Link layer encryption

Link layer encryption has been available for some time and can be applied by bulk encryptors, which encrypt all the traffic on a given link. Packets are encrypted when they leave a node and decrypted when they enter a node; data link layer headers are not encrypted. Because network layer information, in the form of network layer headers, is embedded in the link data stream, link layer encryption is independent of network protocols. However, each link will typically use a separate key to encrypt all its traffic, which makes the encryption devices specific to a given medium or interface type. In a large network, where many individual links may be used in a connection, traffic will need to be repeatedly encrypted and decrypted. One disadvantage is that while data is held at a node it will be in the clear (unencrypted) and vulnerable. Another is the need for a large number of keys along any path comprising many links. Hardware-based encryption devices are required to give high-speed performance and to ensure acceptable delays at data link layer interfaces. The effectiveness of link layer encryption therefore depends on the relative security of every node in the path, some of which may be within the internet. The question of who can access nodes in the internet then becomes a significant concern.

When applied to terrestrial networks, link layer encryption creates problems of delay and expense, but it is particularly useful in satellite links, because of their vulnerability to eavesdropping. In this case the satellite service provider takes responsibility for providing encryption between any two earth stations.

End-to-end encryption

I shall consider end-to-end encryption at the network layer and the application layer separately.

Network layer encryption

Network layer encryption is normally implemented between specific source and destination nodes as identified, for example, by IP addresses. As Figure 10(b) indicates, the network layer headers remain unencrypted.


What threats that you have previously encountered in this unit are still present with network layer encryption?

Network layer encryption may be applied to sections of a network rather than end-to-end; in this case the network layer packets are encapsulated within IP packets. A major advantage of network layer encryption is that it need not normally be concerned with the details of the transmission medium.

A feature of encryption up to and including the network layer is that it is generally transparent to the user. This means that users may be unaware of security breaches, and a single breach could have implications for many users. This is not the case for application layer encryption. As with link layer encryption, delays associated with encryption and decryption processes need to be kept to an acceptable level, but hardware-based devices capable of carrying out these processes have become increasingly available.

An important set of standards that has been introduced to provide network layer encryption, as well as other security services such as authentication, integrity and access control in IP networks, is IPSec from the IP Security Working Group of the Internet Engineering Task Force. You should refer to RFC 2401 (since superseded by RFC 4301, which describes the current architecture) if you need further details on these standards.

Application layer encryption

In application layer encryption, end-to-end security is provided at a user level by encryption applications at client workstations and server hosts. Of necessity, encryption will be as close to the source, and decryption as close to the destination, as is possible. With application layer encryption only the data is encrypted; all headers, down to and including the application layer, remain in the clear.

Examples of application layer encryption are S/MIME (secure/multipurpose internet mail extensions), S-HTTP (secure hypertext transfer protocol), PGP (Pretty Good Privacy) and MSP (message security protocol). Another example is SET (secure electronic transactions), which is used for bank card transactions over public networks. ‘Host layer encryption’ is a term sometimes used to refer to programs that perform encryption and decryption on behalf of the applications that access them. An example is Secure Sockets Layer (SSL).

Link layer encryption and end-to-end encryption compared and combined

Activity 9

Comparing end-to-end encryption with link layer encryption, which do you think is better?

An effective way of securing a network is to combine end-to-end with link layer encryption. The user data portion of a packet is encrypted at the host using an end-to-end encryption key. The packet is then transported across the nodes using link layer encryption, allowing each node to read the header information but not the user data. The user data is secure for the entire journey and only the packet headers are in the clear during the time the packet is processed by any node.
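The following simulation, added here as an illustration and not part of the original course text, carries one packet from host A through two intermediate nodes to host B and records where the user data and the header are readable in the clear. It models the three cases discussed in this unit: link layer encryption alone (data exposed at every node, as described earlier), end-to-end encryption alone (header exposed on every link) and the combination above. The path, keys and packet are constructed values, and the cipher is HMAC-SHA256 used in counter mode as an XOR keystream purely for illustration.

```python
"""Toy model of a packet crossing A -> N1 -> N2 -> B with link-layer,
end-to-end, or combined encryption, recording where user data is readable.
Cipher: HMAC-SHA256 in counter mode as an XOR keystream (illustration only:
unauthenticated, and each key encrypts exactly one packet here, so no
keystream is ever reused)."""
import hashlib
import hmac

PATH = ["A", "N1", "N2", "B"]  # constructed: source host, two nodes, destination host
# constructed keys: one per link, shared only by its two adjacent nodes
LINK_KEYS = {("A", "N1"): b"k-A-N1", ("N1", "N2"): b"k-N1-N2", ("N2", "B"): b"k-N2-B"}
E2E_KEY = b"k-A-B"  # constructed; known only to the two end hosts


def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """XOR data with a PRF keystream; calling it again with the same key decrypts."""
    blocks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


def send(header: bytes, payload: bytes, link: bool, end_to_end: bool) -> dict:
    """Carry one packet along PATH. Returns what each node holds in the clear
    ('seen': node -> (header, payload)) and each hop's wire bytes ('wire')."""
    seen = {PATH[0]: (header, payload)}  # the source host always has the plaintext
    if end_to_end:
        payload = xor_stream(E2E_KEY, b"e2e", payload)  # done once, at the source host
    wire = []
    for a, b in zip(PATH, PATH[1:]):
        packet = header + payload
        k = LINK_KEYS[(a, b)]
        frame = xor_stream(k, b"link", packet) if link else packet  # leaves node a
        wire.append(frame)  # what an eavesdropper on link a-b observes
        packet = xor_stream(k, b"link", frame) if link else frame  # enters node b
        header, payload = packet[:len(header)], packet[len(header):]
        seen[b] = (header, payload)  # node b reads the header to route the packet
    if end_to_end:
        seen[PATH[-1]] = (header, xor_stream(E2E_KEY, b"e2e", payload))  # only B has E2E_KEY
    return {"seen": seen, "wire": wire}


def exposure(result: dict, header: bytes, payload: bytes) -> dict:
    """Summarise where the user data and the header are readable in the clear."""
    return {
        "data_at_nodes": [n for n, (_, p) in result["seen"].items() if p == payload],
        "data_on_links": [i for i, f in enumerate(result["wire"]) if payload in f],
        "header_on_links": [i for i, f in enumerate(result["wire"]) if f.startswith(header)],
    }


if __name__ == "__main__":
    hdr, data = b"src=A,dst=B;", b"pay 100 to account 42"  # constructed packet
    for link, e2e in [(True, False), (False, True), (True, True)]:
        print(f"link={link} e2e={e2e}:", exposure(send(hdr, data, link, e2e), hdr, data))
```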


A network security manager in an organisation has overall responsibility for ensuring that networks are operated in a secure manner. From the manager's perspective, what level of encryption would be most suitable and why?

In considering the application of any encryption scheme, the cost in terms of network delay, increased overheads and finance must be weighed against the need for protection. As always, there is a need to balance the advantages of a more secure network against the disadvantages of implementing security measures and the potential costs of data interception and network attack.