March 2001 AN INTRODUCTION TO IPsec (INTERNET sive scanners, and the elimination of ITL Bulletins are published by the PROTOCOL SECURITY) known security holes from operating Information Technology Laboratory systems and application programs. (ITL) of the National Institute of By Sheila Frankel, Computer Security The application-specific solutions are Standards and Technology (NIST). Division, Information Technology applied to specific applications, such Each bulletin presents an in-depth Laboratory, National Institute of Standards discussion of a single topic of significant and Technology as electronic commerce or e-mail, and are agreed upon by some segment of interest to the information systems In its early days, the Internet was the the user population. community. Bulletins are issued on domain of academics and researchers. an as-needed basis and are available Its goal was to maximize communica­ Over time, it became obvious that from ITL Publications, National tion, connectedness and collabora­ these techniques were not general Institute of Standards and Technology, tion, and to minimize barriers that enough and that security services must 100 Bureau Drive, Stop 8901, would detract from the realization of be added to the Internet Protocol (IP) Gaithersburg, MD 20899-8901, those goals. By the late 1980s, it itself. In 1992 the Internet Engineering telephone (301) 975-2832. To be became apparent that some individu­ Task Force (IETF) began such an effort placed on a mailing list to receive als were abusing the capabilities of called IPsec. What differentiates IPsec future bulletins, send your name, the Internet and were reading or from other solutions? IPsec is an organization, and business address to changing information they shouldn’t, attempt to utilize cryptographic tech­ this office. You will be placed on this and even deliberately causing some niques in a more global solution to the mailing list only. Internet services to fail. Security con­ problem of Internet security. Rather Bulletins issued since September 1999 tinues to be a major concern in than requiring each e-mail program or web browser to implement its own today’s Internet. Fundamental changes ❐ Securing Web Servers, September 1999 to improve the security of basic Inter­ security mechanisms, IPsec involves a net services have been slow in their change to the underlying networking ❐ Acquiring and Deploying Intrusion development. In the intervening time, facilities that are used by every appli­ Detection Systems, November 1999 two types of solutions have emerged cation. It also allows network manag­ ❐ Operating System Security: Adding in response to the security hazards ers to apply protection to network to the Arsenal of Security that threaten Internet traffic: localized traffic without involving the end users. Techniques, December 1999 solutions and application-specific What is IPsec used for today? Figure 1 ❐ solutions. The localized solutions are shows two typical scenarios: the “road Guideline for Implementing attempts by computer network warrior” and the Virtual Private Net­ Cryptography in the Federal administrators to isolate or fortify their work (VPN). A road warrior is a busi- Government, February 2000 particular fiefdoms, and take the form ❐ of screening routers, firewalls, defen­ Continued on page 2 Security Implications of Active Content, March 2000 Host H1 ❐ Mitigating Emerging Hacker Threats, June 2000 ❐ Identifying Critical Patches with ICAT, July 2000 INTERNET ❐ Security for Private Branch Network N1 Network N2 Exchange Systems, August 2000 Host H1-2 ❐ XML Technologies, September 2000 Host H1-1 Host H2-1 Host H2-2 ❐ An Overview of the Common Criteria Evaluation and Validation Scheme, October 2000 ❐ A Statistical Test Suite for Random and Pseudorandom Number Gateway Gateway Generators For Cryptographic SG1 SG2 Applications, December 2000 Host H1-3 Host H2-3 ❐ What Is This Thing Called Figure 1: IPsec Usage Scenarios Conformance? January 2001 2 March 2001 ness employee who is working at by the sender, and the receiver may without providing privacy. The Inter­ home or at another location away optionally enable its use. net Key Exchange (IKE) protocol is a from their office and needs to access mechanism that allows for secret keys ■ Confidentiality or privacy: a an office computer. IPsec can ensure and other protection-related parame­ guarantee that, even if the message that those communications are con­ ters to be exchanged prior to a com­ is “read” by an observer, the con­ ducted in a private, tamper-proof munication without the intervention tents are not understandable, manner. Another common use of of the user. The IPsec and IKE proto­ except to the authorized recipient. IPsec is the creation of a VPN. If a cols are being developed