[Dr.WoW] [No.29] IPSec Overview Highlighted

Latest reply: May 19, 2018 01:28:14 2938 3 1 0

With the wide-spread use of GRE and L2TP, private "Tiandihui" (lit. Heaven and Earth Society, in reference to anti-Qing Dynasty resistance groups) have also kept pace with the times, deploying host-to-sub-hosts GREs and L2TPs. Hosts and sub-hosts use GRE and L2TP tunnels to exchange and transmit messages. The cause to "overthrow the Qing Dynasty and restore the Ming Dynasty" is in full swing. However, the good times rarely last for long, and many of the confidential messages transmitted between hosts and sub-hosts have been seized by "government officials". Sub-host client groups have been rounded up by the dozen. An undercurrent surges through the Internet, and the road ahead is perilous.

Faced with the faction's life and death, Host Chen hastened to convene a conference to discuss countermeasures. The problem at hand, be it GRE or L2TP, no security encryption measures had been taken for any established tunnels, and as such, it is all too easy for "government officials" to seize plaintext confidential messages transmitted between hosts and sub-hosts through both GRE and L2TP tunnels. Tiandihui was faced with the issue of ensuring the safe transfer of messages. Private lines are a possible solution, but the treasures of the Sutra of 42 Chapters have yet to be discovered. Strapped for the cash needed to build host-to-sub-host private lines, Tiandihui must seek recourse through an existing, common resource - the Internet.

After paying homage to the Supreme Host, Tiandihui finally found the answer: IPSec (IP Security). As a next-generation VPN technology, IPSec can establish secure, stable dedicated lines across the Internet. Compared to GREs and L2TPs, IPSec is more secure and can guarantee the safe transfer of messages between hosts and sub-hosts.

1 Encryption and Authentication

To discuss IPSec is no easy task. It's not a single maneuver, but rather a set of tactics. IPSec cleverly borrows the art of hoodwinks from the school of cryptology and has created its own unique blend of shapeshifting for safe passage through changing AHs (Authentication Headers) and ESPs (Encapsulating Security Payloads) for positive identification to "return the jade intact to its rig**ul owner". Even if the message is intercepted, no one would ever understand it, and any message that has been tampered can be spotted almost instantly.

l   Shapeshifting for safe passage - encryption

As shown in Step 11.Figure 1-1, IPSec borrows a simple trick - before either end transmits a message, an encryption algorithm and cipher key is first used to change the message header; this process is known as encryption. Once the other end receives the message, the same encryption algorithm and cipher key is used to restore the message to its original; this process is known as decryption. As the message is being transmitted, it's impossible to see its true nature, leaving perpetrators empty-handed.

Figure 1-1 Schematic of packet encryption/decryption

[Dr.WoW] [No.29] IPSec Overview-1236187-1 

When Tiandihui hosts and sub-hosts must exchange messages, both ends must first agree to an encryption algorithm and cipher key. Suppose that the host must send the command "August 15, shores of Lake Taihu, holding a big event" to the sub-host. The host must first use an incoherent encryption algorithm to garble the text. Then, once the cipher key "Overthrow the Qing to Restore the Ming" is inserted, the encrypted command will finally read out a message like "Overthrow 15 the Lake Taihu Qing shores to holding Restore a the big event August Ming" which is then transmitted. Even if this message is intercepted by "government officials" along the way, they'll be stumped, without even so much as a trace of the original meaning. Once the sub-host receives the message, it will use the same encrypted algorithm and decryption key "Overthrow the Qing to Restore the Ming", so that the message will be restored to its original command "August 15, shores of Lake Taihu, holding a big event".

Hosts and sub-hosts use the same key for encryption and decryption. This method is also known as a symmetric encryption algorithm (or symmetric-key algorithm), of which there are 3 - DES, 3DES and AES. See Table 1-1 for a comparison of the 3 algorithms.

Table 1-1 Symmetrical encryption algorithms





Full Name

Data Encryption Standard

Triple Data Encryption Standard

Advanced Encryption Standard

Key Length (bits)



128, 192. 256

Security Level





lPositive identification to "return the jade intact to its rig**ul owner" - authentication

Packet authentication, as shown in Figure 1-2, is a process wherein an authentication algorithm and authentication key pair is used before the message is transmitted to "sign the papers" and create a signature. Then, the signature is sent together with the message. Once the other end receives the message, the same authentication algorithm and authentication key pair is used to get the same signature. If the packet is sent over with a signature, and if the signature is the same, it will verify that the message has not been tampered with.

