Network Security Network Layer - Network Security

What is Network Security Network Layer?

Network layer security controls were used regularly for securing communications, particularly over shared networks such as the internet because they can provide protection for many programs at once with out editing them.

In the earlier chapters, we mentioned that many real-time security protocols have advanced for network security ensuring basic tenets of security including privacy, beginning authentication, message integrity, and non-repudiation.

Most of these protocols remained focused on the higher layers of the OSI protocol stack, to compensate for inherent lack of security in popular internet Protocol. although valuable, these techniques cannot be generalized without problems for use with any utility. for example, SSL is advanced specially to cozy packages like HTTP or FTP. but there are numerous other applications which also need secure communications.

This need gave rise to increase a security answer on the IP layer so that all higher-layer protocols should take advantage of it. In 1992, the internet Engineering task force (IETF) started to outline a standard ‘IPsec’.

In this chapter, we are able to speak how security is done at network layer the use of this very popular set of protocol IPsec.

Security in Network Layer

Any scheme this is developed for providing network security needs to be implemented at some layer in protocol stack as depicted inside the diagram below –


Communication Protocols

Security Protocols

Application Layer



Transport Layer



Network Layer



The popular framework developed for ensuring security at network layer is internet Protocol security (IPsec).

Features of IPsec

  • IPsec is not designed to work only with TCP as a transport protocol. it works with UDP as well as any other protocol above IP such as ICMP, OSPF etc.
  • IPsec protects the entire packet provided to IP layer inclusive of higher layer headers.
  • Because higher layer headers are hidden which bring port number, traffic analysis is more tough.
  • IPsec works from one network entity to any other network entity, not from utility technique to application method. hence, security may be followed with out requiring changes to individual person computers/applications.
  • Tough widely used to offer secure communication between network entities, IPsec can offer host-to-host security as well.
  • The most common use of IPsec is to offer a virtual private network (VPN), both between places (gateway-to-gateway) or among a remote user and an enterprise network (host-to-gateway).

Security Functions

The important security functions provided through the IPsec are as follows −

  • Confidentiality
    • Enables communicating nodes to encrypt messages.
    • Prevents eavesdropping by third events.
  • Origin authentication and data integrity.
    • Provides assurance that a obtained packet became actually transmitted through the party recognized because the source in the packet header.
    • Confirms that the packet has not been altered or otherwise.
  • Key management.
    • Allows secure change of keys.
    • Protection against certain forms of security assaults, including replay attacks.

Virtual Private Network

Ideally, any institution could need its personal private network for communication to ensure security. but, it may be very costly to establish and preserve such private network over geographically dispersed area. it would require to control complex infrastructure of communication links, routers, DNS, etc.

IPsec presents an easy mechanism for implementing virtual private network (VPN) for such institutions. VPN technology permits institution’s inter-office traffic to be sent over public internet by means of encrypting traffic before entering the public internet and logically separating it from different traffic. The simplified working of VPN is shown in the following diagram –

Network Security – Network Layer

Overview of IPsec

IPsec is a framework/suite of protocols for providing security on the IP layer.


In early 1990s, internet became utilized by few institutions, generally for academic purposes. but in later decades, the increase of internet became exponential because of expansion of network and numerous organizations using it for communication and other purposes.

With the large growth of internet, combined with the inherent security weaknesses of the TCP/IP protocol, the want became felt for a technology that may offer network protection at the internet. A document entitled "security in the internet architecture” was issued through the internet architecture Board (IAB) in 1994. It identified the key regions for security mechanisms.

The IAB protected authentication and encryption as essential security capabilities in the IPv6, the following-generation IP. fortunately, these security capabilities were defined such that they can be implemented with each the present day IPv4 and futuristic IPv6.

Security framework, IPsec has been described in numerous ‘Requests for comments’ (RFCs). some RFCs specify a few portions of the protocol, while others address the answer as a whole.

Operations within IPsec

The IPsec suite may be considered to have separate operations, when performed in unison, presenting a entire set of security services. those operations are IPsec communication and internet Key change.

  • IPsec communication
    • It is commonly related to standard IPsec functionality. It includes encapsulation, encryption, and hashing the IP datagrams and managing all packet techniques.
    • It is responsible for managing the communication according to the available security associations (SAs) set up between communicating events.
    • It uses security protocols including Authentication Header (AH) and Encapsulated SP (ESP).
    • IPsec communication is not involved in the creation of keys or their control.
    • IPsec communication operation itself is commonly called IPsec.
  • Internet Key exchange (IKE)
    • IKE is the automatic key control protocol used for IPsec.
    • Technically, key control is not essential for IPsec communication and the keys can be manually managed. however, manual key control is not desirable for huge networks.
    • IKE is responsible for introduction of keys for IPsec and presenting authentication during key establishment method. though, IPsec may be used for any other key management protocols, IKE is used by default.
    • IKE defines protocol (Oakley and SKEME) to be used with already defined key control framework internet security association Key management Protocol (ISAKMP).
    • ISAKMP is not IPsec unique, however presents the framework for developing SAs for any protocol.

