
IP Security

Dr. Neminath Hubballi

Indian Institute of Technology Indore


Overview
- Background
- IPSec features
- Deployment scenarios
- Components
- Methods
- Security Association



IPSec Features
- Encrypts and authenticates network traffic at the IP layer
- Several networked applications can be secured without modification
- Data origin authentication: each IP datagram was originated by the
  claimed sender
- Data integrity: the IP datagram was not modified in transit
- Data confidentiality: conceals the content of a message, typically by using
  encryption
- Replay protection: a captured datagram cannot be retransmitted and accepted
  a second time
- Automated management of cryptographic keys and security associations:
  ensures that your VPN policy can be used throughout the extended
  network with little or no manual configuration
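The replay-protection feature above is enforced at the receiver with a per-association sliding window over the sequence number that AH and ESP carry. The following is an added example (not code from the slides or from any IPsec implementation) of such a window in the style of RFC 4303; the 64-packet window width and the packet trace are constructed for illustration.

```python
# Added example (not from the slides): a sliding-window anti-replay check of
# the kind an IPsec receiver keeps per Security Association (RFC 4303 style).
# Window size and the sample sequence numbers are constructed for illustration.

class ReplayWindow:
    """Track which 32-bit sequence numbers have already been accepted on one SA."""

    def __init__(self, size=64):
        self.size = size      # window width in packets (64 is a common default)
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) was received

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window;
        False if it is a replay, too old to track, or the invalid value 0."""
        if seq == 0:
            return False      # sequence numbers start at 1; 0 is never valid
        if seq > self.highest:
            # Slide the window forward; old entries fall off the left edge.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False      # older than the window: cannot be distinguished, reject
        if self.bitmap & (1 << offset):
            return False      # already received once: this is a replay
        self.bitmap |= 1 << offset
        return True


def replay_trace(seqs, size=64):
    """Run a constructed sequence of packets through one window and return the
    accept/reject decision for each packet, in order."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    trace = [1, 2, 2, 5, 3, 100, 30, 50, 50]   # constructed: includes replays and late arrivals
    for seq, ok in zip(trace, replay_trace(trace)):
        print(f"seq {seq:3d}: {'accept' if ok else 'reject (replay or too old)'}")
```

In the trace, the second copy of sequence number 2 is rejected as a replay, 3 is accepted even though it arrives after 5 (reordering inside the window is allowed), and 30 is rejected after 100 has been seen because it falls outside the 64-packet window.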



Note: replay protection means that once the receiver has accepted a packet P1,
an attacker who captured P1 cannot send it again and have it accepted.
Note: VPN stands for virtual private network.

Use cases (VPN)
- Secure branch office connectivity over the Internet
- Secure remote access over the Internet
- Secure connections with partner organizations



Where to Implement IPSec Methods?
- End host, or
- Middlebox



IPSec - Two Methods
- Authentication Header (AH): provides authentication through an
  extended/extra header (note: AH does not provide confidentiality)
  - Deprecated, as ESP provides both confidentiality and authentication
- Encapsulating Security Payload (ESP): provides confidentiality along with
  authentication



IPSec Modes
Both of these methods can operate in two different modes.
- Transport Mode: secures the data handed down by a protocol above IP
  - The IPSec header is inserted after the original IP header, in front of
    the transport-layer data
- Tunnel Mode: the original IP packet is encrypted and sent as the payload
  - A new IP header is inserted at the beginning



IPv4 Header Format

Notes: in transport mode the original packet is not modified; only a new IPsec
header is inserted. The Protocol field identifies which entity is actually
carried after the IP header, i.e. it is in effect a "next header" type,
pointing at the header that follows:
  6  for TCP
  17 for UDP
  4  for an IP header (IP-in-IP, as in tunnel mode)
  50 for an ESP header
  51 for an Authentication Header (AH provides only authentication of the
     datagram)



Authentication Header and IPv4

Courtesy: tcpguide.com



Authentication Header Format

Field layout (widths in bits; each row is one 32-bit word):
  Next Header (8) | Payload Length (8) | Reserved (16)
  Security Parameter Index (32)
  Sequence Number (32)
  Authentication Data (ICV, variable length)

Notes: the SPI, together with the addresses, identifies who the recipient and
the sender are and which cryptographic algorithm is in use. The sequence
number uniquely identifies each IP packet sent on the association and is the
basis for replay protection.
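To tie together the transport/tunnel mode layouts, the Protocol numbers listed for the IPv4 header, and the AH field layout above, here is an added example (not code from the slides or from any IPsec stack) that builds both a transport-mode and a tunnel-mode AH packet and then follows the Protocol / Next Header chain through them. The addresses, SPIs and sequence numbers are constructed, and the ICV is a fixed placeholder rather than a real MAC; checksums are left at zero since only the header chain is of interest.

```python
import struct

# Added example (not from the slides). Protocol numbers are the IANA values the
# slides list; addresses, SPI, sequence number and ICV bytes are constructed,
# and the "ICV" is a fixed placeholder, not a computed MAC.

PROTO_NAMES = {4: "IPv4 (tunnelled IP header)", 6: "TCP", 17: "UDP",
               50: "ESP", 51: "AH"}

def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))

def ipv4_header(src, dst, protocol, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (no options, checksum left 0)."""
    ver_ihl = (4 << 4) | 5                  # version 4, IHL 5 words = 20 bytes
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0,
                       ttl, protocol, 0, _ip(src), _ip(dst))

def ah_header(next_header, spi, seq, icv):
    """AH: Next Header, Payload Length, Reserved, SPI, Sequence Number, ICV.
    Payload Length is the AH length in 32-bit words minus 2 (RFC 4302)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def parse_ipv4(buf):
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return {"version": ver_ihl >> 4, "header_len": (ver_ihl & 0x0F) * 4,
            "total_len": total_len, "ttl": ttl, "protocol": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def parse_ah(buf):
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", buf[:12])
    ah_len = (payload_len + 2) * 4          # invert the Payload Length encoding
    return {"next_header": next_header, "ah_len": ah_len, "spi": spi,
            "seq": seq, "icv": buf[12:ah_len]}

def walk_headers(pkt):
    """Follow the Protocol / Next Header chain and return the protocol numbers
    met on the way, e.g. [51, 6] for transport-mode AH carrying TCP."""
    ip = parse_ipv4(pkt)
    chain, off, proto = [], ip["header_len"], ip["protocol"]
    while True:
        chain.append(proto)
        if proto == 51:                     # AH: step over it to what it carries
            ah = parse_ah(pkt[off:])
            off, proto = off + ah["ah_len"], ah["next_header"]
        elif proto == 4:                    # tunnel mode: an inner IP header follows
            inner = parse_ipv4(pkt[off:])
            off, proto = off + inner["header_len"], inner["protocol"]
        else:                               # TCP, UDP or ESP: stop here (ESP body is encrypted)
            return chain

ICV = b"\x11" * 12        # constructed placeholder for a 96-bit truncated HMAC
TCP_SEG = b"\xAB" * 24    # constructed stand-in for a TCP segment

def transport_mode_packet():
    """IP | AH | TCP: the original IP header is kept, AH sits in front of TCP."""
    ah = ah_header(6, 0x1000, 1, ICV)
    return ipv4_header("10.0.0.1", "10.0.0.2", 51, len(ah) + len(TCP_SEG)) + ah + TCP_SEG

def tunnel_mode_packet():
    """IP_outer | AH | IP_inner | TCP: a new outer header is added at the front."""
    inner = ipv4_header("10.0.0.1", "10.0.0.2", 6, len(TCP_SEG)) + TCP_SEG
    ah = ah_header(4, 0x2000, 1, ICV)
    return ipv4_header("203.0.113.1", "198.51.100.1", 51, len(ah) + len(inner)) + ah + inner

if __name__ == "__main__":
    for name, pkt in (("transport", transport_mode_packet()), ("tunnel", tunnel_mode_packet())):
        print(name, "->", " / ".join(PROTO_NAMES[p] for p in walk_headers(pkt)))
```

Running it prints `transport -> AH / TCP` and `tunnel -> AH / IPv4 (tunnelled IP header) / TCP`, which is exactly the difference between the two modes as seen from the header chain; the outer addresses in tunnel mode are the gateways, while the inner header still carries the end hosts.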



Encapsulating Security Payload

Courtesy: tcpguide.com



Encapsulating Security Payload

Field layout:
  Security Parameter Index (32 bits)
  Sequence Number (32 bits)
  Data (payload, variable length)
  Padding (variable) | Pad Length (8 bits) | Next Header (8 bits)
  Integrity Check Value (ESP authentication data, variable length)

Notes: the data is padded according to the block-size requirement of the
encryption algorithm; Pad Length records how many padding bytes were added to
the original data so that the receiver can strip them again.
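The padding, Pad Length and Next Header trailer is easiest to see with the NULL cipher (RFC 2410), where the payload stays in clear but the ESP framing is unchanged. The following is an added example (not code from the slides or from any IPsec implementation) that encapsulates and decapsulates such a packet, with the ICV computed as HMAC-SHA-256 truncated to 128 bits (RFC 4868). The authentication key, SPI and payload are constructed sample values; a real SA would additionally encrypt the data and trailer before computing the ICV.

```python
import hmac
import hashlib
import struct

# Added example (not from the slides). ESP framing with the NULL cipher so the
# Padding / Pad Length / Next Header trailer is visible in clear. ICV is
# HMAC-SHA-256-128 over SPI, Sequence Number, Data and trailer. The key, SPI
# and payload used below are constructed sample values.

ICV_LEN = 16   # 128-bit truncated HMAC-SHA-256 output

def esp_trailer_padding(payload_len, align=4):
    """Default ESP padding bytes 1, 2, 3, ... chosen so that
    Data + Padding + Pad Length + Next Header is a multiple of `align`
    (4 for a NULL cipher; the block size for a real block cipher)."""
    pad_len = (-(payload_len + 2)) % align
    return bytes(range(1, pad_len + 1))

def esp_encapsulate(payload, next_header, spi, seq, auth_key, align=4):
    """Return SPI | Seq | Data | Padding | Pad Length | Next Header | ICV."""
    pad = esp_trailer_padding(len(payload), align)
    body = struct.pack("!II", spi, seq) + payload + pad + bytes([len(pad), next_header])
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv

def esp_decapsulate(pkt, auth_key):
    """Verify the ICV first, then strip the trailer.
    Returns (spi, seq, next_header, payload); raises ValueError on a bad ICV
    or a malformed trailer, so nothing is acted on before authentication."""
    if len(pkt) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):        # constant-time comparison
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    data_and_pad = body[8:-2]
    if pad_len > len(data_and_pad):
        raise ValueError("Pad Length exceeds the data present")
    split = len(data_and_pad) - pad_len
    payload, pad = data_and_pad[:split], data_and_pad[split:]
    if pad != bytes(range(1, pad_len + 1)):
        raise ValueError("padding does not follow the default 1,2,3,... pattern")
    return spi, seq, next_header, payload

def tamper_detected(pkt, auth_key):
    """Flip one bit of the Sequence Number and report whether the receiver rejects it."""
    modified = bytearray(pkt)
    modified[7] ^= 0x01
    try:
        esp_decapsulate(bytes(modified), auth_key)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    key = b"constructed-auth-key-not-for-real-use"
    pkt = esp_encapsulate(b"hello", 17, 0x100, 7, key)     # 17 = UDP carried inside
    print(pkt.hex())
    print(esp_decapsulate(pkt, key))
    print("tamper detected:", tamper_detected(pkt, key))
```

With a five-byte payload the trailer needs one padding byte (5 + 1 + 2 = 8), so the decapsulated tuple is `(256, 7, 17, b'hello')`; flipping any bit before the ICV makes the receiver discard the packet before it looks at Pad Length or Next Header.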
IPSec Components
- Encryption and hashing algorithms
  - DES, AES
  - MD5, SHA-1
- Security Associations
- Key exchange methods

Note: a security association defines which cryptographic algorithm and which
hash algorithm are to be used.



IP Security Policy
- Security Association Database (SAD)
  - A security association is uniquely identified by
    - Security Parameter Index (SPI): a bit string added to the IP packet
    - Destination IP address
    - Security protocol identifier: AH or ESP
  - A Security Association is a one-way (simplex) connection
- Security Policy Database (SPD): determines the SA for a subset of IP
  traffic, selected by
  - Remote IP address
  - Local IP address
  - Higher-layer protocol
  - Name
  - Port numbers



IPSec Architecture
Security Policy sits on top of the three protocol components:
  AH | ESP | IKE (Internet Key Exchange)



Establishing a Security Association
- Manually
  - Configured on each node:
    - Who the participants of the communication are
    - Mode of IPSec
    - Key to be used
- Internet Key Exchange (IKE)
  - Automatic configuration



IP Packet Processing: Outbound
Courtesy: Network Security Essentials, by William Stallings



IP Packet Processing: Inbound
Courtesy: Network Security Essentials, by William Stallings
