Overview
- Background
- IPSec features
- Deployment scenarios
- Components
- Methods
- Security Association
Indian Institute of Technology Indore
IPSec Features
- Encrypt and authenticate network traffic at the IP layer
- Several networked applications can be secured
- Data origin authentication: each IP datagram was originated by the claimed sender
- Data integrity: the IP datagram was not modified in transit
- Data confidentiality: conceals the content of a message, typically by using encryption
- Replay protection: a captured datagram cannot be retransmitted and accepted again
- Automated management of cryptographic keys and security associations: ensures that your VPN policy can be used throughout the extended network with little or no manual configuration
Note: once the receiver has accepted packet P1, an attacker who captured it cannot send P1 again and have it accepted. VPN stands for virtual private network.
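The replay check described above (the "Replay protection" feature and the P1 note), as an added example that is not part of the lecture slides: a receiver-side anti-replay window in the style of RFC 4303 section 3.4.3. It assumes a 64-packet window and the constructed sequence-number stream in the `__main__` block; `icv_ok` stands in for the integrity check that a real implementation performs on the packet.

```python
# Added example (not part of the lecture slides): a receiver-side anti-replay
# window in the style of RFC 4303 section 3.4.3. Each inbound Security
# Association keeps the highest sequence number accepted so far and a bitmap of
# which of the last WINDOW_SIZE numbers below it have already been seen.

WINDOW_SIZE = 64  # RFC 4303 requires support for at least 32; 64 is a common default


class AntiReplayWindow:
    """Replay state for one inbound SA (sequence numbers are 32-bit, first packet is 1)."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  <=>  sequence number (highest - i) was accepted

    def is_fresh(self, seq: int) -> bool:
        """Preliminary check: could this sequence number still be accepted?"""
        if seq == 0:                      # 0 is never transmitted on an SA
            return False
        if seq > self.highest:            # to the right of the window: new
            return True
        offset = self.highest - seq
        if offset >= self.size:           # fell off the left edge: too old
            return False
        return not (self.bitmap >> offset) & 1   # inside the window: new only if bit clear

    def mark(self, seq: int) -> None:
        """Record seq as accepted; only call after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def accept(self, seq: int, icv_ok: bool) -> bool:
        """Receive-side order: window check, then integrity check, then update.
        A packet that fails the ICV must not advance the window, otherwise a
        forged sequence number could push genuine packets out of it."""
        if not self.is_fresh(seq):
            return False
        if not icv_ok:
            return False
        self.mark(seq)
        return True


def replay_filter(seq_numbers, size: int = WINDOW_SIZE):
    """Feed a constructed stream of inbound sequence numbers (all with a valid ICV)
    through one window; return (accepted, rejected) in arrival order."""
    window = AntiReplayWindow(size)
    accepted, rejected = [], []
    for seq in seq_numbers:
        (accepted if window.accept(seq, icv_ok=True) else rejected).append(seq)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed arrival order: a replay of 2 and 3, reordering (3 after 5),
    # a jump to 100, then 36 (too old) and 37 (oldest still inside the window).
    print(replay_filter([1, 2, 2, 5, 3, 3, 100, 36, 37, 0]))
```

The window tolerates reordering (3 arriving after 5 is still accepted) while rejecting exact duplicates and anything older than the window; the split into `is_fresh` and `mark` is what lets the integrity check sit between them.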
Use cases (VPN)
- Secure branch office connectivity over the Internet
- Secure remote access over the Internet
- Secure connections with partner organizations
Where to Implement IPSec Methods?
- End host, or
- Middlebox
IPSec: Two Methods
- Authentication Header (AH): provides authentication through an extended/extra header; it does not provide confidentiality.
  - Deprecated in practice, as ESP provides both confidentiality and authentication.
- Encapsulating Security Payload (ESP): provides confidentiality along with authentication.
IPSec Modes
Both of these methods can operate in two different modes:
- Transport Mode: secures the data handed down by a protocol above IP
  - The IPSec header is inserted between the original IP header and its payload
- Tunnel Mode: the original IP packet is encrypted as a whole and sent
  - A new IP header is inserted at the beginning
Note: in transport mode the original packet is not modified; only a new IPsec header is inserted. The Protocol field identifies which entity is actually carried.

IPv4 Header Format
Protocol field values:
- 6 for TCP
- 17 for UDP
- 4 for an IP header (an encapsulated IP packet, as in tunnel mode)
- 50 for an ESP header
- 51 for an Authentication Header (the Authentication Header provides only authentication of the datagram)
The Protocol field carries this number, so it identifies the type of the next header: in some sense it points to the next header.
Authentication Header and IPv4
Courtesy: tcpguide.com
Authentication Header Format
Note: the SPI identifies who the recipient is, who the sender is and which cryptographic algorithm is in use.

  Field                      Size
  Next Header                8 bits
  Payload Length             8 bits
  Reserved                   16 bits
  Security Parameter Index   32 bits
  Sequence Number            32 bits
  Authentication Data (ICV)  variable (a multiple of 32 bits)

Note: the sequence number uniquely identifies each IP packet sent on the security association.
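The Protocol / Next Header chain and the Authentication Header layout described above, as an added example that is not part of the lecture slides: a parser that walks an IPv4 packet through AH (protocol 51) to the carried TCP or UDP, in both transport mode and tunnel mode (next header 4). It assumes the RFC 4302 field sizes for AH, a 96-bit ICV, and the constructed packets built at the bottom (the IPv4 header checksum is left zero and the ICV is a placeholder, since neither is validated here).

```python
# Added example (not part of the lecture slides): parse IPv4 + Authentication
# Header and follow the Protocol / Next Header chain. Packets below are
# constructed, not captured.
import struct
import ipaddress

# Protocol numbers from the slide: what the IPv4 Protocol field / AH Next Header
# field says comes next.
PROTO_NAMES = {4: "IPv4", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
AH_FIXED_LEN = 12  # Next Header, Payload Len, Reserved, SPI, Sequence Number


def parse_ipv4(buf: bytes):
    """Parse a minimal IPv4 header; return (fields, payload bytes)."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len > len(buf) or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    fields = {
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }
    return fields, buf[ihl:total_len]


def parse_ah(buf: bytes):
    """Parse an Authentication Header (RFC 4302 layout); return (fields, payload bytes)."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("truncated AH")
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:AH_FIXED_LEN])
    # Payload Len is the AH length in 32-bit words minus 2, so the whole header
    # (fixed part + ICV) is (payload_len + 2) * 4 bytes.
    ah_len = (payload_len + 2) * 4
    if ah_len > len(buf):
        raise ValueError("AH payload length exceeds packet")
    fields = {"next_header": next_hdr, "spi": spi, "seq": seq, "icv": buf[AH_FIXED_LEN:ah_len]}
    return fields, buf[ah_len:]


def walk_headers(packet: bytes):
    """Follow the protocol / next-header chain from the outside in and name each header."""
    chain = ["IPv4"]
    ip, rest = parse_ipv4(packet)
    proto = ip["protocol"]
    while True:
        chain.append(PROTO_NAMES.get(proto, f"proto-{proto}"))
        if proto == 51:                     # AH: authentication only, payload stays visible
            ah, rest = parse_ah(rest)
            proto = ah["next_header"]
        elif proto == 4:                    # tunnel mode: a full inner IPv4 packet follows
            ip, rest = parse_ipv4(rest)
            proto = ip["protocol"]
        else:                               # TCP/UDP/ESP: stop (an ESP payload is opaque here)
            return chain


# --- constructed sample packets (not captured traffic) ------------------------

def build_ipv4(proto: int, payload: bytes, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    total_len = 20 + len(payload)
    # header checksum left 0: this example does not validate it
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    ah_len = AH_FIXED_LEN + len(icv)
    assert ah_len % 4 == 0, "AH must be a multiple of 32 bits"
    payload_len = ah_len // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


FAKE_ICV = bytes(12)                      # placeholder 96-bit ICV (truncated HMAC size)
TCP_SEGMENT = bytes(20) + b"hello"        # placeholder TCP header + data
UDP_DATAGRAM = bytes(8) + b"world"        # placeholder UDP header + data

# Transport mode: IPv4(51) -> AH(next=6) -> TCP
TRANSPORT_PKT = build_ipv4(51, build_ah(6, spi=0x1000, seq=1, icv=FAKE_ICV) + TCP_SEGMENT)
# Tunnel mode: IPv4(51) -> AH(next=4) -> inner IPv4(17) -> UDP
INNER = build_ipv4(17, UDP_DATAGRAM, src="192.168.1.5", dst="192.168.2.9")
TUNNEL_PKT = build_ipv4(51, build_ah(4, spi=0x2000, seq=7, icv=FAKE_ICV) + INNER)

if __name__ == "__main__":
    print(walk_headers(TRANSPORT_PKT))   # ['IPv4', 'AH', 'TCP']
    print(walk_headers(TUNNEL_PKT))      # ['IPv4', 'AH', 'IPv4', 'UDP']
```

The length checks in `parse_ah` matter: Payload Length is attacker-influenced on the wire, so a parser must bound the ICV slice by the buffer it actually has rather than trusting the field.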
Encapsulating Security Payload
Courtesy: tcpguide.com
Encapsulating Security Payload
- Security Parameter Index
- Sequence Number
- Payload Data
- Padding
- Pad Length
- Next Header
- Integrity Check Value (ESP authentication data)
Note: padding is added to the original data according to how many bytes the encryption algorithm requires (block alignment).

IPSec Components
- Encryption and hashing algorithms
  - DES, AES
  - MD5, SHA-1
- Security Associations
- Key Exchange Methods
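The ESP trailer (Padding, Pad Length, Next Header) and the padding note above, as an added example that is not part of the lecture slides: building the trailer for a given cipher block size (16 bytes for AES-CBC, 8 for DES-CBC, both from the components list) and removing it on the receiving side. It assumes the RFC 4303 default padding pattern (1, 2, 3, ...) and that the receiver only reaches `strip_esp_trailer` after the ICV has verified.

```python
# Added example (not part of the lecture slides): building and removing the ESP
# trailer. ESP pads the plaintext so that Payload Data + Padding + Pad Length +
# Next Header is a multiple of the cipher's block size and, in any case, of
# 4 bytes. Pad Length and Next Header are the last two bytes and are encrypted
# together with the payload.

AES_BLOCK = 16   # AES-CBC block size in bytes
DES_BLOCK = 8    # DES/3DES-CBC block size in bytes


def esp_padding_length(payload_len: int, block_size: int) -> int:
    """Bytes of Padding needed so the encrypted region is block-aligned."""
    if block_size < 4 or block_size % 4 or block_size > 256:
        raise ValueError("block size must be a multiple of 4 and fit in Pad Length")
    return (-(payload_len + 2)) % block_size   # +2 for Pad Length and Next Header


def add_esp_trailer(payload: bytes, next_header: int, block_size: int) -> bytes:
    """Sender side: append Padding, Pad Length and Next Header to the payload."""
    pad_len = esp_padding_length(len(payload), block_size)
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default pattern 1, 2, 3, ...
    return payload + padding + bytes([pad_len, next_header])


def strip_esp_trailer(plaintext: bytes):
    """Receiver side: return (payload, next_header).
    Run only after the ICV has verified; because integrity is checked first,
    a padding error here cannot be turned into a padding oracle."""
    if len(plaintext) < 2:
        raise ValueError("ESP trailer missing")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("Pad Length exceeds plaintext")
    end_of_payload = len(plaintext) - 2 - pad_len
    padding = plaintext[end_of_payload:len(plaintext) - 2]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("unexpected padding bytes")
    return plaintext[:end_of_payload], next_header


if __name__ == "__main__":
    # Constructed 5-byte payload carrying TCP (next header 6) under AES-CBC:
    # 5 + 9 padding + 2 trailer bytes = 16, one full block.
    framed = add_esp_trailer(b"hello", 6, AES_BLOCK)
    print(len(framed), strip_esp_trailer(framed))   # 16 (b'hello', 6)
```

The Next Header field moves to the end of the encrypted region precisely so that an observer cannot read which transport protocol the ESP payload carries, which is the confidentiality advantage over AH.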
Note: a security association defines which cryptographic (encryption) algorithm and which hash algorithm are to be used.
IP Security Policy
- Security Association Database (SAD)
  - A security association is uniquely identified by:
    - Security Parameter Index (SPI): a bit string added to the IP packet
    - Destination IP address
    - Security protocol identifier: AH or ESP
  - A Security Association is a one-way connection
- Security Policy Database (SPD): determines the SA for a subset of IP traffic, selected by:
  - Remote IP address
  - Local IP address
  - Higher-layer protocol
  - Name
  - Port numbers
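The SAD/SPD relationship above, as an added example that is not part of the lecture slides: a small model in which SPD entries carry the slide's traffic selectors (remote address, local address, higher-layer protocol, port; the name selector is left out) and map to an SA keyed by the (SPI, destination address, AH/ESP) triple. Outbound processing consults the SPD first and the SAD second; inbound processing goes straight to the SAD using the values in the received packet. The gateway addresses, SPIs and algorithm names are constructed for illustration.

```python
# Added example (not part of the lecture slides): a minimal model of the Security
# Policy Database (SPD) and Security Association Database (SAD). Addresses,
# SPIs and algorithm names below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SAKey:
    """The triple that uniquely identifies a Security Association."""
    spi: int
    dst: str        # destination IP address
    protocol: str   # "AH" or "ESP"


@dataclass
class SecurityAssociation:
    key: SAKey
    mode: str       # "transport" or "tunnel"
    cipher: str     # e.g. "AES" (ESP only)
    auth: str       # e.g. "SHA-1"
    seq: int = 0    # outbound sequence counter, incremented per packet sent


@dataclass
class Selector:
    """SPD traffic selectors from the slide (the 'name' selector is omitted here)."""
    local: str                       # CIDR
    remote: str                      # CIDR
    proto: Optional[int] = None      # higher-layer protocol number, None = any
    port: Optional[int] = None       # remote port, None = any

    def matches(self, local, remote, proto, port) -> bool:
        return (ipaddress.ip_address(local) in ipaddress.ip_network(self.local)
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.remote)
                and (self.proto is None or self.proto == proto)
                and (self.port is None or self.port == port))


@dataclass
class Policy:
    selector: Selector
    action: str                      # "PROTECT", "BYPASS" or "DISCARD"
    sa_key: Optional[SAKey] = None   # which SA applies when action == "PROTECT"


class IPsecPolicy:
    def __init__(self):
        self.spd = []    # ordered: first matching policy wins
        self.sad = {}    # SAKey -> SecurityAssociation

    def add_policy(self, policy: Policy):
        self.spd.append(policy)

    def add_sa(self, sa: SecurityAssociation):
        self.sad[sa.key] = sa

    def outbound(self, local, remote, proto, port):
        """Outbound processing: SPD lookup first, then SAD lookup for PROTECT."""
        for policy in self.spd:
            if policy.selector.matches(local, remote, proto, port):
                break
        else:
            return "DISCARD", None             # no matching policy: default deny
        if policy.action != "PROTECT":
            return policy.action, None
        sa = self.sad.get(policy.sa_key)
        if sa is None:
            return "NEEDS_IKE", policy.sa_key  # policy exists but no SA yet: trigger IKE
        sa.seq += 1
        return "PROTECT", sa

    def inbound(self, spi: int, dst: str, protocol: str):
        """Inbound processing: the packet's SPI, destination and protocol select the SA."""
        return self.sad.get(SAKey(spi, dst, protocol))


def build_site_to_site():
    """Constructed gateway-to-gateway tunnel; SAs are one-way, so two are needed."""
    p = IPsecPolicy()
    out_sa = SecurityAssociation(SAKey(0x1001, "198.51.100.1", "ESP"), "tunnel", "AES", "SHA-1")
    in_sa = SecurityAssociation(SAKey(0x2002, "203.0.113.1", "ESP"), "tunnel", "AES", "SHA-1")
    p.add_sa(out_sa)
    p.add_sa(in_sa)
    p.add_policy(Policy(Selector("192.168.1.0/24", "192.168.2.0/24"), "PROTECT", out_sa.key))
    p.add_policy(Policy(Selector("192.168.1.0/24", "0.0.0.0/0", proto=6, port=23), "DISCARD"))
    p.add_policy(Policy(Selector("192.168.1.0/24", "0.0.0.0/0"), "BYPASS"))
    return p


if __name__ == "__main__":
    p = build_site_to_site()
    print(p.outbound("192.168.1.10", "192.168.2.20", 6, 22))   # ('PROTECT', <SA spi 0x1001>)
    print(p.outbound("192.168.1.10", "203.0.113.77", 17, 53))  # ('BYPASS', None)
```

Two details carry the slide's points: the SAD is keyed by the full triple, so an SPI alone never selects an SA, and because each SA is one-way the tunnel needs a separate inbound SA whose destination is the local gateway.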
IPSec Architecture (figure): Security Policy; AH; ESP; IKE (Internet Key Exchange)
Establishing a Security Association
- Manually
  - Configured on each node:
    - Who the participants of the communication are
    - Mode of IPSec
    - Key to be used
- Internet Key Exchange (IKE)
  - Automatic configuration
IP Packet Processing: Outbound Courtesy: Network Security Essentials By William Stallings
IP Packet Processing: Inbound Courtesy: Network Security Essentials By William Stallings