present, contains parameters that depend on the encryption algorithm used. The DES – CBC1) algorithm is mentioned as one possibility. Parts of the ESP header including the SPI are transmitted unencrypted. This privacy mechanism can be used in two ways depending on the required level of privacy. The first option is to only encrypt the transport layer segment in the IP payload. This scheme is called transport mode ESP. The other option is to encrypt the entire IP packet and encapsulate it in a new IP packet. This is called tunnel mode ESP. Transport mode offers confidentiality to the higher layer protocols by introducing little overhead. A disadvantage is that traffic analysis can be carried out by an (unwanted) third party as the packet is addressed to its final destination.

Tunnel mode ESP has more overhead than the transport mode but it prevents traffic analysis.

Different key management solutions are possible, including both manual and automatic ones.

IPsec is not related in principle to QoS protocols, procedures or management. However, some aspects of IPsec may have an impact on QoS:
- The AH and ESP protocols introduce overhead for IP packets.
- Key management can increase the time to establish a connection and introduces some additional traffic.
- Cryptographic algorithms can be rather CPU consuming.
- Encryption may prevent effective compression by lower layers. To minimise this problem IPsec supports negotiation of IP compression.
- The ToS and Class fields of tunnelled packets are copied to the outer IP header, making IPsec transparent to QoS mechanisms based on the analysis of such fields.
- Any other QoS mechanism based on the inspection of fields of upper layer protocols may become useless when encryption is used.
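To make the overhead and traffic-analysis remarks above concrete, the following added example (not code from the article) sizes a DES-CBC ESP packet in transport and tunnel mode. It assumes the ESP field layout of RFC 2406 (4-byte SPI, 4-byte sequence number, 8-byte DES-CBC IV, padding to the 8-byte block size, 1-byte pad length, 1-byte next header, optional authentication data), a 20-byte IPv4 header without options and 12 bytes of authentication data when integrity protection is on; all of these are my assumptions, not figures given in the text.

```python
from dataclasses import dataclass

# Layout assumptions (mine, not the article's): RFC 2406 ESP fields,
# IPv4 header without options, 12-byte (HMAC-96 style) authentication data.
IPV4_HEADER = 20
ESP_SPI = 4          # transmitted in the clear
ESP_SEQ = 4          # transmitted in the clear
DES_CBC_IV = 8       # sent in the clear in front of the ciphertext
DES_BLOCK = 8        # DES-CBC pads to whole 8-byte blocks
ESP_TRAILER = 2      # pad length (1) + next header (1), both encrypted
AUTH_DATA = 12       # optional integrity check value


@dataclass(frozen=True)
class EspSize:
    mode: str
    on_wire: int        # bytes transmitted
    overhead: int       # on_wire minus the original IP packet
    encrypted: int      # bytes hidden from an on-path observer
    observer_sees: str  # addressing information left in the clear


def des_cbc_padding(plaintext_len: int) -> int:
    """Padding so that plaintext plus the 2-byte ESP trailer fills whole DES blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % DES_BLOCK


def esp_size(segment_len: int, mode: str, authenticated: bool = False) -> EspSize:
    """Size an ESP packet carrying a transport layer segment of segment_len bytes."""
    original = IPV4_HEADER + segment_len
    if mode == "transport":
        plaintext = segment_len          # only the transport segment is encrypted
        observer = "original IP header: final source and destination"
    elif mode == "tunnel":
        plaintext = original             # the whole inner IP packet is encrypted
        observer = "outer IP header: tunnel endpoints only"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pad = des_cbc_padding(plaintext)
    esp = ESP_SPI + ESP_SEQ + DES_CBC_IV + plaintext + pad + ESP_TRAILER
    if authenticated:
        esp += AUTH_DATA
    # transport: the original header stays in front; tunnel: a new outer header is added
    on_wire = IPV4_HEADER + esp
    return EspSize(mode, on_wire, on_wire - original,
                   plaintext + pad + ESP_TRAILER, observer)


def overhead_percent(segment_len: int, mode: str, authenticated: bool = False) -> float:
    """Relative cost of ESP, which is what hurts small real-time packets most."""
    size = esp_size(segment_len, mode, authenticated)
    return round(100.0 * size.overhead / (IPV4_HEADER + segment_len), 1)


if __name__ == "__main__":
    for seg in (40, 100, 1400):
        for mode in ("transport", "tunnel"):
            s = esp_size(seg, mode, authenticated=True)
            print(f"{seg:5d}-byte segment, {mode:9s}: {s.on_wire} bytes on wire, "
                  f"+{s.overhead} ({overhead_percent(seg, mode, True)} %), "
                  f"observer sees {s.observer_sees}")
```

For a 100-byte segment the calculation gives 20 bytes of ESP overhead in transport mode and 44 bytes in tunnel mode (the extra outer IPv4 header plus more padding); for a 40-byte voice-sized segment tunnel mode roughly doubles the packet, which is the QoS cost the list above points at.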
6.3.2 Firewalls and Proxies
IPsec does not protect against every type of attack a system may be exposed to. A critical question is how internal (protected) traffic and resources can be kept unexposed to external parties, so that network information cannot be used in further attacks. Such problems are countered by controlling all traffic entering and leaving the system. For this purpose, firewalls are introduced.
A firewall is an implementation of an access control policy between two networks. Two types of firewalls exist:
- Network level: packets are filtered on the basis of source address, destination address and port. This means that a router may be used as a network level firewall.
- Application level: a proxy server, which is software running on the firewall that allows no direct traffic between the networks. It is not transparent for applications, which have to be configured to use the proxy to reach the network. One step is to perform network address translation, which hides internal addresses from the outside.
Security restrictions imposed by firewalls may make it difficult to establish end-to-end connections. In the case of network level firewalls, it is a matter of firewall configuration to allow or block the exchange of packets. Inspection of QoS-related IP header fields such as ToS or Class should then be supported.
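The following added example (not from the article, and not any vendor's firewall syntax) is a minimal network level packet filter of the kind just described: rules match on source address, destination address, protocol and port, and may additionally inspect the IPv4 ToS byte so that a QoS marking can be part of the decision. The protected network 10.0.0.0/8, the external host 203.0.113.9, the rule set and the sample packets are all constructed for illustration; the ToS value 0xB8 is DSCP EF (46) in the top six bits of the byte.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    tos: int = 0            # IPv4 ToS byte as carried on the wire


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    tos: Optional[int] = None    # None: the ToS byte is not inspected

    def matches(self, pkt: Packet) -> bool:
        return (
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.tos is None or self.tos == pkt.tos)
        )


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule decides; anything unmatched gets the default policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


INTERNAL = "10.0.0.0/8"   # constructed: the protected (internal) network
TOS_EF = 0xB8             # DSCP EF (46) in the top six bits of the ToS byte

# Constructed policy: everything outbound, one public web server, and a
# voice endpoint that only accepts traffic carrying the EF marking.
RULES = [
    Rule("allow", src=INTERNAL),
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=80),
    Rule("allow", dst="10.0.0.7/32", proto="udp", dport=5004, tos=TOS_EF),
]


def decisions() -> dict:
    """Run constructed sample packets through the rule set and collect the verdicts."""
    samples = {
        "web_in": Packet("203.0.113.9", "10.0.0.5", 80),
        "telnet_in": Packet("203.0.113.9", "10.0.0.5", 23),
        "voice_ef": Packet("203.0.113.9", "10.0.0.7", 5004, "udp", TOS_EF),
        "voice_unmarked": Packet("203.0.113.9", "10.0.0.7", 5004, "udp", 0),
        "https_out": Packet("10.0.0.12", "203.0.113.9", 443),
    }
    return {name: filter_packet(RULES, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in decisions().items():
        print(f"{name:15s} -> {verdict}")
```

The default-deny at the end of `filter_packet` is what makes the rule list a policy rather than a blocklist: a packet that matches nothing, such as the inbound Telnet attempt, is dropped without a rule having to name it.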
Since proxies block all direct traffic between networks, special mechanisms must be implemented on proxy servers to support QoS guarantees. Applications should be able to inform the proxy of the required QoS parameters for the session and then the proxy should be able to establish the requested session with the remote host.
7 Scenarios/Examples
7.1 Client – Server
A large group of applications related to the current use of IP-based networks can be categorised according to the Client – Server model. Here the term server refers to any program that offers a service. Servers accept requests, perform their service, and return the result to the requester. A program becomes a client when it sends a request to a server and waits for a response. Commonly, the server has a well-known port that requests are using, see Figure 18. The client can allocate an unused port to this communication.
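The exchange described above, as an added example that is not part of the original article: a server on a loopback TCP socket accepts one request, performs its service (here simply upper-casing the request) and returns the result, while the client leaves port selection to the operating system, which allocates an unused port. The server's port is bound with 0 so the demo can run anywhere; in a real deployment it would be the fixed, well-known port clients are configured with. The service itself is constructed and is not Telnet.

```python
import socket
import threading


def serve_one(listener: socket.socket) -> None:
    """Accept a single request, perform the 'service' and send the result back."""
    conn, _ = listener.accept()
    with conn:
        request = conn.recv(1024)
        conn.sendall(request.upper())   # constructed service: upper-case the request


def run_exchange(request: bytes = b"hello server") -> dict:
    """One client/server round trip on loopback; returns the ports used and the reply."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)              # never hang the demo if nothing connects
    listener.bind(("127.0.0.1", 0))     # 0: let the OS pick; a real server uses a well-known port
    listener.listen(1)
    server_port = listener.getsockname()[1]   # the port a client must know in advance

    server = threading.Thread(target=serve_one, args=(listener,))
    server.start()
    try:
        with socket.create_connection(("127.0.0.1", server_port), timeout=5) as client:
            client_port = client.getsockname()[1]   # allocated by the OS, unused until now
            client.sendall(request)
            client.shutdown(socket.SHUT_WR)         # request complete; wait for the response
            chunks = []
            while True:
                data = client.recv(1024)
                if not data:                        # server closed the connection
                    break
                chunks.append(data)
    finally:
        server.join()
        listener.close()
    return {"server_port": server_port, "client_port": client_port,
            "response": b"".join(chunks)}


if __name__ == "__main__":
    result = run_exchange()
    print(f"server listened on {result['server_port']}, "
          f"client was allocated {result['client_port']}, "
          f"response: {result['response']!r}")
```

Note the asymmetry the text describes: only the server's port has to be known beforehand; the client's port is whatever the operating system hands out for that one connection, and it differs from the server's.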
Telnet allows a user to establish a TCP connection to another machine. Then the keystrokes are passed to the remote machine and the response is
1) Data Encryption Standard – Cipher Block Chaining.