Intrusion Detection: Network Security beyond the Firewall
(Publisher: John Wiley & Sons, Inc.)
Author(s): Terry Escamilla
ISBN: 0471290009
Publication Date: 11/01/98



Encapsulation Security Payload

ESP can provide privacy, integrity, or both, using one of two modes. In tunnel mode the entire IP packet is encrypted and then prefixed with a cleartext IP header before being sent on the network. The receiving system uses the decryption key defined by the security association to decrypt the encrypted IP header and packet. Verification of the packet contents depends on successful decryption for privacy or on a successful hash check for integrity. Privacy for the datagram passed down to the IP layer—the data portion of the IP packet—can be implemented separately in transport mode. Because only the datagram from the layer above undergoes cryptographic transformation, and not the IP packet header, performance is better than in tunnel mode. Naturally, IPsec is slower than unprotected IP traffic because of the additional path length introduced by cryptographic computations and session parameter negotiation. Any packet that does not decrypt properly is dropped, which defeats address impersonation attempts against protected traffic.
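The two layouts described above, as an added example that is not from the book: a constructed, heavily simplified IP header (source, destination, protocol) is protected with a hypothetical security association in transport mode (header in the clear, datagram protected) and in tunnel mode (whole packet protected behind a new outer header, assumed here to carry the gateways' addresses). The cipher is a toy keystream built from HMAC-SHA256 standing in for the SA's real transform, and the integrity check value is an HMAC over the ESP body; any packet whose check fails is dropped before decryption.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for an IP header: 16-byte src, 16-byte dst, 1-byte protocol.
# Real IPv4 headers carry many more fields; this keeps the two ESP layouts readable.
HDR_LEN = 33
PROTO_TCP = 6     # real IANA protocol numbers
PROTO_IPIP = 4    # "an entire IP packet follows" (ESP next-header value in tunnel mode)
PROTO_ESP = 50
ICV_LEN = 32      # HMAC-SHA256 output used as the integrity check value

def ip_packet(src, dst, proto, payload):
    return src.encode().ljust(16, b"\0") + dst.encode().ljust(16, b"\0") + bytes([proto]) + payload

def parse_ip(pkt):
    src = pkt[:16].rstrip(b"\0").decode()
    dst = pkt[16:32].rstrip(b"\0").decode()
    return src, dst, pkt[32], pkt[HDR_LEN:]

class SecurityAssociation:
    """Hypothetical SA: SPI, cipher key and integrity key (real SAs carry more state)."""
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key

    def _keystream(self, seq, n):
        # Toy stream cipher: HMAC-SHA256 in counter mode, keyed by the SA and bound to the
        # sequence number. A stand-in for the SA's real cipher, not a real ESP transform.
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(self.enc_key, struct.pack("!IQ", seq, ctr), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def protect(self, seq, plaintext, next_hdr):
        # Simplified ESP layout: SPI | seq | encrypted(payload | next header) | ICV
        data = plaintext + bytes([next_hdr])
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(seq, len(data))))
        body = struct.pack("!II", self.spi, seq) + ct
        return body + hmac.new(self.auth_key, body, hashlib.sha256).digest()

    def unprotect(self, esp):
        """Return (plaintext, next_header), or None if the packet must be dropped."""
        if len(esp) < 8 + 1 + ICV_LEN:
            return None
        body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
        # Integrity is checked first; a packet that fails is dropped without decryption.
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, icv):
            return None
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            return None
        ct = body[8:]
        data = bytes(a ^ b for a, b in zip(ct, self._keystream(seq, len(ct))))
        return data[:-1], data[-1]

def transport_send(sa, pkt, seq):
    # Transport mode: the original header stays in the clear (protocol field now says ESP);
    # only the transport-layer datagram is encrypted and authenticated.
    src, dst, proto, payload = parse_ip(pkt)
    return ip_packet(src, dst, PROTO_ESP, sa.protect(seq, payload, proto))

def tunnel_send(sa, pkt, seq, outer_src, outer_dst):
    # Tunnel mode: the whole original packet, header included, is encrypted and
    # carried behind a new cleartext outer header (assumed here to name the gateways).
    return ip_packet(outer_src, outer_dst, PROTO_ESP, sa.protect(seq, pkt, PROTO_IPIP))

def receive(sa, wire):
    """Return the original IP packet, or None when the packet must be dropped."""
    src, dst, proto, payload = parse_ip(wire)
    if proto != PROTO_ESP:
        return None
    result = sa.unprotect(payload)
    if result is None:
        return None
    plaintext, next_hdr = result
    if next_hdr == PROTO_IPIP:
        return plaintext                                   # tunnel mode: inner packet is complete
    return ip_packet(src, dst, next_hdr, plaintext)        # transport mode: restore the header

if __name__ == "__main__":
    sa = SecurityAssociation(0x1001, b"k" * 16, b"a" * 16)
    pkt = ip_packet("10.0.0.1", "10.0.0.2", PROTO_TCP, b"constructed payload")
    print("transport round trip ok:", receive(sa, transport_send(sa, pkt, 1)) == pkt)
    wire = tunnel_send(sa, pkt, 2, "192.0.2.1", "192.0.2.2")
    print("tunnel round trip ok:", receive(sa, wire) == pkt)
    print("tampered packet dropped:", receive(sa, wire[:-1] + bytes([wire[-1] ^ 1])) is None)
```

Comparing the two wire images shows the cost/benefit trade-off the text describes: the transport-mode packet exposes the real endpoints in its header, while the tunnel-mode packet shows only the outer addresses and carries the full inner header as ciphertext, at the price of encrypting and authenticating more bytes per packet.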

Supporting Protocols for IP

A number of other protocols are useful in the IP model. The three most important—ARP, DNS, and RIP—are briefly discussed in the following sections.

Address Resolution Protocol (ARP)

Network communications ultimately occur at a layer below IP. Network adapters have unique physical addresses that are needed to deliver packets between network nodes, so a mapping is needed between the logical address of IP and the physical address of the adapter. When the Ethernet device driver receives an IP packet for delivery, it sends out a special broadcast packet containing the destination IP address of the IP packet. As part of the behavior of a correctly implemented device driver, the node whose IP address matches replies with the physical address of its Ethernet adapter. The original node then encapsulates the IP packet in an Ethernet packet addressed to the newly learned Ethernet address. This is essentially how ARP works. Some network device drivers implement ARP using something other than a broadcast, but this is only a slight difference.

Most nodes cache the results of ARP exchanges for performance. Earlier ARP cache implementations would accept unsolicited ARP replies and update their caches, so a node could be told that an IP address belonged to a different adapter without ever having asked. This form of address impersonation occurs at the physical layer instead of the IP layer. Indeed, nothing in the ARP protocol provides strong authentication. An impostor can also respond to a genuine ARP request before the true owner does and consequently spoof the requesting node. To sustain this, the real owner of the IP address must be disabled or at least significantly hindered so that it cannot respond to network messages.

Note that address impersonation at this layer and at the IP layer has beneficial value, too. In cluster or high-availability environments, it is sometimes necessary for one node to impersonate the address of another to support a fail-over relationship. Controlled impersonation like this is unlikely to be configured across insecure networks, though.
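The two ARP symptoms described above, unsolicited replies and an IP address whose physical address changes, are easy to watch for passively. The following monitor is an added example, not code from the book: it replays constructed ARP events (a real deployment would feed it from a packet capture), keeps a table of which IP was resolved to which adapter, and raises an alert for any reply nobody asked for within a short window and for any change in an IP-to-MAC mapping. The event format, time window and alert names are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class ArpEvent:
    """One observed ARP packet (constructed; a real feed would come from a packet capture)."""
    ts: float
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str

class ArpMonitor:
    """Passive watcher for replies nobody asked for and for IP addresses whose
    physical address changes between replies."""
    def __init__(self, request_window=2.0):
        self.window = request_window   # seconds a request stays "open" for replies
        self.pending = {}              # ip being resolved -> time of latest request
        self.learned = {}              # ip -> mac, learned only from solicited replies
        self.alerts = []               # (ts, kind, ip, detail)

    def observe(self, ev):
        if ev.op == "request":
            self.pending[ev.target_ip] = ev.ts
            return
        asked = self.pending.get(ev.sender_ip)
        solicited = asked is not None and 0 <= ev.ts - asked <= self.window
        if not solicited:
            # A hardened stack ignores these; older caches accepted them blindly.
            self.alerts.append((ev.ts, "unsolicited-reply", ev.sender_ip, ev.sender_mac))
        known = self.learned.get(ev.sender_ip)
        if known is not None and known != ev.sender_mac:
            # Also catches two different answers racing to the same request.
            self.alerts.append((ev.ts, "mapping-changed", ev.sender_ip,
                                f"{known} -> {ev.sender_mac}"))
        if solicited:
            self.learned[ev.sender_ip] = ev.sender_mac

def analyze(events, request_window=2.0):
    """Replay events in time order and return the monitor with its alerts and table."""
    mon = ArpMonitor(request_window)
    for ev in sorted(events, key=lambda e: e.ts):
        mon.observe(ev)
    return mon

# Constructed sample traffic: one normal exchange, one unsolicited reply that tries
# to re-point 10.0.0.5 at a different adapter, then another normal exchange.
SAMPLE = [
    ArpEvent(0.0, "request", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    ArpEvent(0.1, "reply",   "10.0.0.5", "00:11:22:33:44:55", "10.0.0.1"),
    ArpEvent(5.0, "reply",   "10.0.0.5", "de:ad:be:ef:00:01", "10.0.0.1"),
    ArpEvent(9.0, "request", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.9"),
    ArpEvent(9.2, "reply",   "10.0.0.9", "00:11:22:33:44:99", "10.0.0.1"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE).alerts:
        print(alert)
```

The "mapping-changed" alert is exactly what a legitimate high-availability fail-over also produces, as the preceding paragraph notes, so in practice the monitor needs a list of address pairs that are allowed to move between adapters; everything else that changes deserves a look.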

Domain Name System (DNS)

Dotted decimal addresses are paired with more semantically meaningful names by pairing each octet with an alphanumeric string. The address 198.29.36.126 could be referred to as webserver1.boulder.ibm.com. The association between octets and string names is actually inverted, but this is not an important security issue. Like the decimal addresses, domain names are assigned by a registration authority. DNS is the protocol used to manage the lookups that convert between the dotted decimal and domain name forms of an address. Because the Internet depends heavily on this capability, a hierarchy of tightly controlled nameservers populates the Internet. Each nameserver is responsible for the names within its own domain but can request resolution of other names from the nameservers it is connected to. DNS also defines how nameservers communicate and receive updates to their universe of names, or namespace. Each nameserver is identified by one or more IP addresses.

Now that you know IP addresses can be impersonated, you can see that spoofing a nameserver can have serious consequences on the Internet. By feeding fake information to a nameserver or by impersonating the nameserver itself, an attacker can intercept and forge traffic for arbitrary nodes. Frequent impersonation attacks against nameservers forced many changes to the programs used to implement DNS, most notably the BIND program. Today, most nameservers on the Internet have been upgraded to avoid known attacks, but new threats are sure to arise. Luckily, the maintainer of BIND is very responsive and has provided timely fixes to security problems. A good review of DNS is given in Bellovin (1995).

A proposed standard for secure, authenticated DNS has been implemented for some nameservers on the Internet. Trusted Information Systems is a leading vendor in this effort. Secure DNS is achieved by using cryptographic protocols for message exchanges between nameservers. Implementations can be found on the Internet. More details on DNS and how to administer it are available in Link (1995).
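Short of the cryptographic protocols just mentioned, the checks a resolver applies before believing a reply are what stand between it and the fake information described above. The following stub resolver is an added example, not code from the book or from BIND: it remembers each outstanding query under an unpredictable transaction ID, accepts a reply only if it arrives from the server that was asked and matches an outstanding ID and question, and then keeps only answer records for the name it asked about. The message structure, the single-server model and the sample addresses other than the page's own 198.29.36.126 are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class DnsMessage:
    """Constructed, simplified DNS message: one question, zero or more (name, rdata) answers."""
    txid: int
    qname: str
    qtype: str
    answers: list = field(default_factory=list)
    src: str = ""     # IP address the packet arrived from (not part of the DNS payload)

class Resolver:
    """Hypothetical stub resolver that tracks what it asked, and of whom."""
    def __init__(self, server):
        self.server = server
        self.outstanding = {}   # txid -> (qname, qtype)
        self.cache = {}         # name -> rdata
        self.rejected = []      # (txid, reason), kept for later review

    def query(self, qname, qtype="A"):
        # Unpredictable transaction IDs turn blind forgery into a guessing game.
        txid = secrets.randbelow(65536)
        self.outstanding[txid] = (qname.lower(), qtype)
        return DnsMessage(txid, qname, qtype)

    def handle_reply(self, msg):
        """Accept the reply only if it is the one we are waiting for, from the server we asked."""
        reason = None
        if msg.src != self.server:
            reason = "source address is not the queried server"
        elif self.outstanding.get(msg.txid) != (msg.qname.lower(), msg.qtype):
            reason = "transaction id or question does not match an outstanding query"
        if reason:
            self.rejected.append((msg.txid, reason))
            return False
        # Keep only records for the name we asked about, so a reply cannot plant
        # entries for unrelated names alongside the real answer.
        for name, rdata in msg.answers:
            if name.lower() == msg.qname.lower():
                self.cache[name.lower()] = rdata
        del self.outstanding[msg.txid]      # a second copy of this reply is now refused
        return True

if __name__ == "__main__":
    name = "webserver1.boulder.ibm.com"
    r = Resolver("192.0.2.53")
    q = r.query(name)
    # Constructed replies: wrong transaction ID, wrong source, then the genuine one
    # carrying an extra record for an unrelated name.
    wrong_id = DnsMessage((q.txid + 1) % 65536, name, "A", [(name, "203.0.113.7")], src="192.0.2.53")
    wrong_src = DnsMessage(q.txid, name, "A", [(name, "203.0.113.7")], src="203.0.113.9")
    genuine = DnsMessage(q.txid, name, "A",
                         [(name, "198.29.36.126"), ("mail.example.com", "203.0.113.7")],
                         src="192.0.2.53")
    for reply in (wrong_id, wrong_src, genuine):
        print(reply.src, reply.txid, "accepted" if r.handle_reply(reply) else "rejected")
    print(r.cache)
```

The rejected list is worth feeding to whatever watches the network: a burst of replies with mismatched IDs from the right source address is a stronger signal of a forgery attempt than a single one, and it says nothing a quiet log line would not.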

Routing Interchange Protocol (RIP)

Like ARP and DNS, RIP is used to provide message delivery information on the Internet or in private networks. Instead of helping to locate the target of a message, RIP is used to find the best route for a message to travel. RIP suffers from the same problems as insecure DNS, in that it depends only on the source IP address for identification and authentication (I&A) of the message. A secure version of RIP is also available.
