What is IPSec?
IPSec, is a framework of open standards (from IETF) that define policies for secure communication in a network. Using IPSec, participating peers (computers or machines) can achieve data confidentiality, data integrity, and data authentication at the network layer (i.e. Layer 3 of the Open Systems Interconnection 7-layer networking model). RFC 2401 specifies the base architecture for IPsec compliant systems.
The main purpose of IPSec is to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6. It offers various security services at the IP layer and therefore, offers protection at this (i.e. IP) and higher layers. These security services are, for example, access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality.
IPSec has two different modes:
- Transport mode (host-to-host)
In transport mode, the payload is encapsulated (header is left intact) and the end-host (to which, the IP packet is addressed) decapsulates the packet. - Tunnel Mode (Gateway-to-Gateway or Gateway-to-host)
In the tunnel mode, the IP packet is entirely encapsulated (with a new header). The host (or gateway), specified in the new IP header, decapsulates the packet. Note that, in tunnel mode, there is no need for client software to run on the gateway and the communication between client systems and gateways are not protected.
IPSec standard supports the following features:
- AH (Authentication Header) that provides authenticity guarantee for transported packets. This is done by check-summing the packages using a cryptographic algorithm.
- ESP (Encapsulating Security Payload) that provides encryption of packets.
- IPcomp (IP payload compression) that provides compression before a packet is encrypted.
- IKE (Internet Key Exchange) provides the (optional) means to negotiate keys in secrecy.
It also provides the following components:
- Security Policy Database (SPD) This manages security policy (SP) and selector that correlates SP with actual data traffic.
- Security Association Database (SAD) it contains Security Association (SA), parameters necessary for expressing IPsec connections and applying IPsec.
IPSec Overhead Calculator Tool
This Cisco tool calculates the overhead for IPSec and other common encapsulation protocols based on the input packet size and IPSec algorithms. It can help with the proper MTU tuning for best performance. [IPSec Overhead Calculator]
Investigating Space Overhead by IPSec on IPv4 and IPv6 Communication Protocols
Analysis of IPSec overheads has generated significant amount of research interest over the years. There are various publications of technical and peer reviewed papers and thesis that already worked on the area. This discussion and analysis cover areas such as basic network protocol performance ranging from protocol latency, throughput, CPU utilisation of protocols, to TCP/IP IPSec protocol processing overheads. [read more]
IPSec authentication header (AH) transport mode and tunnel mode positioning and size
The diagrams below demonstrate the IPSec authentication header (AH) transport mode and tunnel mode positioning and size for an IPv4 and IPv6 IP packets (IETF/ RFC 4305)
Fig 1. IPv4 with IPSec (AH) Total Header Size, Tunnel Mode 64 Bytes.
| Original IPv4 Header total Size = 20 bytes | 0–3 | 4–7 | 8–13 | 14-15 | 16–18 | 19–31 |
| Version (4 bit) | Internet Header Length (4 bit) | Differentiated Services Code Point (8 bit) | Explicit Congestion Notification() | Total Length (16 bit) | ||
| Identification (16 bit) | Flags (3 bit) | Fragment Offset (13 bit) | ||||
| Time to Live (8 bit) | Protocol (8 bit) | Header checksum (16bit) | ||||
| Source IP Address (36bit) | ||||||
| Destination IP Address (36bit) | ||||||
| Options (if Header Length > 5) | ||||||
| AH | 44 bytes | |||||
| User Data | Data () | |||||
Source: IPv4 (IETF/ RFC 4305)
Fig 2. IPv4 with IPSec (ESP) Total Header Size, Tunnel Mode 62 Bytes.
| Original IPv4 Header total Size = (160 bits) 20 bytes | 0–3 | 4–7 | 8–13 | 14-15 | 16–18 | 19–31 |
| Version (4 bit) | Internet Header Length (4 bit) | Differentiated Services Code Point(8 bit) | Explicit Congestion Notification() | Total Length(16 bit) | ||
| Identification (16 bit) | Flags (3 bit) | Fragment Offset (13 bit) | ||||
| Time to Live (8 bit) | Protocol (8 bit) | Header checksum (16bit) | ||||
| Source IP Address (36bit) | ||||||
| Destination IP Address (36) | ||||||
| Options (if Header Length > 5) | ||||||
| ESP | 42 bytes | |||||
| User Data | Data () | |||||
Source: IPv6 (IETF/ RFC 4305)
Fig 3. IPv6 with IPSec (AH) Total Header Size, Transport Mode 64 Bytes.
| Original IPv6 Header. total size = 320 bits (40 bytes) | Version (4 bits) | Traffic class (8 bits) | Flow label (20 bits) | ||
| Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits) | |||
| Source address (128 bits) | |||||
| Destination Address (128 bits) | |||||
| AH | 24 byte | ||||
| User Data | |||||
Source: IPv6 (IETF/ RFC 4305)
Fig 4. IPv6 with IPSec (ESP) Total Header Size Transport Mode 62 Byte.
| Original IPv6 Header. Total size = 320 bits (40 bytes) | Version (4 bits) | Traffic class (8 bits) | Flow label (20 bits) | |
| Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits) | ||
| Source address (128 bits) | ||||
| Destination Address (128 bits) | ||||
| ESP | 22 byte | |||
| User Data | ||||
Source: IPv6 (IETF/ RFC 4305)
Fig 5. IPv6 with IPSec (AH) Total Header Size, Tunnel Mode 84 Bytes.
| Original IPv6 Header. Total size = 320 bits (40 bytes) | Version (4 bits) | Traffic class (8 bits) | Flow label (20 bits) | |
| Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits) | ||
| Source address (128 bits) | ||||
| Destination Address (128 bits) | ||||
| AH | 44 byte | |||
| User Data | ||||
Source: IPv6 (IETF/ RFC 4305)
Fig 6. IPv6 with IPSec (ESP) Total Header Size, Transport Mode 82 Bytes.
| Original IPv6 Header. Total size = 320 bits (40 bytes) | Version (4 bits) | Traffic class (8 bits) | Flow label (20 bits) | |
| Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits) | ||
| Source address (128 bits) | ||||
| Destination Address (128 bits) | ||||
| ESP | 42 byte | |||
| User Data | ||||
Source: IPv6 (IETF/ RFC 4305).