within the company needs to conduct secure ■ Traffic analysis protection: an IPsec working group under the communications among scattered assurance that an eavesdropper umbrella of the Internet Engineering locations, a private network can be cannot determine who is communi­ Task Force (IETF). constructed by leasing or stringing cating with whom or determine the private communication lines. A less frequency and volume of communi­ The Authentication Header expensive and more flexible alterna­ cations between specific entities. (AH) and the Encapsulating tive is a VPN that uses the Internet as Security Payload (ESP) the communications medium and IPsec Context and employs IPsec to ensure that these Components Header communications are indeed private. AH uses a keyed message authentica­ IPsec is a protocol that operates Although the VPN’s traffic crosses the tion algorithm (MAC) to provide con­ within the Internet Protocol (IP). IP in public Internet, IPsec protection pre­ nectionless integrity and data origin turn is one part of a layered suite of vents unauthorized outsiders from authentication protection. This protec­ communication protocols known as reading or modifying the traffic. In tion covers the packet’s data portions, TCP/IP. The upper layers, the trans­ Figure 1, the road warrior’s host, H1, as well as certain portions of the IP port and application layers, rely on provides its own IPsec protection; header: those IP header fields that the Internet layer protocol, IP, for the networks N1 and N2 obtain their cannot change in an unpredictable following: IPsec protection from the VPN con­ manner as the packet traverses the necting security gateways SG1 and ■ transmitting messages (generally Internet. The ESP header can also SG2, respectively. called packets in this context) from provide integrity and authentication one host to another protection through the use of a keyed Security Protections MAC. In addition to, or in place of, ■ routing the messages so that they Provided by IPsec these types of protection, the ESP arrive at the desired destination header can use an encryption algo­ IPsec can provide some or all of the ■ if the messages are too large to be rithm to provide confidentiality. The following types of protection. transmitted by one or more of the ESP’s protections cover the packet’s ■ Connectionless Integrity: a guar­ network links encountered along data, but not the IP header. Both AH antee that the message that is the way, breaking the messages and ESP can provide replay protec­ received is the exact one that was into smaller fragments and, at the tion. Each header identifies the types sent, and no tampering has other end, re-assembling the frag­ occurred. Why “connectionless”? ments to reconstruct the original This is because communications at message Who we are the Internet layer follow a Post IP accomplishes these tasks through The Information Technology Office model (as opposed to a the use of the IP header, which is Laboratory (ITL) is a major research Phone Company model). Messages inserted at the beginning of each mes­ component of the National Institute are sent from the sender to the sage and contains all of the informa­ of Standards and Technology (NIST) receiver, but no attempt is made to tion (source and destination of the Technology Administration, ensure that they are received in addresses, etc.) required for the mes­ U.S. Department of Commerce. We order, or that any (or all) were in sage to traverse the Internet and develop tests and measurement fact received. That task is left to arrive at its destination. methods, reference data, proof-of­ one of the upper layer protocols. The IPsec protocols are additions to concept implementations, and ■ Data Origin Authentication: a IP that enable the sending and receiv­ technical analyses that help to guarantee that the message actually ing of cryptographically protected advance the development and use was sent by the apparent originator messages. This is accomplished of new information technology. We of the message, and not by another through the use of two special IPsec seek to overcome barriers to the user masquerading as the supposed headers, inserted immediately after efficient use of information message originator. the IP header in each message. The technology, and to make systems ■ Replay Protection: assurance that Encapsulating Security Protocol (ESP) more interoperable, easily usable, the same message is not delivered Header provides privacy and protects scalable, and secure than they are multiple times and that messages are against malicious modification, and today. Our Web site is not delivered grossly out of order. the Authentication Header (AH) pro­ http://www.itl.nist.gov/. This capability must be implemented tects against