This chapter mainly discusses the IPsec communication and related protocol employed to achieve security.

IPsec Communication Modes

IPsec communication has modes of functioning; transport and tunnel modes. these modes may be used in combination or used individually depending upon the form of communication preferred.

Transport Mode

  • IPsec does now not encapsulate a packet received from upper layer.
  • The unique IP header is maintained and the data is forwarded based at the original attributes set through the higher layer protocol.
  • The following diagram indicates the data flow in the protocol stack.

Network Security – Network Layer

  • The problem of transport mode is that no gateway services may be provided. it is reserved for point-to-point communications as depicted in the following image.

Network Security – Network Layer

Tunnel Mode

  • This mode of IPsec presents encapsulation services along with different security services.
  • In tunnel mode operations, the complete packet from upper layer is encapsulated before applying security protocol. New IP header is introduced.
  • The following diagram indicates the information flow in the protocol stack.

Network Security – Network Layer

  • Tunnel mode is generally related to gateway activities. The encapsulation presents the ability to ship several sessions through a single gateway.
  • The typical tunnel mode communication is as depicted within the following diagram.

Network Security – Network Layer

  • As a ways because the endpoints are involved, they have a direct transport layer connection. The datagram from one system forwarded to the gateway is encapsulated and then forwarded to the remote gateway. The remote related gateway de-encapsulates the records and forwards it to the destination endpoint at the internal network.
  • Using IPsec, the tunneling mode may be installed between the gateway and individual end system as well.

Network Security – Network Layer

IPsec Protocols

IPsec uses the security protocols to offer preferred security services. these protocols are the heart of IPsec operations and everything else is designed to help these protocol in IPsec.

Security institutions among the communicating entities are installed and maintained by the security protocol used.

There are security protocols described through IPsec — Authentication Header (AH) and Encapsulating security Payload (ESP).

Authentication Header

The AH protocol presents service of information integrity and origin authentication. It optionally caters for message replay resistance. but, it does no longer offer any form of confidentiality.

AH is a protocol that provides authentication of both all or part of the contents of a datagram through the addition of a header. The header is calculated based on the values in the datagram. What parts of the datagram are used for the calculation, and where to place the header, relies upon at the mode cooperation (tunnel or transport).

The operation of the AH protocol is particularly simple. it can be considered just like the algorithms used to calculate checksums or carry out CRC checks for error detection.

The idea behind AH is the same, except that instead of the use of a simple algorithm, AH uses special hashing algorithm and a secret key recognized only to the communicating events. A security association among devices is set up that specifies these particulars.

The technique of AH goes through the following phases.

  • When IP packet is received from higher protocol stack, IPsec determine the associated security association (SA) from available information inside the packet; for example, IP address (supply and destination).
  • From SA, once it is recognized that security protocol is AH, the parameters of AH header are calculated. The AH header includes the following parameters –

Network Security – Network Layer

  • The header area specifies the protocol of packet following AH header. sequence Parameter Index (SPI) is received from SA current between communicating events.
  • Sequence range is calculated and inserted. those numbers offer optional capability to AH to resist replay assault.
  • Authentication records is calculated differently relying upon the communication mode.
  • In transport mode, the calculation of authentication records and assembling of final IP packet for transmission is depicted inside the following diagram. In unique IP header, change is made only in protocol number as 51 to indicated utility of AH.

Network Security – Network Layer

  • In Tunnel mode, the above process takes place as depicted in the following diagram.

Network Security – Network Layer

Encapsulation security Protocol (ESP)

ESP presents security services including confidentiality, integrity, origin authentication, and optional replay resistance. The set of services provided depends on options selected at the time of security association (SA) establishment.

In ESP, algorithms used for encryption and generating authenticator are decided through the attributes used to create the SA.

The technique of ESP is as follows. the primary steps are similar to technique of AH as stated above.

  • Once it is determined that ESP is concerned, the fields of ESP packet are calculated. The ESP field arrangement is depicted in the following diagram.

Network Security – Network Layer

  • Encryption and authentication system in transport mode is depicted in the following diagram.

Network Security – Network Layer

  • In case of Tunnel mode, the encryption and authentication method is as depicted in the following diagram.

Network Security – Network Layer

Although authentication and confidentiality are the primary services provided by means of ESP, each are optional. Technically, we will use NULL encryption with out authentication. however, in exercise, one of the need to be implemented to apply ESP effectively.

The basic concept is to use ESP when one desires authentication and encryption, and to apply AH when one wants extended authentication with out encryption.

