Scribd Logo
Upload

Welcome to Scribd!

  • IPSec

    Uploaded by

    Dinesh Parashar
    35 views25 pages

    Original Title

    IPSec.ppt

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    35 views25 pages

    IPSec

    Uploaded by

    Dinesh Parashar

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 25

    Information System Security

    AABFS-Jordan
    Summer 2006

    IP Security
    Supervisor :Dr. Lo'ai Ali Tawalbeh
    Done by: Wa’el Musa Hadi
    What is IP Security

    • Framework of open standards to ensure


    secure communications over the Internet

    In short: It is the network layer Internet


    Security Protocol
    IPSEC Service

    Upper
    IP layer
    Header data Case 1 : Insecure IP Packet

    Internet/ IPSec disabled host


    Intranet
    Upper
    IP IPSec layer
    Header Header data Case 2 : Secure IP Packet

    IPSec enabled host


    IPSec
    • general IP Security mechanisms
    • provides
    – authentication
    – confidentiality
    – key management
    • applicable to use over LANs, across public
    & private WANs, & for the Internet
    IP sec Application
    •IPSec provides the capability to secure
    communications across a LAN, across private
    and public WANs, and across the Internet.
    –Secure branch office connectivity over the Internet
    –Secure remote access over the Internet
    –Establishing extranet and intranet connectivity with partners
    –Enhancing electronic commerce security
    Security Associations
    • One of the most important concepts in IPSec is called a
    Security Association (SA). Defined in RFC 1825.
    • SAs are the combination of a given Security Parameter
    Index (SPI) and Destination Address.
    • SAs are one way. A minimum of two SAs are required
    for a single IPSec connection.
    • SAs contain parameters including:
    – Authentication algorithm and algorithm mode
    – Encryption algorithm and algorithm mode
    – Key(s) used with the authentication/encryption algorithm(s)
    – Lifetime of the key
    – Lifetime of the SA
    – Source Address(es) of the SA
    – Sensitivity level (ie Secret or Unclassified)
    IP security scenario
    scenario of IPSec usage
    • An organization maintains LANs at dispersed
    locations
    • Non secure IP traffic is conducted on each LAN.
    • IPSec protocols are used
    • These protocols operate in networking devices
    that connect each LAN to the outside world.
    (router, firewall )
    • The IPSec networking device will typically
    encrypt and compress all traffic going into the
    WAN, and decrypt and decompress traffic
    coming from the WAN
    Why not use IPSec?
    • Processor overhead to encrypt & verify
    each packet can be great.
    • Added complexity in network design.
    Benefits of IPSec
    • in a firewall/router provides strong security
    to all traffic crossing the perimeter
    • in a firewall/router is resistant to bypass
    • is below transport layer, hence transparent
    to applications
    • can be transparent to end users
    • can provide security for individual users
    • secures routing architecture
    IPsec
    Network Layer Security
    • IP security (IPsec)
    – Two protocols
    • Authentication protocol, using an Authentication Header (AH)
    • Encryption/authentication protocol, called the Encapsulating
    Security Payload (ESP)
    – Two modes of operation
    • Transport mode: provides protection for upper-layer
    protocols
    • Tunnel mode: protects the entire IP datagram
    IPSec protocols – AH protocol
    • AH - Authentication Header
    – Defined in RFC 1826
    – Integrity: Yes, including IP header
    – Authentication: Yes
    – Non-repudiation: Depends on cryptography algorithm.
    – Encryption: No
    – Replay Protection: Yes
    Transport Packet layout
    IP Header AH Header Payload (TCP, UDP, etc)
    Tunnel Packet layout
    IP Header AH Header IP Header Payload (TCP. UDP,etc)
    IPSec protocols – ESP protocol
    • ESP – Encapsulating Security Payload
    – Defined in RFC 1827
    – Integrity: Yes
    – Authentication: Depends on cryptography algorithm.
    – Non-repudiation: No
    – Encryption: Yes
    – Replay Protection: Yes
    Transport Packet layout
    IP Header ESP Header Payload (TCP, UDP, etc)
    Tunnel Packet layout
    IP Header ESP Header IP Header Payload (TCP. UDP,etc)

    Unencrypted Encrypted
    What protocol to use?
    • Differences between AH and ESP:
    – ESP provides encryption, AH does not.
    – AH provides integrity of the IP header, ESP does not.
    – AH can provide non-repudiation. ESP does not.
    • However, we don’t have to choose since both
    protocols can be used in together.
    • Why have two protocols?
    – Some countries have strict laws on encryption. If you
    can’t use encryption in those countries, AH still
    provides good security mechanisms. Two protocols
    ensures wide acceptance of IPSec on the Internet.
    Data Integrity and Confidentiality

    Basic difference between AH and ESP


    IPSec Protocols (cont)
    Algorithms Used:
    Encryption:
    Symmetric – As IP packets may arrive out of order and
    Asymmetric algorithms are incredible slow.
    E.g. DES (Data Encryption Standard)

    Authentication:
    MAC (Message Authentication Codes) based on symmetric
    encryption algorithms.
    One way hash functions. (MD5 or SHA-1)
    Transport Versus Tunnel Mode

    Transport Mode:
    • Used for Peer to Peer communication security
    • Data is encrypted

    Tunnel Mode:
    • Used for site-to-site communication security
    • Entire packet is encrypted.
    Transport versus Tunnel mode
    (cont)
    Transport mode is used when the cryptographic endpoints are also the
    communication endpoints of the secured IP packets.

    Cryptographic endpoints: The entities that generate / process an IPSec header


    (AH or ESP)
    Communication endpoints: Source and Destination of an IP packet
    Transport versus Tunnel mode
    (cont)
    Tunnel mode is used when at least one cryptographic endpoint is not a
    communication endpoint of the secured IP packets.

    Outer IP Header – Destination for the router.


    Inner IP Header – Ultimate Destination
    Transport Mode

    Tunneling Mode
    How IPSec works: Phase 1
    • Internet Key Exchange (IKE) is used to setup
    IPSec.
    • IKE Phase 1:
    – Establishes a secure, authenticated channel between the two
    computers
    – Authenticates and protects the identities of the peers
    – Negotiates what SA policy to use
    – Performs an authenticated shared secret keys exchange
    – Sets up a secure tunnel for phase 2
    – Two modes: Main mode or Aggressive mode
    • Main Mode IKE
    1. Negotiate algorithms & hashes.
    2. Generate shared secret keys using a Diffie-Hillman exchange.
    3. Verification of Identities.
    • Aggressive Mode IKE
    – Squeezes all negotiation, key exchange, etc. into less packets.
    – Advantage: Less network traffic & faster than main mode.
    How IPSec works: Phase 2
    – An AH or ESP packet is then sent using the agreed
    upon “main” SA during the IKE phase 1.
    – IKE Phase 2
    • Negotiates IPSec SA parameters
    • Establishes IPSec security associations for specific
    connections (like FTP, telnet, etc)
    • Renegotiates IPSec SAs periodically
    • Optionally performs an additional Diffie-Hellman exchange
    How IPSec works: Communication
    • Once Phase 2 has established an SA for a
    particular connection, all traffic on that
    connection is communicated using the SA.
    • IKE Phase 1 exchange uses UDP Port 500.
    • AH uses IP protocol 51.
    • ESP uses IP protocol 50.
    Key Management

    You might also like