and avoid potential
exposure, ensuring a safe and private torrenting experience.
● For supercharging your Internet Speed: Are you tired of your
Internet speed slowing down when downloading large files? Your
Internet Service Provider (ISP) might be intentionally throttling your
bandwidth. Thankfully, a VPN can rescue you by keeping your online
activities anonymous, effectively preventing ISP throttling. Say
goodbye to sluggish connections and embrace blazing-fast speeds.
● Securing Public Wi-Fi: VPNs are essential for maintaining security
when using public Wi-Fi networks, such as those in coffee shops,
airports, or hotels. These networks are often vulnerable to
cyberattacks, and using a VPN encrypts your internet connection,
protecting your data from potential hackers and eavesdroppers
when you connect to untrusted Wi-Fi hotspots.
Tunnelling Protocols for VPN
● OpenVPN: An open source protocol with very good security and the
ability to set up the functionality you want to use. Secure Sockets Layer /
Transport Layer Security is used for the key exchange; it can go through
firewalls and network address translators (NATs).
● Point-To-Point Tunneling Protocol (PPTP): PPTP is another outdated
VPN protocol; it is one of the oldest VPN protocols, quite easy to
configure, but it provides weaker security than most contemporary VPN
protocols.
● WireGuard: A relatively new protocol that has been widely
recommended because of its relative ease of use and high
performance. It incorporates modern techniques of encryption and it
is perhaps easier to implement and to audit.
● Secure Socket Tunnelling Protocol (SSTP): SSTP is a Microsoft
developed protocol; it is compatible with the Windows operating
systems and uses SSL/TLS for encryption which is rather secure.
● Layer 2 Tunnelling Protocol (L2TP): L2TP is frequently combined
with IPsec for encryption; however, L2TP does not have encryption
integrated into it but does build a secure tunnel for data.
Authentication Mechanisms in VPN
● Pre-Shared Key (PSK): A secret key that is used for authenticating
the two parties, that is, the client and the VPN server. It is easy to
integrate but is also considered insecure when not administered
properly.
● Digital Certificates: Based on certificates issued by a trusted
certificate authority, this method is effective in verifying the identity
of users and devices securely.
● Username and Password: The usual form of user authentication, in
which users submit their credentials to access the VPN. This method is
sometimes supported by other security measures such as MFA
(multi-factor authentication).
● Two-Factor Authentication (2FA): Provides another level of
protection by including a second factor of identification, such as a
code received on one's mobile phone, along with a user identification
and password.
Security Concerns in VPN
● Data Leakage: A VPN can sometimes fail to hide the IP address and
thus leak data. This can happen via DNS leaks, when the VPN
connection is severed prematurely, or when switching between servers.
● Weak Encryption: The security of a VPN can be affected by weak
encryption standards as well as outdated encryption algorithms. It is
therefore essential to implement sound encryption/decryption methods.
● Trust in VPN Providers: A VPN provider can only be relied on to
secure the user's data and refrain from abusing it if the user trusts the
service provider. Some providers may keep records of a user's use of
the service, and this can infringe on the privacy of the consumer.
● Man-in-the-Middle Attacks (MitM): If the VPN is not configured
securely, an attacker gets the chance to intercept and modify
information exchanged between client and server.
● Performance Trade-offs: VPN security often affects the internet
connection, since the encryption and routing through VPN servers
cause a slower connection. Security and performance are both
important when choosing the measures.
Benefits of VPN
● When you use VPN it is possible to switch IP.
● The internet connection is safe and encrypted with a VPN.
● Sharing files is confidential and secure.
● Your privacy is protected when using the internet.
● There is no longer a bandwidth restriction.
● It facilitates cost savings for internet shopping.
Limitations of VPN
● VPN may decrease your internet speed.
● Premium VPNs are not cheap.
● VPN usage may be banned in some nations.
What is an IPsec Tunnel?
IPsec is a group of protocols that are used together to set up encrypted
connections between devices. It helps keep data sent over public networks
secure. IPsec is typically used to set up VPNs, and it works by encrypting IP
packets, along with authenticating the source where the packets come from.
IPsec encrypts the complete outgoing packet. This is generally implemented
on a secure gateway using a firewall or a router port. For example,
employees from an enterprise's branches can securely connect with systems
in the business office via secure gateways. The IPsec tunnel is established
between two gateway hosts.
IP stands for "Internet Protocol" and sec for "secure". IPsec is secure because
of its encryption and authentication process. Encryption is a method of
concealing information by mathematically altering data so it appears random.
In simpler terms, encryption is the use of a "secret code" that only
authorized parties can interpret.
How does IPsec Tunnel work?
IPsec connections consist of the following steps:
1. Key exchange: Keys are necessary for encryption; a key is a string of
random characters that is used to "lock" (encrypt) and "unlock" (decrypt)
messages. IPsec sets up keys with a key exchange between the connected
devices, so that each device can decrypt the other device's messages.
2. Packet headers and trailers: All data sent over a network is broken
down into smaller pieces called packets. Packets contain both a payload,
the actual data being sent, and headers, information about that data so
that the computers receiving the packets know what to do with them.
IPsec adds several headers to data packets containing authentication and
encryption information. IPsec also adds trailers, which go after each
packet's payload rather than before it.
3. Authentication: IPsec provides authentication for every packet, like a
stamp of authenticity on a collectible item. This ensures that packets are
from a trusted source and not from an attacker.
4. Encryption: IPsec encrypts the payload within each packet and each
packet's IP header. This keeps data sent over IPsec secure and private.
5. Transmission: Encrypted IPsec packets travel across one or more
networks to their destination using a transport protocol. At this stage,
IPsec traffic differs from regular IP traffic in that it most often uses UDP
as its transport protocol, rather than TCP. TCP, the Transmission Control
Protocol, sets up dedicated connections between devices and ensures that
every packet arrives. UDP, the User Datagram Protocol, does not set up
these dedicated connections. IPsec uses UDP because this allows IPsec
packets to get through firewalls.
6. Decryption: At the other end of the communication, the packets are
decrypted, and applications can now use the delivered data.
Protocols used in IPsec:
In networking, a protocol is a designated way of formatting data so that any
networked computer can interpret it. IPsec is not one protocol, but a
collection of protocols. The following protocols make up the IPsec suite:
● Authentication Header (AH): The AH protocol ensures that data
packets are from a trusted source and that the data has not been
tampered with, like a tamper-proof seal on a consumer product. These
headers do not offer any encryption; they do not help to conceal data
from attackers.
● Encapsulating Security Protocol (ESP): ESP encrypts the IP header
and the payload for every packet, unless transport mode is used, in
which case it only encrypts the payload. ESP adds its own header and a
trailer to each data packet.
● Security Association (SA): SA refers to a number of protocols used
for negotiating encryption keys and algorithms. One of the most
common SA protocols is Internet Key Exchange (IKE).
Although IP (Internet Protocol) is not part of the IPsec suite, IPsec runs
directly on top of IP.
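An added example (not code from the original article) that builds and checks the ESP packet format listed earlier in the page (SPI, Sequence Number, payload, padding, Pad Length, Next Header, Authentication Data) for both modes described just above: tunnel mode wraps a whole inner IP packet (Next Header 4) and transport mode wraps only the transport segment (Next Header 6). It assumes ESP with NULL encryption and HMAC-SHA1-96 authentication so the framing stays visible; the key, SPI values and the inner IPv4 packet are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed values for this example; the real SA would be negotiated via IKE.
KEY = b"constructed-esp-integrity-key"
ICV_LEN = 12                    # HMAC-SHA1-96: MAC truncated to 96 bits (12 bytes)
IPPROTO_IPV4, IPPROTO_TCP = 4, 6

def esp_icv(body: bytes, key: bytes) -> bytes:
    # ESP authentication covers SPI, Sequence Number, payload and trailer, not the outer IP header.
    return hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def build_esp(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    # Trailer = padding + Pad Length + Next Header.  With NULL encryption the padding only
    # has to bring payload + padding + 2 trailer bytes to a 4-byte boundary.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + esp_icv(body, key)

def parse_esp(packet: bytes, key: bytes):
    """Return the ESP fields, or None when the ICV does not match (packet is discarded)."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, esp_icv(body, key)):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]       # trailer sits right before the ICV
    payload = body[8:len(body) - 2 - pad_len]       # strip padding using Pad Length
    return {"spi": spi, "seq": seq, "pad_len": pad_len,
            "next_header": next_header, "payload": payload}

def constructed_ipv4(src: bytes, dst: bytes, segment: bytes) -> bytes:
    # Minimal inner IPv4 packet for illustration only (header checksum left as 0).
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0,
                         64, IPPROTO_TCP, 0, src, dst)
    return header + segment

def tunnel_mode_packet(segment: bytes) -> bytes:
    # Tunnel mode: the entire inner IP packet is the ESP payload, so Next Header = 4 (IPv4)
    # and the inner addresses are hidden behind the gateway's outer header.
    inner = constructed_ipv4(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", segment)
    return build_esp(0x2000, 7, inner, IPPROTO_IPV4, KEY)

def transport_mode_packet(segment: bytes) -> bytes:
    # Transport mode: only the TCP segment is wrapped, so Next Header = 6 (TCP)
    # and the original IP header stays outside ESP.
    return build_esp(0x1000, 1, segment, IPPROTO_TCP, KEY)
```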
Advantages of IPsec:
● IPSec operates at layer three, the network layer. As a result, the
higher network layers are not affected. The biggest advantage of IPsec is
transparency to applications.
● IPsec provides privacy. When information is exchanged, IPsec ensures
the use of public keys for privacy, so it is not possible to make out the
information in the packets.
● IPsec only needs modification to the operating system. That is why
IPsec does not care about the type of application.
Disadvantages of IPsec:
● One of the considerable disadvantages of IPSec is its wide access
range. Giving access to one device in an IPSec-based network can
offer access privileges to other devices too.
● Secondly, IPSec brings in a number of compatibility problems with
software too. This happens when software developers do not stick to
the IPSec standards.
● Unfortunately, IPSec is known for its high CPU usage. It needs quite
a bit of processing power to encrypt and decrypt all the data that
passes through the server.