One of the problems of the originators of the internet not putting security into anything is that by the end of the 1990s, everybody was making their own security. So if you had web pages, you were doing SSL or TLS. If you were trying to make a remote connection, you'd be using things like SSH instead of Telnet. Everybody was doing their own thing when it came to security on a TCP/IP network. And by the late 90s, there was a thought that, you know, this might not be the best way to do it. Instead of having all these different applications and things like that doing their own security, what if we could come up with a type of IP security that worked on a host-to-host basis, where literally every single computer on the internet had its own security, and when you would make a connection, that point-to-point security would take care of everything?
And that is known generically as IPsec. Now, IPsec is not one thing. IPsec is actually a bunch of protocols that work together that come up with this idea that we can have any two hosts create a secure connection. Now, if IPsec was totally rolled out, it would be a pretty cool thing: we could theoretically get rid of HTTPS, we could get rid of SSH, we could get rid of encrypted email, because everything would be point-to-point encrypted. The reality is that didn't happen. However, IPsec is a very cool protocol.
It is used all over the place. And it's also a little complicated. So in this episode, what I want to do is take about a 5,000-foot overview of IPsec and make sure you understand the base pieces of it. Now, if we're going to be making point-to-point connections, obviously, we're going to have to do a lot of important stuff when it comes to security. We're gonna have to go through an authentication process. We're gonna have to go through encryption and all that stuff.
Now, I'm going to talk about that in a minute. But once everything's going, what do you want to do with that data? Well, there are two things you can do. Number one, you can generate what are known as authentication headers. Or you can generate what's known as encapsulating security payloads. So IPsec runs in two very different modes. Let's go through both of those.
Here is some TCP data. I've got a TCP header here. And then I've got some data. Now, I'm eventually going to put an IP address on this and send it out the door. Now, one of the encapsulation formats that we use with IPsec is known as authentication header. The only thing this does is provide integrity.
So what we'll do is, before we send this guy out, we're going to go ahead and do an integrity check on the actual data itself. And then we're going to insert this little bit of authentication header data. So in essence, what we've done here is we've just generated an HMAC. So the important thing to remember about authentication header is that it only provides integrity. Now, the more popular one that we're going to see is the encapsulating security protocols. So let's go ahead and start with that exact same header that we had before. Now this time, what we're going to do is actually go through the process of encrypting this guy.
So we'll sometimes use something like DES, triple DES, or even AES encryption. And we're going to go ahead and create an encryption here. And then we're going to put a header on there. And then that thing is now fully encrypted. So IPsec works simply by encapsulating our data into an IPsec packet. That works great.
However, there are some issues here. You'll notice in those examples, we took the original IP address and, in essence, kind of inserted some stuff in there, and that's fine. And if I were the overlord godhead of the universe, and I made everybody use the exact same IP protocols, and I got rid of NAT and I got rid of all kinds of problems, this would be a great thing. However, we live in a world where there's NAT, and there's IPv4 and IPv6, and all of these issues, where we can't simply take an existing IP address. And that can be a problem. Now, what I just showed you is one of two different ways that we can run IPsec.
So there are actually two separate protocols. So when we're talking about keeping the original IP address, we call that transport mode. Transport mode would work great if everybody had the exact same IPv4 range or IPv6 range, if we got rid of NAT and a bunch of other things. But transport mode in the real world doesn't work very well. So what we do instead is we use tunnel mode. Let me show you how that works.
Let's take a look at that authentication header we did earlier. Now normally, what we're going to do is just run an HMAC on all this value, and then insert that into the AH header. Now, the problem here is that we're still using the original IP address. And in a lot of places, that's simply not going to work. So what we use is what we call tunnel mode. So this right now is transport mode; we still have the original IP header.
But what we can do is get rid of that and then add a new IP address to it. And by adding a new, different IP address, then we could actually run this in transport mode. Now you have to be careful; this would drive the poor system crazy because, remember, you're doing an HMAC on this entire value, including the original IP header. And if you were to change it, that would be a problem. So we don't actually do tunnel mode with AH by itself. Instead, what we'll tend to do is we will use it with ESP.
So let's take a look at the original ESP packet that we had before. So we've got our encrypted data. Then we have our authenticated data, but in this case, what we're going to be doing is the original IP header is encrypted. And then we add a new IP header to the outside of that. So the bottom line is, in today's IPsec world, most people are going to be running in tunneling mode. And they're going to be doing a whole lot of ESP.
Now, to get all this rolling, you've got these two hosts. So you've got an entire security aspect that you've got to deal with. Now, in the IPsec world, they use something called ISAKMP, Internet Security Agreement Key Management Protocol. ISAKMP's only job is to create what we call a security agreement between two hosts. So if two hosts want to start talking IPsec, the first thing you're going to do is begin this negotiation protocol using ISAKMP. So ISAKMP is going to handle all kinds of stuff, like, for example, initial authentication, so it can use certificates.
It can use pre-shared keys; it can use just about anything you want to start that initial negotiation between the two. It'll set up key exchange, it'll set up the type of hash for HMAC; it handles all of this through the negotiation process. So ISAKMP is the cornerstone of what gets all the security rocking and rolling in order for two IPsec hosts to talk to each other, and in a nice, secure way. So this can be pretty challenging to configure. And as a result, we don't see IPsec being used in the way that a lot of people thought it might be used. But I would like to take a minute and talk about where we actually see IPsec in today's world.
And let's start with VPNs. The tunneling aspect of IPsec makes it a natural for VPN. So we see a lot of VPNs that use IPsec. And there are really two different ways that you'll see IPsec used in VPN. First would be a real honest-to-Pete, traditional, IPsec-pure VPN. In that case, it's only running IPsec.
You're in tunneling mode, and you make these two connections between two hosts, and it works okay. However, that's really not the more common way to do it. The more common and somewhat older way to do it is running IPsec with the L2TP protocol. In this scenario, what will happen is L2TP generates an initial tunnel, and IPsec goes ahead and puts a tunnel within the tunnel, so it's got a lot more security to it, but it works really well. And that is, if you're going to be setting up a VPN with IPsec, it's probably going to be IPsec with L2TP. Now the other place we're going to be seeing IPsec used a lot is with RADIUS and TACACS+.
If you have some setup using AAA, RADIUS, or TACACS+, in these situations, you don't really have a native encryption built into it. So a lot of these folks will go ahead and use IPsec to create, in essence, a VPN tunnel between the two hosts so that they can communicate securely. So you're not going to see this too much outside of, say, an enterprise-level wireless network. Or if you've got a bunch of Cisco boxes that all have to talk to each other. It is fairly uncommon, but it is out there. Now, the other thing I want to talk about, one that bugs me a little bit, is IPsec with IPv6. When IPv6 first came out, one of the big pushes was that IPsec is mandatory and built into IPv6, which we all thought was going to be so cool because we'd have to get rid of all of our secure websites and secure email because IPsec was going to take care of everything with IPv6. That's actually not accurate.
Now, within the RFCs, it was mentioned that IPsec would be required. The reality of this simply means that the IPsec header information can be placed within an IPv6 header. That's it. So there's nothing about IPv6 that makes it work perfectly with IPsec. In fact, IPsec works perfectly with IPv4 just as well. And by the way, the powers of the internet dropped all that and no longer say that you must run IPsec with IPv6, because, to be honest with you, I've never seen it.
Alright, now there's one more place, and you're going to see questions on the exam that kind of point to stuff like that, and that is using IPsec with non-secure protocols. Remember that the whole idea behind IPsec is that we would no longer have to have secure applications, or it would be more optional, because you'd have this layer 3 security. And that is one aspect where IPsec can work pretty well. For example, let's say for some reason you absolutely have to have a Telnet connection or something scary like that. Telnet is wide open, easy to read.
You could set up an IPsec tunnel that would allow you to encrypt all of that Telnet information between the two hosts, saving you a lot of trouble. So, if you had an application that absolutely had to have Telnet, you could do all kinds of stuff: you could put in IPv6 and IPsec and all that stuff. But the reality is, you're probably just going to use SSH. IPsec is an amazing tool. It's been around for a while, and we certainly see a lot of adoption of it. But unfortunately, IPsec being the ultimate fix for all of our security problems is probably never going to happen.
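An added example (not from the video) modelling the integrity-coverage point made above: AH's HMAC covers the IP addresses, so a NAT rewriting the source address breaks the check, whereas ESP in tunnel mode only protects the ESP header and the encapsulated inner packet, so the outer header can be rewritten. The header layouts are simplified, ESP encryption is left out (the inner packet stands in for the ciphertext), and the key, SPIs and addresses are constructed values.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key"  # assumption: the integrity key ISAKMP would have negotiated

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero (not needed for this model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def icv(data):
    """Integrity check value: HMAC-SHA256 truncated to 128 bits."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def ah_immutable(ip_hdr):
    """AH zeroes the mutable TTL and checksum fields but keeps src/dst addresses."""
    return ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]

AH_FIXED = struct.pack("!BBHII", 6, 5, 0, 0x1001, 1)  # next hdr=TCP, len, rsvd, SPI, seq

def ah_transport(ip_hdr, payload):
    """AH transport mode: IP header, AH header (ICV zeroed) and payload are all covered."""
    covered = ah_immutable(ip_hdr) + AH_FIXED + b"\x00" * 16 + payload
    return ip_hdr + AH_FIXED + icv(covered) + payload

def ah_verify(pkt):
    ip_hdr, ah, tag, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    return hmac.compare_digest(tag, icv(ah_immutable(ip_hdr) + ah + b"\x00" * 16 + payload))

def esp_tunnel(inner_pkt, outer_src, outer_dst):
    """ESP tunnel mode: the whole inner packet is the payload; the new outer header is NOT covered."""
    esp_hdr = struct.pack("!II", 0x2002, 1)  # SPI, sequence number
    outer = ipv4_header(outer_src, outer_dst, 50, 20 + 8 + len(inner_pkt) + 16)
    return outer + esp_hdr + inner_pkt + icv(esp_hdr + inner_pkt)

def esp_verify(pkt):
    return hmac.compare_digest(pkt[-16:], icv(pkt[20:-16]))

def nat_rewrite_src(pkt, new_src):
    """A NAT box replacing the outermost source address (bytes 12-15 of the IP header)."""
    return pkt[:12] + bytes(map(int, new_src.split("."))) + pkt[16:]

def demo():
    tcp = b"\x00\x17\x1f\x90" + b"\x00" * 16 + b"hello"  # constructed TCP header + data
    inner = ipv4_header("10.0.0.5", "10.0.1.9", 6, 20 + len(tcp)) + tcp
    ah = ah_transport(ipv4_header("10.0.0.5", "10.0.1.9", 51, 48 + len(tcp)), tcp)
    esp = esp_tunnel(inner, "203.0.113.10", "198.51.100.20")
    return {"ah_ok": ah_verify(ah),
            "ah_after_nat": ah_verify(nat_rewrite_src(ah, "203.0.113.77")),
            "esp_ok": esp_verify(esp),
            "esp_after_nat": esp_verify(nat_rewrite_src(esp, "203.0.113.77"))}
```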