Network-Layer Security | IPSec Modes

Category - Computer Networks | Network Layer

This article begins with a consideration of security at the network layer. Security is implemented between two hosts, two routers, or a host and a router at the network layer.

Programs that use the network layer's services directly, including routing protocols, are protected by network-layer security. Since UDP is a connectionless protocol and transport-layer security mechanisms cannot be applied to UDP, applications that use UDP can also benefit from this service. Here we discuss only IPSec as an example of network-layer security. The Internet Engineering Task Force (IETF) created a group of protocols known as IP Security (IPSec) to secure a packet at the network level. IPSec lets the IP layer create authenticated and confidential packets.

IPSec Modes

IPSec operates in one of two modes: transport mode or tunnel mode.

  1. Transport Mode - In transport mode, IPSec protects the information handed down from the transport layer to the network layer. In other words, transport mode protects the payload that will be encapsulated at the network layer, as shown in the figure below.

[Figure: IPSec in transport mode]

Note that transport mode does not protect the IP header. In other words, transport mode protects the packet from the transport layer (the IP-layer payload), not the entire IP packet. In this mode the information arriving from the transport layer is wrapped with the IPSec header (and trailer); the IP header is added afterwards.

In transport mode, IPSec protects only the payload arriving from the transport layer; it does not protect the IP header.

Transport mode is normally used when host-to-host (end-to-end) protection of data is needed. The sending host uses IPSec to authenticate and/or encrypt the payload delivered from the transport layer. The receiving host uses IPSec to check the authentication and/or decrypt the IP packet and then delivers the payload to the transport layer. The figure below shows this idea.

[Figure: Transport mode in action between two hosts]

  2. Tunnel Mode - In tunnel mode, IPSec protects the entire IP packet. As shown in the figure below, it takes an IP packet, header included, applies IPSec security methods to the whole packet, and then adds a new IP header.

[Figure: IPSec in tunnel mode]

We will see shortly how the information in the new IP header differs from that in the old IP header. As the next figure shows, tunnel mode is normally used between two routers, between a host and a router, or between a router and a host. The complete original packet appears to travel through an imaginary tunnel between the sender and the receiver, where it is protected from tampering.

[Figure: Tunnel mode in action between two routers]

In tunnel mode, IPSec protects the original IP header.

In transport mode, the IPSec layer sits between the transport layer and the network layer. In tunnel mode, the flow goes from the network layer to the IPSec layer and then back to the network layer again. The two modes are compared in the figure below.

[Figure: Transport mode versus tunnel mode]
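The following Python model is an added example, not code from the article; it makes the coverage difference between the two modes concrete. It uses a toy 12-byte IP header, an 8-byte marker in place of the ESP header, and an HMAC-SHA256 tag standing in for IPSec's integrity check value; the key, addresses and payload are constructed sample values, not real security association parameters. In transport mode the only IP header is added outside the protected region, so a change to it is not caught by the integrity check; in tunnel mode the original header travels inside the protected region under a new outer header, so the same change is detected.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real IPSec security association derives its keys via IKE.
ICV_KEY = b"constructed-demo-integrity-key"
ICV_LEN = 32          # HMAC-SHA256 output length
HDR_LEN = 12          # size of the toy IP header built below
PROTO_TCP = 6         # IP protocol number for TCP
PROTO_ESP = 50        # IP protocol number for ESP (IPSec)
ESP_MARKER = b"ESP-HDR-"  # 8-byte stand-in for the ESP header (SPI + sequence number)


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Toy 12-byte IP header: 4-byte src, 4-byte dst, 1-byte protocol, 3 bytes padding."""
    pack_addr = lambda a: bytes(int(o) for o in a.split("."))
    return pack_addr(src) + pack_addr(dst) + struct.pack("!B3x", proto)


def parse_header(hdr: bytes) -> dict:
    """Inverse of ip_header for the fields the demo inspects."""
    src = ".".join(str(b) for b in hdr[0:4])
    dst = ".".join(str(b) for b in hdr[4:8])
    return {"src": src, "dst": dst, "proto": hdr[8]}


def icv(protected: bytes) -> bytes:
    """Integrity check value over the protected region (stand-in for ESP's ICV)."""
    return hmac.new(ICV_KEY, protected, hashlib.sha256).digest()


def transport_mode(src: str, dst: str, transport_segment: bytes) -> bytes:
    """Transport mode: IPSec wraps only the transport-layer payload.
    The IP header is added afterwards, outside the protected region."""
    protected = ESP_MARKER + transport_segment
    return ip_header(src, dst, PROTO_ESP) + protected + icv(protected)


def tunnel_mode(gw_src: str, gw_dst: str, original_packet: bytes) -> bytes:
    """Tunnel mode: the whole original packet, header included, is protected,
    then a new IP header carrying the tunnel endpoints is prepended."""
    protected = ESP_MARKER + original_packet
    return ip_header(gw_src, gw_dst, PROTO_ESP) + protected + icv(protected)


def unwrap(packet: bytes):
    """Receiver side: split outer header, protected region and ICV, then verify.
    Returns (verified, outer_header_fields, inner_bytes_or_None)."""
    outer = parse_header(packet[:HDR_LEN])
    protected, tag = packet[HDR_LEN:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv(protected), tag):
        return False, outer, None
    return True, outer, protected[len(ESP_MARKER):]


def flip_byte(packet: bytes, offset: int) -> bytes:
    """Invert one byte at offset; models an in-flight change to that field."""
    return packet[:offset] + bytes([packet[offset] ^ 0xFF]) + packet[offset + 1:]


def demo() -> dict:
    segment = b"TCP-SEGMENT:GET / HTTP/1.1"  # constructed transport-layer payload

    # Transport mode, host to host: the only IP header sits outside the protected region.
    t_pkt = transport_mode("10.0.0.1", "10.0.1.1", segment)
    t_ok, t_outer, t_inner = unwrap(t_pkt)

    # Tunnel mode, router to router: the original host-to-host packet is carried inside.
    original = ip_header("10.0.0.1", "10.0.1.1", PROTO_TCP) + segment
    u_pkt = tunnel_mode("192.0.2.1", "198.51.100.1", original)
    u_ok, u_outer, u_inner = unwrap(u_pkt)

    # Coverage check: change the destination field of the header the end hosts use.
    # Transport mode: that header is outside the ICV, so verification still passes.
    # Tunnel mode: that header is the inner one, inside the ICV, so verification fails.
    t_dst_offset = 4                                  # dst field of the only header
    u_dst_offset = HDR_LEN + len(ESP_MARKER) + 4      # dst field of the inner header
    return {
        "transport_ok": t_ok,
        "transport_outer": t_outer,
        "transport_payload": t_inner,
        "tunnel_ok": u_ok,
        "tunnel_outer": u_outer,
        "tunnel_inner_header": parse_header(u_inner[:HDR_LEN]),
        "tunnel_payload": u_inner[HDR_LEN:],
        "transport_header_change_detected": not unwrap(flip_byte(t_pkt, t_dst_offset))[0],
        "tunnel_inner_header_change_detected": not unwrap(flip_byte(u_pkt, u_dst_offset))[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two outer headers show the difference described above: in transport mode the outer header carries the host addresses (10.0.0.1 to 10.0.1.1) with protocol 50, while in tunnel mode the outer header carries the router addresses (192.0.2.1 to 198.51.100.1) and the host-to-host header with protocol 6 is found only after unwrapping. Real ESP also encrypts the protected region; the model leaves it in the clear so the inner header can be read back and compared.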
