Chapter 2. TCP/IP Overview

This chapter provides a very brief introduction to the TCP/IP protocols for readers not familiar with the concepts of TCP/IP.[1] We then go on to discuss the advantages and disadvantages of implementing security at various layers in the stack. This is necessary to understand the reasons for implementing security at a given layer, and it also provides the framework for discussing IP security in the following chapters.

Introduction to TCP/IP

In this section, we briefly discuss the protocols used in the TCP/IP stack, the addressing architecture, the Domain Name System (DNS), and the socket interface.

In the early 1960s, DARPA (Defense Advanced Research Project Agency) funded a project that connected universities and research agencies through a network called ARPANET. In 1983, the TCP/IP protocols replaced the original ARPANET NCP (Network Control Protocols). The TCP/IP protocols running this network were open, simple, and easy to use. This network has grown considerably into what is now called the Internet. The Internet is a collection of networks running the TCP/IP protocol suite.

In the '80s there were other networking protocol architectures—ISO's OSI, IBM's SNA, and Digital's DECNET to name a few. However, none of these protocols was as simple and open as the TCP/IP protocol suite. This led to wide deployment, development, and support for the TCP/IP protocol suite.

The networking protocol architecture consists of various components:

  • Protocol stack. This comprises various layers that communicate among themselves to efficiently transmit a packet.[2]

  • Addressing. The capability to uniquely identify a destination. To communicate with a global entity, it is necessary to uniquely identify that entity.

  • Routing. The capability to efficiently determine the path a particular packet must traverse to reach its destination.

Protocol Stack

The TCP/IP protocol stack consists of 4 layers as shown in Figure 2.1. Each layer in the stack has well-defined functions and capabilities. Each layer exports well-defined interfaces that the layers above and below it can use to communicate with it. The layered architecture has many advantages. In addition to simplifying the design of the protocol stack, it also simplifies its usage. The design is simplified as each layer interacts only with the layer immediately above and below it. Once the service the layer provides and its interfaces are identified, each layer can be designed independently. The usage is simplified as the complexities of the networking stack are hidden from the applications using the networking stack.

Figure 2.1. IP packets protected by IPSec in transport mode and tunnel mode.

The functionality of each layer is described below. The protocols that implement these services are described later.

Application Layer. The application layer provides the services for an application to send and receive data over the network. It also provides services such as name resolution (refer to DNS). Applications such as World Wide Web (WWW) browsers or e-mail clients use the services provided by the application layer to communicate with their peers, WWW servers and e-mail servers respectively. The application layer also defines the interface to the transport layer. This interface is operating-system dependent. The most popular interface is the socket interface, which is provided in all flavors of the UNIX operating system and on the Microsoft platforms.

Transport Layer. The transport layer is responsible for providing services to the application layer. In the TCP/IP protocol suite the transport layer provides the following services:

  1. Connection-oriented or connectionless transport. In a connection-oriented transport, once a connection is established between two applications, the connection stays until one of the applications gives up the connection voluntarily. The application specifies the destination only once, during the establishment of the connection. The best analogy for this is the telephone service. Once a call is established, it stays connected until one speaker disconnects. In connectionless transport, the application has to specify a destination for every single packet it sends.

  2. Reliable or unreliable transport. In the case of reliable transport, if a packet is lost in the network for some reason (network overload, or some node going down), it is retransmitted by the transport layer. The transport layer guarantees reliable delivery of the packet to the destination. With unreliable transport, the transport layer does not take on the responsibility of retransmission. It is up to applications to handle cases where a packet does not reach its destination because it was dropped in the network.

  3. Security. This service is new compared to the other services offered by the transport layer. Security services such as authenticity, integrity, and confidentiality are not widely supported. However, in the future, security will be tightly integrated with the stack and will be widely available.

An application has to choose the services it requires from the transport layer. There are advantages and disadvantages in choosing different services. In addition, there may be limitations in the combination of services one can choose. Presently, it is invalid to choose connectionless reliable transport as TCP/IP does not implement such a protocol. The discussion of these is beyond the scope of this book.

Network Layer. The network layer provides connectionless service. It is responsible for routing packets. Routing can be described as the process that determines the path a packet has to traverse to reach the destination. The devices that decide how to route a packet are called “routers.”[3] In order to route the packet, the network layer needs to identify each destination unambiguously, so it defines an addressing mechanism. Hosts must conform to this addressing mechanism to make use of the services offered by the network layer. This is discussed in greater detail in the Addressing section below.

Data Link Layer. The data link layer is responsible for packet transmission on the physical media. The transmission is between two devices that are physically connected. Examples of data link layers are Ethernet, Token Ring, and Asynchronous Transfer Mode (ATM).

As described above, each layer in the protocol stack is tasked with a specific function and the layering must be preserved. The application layer cannot talk to the network layer directly. It has to talk through the transport layer. Layering is also preserved between hosts as shown in Figure 2.2.

Figure 2.2. Communication between layers.

Data Flow

The data flow from source to destination is as shown in Figure 2.3.

Figure 2.3. Data flow.

For the purposes of the discussion, let us assume that the transport protocol is TCP and the network protocol is IP.

  1. An application on the source host sends the data that needs to be transmitted to the destination over the socket interface to the transport layer. The application identifies the destination it wishes to communicate with. The destination includes the host and an application on the host.

  2. The transport layer, in this case TCP, gets this data and appends a transport header, in this case a TCP header, to the payload, the data, and sends this down to the network layer. The fields in the TCP header help in providing the services requested by the application.

  3. The network layer receives the payload from the transport layer. This consists of the data and the TCP header. It appends an IP header to this payload. It then sends the payload plus IP header down to the data link layer. In addition, the network layer also identifies the neighbor the packet needs to be sent to en route to the destination.

  4. The data link layer then appends a data link header to the payload from the network layer. The data link layer identifies the physical address of the next hop the packet should be sent to and sends the packet.

  5. The data link layer on the next hop receives the packet, strips the data link header from the packet and sends the packet up to the network layer.

  6. The network layer looks at the network header and decides the next hop the packet needs to be sent to en route to the destination and invokes the data link layer.

  7. The data link layer appends the data link header to the payload and transmits the packet to the next hop.

  8. Steps 6 and 7 are repeated until the packet reaches the destination.

  9. Upon reaching the destination, the data link layer strips the data link header from the packet and sends it up to the network layer.

  10. The network layer then strips the network header from the packet and sends it up to the transport layer.

  11. The transport layer then checks the transport header to guarantee that the application is being serviced properly, strips the transport header, identifies the application to which this packet is destined, and sends it up to the application.

  12. The application on the destination receives the data that was sent to it by the application on the source.

Network Layer

In the TCP/IP protocol suite, there are two network protocols—IPv4 and IPv6. These protocols are discussed to an extent that provides good context to understand IP Security.

IPv4

IPv4 (Internet Protocol version 4) is the most prevalent network layer protocol today. It uses a simple addressing scheme and provides connectionless service. IPv4 has a very mature routing infrastructure.

Addressing

Addressing is one of the important components of a network layer protocol. IPv4 identifies each host[4] by a 32-bit address. This address is normally represented in the form A.B.C.D. This notation is commonly referred to as dotted decimal notation where each symbol is a byte (8 bits). An example of an IPv4 address is 128.127.126.125. This representation is chosen instead of a flat number space because it imparts hierarchy to addressing and also is easier to perceive.

An IP address has two parts—a network ID and a host ID. The network ID logically groups a set of IP addresses together. The grouping is required to provide efficient routing and other services, such as IP broadcast.[5] The network ID part of an IP address is obtained by a logical AND of the IP address with the network mask. The network mask is always a contiguous run of 1 bits starting from the most significant bit. Examples of network masks are 255.255.255.0, 255.255.0.0, and 255.254.0.0. In these examples the leftmost 24, 16, and 15 bits are 1s respectively. The network ID for the IP address 128.127.126.125 with these example network masks is 128.127.126, 128.127, and 128.126 respectively. This is obtained by a logical AND of the network masks with the IP address as shown in Figure 2.4. An IP address is always represented along with its network mask. There are two representations: 128.127.126.125/255.255.255.0 or 128.127.126.125/24. Both representations have the same meaning, i.e., the network ID is the 24 most-significant bits of the IP address.

Figure 2.4. Relationship between subnets and network masks.

To realize the importance of the network mask, let us consider an analogy of how telephone numbers are allocated and maintained. The telephone numbers in the United States have a well-known structure (xxx)-yyy-zzzz where xxx represents the area code, yyy represents the city code, and zzzz identifies the line within that city. It is important to provide the structure for the purposes of routing and telephone number allocation. Imagine what would happen if there were no such structure. How would one know if a number is already allocated or not? Moreover, if someone wants to call a number from California, how does the switch in California know how to reach all the telephones in the U.S., which number 10^10! IP address allocation is no different. It allows logical grouping of addresses to ease the task of address allocation, routing, and providing other services.

An organization that gets a network ID can define subnets recursively. Let us go back to the telephone address allocation. For the purpose of illustration, let us say that the top 3 digits (xxx) are allocated to a state. It is up to the state to use the lower 7 digits. The state uses 3 out of the 7 digits to identify the town. The town uses the 4 digits that are left to identify the telephone of a particular house. In this case, there is a three-level address allocation—state, city, and house. Network address allocation is no different. An organization that gets a chunk of network addresses would like to allocate it to make its routing and traffic separation easy. Various departments may like to have addresses in the same range as they may want to keep some traffic local to their network. For example, if an organization receives a network ID 132.131/255.255, it can use some bits to form its own subnets. Let us say that it uses 8 of the 16 bits to form its own subnets. Then the network mask within the organization is 255.255.255.0. However, this is invisible to the outside world. For the outside world, the network mask for the organization is still 255.255.0.0.

You may be wondering why it is necessary to define subnets. The following are the advantages of defining subnets:

  1. The routing table size in the Internet core decreases because it is unnecessary to specify each host in an organization. A router can be delegated the task of forwarding a packet originating or destined to any host on the subnet. Normally, at least one router is assigned for each subnet.

  2. Subnets are used to contain some types of IP traffic, such as IP broadcasts. There are packets that are sent to all the hosts on a subnet. If an organization has a network ID 125.126, a broadcast packet would be sent to all the 65,000 hosts! If subnets are used, these packets are restricted just to the subnet.

IP supports three kinds of addresses—unicast, multicast, and anycast. Unicast addressing is where an IP address uniquely identifies a host. Any IP address in the range 1.0.0.1 to 223.255.255.255 represents a unicast address. Address range 224.0.0.0 to 239.255.255.255 represents a multicast address and address range 240.0.0.0 to 247.255.255.255 represents an anycast address, and 248.0.0.0 to 255.255.255.255 is reserved for future use. Anycast addressing is still a research topic, and is not covered in this book.

As there are 32 bits in an IPv4 address, one can address up to 2^32 hosts[6]! One would imagine that this should be more than sufficient to address all hosts on the Internet. However, the Internet is running out of address space, and this has led to the design of IPv6.
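The network-ID computation, the /prefix versus dotted-mask equivalence, and the organisation's subnetting of 132.131/255.255 described above can be worked through in code. The following Python program is an added example and is not code from this book; the addresses it uses are the chapter's own (128.127.126.125, the three example masks, 132.131/16 and 125.126/16), the function names are the example's own, and the unicast/multicast split is the one the chapter gives.

```python
"""Dotted-decimal addresses, network masks and subnets (constructed example)."""
import ipaddress
import struct


def ip_to_int(dotted):
    """Parse A.B.C.D into a 32-bit integer; each symbol is one byte."""
    octets = [int(x) for x in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return struct.unpack("!I", bytes(octets))[0]


def int_to_ip(value):
    """Inverse of ip_to_int: 32-bit integer back to dotted decimal."""
    return ".".join(str(b) for b in struct.pack("!I", value & 0xFFFFFFFF))


def prefix_to_mask(prefix_len):
    """/24 -> 0xFFFFFF00: the leftmost prefix_len bits set, the rest zero."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def mask_to_prefix(mask):
    """255.254.0.0 -> 15; rejects masks whose 1 bits are not contiguous."""
    m = ip_to_int(mask)
    ones = bin(m).count("1")
    if m != prefix_to_mask(ones):
        raise ValueError(f"non-contiguous network mask: {mask}")
    return ones


def network_id(address, mask):
    """Network ID = address AND mask, exactly the operation of Figure 2.4."""
    return int_to_ip(ip_to_int(address) & ip_to_int(mask))


def broadcast_address(address, mask):
    """Directed broadcast: the network ID with every host bit set to 1."""
    m = ip_to_int(mask)
    return int_to_ip((ip_to_int(address) & m) | (~m & 0xFFFFFFFF))


def subnets(network, mask, subnet_bits):
    """Borrow subnet_bits host bits to split a block into 2**subnet_bits subnets."""
    base = ip_to_int(network) & ip_to_int(mask)
    inner = mask_to_prefix(mask) + subnet_bits
    if inner > 32:
        raise ValueError("not enough host bits to borrow")
    step = 1 << (32 - inner)
    return [f"{int_to_ip(base + i * step)}/{inner}" for i in range(1 << subnet_bits)]


def address_kind(address):
    """Unicast vs multicast, using the first-octet ranges given in this chapter."""
    first = ip_to_int(address) >> 24
    if 224 <= first <= 239:
        return "multicast"
    if 1 <= first <= 223:
        return "unicast"
    return "reserved/other"


def matches_stdlib(address, prefix_len):
    """Cross-check the hand-rolled AND against the standard library's answer."""
    mask = int_to_ip(prefix_to_mask(prefix_len))
    net = ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)
    return network_id(address, mask) == str(net.network_address)


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0", "255.254.0.0"):
        print(f"128.127.126.125/{mask_to_prefix(mask)} -> network {network_id('128.127.126.125', mask)}")
    print("first/last subnet of 132.131/16 with 8 subnet bits:",
          subnets("132.131.0.0", "255.255.0.0", 8)[0], subnets("132.131.0.0", "255.255.0.0", 8)[-1])
    print("broadcast for 125.126/16:", broadcast_address("125.126.0.0", "255.255.0.0"))
```

The mask check in mask_to_prefix matters in practice: a configuration that accepts any 32-bit value as a mask will silently group hosts in ways no router agrees with, so a contiguous-ones test is the first validation a parser of address/mask pairs should do.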

IPv4 Header

The IPv4 header is shown in Figure 2.5

Figure 2.5. IPv4 header.

The usage of various fields is described below.[7]

Version field. This 4-bit field is used to indicate the version. This value is 4 for IPv4. The version field is normally used for backward compatibility. When new versions are defined, they may be required to interoperate with the legacy systems.

Header length. The header length indicates the length of the header in units of 32 bits (4 bytes). This limits the maximum length of the IPv4 header to 60 bytes. This is one of the limitations of IPv4 that led to the development of a newer version of IP discussed in the next section.

Type Of Service (TOS). TOS is used to indicate the traffic requirements of the packet. This field is currently under review at the IETF.

Length. The length of the datagram in bytes (including the header), in network byte order.[8] This field indicates the size of the datagram to the network layer at the receiving end.

Identification. The 16-bit identification field is used to uniquely identify an IP datagram. The term IP datagram refers to the transport payload plus IP header, and is used in the context of end hosts. The identification field is used mostly in the context of fragmentation, which is described later. The identification field is used to uniquely identify which IP packets belong to an IP datagram.

Flags. Only 2 of the 3 bits in the flags field are defined. The first bit is used to specify that the IP packet must not be fragmented. When this bit is set and a router would have to fragment the packet, it sends back a control message to the host indicating its MTU (Maximum Transfer Unit). This bit is used in Path MTU discovery, the process by which the end host discovers what size the IP packets it generates should be so that they do not get fragmented en route to the destination. This is necessary because fragmentation is detrimental to the operation of the network: the transport layer has to resend the entire datagram if a single fragment is lost. The second bit indicates whether the packet is the last fragment of a fragmented datagram or whether more follow. This bit is used in reassembling fragmented packets.

Fragmentation offset. This field indicates the offset of the IP packet in the IP datagram. The utility of this field is discussed in the fragmentation section.

Time To Live (TTL). This field is used to avoid packet looping and also to administratively scope the transmission of a packet. The host sets this field to a default value and each router along the path decrements it by 1. If a router sees a packet with a TTL of 1, it drops the packet. This is crucial in the case of routing loops, as otherwise the packet would circulate in the network forever.

Protocol. This 8-bit field is used to indicate the transport protocol carried by this IP packet. This field is used by the end host to demultiplex the packet among the various transport protocols.

Checksum. The checksum is calculated on the IP header and is used to guarantee the integrity of the IP header. The checksum is not a cryptographic checksum and can be easily forged.

Source address. This 32-bit field indicates the IP address of the source that generated this packet.

Destination address. This 32-bit field indicates the IP address of the destination host.

Options. An IP header can optionally carry additional information. As options are not important in understanding IP security, they are not discussed in this book.
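The encapsulation steps of the Data Flow section (steps 1 through 12) and the IPv4 header fields just described can be exercised together. The following Python program is an added example and is not code from this book: a source host wraps application data in TCP, IPv4 and Ethernet headers, a router strips the link header, decrements TTL and recomputes the header checksum before re-encapsulating, and the destination strips the headers and demultiplexes on the protocol field. All IP addresses, MAC addresses and port numbers are constructed sample values, the TCP checksum is left at zero because only the IP header is under discussion, and the function names are the example's own.

```python
"""Layered encapsulation, the IPv4 header and a router hop (constructed example)."""
import socket
import struct

IP_PROTO_TCP = 6
ETHERTYPE_IPV4 = 0x0800
ETH_HDR_LEN, IP_HDR_LEN, TCP_HDR_LEN = 14, 20, 20
IPV4_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, length, ident, flags+offset, ttl, proto, csum, src, dst


def ip_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words, complemented.
    Run over a header that already carries its checksum, the result is 0 if it is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto, ttl=64, ident=1, df=True):
    """20-byte header without options: version 4, IHL 5, DF set, fragment offset 0."""
    flags_frag = 0x4000 if df else 0
    fields = struct.pack(IPV4_FMT, 0x45, 0, IP_HDR_LEN + payload_len, ident, flags_frag,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def parse_ipv4_header(packet):
    """Decode the fixed fields; checksum_ok is False if the header was corrupted in transit."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack(IPV4_FMT, packet[:IP_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IP_HDR_LEN or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    return {"version": 4, "header_len": ihl, "total_len": total_len, "ident": ident,
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "frag_offset": (flags_frag & 0x1FFF) * 8, "ttl": ttl, "proto": proto,
            "checksum_ok": ip_checksum(packet[:ihl]) == 0,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def build_tcp_header(sport, dport, seq=0):
    """Minimal 20-byte TCP header (data offset 5, SYN); TCP checksum left 0 in this example."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_ethernet(dst_mac, src_mac, ethertype=ETHERTYPE_IPV4):
    """14-byte Ethernet header: destination MAC, source MAC, EtherType."""
    return bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ethertype)


def host_send(data, src_ip, dst_ip, sport, dport, src_mac, next_hop_mac, ttl=64):
    """Steps 1-4: each layer adds its header in front of the payload it received."""
    tcp = build_tcp_header(sport, dport) + data
    ip = build_ipv4_header(src_ip, dst_ip, len(tcp), IP_PROTO_TCP, ttl=ttl) + tcp
    return build_ethernet(next_hop_mac, src_mac) + ip


def router_forward(frame, router_mac, next_hop_mac):
    """Steps 5-7: strip the link header, check and update the IP header, re-encapsulate.
    Returns None when the packet is dropped (corrupt header or TTL exhausted)."""
    packet = frame[ETH_HDR_LEN:]
    hdr = parse_ipv4_header(packet)
    if not hdr["checksum_ok"] or hdr["ttl"] <= 1:
        return None
    ihl = hdr["header_len"]
    mutable = bytearray(packet[:ihl])
    mutable[8] -= 1                           # decrement TTL ...
    mutable[10:12] = b"\x00\x00"
    mutable[10:12] = struct.pack("!H", ip_checksum(bytes(mutable)))   # ... and recompute the checksum
    return build_ethernet(next_hop_mac, router_mac) + bytes(mutable) + packet[ihl:]


def host_receive(frame):
    """Steps 9-12: peel each header, demultiplex on the protocol field, hand data up."""
    packet = frame[ETH_HDR_LEN:]
    hdr = parse_ipv4_header(packet)
    if not hdr["checksum_ok"] or hdr["proto"] != IP_PROTO_TCP:
        return None
    payload = packet[hdr["header_len"]:hdr["total_len"]]
    sport, dport = struct.unpack("!HH", payload[:4])
    return {"src": hdr["src"], "dst": hdr["dst"], "sport": sport, "dport": dport,
            "ttl": hdr["ttl"], "data": payload[TCP_HDR_LEN:]}


if __name__ == "__main__":
    frame = host_send(b"GET / HTTP/1.0\r\n", "128.127.126.125", "10.0.0.80", 40000, 80,
                      "02:00:00:00:00:01", "02:00:00:00:00:fe")
    forwarded = router_forward(frame, "02:00:00:00:00:fe", "02:00:00:00:00:50")
    print(host_receive(forwarded))
```

checksum_ok catches accidental corruption (flipping one bit of the source address makes verification fail) but, because anyone who can rewrite the header can recompute the checksum, it says nothing about who actually sent the packet; that is the gap the IP security mechanisms of the following chapters address.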

IPv6

IPv4 limits the address space to 32 bits. To avoid the address crunch, the IETF started working on the next version of IP and called it IPv6. One of the main advantages of IPv6 is that it increased the address space from 32 bits to 128 bits (16 bytes).

Other modifications include:

  • No fragmentation support for transit packets in routers. End hosts are now required to perform PMTU discovery.

  • Richer options support. The options are treated as separate headers instead of being part of the IP header. This is called header chaining and is more flexible. In this case, the IP extension headers (options) are inserted between the IP header and the transport layer header.

Addressing

Conceptually, both the addressing and subnetting of IPv6 are similar to those of IPv4. IPv6 addresses are 128 bits long and their representation is different. Instead of the dotted decimal notation used in IPv4, IPv6 uses a different notation—hexadecimal numbers separated by colons:

0123:4567:89AB:CDEF:0123:4567:89ab:cdef

There are a number of variations to compress the address. The reader is encouraged to refer to IPv6 addressing architecture IETF documents for a more detailed discussion.

The concept of network mask and subnet in IPv6 is similar to what exists in IPv4. IPv6 implements a much richer hierarchy for addressing to ease the problem of routing and addressing.

IPv6 Header

The IPv6 header is shown in Figure 2.6.

Figure 2.6. IPv6 header.

The usage of various fields is described below.

Version. This 4-bit field indicates the version. For IPv6 this value is 6.

Traffic Class. This 8-bit field is used to indicate the traffic requirements of the packet and is similar to the TOS field in the IPv4 header.

Flow Label. This 20-bit field is still experimental, and it is not yet clear how it will be used in the future. One possible use is to identify a flow that requires special processing by routers.

Payload Length. This 16-bit field indicates the length of the payload excluding the IPv6 header.

Next Header. This 8-bit field is similar to the protocol field in the IPv4 header, the only difference being that, unlike in IPv4, it may identify an option (extension) header rather than a transport protocol.

Hop Limit. This 8-bit field is the same as the TTL field in the IPv4 header.

Source and Destination Address. These 128-bit fields represent the source and destination IPv6 addresses respectively.

Extension Headers

As mentioned before, IPv6 defines option headers to provide the capabilities that IPv4 option fields provide. These are called extension headers. The option extensions are inserted between the IPv6 header and the transport header as shown in Figure 2.7.

Figure 2.7. IPv6 header with options.

Each option header is assigned a unique protocol ID and is encoded using the same format as shown in Figure 2.8.

Figure 2.8. IPv6 options format.

There are two kinds of options—hop by hop and destination-based. Hop-by-hop options can change along the path and are normally included immediately following the IPv6 header. Destination-based options do not change along the path and are inserted after the hop-by-hop options.
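A receiver (or a packet filter) finds the transport header of an IPv6 packet by following the Next Header chain through the extension headers until it reaches a transport protocol. The following Python program is an added example, not code from this book: it builds a constructed packet carrying a hop-by-hop header, a destination options header and a TCP header, walks the chain with bounds checks, refuses a hop-by-hop header that is not first, and shows the compressed text form of the chapter's sample address via the standard library. Addresses, ports and function names are the example's own; the 8-octet length rule for the chained headers and the fixed 8-byte fragment header follow the IPv6 specification.

```python
"""Walking an IPv6 extension header chain (constructed example)."""
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_HOP_BY_HOP, NH_TCP, NH_ROUTING, NH_FRAGMENT, NH_DEST_OPTS = 0, 6, 43, 44, 60
# Headers this walker steps over; anything else (TCP, UDP, ICMPv6, ESP, ...) ends the chain.
CHAINED = {NH_HOP_BY_HOP: "hop-by-hop", NH_ROUTING: "routing",
           NH_FRAGMENT: "fragment", NH_DEST_OPTS: "destination"}
MAX_EXT_HEADERS = 8   # defensive bound so a hostile chain cannot keep a parser busy


def compress(addr):
    """Canonical compressed text form (leading zeros dropped, one '::' run, lowercase)."""
    return ipaddress.IPv6Address(addr).compressed


def walk_extension_headers(packet):
    """Return (chain, upper_layer_protocol, offset_of_upper_layer_header)."""
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header = struct.unpack("!HB", packet[4:7])
    end = IPV6_HDR_LEN + payload_len
    if end > len(packet):
        raise ValueError("truncated packet")
    chain, offset = [], IPV6_HDR_LEN
    while next_header in CHAINED:
        if len(chain) >= MAX_EXT_HEADERS:
            raise ValueError("extension header chain too long")
        if next_header == NH_HOP_BY_HOP and chain:
            raise ValueError("hop-by-hop header must immediately follow the IPv6 header")
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        nh, ext_len = packet[offset], packet[offset + 1]
        # Hdr Ext Len counts 8-octet units beyond the first 8; the fragment header is fixed 8 bytes.
        hdr_len = 8 if next_header == NH_FRAGMENT else (ext_len + 1) * 8
        if offset + hdr_len > end:
            raise ValueError("extension header length exceeds payload")
        chain.append(CHAINED[next_header])
        offset += hdr_len
        next_header = nh
    return chain, next_header, offset


def build_sample_packet():
    """Constructed: IPv6 | Hop-by-Hop (PadN) | Destination Options (PadN) | TCP."""
    src = ipaddress.IPv6Address("0123:4567:89AB:CDEF:0123:4567:89ab:cdef").packed
    dst = ipaddress.IPv6Address("2001:db8::80").packed
    padn = bytes([1, 4, 0, 0, 0, 0])                  # PadN option filling the 6 spare bytes
    hbh = bytes([NH_DEST_OPTS, 0]) + padn             # next = destination options, len 0 -> 8 bytes
    dst_opts = bytes([NH_TCP, 0]) + padn              # next = TCP
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    payload = hbh + dst_opts + tcp
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), NH_HOP_BY_HOP, 64) + src + dst
    return fixed + payload


if __name__ == "__main__":
    print(walk_extension_headers(build_sample_packet()))
    print(compress("0123:4567:89AB:CDEF:0123:4567:89ab:cdef"))
```

A filter that only inspects the Next Header byte of the fixed header would see "hop-by-hop" here and never reach the TCP ports; walking the whole chain, with the length and count checks above, is what makes port-based decisions on IPv6 traffic reliable.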

Fragmentation

Fragmentation is the process whereby an IP packet is fragmented into multiple IP packets at the source or in a router. After fragmentation, each packet is transmitted independently and is reassembled at the destination. The question that immediately comes to mind is: Why should we fragment IP packets?

The IP layer accepts any transport layer payloads. The transport layer payloads can be of any size (restricted only by the buffer limitations on the system). The IP layer does not have the ability to restrict the data that is passed to it from the upper layers. However, as the network layer (IP) has to transmit the packet over a physical interface, there are limitations with respect to the size of the packet it can transmit. These limitations arise because of the physical limitations of the medium over which a packet is transmitted. For example, over Ethernet the maximum size of the packet cannot exceed 1518 bytes. If the IP layer's transport payload is more than 1480 bytes (assuming there are no options), it has to fragment the packet before it is transmitted. Otherwise, the length of the packet will exceed 1518 bytes—1480 + 20 bytes for IP header + 14 bytes for Ethernet layer header + 4 bytes of CRC used for detecting errors.

The network layer packets can also be fragmented in any router where there is a mismatch in the maximum length of the packets between two physical layers. For example, the incoming interface can be a token ring that has a maximum packet size of 4096 and the outgoing interface can be Ethernet that has a maximum packet size of 1518. If the IP packet coming in on the token ring is greater than 1500 bytes, the router has to fragment the packets even though it did not generate the packet.

On the destination, the IP layer has to reassemble all the fragmented packets before it passes the payload to the transport layer. Referring to Figure 2.3, the transport layer on the destination should see the same information that was passed from the transport layer down to the network layer on the source. Hence, it is up to the IP layer to reassemble all the fragmented packets, construct the transport payload, and pass it up to the transport layer.

The IP layer achieves this process of fragmentation and reassembly by using the flags, length, and fragmentation offset fields in the IP header.

Fragmenting a packet is considered detrimental to the operation of the network. This is because, even if one packet is lost, the transport payload has to be retransmitted by the reliable transport layer as the IP layer does not cache packets. The IP layer avoids fragmentation by monitoring the MTU along the path from the source to the destination. This process is called Path MTU discovery or PMTU. After the IP layer discovers the PMTU, it never sends a packet that exceeds the PMTU.
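The fragmentation and reassembly process described in this section can be modelled directly with the identification, more-fragments and fragment-offset fields. The following Python program is an added example, not code from this book; to keep the focus on those three fields, a fragment is represented as a tuple (identification, more-fragments, offset in 8-byte units, data) rather than as a full IP packet, and the MTU, payload and identification values are constructed. The reassembler also detects overlapping fragments and refuses to deliver until every byte of the datagram has arrived, which is what a receiver must check before handing data to the transport layer.

```python
"""IPv4 fragmentation and reassembly on the offset and MF fields (constructed example)."""

IP_HDR_LEN = 20


def fragment(ident, payload, mtu=1500, df=False):
    """Split a transport payload into fragments that fit the MTU (Ethernet: 1500 bytes of IP).

    Returns a list of (ident, more_fragments, offset_units, data); offsets count 8-byte units,
    so every fragment but the last carries a multiple of 8 bytes.
    """
    max_data = (mtu - IP_HDR_LEN) // 8 * 8         # 1480 bytes for an Ethernet MTU
    if len(payload) + IP_HDR_LEN <= mtu:
        return [(ident, False, 0, payload)]
    if df:
        raise ValueError("packet exceeds MTU and DF is set; the sender must be told the MTU")
    frags = []
    for start in range(0, len(payload), max_data):
        chunk = payload[start:start + max_data]
        more = start + max_data < len(payload)
        frags.append((ident, more, start // 8, chunk))
    return frags


class Reassembler:
    """Collect fragments per identification value; deliver only a complete, gap-free datagram."""

    def __init__(self):
        self.pending = {}

    def add(self, frag):
        """Add one fragment; returns the reassembled payload once complete, else None."""
        ident, more, offset_units, data = frag
        entry = self.pending.setdefault(ident, {"pieces": {}, "total": None})
        start = offset_units * 8
        for s, d in entry["pieces"].items():
            if start < s + len(d) and s < start + len(data):
                raise ValueError(f"overlapping fragment for datagram {ident}")
        entry["pieces"][start] = data
        if not more:                                  # last fragment fixes the datagram size
            entry["total"] = start + len(data)
        return self._try_complete(ident)

    def _try_complete(self, ident):
        entry = self.pending[ident]
        if entry["total"] is None:
            return None                               # last fragment not yet seen
        expected = 0
        for s in sorted(entry["pieces"]):
            if s != expected:
                return None                           # gap: a fragment is still missing
            expected = s + len(entry["pieces"][s])
        if expected != entry["total"]:
            return None
        del self.pending[ident]
        return b"".join(entry["pieces"][s] for s in sorted(entry["pieces"]))


if __name__ == "__main__":
    payload = bytes(range(256)) * 16                  # 4096-byte transport payload, as off a token ring
    frags = fragment(7, payload)
    print([(more, off, len(d)) for _, more, off, d in frags])
    r = Reassembler()
    print([r.add(f) is not None for f in reversed(frags)])
```

The example also illustrates the cost the text describes: losing any one of the three fragments leaves the reassembler holding the others with nothing to deliver, and the whole 4096-byte payload has to be resent by the transport layer.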

ICMP

ICMP (Internet Control Message Protocol) is used to ensure the proper operation of the network and for debugging. The protocol runs on top of a network protocol such as IPv4 or IPv6.

ICMP messages are generated both by hosts and routers to monitor the network and to ensure its proper operation. For example, if a router does not have a route to a particular network, it sends an ICMP message back to the host indicating that the network is unreachable. If the router dropped the packet without any indication, monitoring the network would become a nightmare. ICMP is used to determine whether a host is reachable or not. ICMP is also used in PMTU discovery: if a router needs to fragment a packet but the do-not-fragment bit is set, the router sends back an ICMP message to the host indicating the MTU of its link so that the host can generate packets whose size does not exceed this MTU.

Multicast

IP also provides the ability to send a packet to multiple hosts anywhere on the Internet. This is a special case of broadcasting where only interested hosts receive a packet. Consider the example of pay-per-view broadcast. If a cable company intends to telecast a program over the Internet to all its subscribers, it has three options:

  • Telecast individually to each subscriber. This process has a very high overhead as the same data is duplicated to all the subscribers. It has a lot of undesired side effects. It increases the Internet traffic substantially and also increases tremendously the load on the server that is distributing the data.

  • Telecast by sending a broadcast to the whole Internet. This process is unacceptable because even nonsubscribers get to see the pay-per-view program. Moreover, Internet-level broadcast is very bad.

  • Telecast only to subscribers by using a technique called multicast. Multicast is an intelligent packet distribution mechanism where only subscribers get the packet. The data is distributed on only those links with subscribers. The traffic is delivered only to those nodes that have subscribed to the traffic.

Multicast packets have the same format as unicast IP packets. However, the destination field in the IP header has a multicast address and not a unicast address. The obvious question that comes to mind is, How do you know where to send the packet if you cannot uniquely identify a host? That is the beauty of multicast. There is support from the routing layer that has the knowledge of the hosts that are listening on a particular multicast address. A detailed discussion of multicast is out of the scope of this book. In fact, multicast discussion is a whole topic in itself.

Transport Layer

The TCP/IP protocol suite implements two protocols at the transport layer—Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

TCP is a connection-oriented protocol ensuring ordered and guaranteed delivery of packets. It has mechanisms built into it to provide these services to the application layer. In addition, TCP also implements mechanisms such as flow control, which ensures that the destination is not bombarded with packets. UDP is a connectionless protocol that ensures neither guaranteed nor ordered delivery of packets, nor does it provide flow control. The choice of using TCP or UDP is entirely up to the application.

Although we will not discuss the TCP and UDP headers in detail, we will briefly discuss two fields that are present in both the headers—the source port and the destination port. These two fields are critical in identifying how to process the data once the destination receives it.

The TCP/IP protocol suite identifies the application a packet is destined to by a five tuple: <source address, destination address, source port, destination port, protocol>. This tuple must be unique for each application running on a host. We have already discussed the source and destination address fields. These fields are set in the network header. The source and destination ports are 16-bit fields set in the transport header. The source port is allocated by the source host and the destination port is allocated by the destination host. For an application to communicate with another application on another host, it needs to know three things—the address of the destination, the port number on which the application is running, and the protocol over which to communicate. For example, most Web servers listen on port 80 and use the TCP protocol. An application binds to the source and destination port and also specifies the transport protocol to use for the transmission. The transport protocol uses this tuple to identify the application that receives the data.
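The five-tuple lookup the transport layer performs on arrival can be shown with a small socket table. The following Python program is an added example, not code from this book: a listening Web server is registered with wildcard remote address and port, a connected socket is registered with its full tuple, and lookup picks the most specific match, which is why two connections from different sources can both be served on port 80 while the tuple of each remains unique. The addresses, ports and class name are constructed for the example.

```python
"""Demultiplexing an arriving segment to a socket by five-tuple (constructed example)."""

ANY_ADDR, ANY_PORT = "0.0.0.0", 0
TCP, UDP = 6, 17


class SocketTable:
    """Maps (protocol, local addr, local port, remote addr, remote port) to a socket name.

    A listening socket uses wildcards for the remote side; a connected socket has a full tuple.
    """

    def __init__(self):
        self.entries = {}

    def bind(self, name, proto, local_addr, local_port, remote_addr=ANY_ADDR, remote_port=ANY_PORT):
        key = (proto, local_addr, local_port, remote_addr, remote_port)
        if key in self.entries:
            raise ValueError(f"five-tuple already in use: {key}")   # uniqueness rule of the text
        self.entries[key] = name
        return key

    def lookup(self, proto, dst_addr, dst_port, src_addr, src_port):
        """Most specific match first: full tuple, then listener on the address, then any address."""
        candidates = (
            (proto, dst_addr, dst_port, src_addr, src_port),
            (proto, dst_addr, dst_port, ANY_ADDR, ANY_PORT),
            (proto, ANY_ADDR, dst_port, ANY_ADDR, ANY_PORT),
        )
        for key in candidates:
            if key in self.entries:
                return self.entries[key]
        return None                                                  # no application: discard


def build_demo_table():
    """Web server listening on TCP port 80 plus one already-accepted connection (constructed)."""
    table = SocketTable()
    table.bind("httpd-listen", TCP, ANY_ADDR, 80)
    table.bind("httpd-conn-1", TCP, "10.0.0.80", 80, "128.127.126.125", 40000)
    return table


if __name__ == "__main__":
    t = build_demo_table()
    print(t.lookup(TCP, "10.0.0.80", 80, "128.127.126.125", 40000))   # existing connection
    print(t.lookup(TCP, "10.0.0.80", 80, "128.127.126.9", 51000))     # new client -> listener
    print(t.lookup(UDP, "10.0.0.80", 80, "128.127.126.9", 51000))     # wrong protocol -> None
```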

Domain Name System

Domain Name System (DNS) is a simple and scalable directory system for the Internet. Its most important function is to translate a machine name that is in the form www.xyz.com into an IP address. It is not possible for humans to remember hundreds of addresses, particularly when there are no semantics associated with the address. Also, IP addresses are allocated dynamically and hence remembering IP addresses may be meaningless. On the other hand, the network layer can handle only addresses. This necessitates a scalable system that can translate a name to an IP address.

DNS achieves this by defining a domain name hierarchy. There is the concept of a root. The root server address is well known. In fact, there are a few well-known root servers. Under the root there are a few well-defined domains as shown in Figure 2.9.

Figure 2.9. DNS hierarchy.

Under each of these well-known domains exist one or more organizations belonging to that domain. In our example, the com domain is registered under the root server and the company xyz is registered under the com domain. Registering implies that the organization is running a domain name server that can answer queries.

When a client wishes to talk to a host, it requests the resolver (software that resolves the domain name to an IP address) to resolve the domain name to an IP address. For example, when you enter www.xyz.com in your browser, the browser requests the resolver to map www.xyz.com to an IP address. The resolver goes through a well-defined process to resolve the domain name to an IP address. This algorithm is beyond the scope of this book. After the domain name is resolved, the client is ready to communicate with the www.xyz.com Web server.

In addition to resolving host names, DNS is also used to resolve the mail host, that is, where to send all the mail destined to the company xyz.com. DNS is also being enhanced to perform other directory services. The reader is urged to refer to the DNS specifications for a better understanding of DNS and its capabilities.

Security—at What Level?

In today's Internet, there are a lot of protocols designed to secure traffic at various levels in the network. It depends on the security requirements of the application and the user to decide where in the stack security should be implemented. Irrespective of where in the stack security is implemented, the following basic services have to be provided:

  • Key management (This includes negotiation of keys and storage of keys.)

  • Confidentiality

  • Nonrepudiation

  • Integrity/authentication

  • Authorization

Depending on where in the stack the security is implemented, it is possible to provide some or all of the services above. In some cases, it does make sense to provide some capabilities at one layer and other capabilities at a different layer.

This section discusses the advantages and disadvantages of providing security at various layers in the stack.

Application Layer

Application-level security has to be implemented in end hosts. Providing security at the application layer has the following advantages:

  • Executing in the context of the user enables easy access to user credentials such as private keys.

  • Complete access to the data the user wants to protect. This simplifies the task of providing services such as nonrepudiation.

  • An application can be extended without having to depend on the operating system to provide these services. Normally, applications have no control over what gets implemented in the operating system.

  • The application understands the data and can provide security appropriate to it.

The downside to application layer security is that the security mechanisms have to be designed independently for each application. This implies existing applications have to be enhanced to provide security. As each application has to define its own security mechanisms, there is a greater probability of making mistakes and hence opening up security holes for attacks.

To implement security mechanisms, applications integrate with a system that provides them. Examples of such systems are PGP, Kerberos, and Secure Shell. These systems are application-level protocols that provide the capability of key negotiation and other security services. Applications are enhanced to call into such a system to use its security mechanisms. One example is the e-mail clients that use PGP to provide e-mail security. In this case, the e-mail clients are extended with the following capabilities:

  • ability to look up public keys in a local database that correspond to a particular user,

  • ability to provide security services such as encryption/decryption, nonrepudiation, and authentication for e-mail messages.

Applications should design their own security mechanisms when their needs are specific and they cannot depend on the lower layers to provide those services. One such example is nonrepudiation. It is difficult for lower layers to provide nonrepudiation services as they do not have access to the data.

Transport Layer

Providing security at the transport layer has a definite advantage over the application-layer security as it does not mandate enhancements to each application. Existing applications get security services seamlessly.

However, obtaining the user context gets complicated. In order to provide user-specific services, assumptions are made that a single user is using the system, which is becoming a popular paradigm. Like application-level security, transport-layer security can only be implemented on an end system.

Transport-layer security is protocol specific. Transport Layer Security (TLS) is a protocol that provides security services such as authentication, integrity, and confidentiality on top of TCP. TLS needs to maintain context for a connection and is not currently implemented over UDP as UDP does not maintain any context. As the security mechanism is transport-protocol specific, security services such as key management may be duplicated for each transport protocol.

The World Wide Web currently provides security services using TLS. However, if security services were implemented at the network layer, this could be moved down to the network layer. Another limitation of transport-layer security as it is currently defined is that the applications still need modification to request security services from the transport layer.

Network Layer

Implementing security at this layer has many advantages. First, the overheads of key negotiation decrease considerably. This is because multiple transport protocols and applications can share the key management infrastructure provided by the network layer. Also, if security is implemented at lower layers, fewer applications need changes. It reduces the explosion in the implementation of security protocols at the higher layers. If security is implemented at higher layers, each application has to design its own security mechanism. This is overkill, and the probability of someone making a mistake is much higher. Also, security is provided seamlessly for any transport protocol.

One of the most useful features of network layer security is the ability to build VPNs and intranets. Because VPNs and intranets are subnet based, and network layer supports subnet-based security, it is easy to implement VPNs and intranets.

The disadvantage of implementing security at the network layer is the difficulty in handling issues such as nonrepudiation of data. This is better handled in higher layers. It is also more difficult to exercise control on a per-user basis on a multiuser machine when security is implemented at the network layer. However, mechanisms can be provided to perform user-based security on end hosts. On the routers, there is no context of user and this problem does not arise.

IP Security, the focus of this book, provides security at the network layer. IPSec is the only protocol that can secure all and any kind of Internet traffic. IPSec also allows per flow or per connection security and thus allows for very fine-grained security control.

Data Link Layer

If there is a dedicated link between two hosts/routers and all the traffic needs to be encrypted for fear of snooping, one can use hardware devices for encryption.

The advantage of this solution is speed. However, this solution is not scalable and works well only on dedicated links. Moreover, the two entities involved in communication have to be physically connected.

This type of model is useful in automatic teller machines where all the machines are connected via dedicated links to a central office. If ATM machines were connected to an IP network instead of dedicated secure links, the data link layer security would not suffice and one would have to move up one layer to provide security services.



[1] For a more in-depth discussion of TCP/IP protocol, we strongly recommend that readers refer to other books.

[2] Packet is the unit of data.

[3] In this book we use the term “host” in the context of an end system. The host generates traffic but is not involved in any routing decisions. Routers, on the other hand, normally do not generate traffic but instead forward traffic. The term “gateways” normally refers to a router.

[4] A host is an entity that is involved in the communication.

[5] Broadcast is the ability to communicate with a set of hosts without duplicating the packets. In this case, the network ID part of the destination address is used to identify the destination and hence all nodes with the same network ID get the packet.

[6] In reality, the number of addressable hosts is less than this number because some addresses are reserved.

[7] We describe in detail only those fields that are used by IPSec. For example, the options field is not discussed in detail.

[8] In the rest of the book, the network byte order is assumed. There are two types of representation of integers: big endian and little endian. In big endian, the most significant byte of an integer is stored first, at the lowest address (Motorola chips use big endian). In little endian, the least significant byte of an integer is stored first, at the lowest address (Intel). Network byte order corresponds to big endian.
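As an added illustration of footnote [8] (example code written for this edition, not from the book), the following Python shows how an IPv4 address and a 16-bit port are encoded in network byte order with the standard struct module, and how a little-endian host's native order differs from the wire order; the address and port values are constructed samples.

```python
import struct
import sys

# Constructed sample values (not from the book): a host address and a TCP port.
SAMPLE_ADDR = "192.0.2.10"
SAMPLE_PORT = 8080


def addr_to_wire(dotted: str) -> bytes:
    """Encode a dotted-quad IPv4 address as 4 bytes in network byte order.

    '!' in the struct format selects network (big-endian) order, so the most
    significant byte is emitted first regardless of the host CPU.
    """
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    return struct.pack("!I", value)


def wire_to_addr(raw: bytes) -> str:
    """Decode 4 network-order bytes back into dotted-quad form."""
    (value,) = struct.unpack("!I", raw)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def port_to_wire(port: int) -> bytes:
    """Encode a 16-bit port number in network byte order."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError(f"port out of range: {port}")
    return struct.pack("!H", port)


def host_order_differs(port: int) -> bool:
    """True when the CPU's native byte order ('=' in struct) would place the
    bytes differently from the wire order, i.e. on little-endian hosts."""
    return struct.pack("=H", port) != port_to_wire(port)


if __name__ == "__main__":
    print("address on the wire:", addr_to_wire(SAMPLE_ADDR).hex())  # c000020a
    print("port on the wire:   ", port_to_wire(SAMPLE_PORT).hex())  # 1f90
    print("host is", sys.byteorder, "endian; native order differs:",
          host_order_differs(SAMPLE_PORT))
```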
