Cryptographic Overhead of IPSec Protocol Suite - Research Paper Example

Cryptographic overhead of IPsec Protocol Suit Authors Name/s per 1st Affiliation (Author) line 1 (of Affiliation): dept. name of organization line 2: name of organization, acronyms acceptable line 3: City, Country line 4: e-mail address if desired Authors Name/s per 2nd Affiliation (Author) line 1 (of Affiliation): dept. name of organization line 2: name of organization, acronyms acceptable line 3: City, Country line 4: e-mail address if desired Abstract— At the present time, when the communications over the Internet have turned out to be critical for the businesses as well as governments and individuals, there is need for effective security measures and mechanisms in order to ensure the security of these communications. The most common services of IPSec implementation are VPN (virtual private networking) services that can be used over existing networks e.g. internet, can provide the secure transfer of sensitive data over public networks. Keywords: VPN; IPSec; Cryptography, Encryption, FTP; SAs; I. Introduction Today, the communication between networks, that are being established, have a strong need of good security mechanisms in order to ensure the security, integrity, confidentiality and authenticity between two hosts or two networks. The most common services of IPSec (Internet Protocol Security) implementation are VPN (virtual private networking) services utilized on current networks such as the Internet, can ensure the safe transmission of useful data and information over public infrastructure. The reality that the Internet is deficient in security is still undeniable. So to solve this issue researchers are trying to increase the network security at each layer by designing a range of security protocols. The designed protocols include PGP, S/MIME, and SET which are specifically designed to ensure the security of the application layer. In this scenario, SSL/TLS are used on the transport layer. In this race, IPSec is one of the most important security protocol, which is designed for dealing with the network layer security, ensuring the availability of security services like that data source authentication, access control, data confidentiality and integrity and processing data packages on the IP packet layer [1, 2, 3]. This paper presents a detailed analysis of IPSec and associated aspects. II. Internet Protocol Security (IPSec) IPSec is a complete suite of protocols, which carry out specific tasks. As discussed above, the basic objective of IPSec is to provide a variety of security facilities to traffic transmitting between a source and destination. In this scenario, a source or destination can be a host or a router. In addition, these facilities can be used for all packets sent or received, or simply to a particular kind of transmission such as FTP or telnet. Figure1 demonstrates how IPSec ensures the security of data transmission between a host and a destination [4, 5, 6]: Figure 1IPSec Operation, Image Source: [4] In this diagram a red line is used to demonstrate that IPSec is implemented on the path between the Host B and Router 1. Basically, IPSec provides a variety of security mechanisms for securing transmissions over a network and these mechanisms can be implemented in different ways. Additionally, IPSec can perform operations on particular kind of traffic at the same time as remaining traffic is moved on a defenseless path. This process is clearly mentioned in the figure, in this figure 1 black links are used to demonstrate this kind of communication. A number of separate IPSec protected connections can be established between the two routers and between Host B and Router 1 [4, 6]. III. Implementation of Security Through IPSec In their paper, [1] provides a detailed discussion on the working of IPSec and the way it ensures the surety of transmission over a network. According to their viewpoint, IPSec implements the security in a network by maintaining the security associations (SAs). In this scenario, a security association is used as a basis to identify the security parameters that will be utilized in data transmission to make it protected, for instance IPSec security protocol, encryption algorithm, hash function and encryption key. Additionally, each security association is typically specified by an exclusive set of parameters such as destination IP address, security parameter index and security protocol. In addition, these associations are established after the negotiation between the communicating hosts in the networks. IPSec is also responsible for maintaining a Security Policy Database (SPD). In fact, a network interface that is established using the IPSec, possesses a pair of Security Policy Database and Security Association Database, which help in processing incoming and outgoing IP packets. One entry of Security Association Database is equal to a security association, on the other hand, Security Policy Database entry refers to a security policy. In this scenario, if the packets are sent to the destination host, the corresponding policy in Security Policy Database is retrieved, if the documented act is to “process” the data transfer (as specified in the security policy), then corresponding Security Associations are retrieved according to the Security Association pointer [1, 7]. In case, if the Security Association does not exist in the Security Association Data base, then a new Security Association is created and stored into the database. Once Security Association has been retrieved from the database, the data packets are processed with the authentication encryption algorithm and security protocol presented in the Security Association. Then the processed data packets are sent to the IP of destination host. In the same