Figure 1-2 Schematic of packet authentication

[Dr.WoW] [No.29] IPSec Overview-1236187-2


Apart from authenticating the integrity of the message, IPSec can also authenticate the source of the message. That is, it positively identifies the message to ensure that the message was sent from the real sender.

In general, authentication and encryption are used in tandem, and encrypted packets will go through an authentication algorithm to generate signatures. MD5 and SHA series algorithms are two common forms of authentication. See Table 1-2 for a comparison of the two.

Table 1-2 Authentication algorithms





Full Name

Message Digest 5

Secure Hash Algorithm 1

Secure Hash Algorithm 2

Signature Length (bits)



SHA2-256: 256

SHA2-384: 384

SHA2-512: 512

Security Level





Of IPSec's two feats, AHs can only be used for authentication but not for encryption. ESP, on the other hand, can be used for both encryption and authentication. AH and ESP can be used independently or in tandem.

2 Security Encapsulation

Tiandihui cannot raise their "anti-Qing" banners or proclaim their mission, so they often have to cloak their actions through "legitimate" forms of business. For instance, the public identity of a host might be as online shopkeeper, and the public identity of a sub-host might be a buyer; such an exchange just might be the best catch-all. To better utilize this catch-all, IPSec has designed two modes of encapsulation:

l   Openly repair the gallery by day while secretly passing through Chencang - tunnel mode

With tunneling, before an AH or ESP header is inserted into the original IP header, a new packet header is generated and placed before the AH or ESP header, as shown in Figure 1-3.

Figure 1-3 Tunnel mode packet encapsulation

[Dr.WoW] [No.29] IPSec Overview-1236187-3


The tunnel uses the new packet header to encapsulate the message; the new IP header's source and destination IP addresses serve as the tunnel's two public IP addresses; in this way, tunneling uses two gateways to establish an IPSec tunnel, thereby guaranteeing communication between the two networks behind each gateway. This is currently one of the more commonly-used modes of encapsulation. Messages within the host-to-sub-host private network is often disguised as everyday communication between the identities of the host and sub-host (public IP addresses) as ship-owner and buyer once the message is encrypted and encapsulated so it won't be suspected.

l   "The door opens on a view of mountains"; cut to the chase - transfer mode

In a transfer, the AH header or ESP header is inserted between the IP header and TCP, as shown in Figure 1-4.

Figure 1-4 Transfer mode packet encapsulation

[Dr.WoW] [No.29] IPSec Overview-1236187-4


In a transfer, the packet header is left unchanged, and the tunnel source and destination IP addresses are the final source and destination IP addresses of the string of communication. As such, only messages sent between the two ends are protected instead of all network-wide messages. For this reason, this mode is only useful for communication between two parties rather than private networks amongst Tiandihui hosts and sub-hosts.

3 Security Associations

A connection established in IPSec between two ends is known as an SA (Security Association). As the name suggests, the two ends become associates wherein the same encapsulation mode, encryption algorithm, cipher key, authentication algorithm, and authentication key are used, which naturally requires mutual trust and a degree of intimacy.

An SA is a unidirectional connection, wherein hosts and sub-hosts will establish an SA to protect all aspects of communication. Host inbound SAs correspond to sub-host outbound SAs, and host outbound SAs correspond to sub-host inbound SAs, as shown in Figure 1-5.

Figure 1-5 Schematic of IPSec security association

[Dr.WoW] [No.29] IPSec Overview-1236187-5


To differentiate between SAs in different directions, IPSec will add unique identifier to each SA. This identifier is called an SPI (Security Parameter Index).

The most direct method of establishing an SA is to have hosts and sub-hosts define encapsulation modes, encryption algorithms, cipher keys, authentication algorithms, and authentication keys, that is, to manually establish IPSec SAs.



To view the list of all Dr. WoW technical posts, click here.

  • x
  • convention:

Created Jul 21, 2015 10:22:42 Helpful(0) Helpful(0)

  • x
  • convention:

MVE Created Apr 10, 2018 15:46:59 Helpful(0) Helpful(0)

useful document, thanks
  • x
  • convention:

Created May 19, 2018 01:28:14 Helpful(0) Helpful(0)

useful document, thanks:)
  • x
  • convention:


You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits