5.3.1 Network layer encryption
Network layer encryption is normally implemented between specific source and destination nodes as identified, for example, by IP addresses. As Figure 10(b) indicates, the network layer headers remain unencrypted.
What threats that you have previously encountered in this unit are still present with network layer encryption?
As information contained in IP packet headers is not concealed, eavesdroppers could perform traffic analysis based on IP addresses, and information in the headers could also be modified for malicious purposes.
Network layer encryption may be applied to sections of a network rather than end-to-end; in this case the network layer packets are encapsulated within IP packets. A major advantage of network layer encryption is that it need not normally be concerned with the details of the transmission medium.
A feature of encryption up to and including the network layer is that it is generally transparent to the user. This means that users may be unaware of security breaches, and a single breach could have implications for many users. This is not the case for application layer encryption. As with link layer encryption, delays associated with encryption and decryption processes need to be kept to an acceptable level, but hardware-based devices capable of carrying out these processes have become increasingly available.
An important set of standards that has been introduced to provide network layer encryption, as well as other security services such as authentication, integrity and access control in IP networks, is IPSec from the IP Security Working Group of the Internet Engineering Task Force. You should refer to RFC 2401 if you need further details on these standards.
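The point that network layer headers remain unencrypted, and the section-to-section encapsulation described above, can be seen in the following added example, which is not part of the original unit. It assumes the IPsec Encapsulating Security Payload layout (IP protocol 50, with a cleartext SPI and sequence number); the addresses and SPI are constructed sample values, and random bytes stand in for the ciphertext, with the real protocol's padding and integrity fields omitted.

```python
import ipaddress
import os
import struct

ESP = 50  # IP protocol number of the IPsec Encapsulating Security Payload
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def checksum(header: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    def pack(csum: int) -> bytes:
        return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, csum,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return pack(checksum(pack(0)))  # second pass fills in the checksum

def tunnel_packet(gw_src: str, gw_dst: str, inner: bytes, spi: int, seq: int) -> bytes:
    """Outer IP header + ESP header (SPI, sequence number) + opaque body."""
    opaque = os.urandom(len(inner))  # stand-in for the encrypted inner packet
    esp = struct.pack("!II", spi, seq) + opaque
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def observer_view(packet: bytes) -> dict:
    """Fields an on-path observer can read without holding any key."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    view = {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "total_len": total_len,
            "checksum_ok": checksum(packet[:ihl]) == 0}
    if proto == ESP and len(packet) >= ihl + 8:
        view["spi"], view["seq"] = struct.unpack("!II", packet[ihl:ihl + 8])
    return view

# Constructed sample: host 10.1.0.5 sends 20 bytes to 10.2.0.9 through two
# gateways (documentation addresses), so the inner packet is 40 bytes long.
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 6, 20) + b"A" * 20
OUTER = tunnel_packet("192.0.2.1", "198.51.100.1", INNER, spi=0x1001, seq=1)

if __name__ == "__main__":
    print(observer_view(OUTER))
```

The observer recovers the gateway addresses, the packet length and the sequence number, which is enough for traffic analysis between the two sites, while the inner host addresses are hidden inside the encrypted body.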