The Cryptographic Overhead of IPSec Protocol Suite


1. Introduction

Ensuring the security of networked computers is becoming more and more important. As everyone (hopefully!) already knows, the Internet, which has grown incredibly in recent years, is not a safe place. The widespread adoption of the WWW has not made it any less dangerous; on the contrary, there are always new types of malware and new ways to exploit the "weak points" of computer systems and user errors (Bellare 2011, p. 1-15).

IPSec (short for IP Security), a family of protocols and services, offers very interesting possibilities for protecting data transferred over IP-based networks. Its mechanisms provide integrity verification of transmitted data (ensuring that the data has not been changed in transit), confidentiality (encryption of transmitted data to protect it from unauthorized viewing), anti-replay protection (each transmitted IP packet is unique; an intercepted packet cannot be re-sent, for example, to gain access to resources) and authenticity (a guarantee that a packet was sent by a computer that holds the shared secret key).

IPSec (IP Security) is a security protocol that provides point-to-point security in IPv4 and IPv6 (in IPv6, IPSec support is implemented by default). IPSec is a standard that is slowly being adopted by the different platforms; on GNU/Linux there is the FreeS/WAN project. The protocol implements encryption at the IP protocol level, so all protocols carried over IP can use IPSec transparently.

The Authentication Header (AH) provides message integrity and origin authentication of the message. The protection AH provides includes packet header information, such as the source and destination addresses (Wang, 2012, p. 17-36).

The Internet Security Association and Key Management Protocol (ISAKMP) is used by AH and ESP for key management. ISAKMP itself does not define the key generation algorithm but allows different types of algorithms to be used, although the standard calls for a minimum set in implementations. Key exchange uses IKE (Internet Key Exchange); it is defined separately so that the key exchange method is decoupled from the IPSec protocol. Standardization of IKE allows interoperability between different systems; the IKE implementation in FreeS/WAN is called Pluto.

The AH and ESP protocols are implemented at the IP layer: AH is IP protocol 51 and ESP is IP protocol 50. ISAKMP uses UDP port 500 for sending and receiving. Where a firewall sits in front of the security gateway, its filtering rules must take these protocols into account (Eastlake, 2012, p. 121-125).
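
The filtering point above, as an added example that is not part of the original paper: a Python classifier that recognizes AH, ESP and ISAKMP traffic in a raw IPv4 packet, as a firewall in front of the security gateway has to. The function names, the accept/drop policy and the sample packets are assumptions constructed for illustration.

```python
import struct

# From the text: AH is IP protocol 51, ESP is IP protocol 50, ISAKMP uses
# UDP port 500. UDP's own IP protocol number (17) is the standard value.
PROTO_ESP, PROTO_AH, PROTO_UDP, ISAKMP_PORT = 50, 51, 17, 500


def classify_ipv4(packet: bytes) -> str:
    """Return 'AH', 'ESP', 'ISAKMP', 'other' or 'malformed' for a raw IPv4 packet."""
    if len(packet) < 20:
        return "malformed"
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        return "malformed"
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    proto = packet[9]
    if proto == PROTO_AH:
        return "AH"
    if proto == PROTO_ESP:
        return "ESP"
    if proto == PROTO_UDP and frag_offset == 0:
        # Only a first fragment carries the UDP header (later fragments fall
        # through to 'other'); it starts after any IP options, so use IHL.
        if len(packet) < ihl + 8:
            return "malformed"
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if ISAKMP_PORT in (sport, dport):
            return "ISAKMP"
    return "other"


def filter_decision(packet: bytes) -> str:
    """Hypothetical policy: pass only IPSec-related traffic to the gateway."""
    return "ACCEPT" if classify_ipv4(packet) in ("AH", "ESP", "ISAKMP") else "DROP"


def build_ipv4(proto: int, payload: bytes, options: bytes = b"", frag: int = 0) -> bytes:
    """Build a constructed sample packet (checksum 0, documentation addresses)."""
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total, 0, frag,
                         64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + options + payload


# Constructed samples: ISAKMP behind 4 bytes of IP options, and a DNS query.
ISAKMP_SAMPLE = build_ipv4(17, struct.pack("!HHHH", 500, 500, 8, 0), b"\x01" * 4)
DNS_SAMPLE = build_ipv4(17, struct.pack("!HHHH", 40000, 53, 8, 0))
```

A rule set that matches only on UDP port 500 and forgets IP protocols 50 and 51 lets the key exchange through while dropping the protected traffic itself, which is the case `filter_decision` makes visible.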

1.1. Key limitations and strengths of IPSec

IPSec is effective in providing authentication and confidentiality for messages that carry signaling and media. At the same time, there are limitations that can impact the performance of multimedia communications. The only disadvantage seen in IPSec for now is the difficulty of configuring it on Windows systems. Windows 2000 and Windows XP provide tools to configure IPSec tunnels, but the configuration is quite difficult (Microsoft names everything differently from the standard) and also has some limitations (such as: ...