The following tunnelling technologies are commonly used in VPN
IPSEC (INTERNET PROTOCOL SECURITY)
IPsec was developed by IETF (the Internet Engineering Task Force) for secure transfer of
information at the OSI layer three across a public unprotected IP network, such as the
Internet. IPsec enables a system to select and negotiate the required security protocols,
algorithm(s) and secret keys to be used for the services requested. IPsec provides basic
authentication, data integrity and encryption services to protect against unauthorised viewing and
modification of data. It makes use of two security protocols, AH (Authentication Header)
and ESP (Encapsulating Security Payload), to provide the required services. However, IPsec is limited to carrying only IP packets.
Security Protocols for Traffic Security
IPsec makes use of the AH and ESP protocols to provide security services:
The AH (Authentication Header) protocol provides source authentication and
integrity for IP packets, but no encryption. The AH header added
to the IP packet contains a hash of the data, a sequence number and other
information that can be used to verify the sender, ensure data integrity and
prevent replay attacks.
The ESP (Encapsulating Security Payload) protocol provides data confidentiality
in addition to source authentication and integrity. ESP uses symmetric
encryption algorithms, such as 3DES, to provide data privacy. The algorithm
must be the same on both communicating peers. ESP can also be configured for
encryption only or authentication only. However, research published in
2007 showed that any RFC-compliant implementation of IPsec that uses
encryption-only ESP can be broken.
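As an added example (not code from the original text), the following Python sketch shows in simplified form two of the services the text attributes to AH and ESP: an integrity check value (ICV) computed over the header and payload, and the sliding anti-replay window driven by the sequence number. The SPI, key, packet layout and window size are constructed for the demo; real IPsec uses the exact formats of RFC 4302/4303 and keys negotiated by IKE.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real SA's integrity key is negotiated by IKE.
KEY = b"constructed-demo-integrity-key"
WINDOW = 64   # anti-replay window size in packets (RFC 4302/4303 default)
ICV_LEN = 12  # truncated 96-bit integrity check value, as common IPsec suites use


def build_packet(spi, seq, payload):
    """Simplified AH/ESP-style packet: SPI | sequence number | payload | ICV."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(KEY, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    """Receiver state for one SA: verify the ICV first, then enforce anti-replay."""

    def __init__(self, spi):
        self.spi = spi
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (highest - i) already seen

    def accept(self, packet):
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", header)
        if spi != self.spi:
            return "drop: unknown SPI"
        expected = hmac.new(KEY, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "drop: integrity check failed"  # tampered or forged packet
        if seq == 0:
            return "drop: sequence number 0 is never valid"
        if seq > self.highest:
            # Slide the window forward so bit 0 represents the new highest value.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return "accept"
        diff = self.highest - seq
        if diff >= WINDOW:
            return "drop: too old"  # fell out of the window; cannot tell replay from delay
        if (self.bitmap >> diff) & 1:
            return "drop: replay"   # this sequence number was already accepted
        self.bitmap |= 1 << diff    # late but unseen: accept and remember it
        return "accept"
```

Note the order of checks: the ICV is verified before the window is updated, so an attacker cannot advance the receiver's window with forged sequence numbers.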
Modes of Operation
Each security protocol supports two modes of operation: a tunnel mode and a transport
mode. Tunnel mode encrypts and/or authenticates the header and the data of each packet,
while transport mode only encrypts and/or authenticates the data itself.
1. Tunnel mode (end to end)
Here the entire packet is protected. The original IP packet, with original
destination address, is inserted into a new IP packet and the AH and ESP are
applied to the new packet. The new IP header points to the end point of the
tunnel. Upon receipt of the packet, the tunnel end point will decrypt the content and the
original packet is further routed to its final destination in the target network.
2. Transport mode (host to host)
Here the AH and ESP headers are applied to the data of the original IP
packet. This mode encrypts and/or authenticates the data but not the IP
header. The overhead added is less than that required in tunnel mode.
However, the final destination and source addresses could be sniffed, and
attackers can perform traffic analysis based on the exposed header
information. It is generally only used for host to host connections.