way, the receiver side discovers the Security Association consistent with the Security Parameter Index parameter in the datagram, and verifies if retransmission of packets is required. Otherwise, the data is decrypted and authenticated with the protocol specified in the Security Association [1, 7]. IV. Benefits of IPSec The research has pointed out some of the major features of IPSec, which make this protocol more robust as compared to other security standards. IPSec allows for transparency as One of IPSec’s noticeable strong points lies in the integration of encryption and authentication methods with robust and full-featured key exchange Algorithms and protocol negotiation features to provide security against vulnerabilities on network layer. IPSec is complete package including both, a tunneling technology and a security technology. It enhances robustness as using tunneling without encryption facilitates no security against many forms of attack [1, 8, 6, 9]. Tunneling for an organization may not be just concerned with securing external routers from dealing with internal addresses. It may also be adopted for hiding those addresses from attackers beyond the firewall. Now days, because of many powerful attacker tools, security mechanisms that perform no authentication of the source and destination of every IP packet may provide worst results than no authentication at all. IPSec real strength lies in the fact the as compared to other standards, it combines tunneling, authentication, and encryption in a package that provide the organizations with a secure route between private networks, or into a network from a trusted host, while traveling right through a public network such as internet. IPSec is a scalable security standard and also promises for interoperability i.e. its spans all the vendors and platform same as IP does [1, 8, 6, 9]. V. Limitations of IPSec Some of the key challenges with the IPSec infrastructure are outlined below [9, 10]: IPSec does not ensure identical endwise security for the systems that are functioning at higher levels. Though, with IPSec IP connections can be encrypted between two machines, but it is not applicable for higher level security such as encrypting messages between users or between applications. The research has shown that IPSec is not effective in dealing with a number of security attacks such as DoS attacks. IPSec does not provide effective support against analyzing the unencrypted headers of encrypted packets like that source and target’s gateway addresses and packet size etc. This information can be acquired by attackers with some intelligent tools. VI. Conclusion This paper has presented a detailed discussion on IPSec and its capabilities in ensuring the secure communication in the network. IPSec is not a single protocol, however it is a complete suite of protocols and contains a variety of protocols in which each protocol is responsible for performing specific tasks. Some of the important protocols that IPSec contains include Encapsulating Security Payload, Authentication Header, Internet key exchange and IP Payload Compression Protocol, which is used optionally. Each protocol plays its part in improving the security, integrity and confidentiality of communication by using different algorithms for encryption and authentication. IPSec is usually implemented by maintaining security associations which are stored in security association database and are retrieved according to the actions specified in the security policies that are stored in security policy database. Though IPSec provides a better, scalable and robust mechanism for ensuring the security in communications, as compared to other standards, but it also has some limitations as it cannot resist DoS attacks. However, there are some strategies that have been proposed and are being followed to improve the effectiveness of IPSec standard. REFERENCES [1] L. Zheng and Y. Zhang, "An Enhanced IPSec Security Strategy," 2009 International Forum on Information Technology and Applications, ifita, vol. 2, no. 1, pp. 499-502, 2009. [2] J. Meng, X. Chen, Z. Chen, C. Lin, B. Mu and L. Ruan, "Towards high-performance IPsec on cavium OCTEON platform," Berlin, Heidelberg, 2010. [3] B.-H. Kang and M. O. Balitanas, "Vulnerabilities of VPN using IPSec and Defensive Measures," International Journal of Advanced Science and Technology, vol. 8, no. 7, pp. 9-18, 2009. [4] D. Clark, "Vulnerability’s of IPSEC: A discussion of possible weaknesses in IPSEC implementation and protocols," SANS Institute, 2002. [5] M. S. Parmar and A. D. Meniya, "Imperatives and Issues of IPSEC Based VPN," International Journal of Science and Modern Engineering (IJISME), vol. 1, no. 2, pp. 38-41, 2013. [6] P. K. Singh and P. P. Singh, "A Novel Approach for the Analysis & Issues of IPsec VPN," International Journal of Science and Research (IJSR), vol. 2, no. 7, pp. 187-189, 2013. [7] J. P. Degabriele and K. G. Paterson, "On the (in)security of IPsec in MAC-then-encrypt configurations," New York, 2010. [8] M.-Y. Wang and C.-W. Wu, "A mesh-structured scalable IPsec processor," IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 18, no. 5, pp. 725-731, 2010. [9] H. Wang, G. Bai and H. Chen, "A Gbps IPSec SSL Security Processor Design and Implementation in an FPGA Prototyping Platform," Journal of Signal Processing Systems, vol. 58, no. 3, pp. 311-324, 2010. [10] C. Cremers, "Key exchange in IPsec revisited: formal analysis of IKEv1 and IKEv2," Berlin, Heidelberg, 2011. [11] M. Rossberg, G. Schaefer and T. Strufe, "Distributed Automatic Configuration of Complex IPsec-Infrastructures," Journal of Network and Systems Management, vol. 18, no. 3, pp. 300-326, 2010. [12] J. Arkko and P. Nikander, "Limitations of IPsec policy mechanisms," Berlin, Heidelberg, 2005. Read More