Security Associations in IPsec

Security association (SA) is the foundation of an IPsec communication. The features of SA are −

  • Before sending information, a virtual connection is installed between the sending entity and the receiving entity, referred to as “security association (SA)”.
  • IPsec gives many options for performing network encryption and authentication. every IPsec connection can offer encryption, integrity, authenticity, or all three services. while the security carrier is decided, the two IPsec peer entities must determine precisely which algorithms to use (for example, DES or 3DES for encryption; MD5 or SHA-1 for integrity). After selecting the algorithms, the two devices have to share session keys.
  • SA is a set of above communication parameters that offers a relationship among two or more structures to build an IPsec session.
  • SA is simple in nature and consequently SAs are required for bi-directional communications.
  • SAs are identified by way of a security Parameter Index (SPI) range that exists in the security protocol header.
  • Both sending and receiving entities keep state data about the SA. it is similar to TCP endpoints which also keep state information. IPsec is connection-oriented like TCP.

Parameters of SA

Any SA is uniquely recognized through the subsequent three parameters −

  • Security Parameters Index (SPI).
    • It is a 32-bit value assigned to SA. it is used to distinguish among unique SAs terminating on the equal destination and using the same IPsec protocol.
    • Every packet of IPsec includes a header containing SPI subject. The SPI is furnished to map the incoming packet to an SA.
    • The SPI is a random number generated by means of the sender to identify the SA to the recipient.
  • Destination IP address −It may be IP address of end router.
  • Security Protocol Identifier − It indicates whether the association is an AH or ESP SA.

Example of SA among router involved in IPsec communication is shown in the following diagram.

Network Security – Network Layer

Security Administrative Databases

In IPsec, there are two databases that manage the processing of IPsec datagram. One is the security association Database (sad) and the other is the security policy Database (SPD). every communicating endpoint using IPsec need to have a logically separate sad and SPD.

Security Association Database

In IPsec communication, endpoint holds SA state in security association Database (sad). each SA access in sad database carries nine parameters as proven inside the following table –


Parameters & Description


Sequence Number Counter

For outbound communications. This is the 32-bit sequence number provided in the AH or ESP headers.


Sequence Number Overflow Counter

Sets an option flag to prevent further communications utilizing the specific SA


32-bit anti-replay window

Used to determine whether an inbound AH or ESP packet is a replay


Lifetime of the SA

Time till SA remain active


Algorithm - AH

Used in the AH and the associated key


Algorithm - ESP Auth

Used in the authenticating portion of the ESP header


Algorithm - ESP Encryption

Used in the encryption of the ESP and its associated key information


IPsec mode of operation

Transport or tunnel mode



Any observed path maximum transmission unit (to avoid fragmentation)

All SA entries within the sad are indexed through the three SA parameters: destination IP address, security Protocol Identifier, and SPI.

Security policy Database

SPD is used for processing outgoing packets. It helps in deciding what sad entries must be used. If no sad entry exists, SPD is used to create new ones.

Any SPD entry would include −

  • Pointer to active SA held in sad.
  • Selector fields – field in incoming packet from top layer used to decide application of IPsec. Selectors can include source and destination address, port numbers if applicable, utility IDs, protocols, etc.

Outgoing IP datagrams go from the SPD access to the specific SA, to get encoding parameters. Incoming IPsec datagram get to the best SA directly the usage of the SPI/DEST IP/Protocol triple, and from there extracts the related sad entry.

SPD can also specify traffic that need to bypass IPsec. SPD may be considered as a packet filter in which the actions decided upon are the activation of SA techniques.


IPsec is a collection of protocols for securing network connections. it is rather a complex mechanism, because in preference to giving straightforward definition of a specific encryption algorithm and authentication function, it presents a framework that allows an implementation of anything that each communicating ends agree upon.

Authentication Header (AH) and Encapsulating security Payload (ESP) are the two main communication protocols used by IPsec. while AH only authenticate, ESP can encrypt and authenticate the data transmitted over the connection.

Transport Mode presents a secure connection between two endpoints with out changing the IP header. Tunnel Mode encapsulates the entire payload IP packet. It adds new IP header. The latter is used to form a traditional VPN, as it presents a digital secure tunnel across an untrusted internet.

Setting up an IPsec connection involves all kinds of crypto choices. Authentication is usually built on top of a cryptographic hash including MD5 or SHA-1. Encryption algorithms are DES, 3DES, Blowfish, and AES being common. different algorithms are possible too.

Both communicating endpoints need to realize the secret values used in hashing or encryption. manual keys require manual entry of the secret values on both ends, presumably conveyed by a few out-of-band mechanism, and IKE (net Key exchange) is a sophisticated mechanism for doing this online.

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd Protection Status

Network Security Topics