0
IPSec—An Overview

BY Amin Pathan
MGM`s Polytechnic, Aurangabad

1
Outline


why IPSec?



IPSec Architecture



Internet Key Exchange (IKE)



IPSec Policy



discussion

2
IP is not Secure!


IP protocol was designed in the late 70s to early 80s

– Part of DARPA Internet Project
– Very small ...
Security Issues in IP


source spoofing



replay packets



no data integrity or confidentiality

• DOS attacks

• Rep...
Goals of IPSec


to verify sources of IP packets

– authentication


to prevent replaying of old packets



to protect ...
Outline


Why IPsec?



IPSec Architecture



Internet Key Exchange (IKE)



IPsec Policy



Discussion

6
The IPSec Security Model
Secure

Insecure

7
IPSec Architecture

ESP

AH

Encapsulating Security
Payload

Authentication Header
IPSec Security Policy

IKE
The Internet...
IPSec Architecture


IPSec provides security in three situations:

– Host-to-host, host-to-gateway and
gateway-to-gateway...
IPsec Architecture
Transport Mode

Router

Router

Tunnel Mode

10
Various Packets
Original

IP header

TCP header

Transport
mode

IP header

IPSec header TCP header

IP header

IPSec head...
IPSec


A collection of protocols (RFC 2401)

– Authentication Header (AH)


RFC 2402

– Encapsulating Security Payload ...
Authentication Header
(AH)


Provides source authentication
– Protects against source spoofing




Provides data integr...
AH Details




Use 32-bit monotonically increasing sequence number to avoid
replay attacks
Use cryptographically strong ...
Encapsulating Security
Payload (ESP)


Provides all that AH offers, and



in addition provides data confidentiality

– ...
ESP Details


Same as AH:

– Use 32-bit sequence number to counter
replaying attacks
– Use integrity check algorithms


...
Internet Key Exchange
(IKE)


Exchange and negotiate security policies



Establish security sessions

– Identified as S...
IPsec/IKE Acronyms


Security Association (SA)

– Collection of attribute associated with a
connection
– Is asymmetric!
...
IPsec/IKE Acronyms


Security Parameter Index (SPI)

– A unique index for each entry in the
SADB
– Identifies the SA asso...
How They Fit Together
SPD
SA-1
SA-2

SADB

SPI

SPI

20
SPD and SADB Example
A’s SPD

Transport Mode

A

C

B

D

Tunnel Mode

A’s SADB

From

To

Asub

Bsub

From

To

Asub

Bsu...
IPsec Policy



Phase 1 policies are defined in terms of
protection suites
Each protection suite
– Must contain the foll...
IPSec Policy




Phase 2 policies are defined in terms of
proposals
Each proposal:
– May contain one or more of the foll...
Resources


IP, IPsec and related RFCs:

– http://www.ietf.org/html.charters/ipsec-charter.html
– IPsec: RFC 2401, IKE: R...
Upcoming SlideShare
Loading in...5
×

IP Sec by Amin Pathan

81

Published on

Published in: Education, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
81
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
7
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Transcript of "IP Sec by Amin Pathan"

  1. 1. IPSec—An Overview BY Amin Pathan MGM`s Polytechnic, Aurangabad 1
  2. 2. Outline  why IPSec?  IPSec Architecture  Internet Key Exchange (IKE)  IPSec Policy  discussion 2
  3. 3. IP is not Secure!  IP protocol was designed in the late 70s to early 80s – Part of DARPA Internet Project – Very small network All hosts are known!  So are the users!  Therefore, security was not an issue  3
  4. 4. Security Issues in IP  source spoofing  replay packets  no data integrity or confidentiality • DOS attacks • Replay attacks • Spying • and more… Fundamental Issue: Networks are not (and will never be) fully secure 4
  5. 5. Goals of IPSec  to verify sources of IP packets – authentication  to prevent replaying of old packets  to protect integrity and/or confidentiality of packets – data Integrity/Data Encryption 5
  6. 6. Outline  Why IPsec?  IPSec Architecture  Internet Key Exchange (IKE)  IPsec Policy  Discussion 6
  7. 7. The IPSec Security Model Secure Insecure 7
  8. 8. IPSec Architecture ESP AH Encapsulating Security Payload Authentication Header IPSec Security Policy IKE The Internet Key Exchange 8
  9. 9. IPSec Architecture  IPSec provides security in three situations: – Host-to-host, host-to-gateway and gateway-to-gateway  IPSec operates in two modes: – Transport mode (for end-to-end) – Tunnel mode (for VPN) 9
  10. 10. IPsec Architecture Transport Mode Router Router Tunnel Mode 10
  11. 11. Various Packets Original IP header TCP header Transport mode IP header IPSec header TCP header IP header IPSec header Tunnel mode data IP header data TCP header 11 data
  12. 12. IPSec  A collection of protocols (RFC 2401) – Authentication Header (AH)  RFC 2402 – Encapsulating Security Payload (ESP)  RFC 2406 – Internet Key Exchange (IKE)  RFC 2409 – IP Payload Compression (IPcomp)  RFC 3137 12
  13. 13. Authentication Header (AH)  Provides source authentication – Protects against source spoofing   Provides data integrity Protects against replay attacks – Use monotonically increasing sequence numbers – Protects against denial of service attacks  NO protection for confidentiality! 13
  14. 14. AH Details   Use 32-bit monotonically increasing sequence number to avoid replay attacks Use cryptographically strong hash algorithms to protect data integrity (96-bit) – Use symmetric key cryptography – HMAC-SHA-96, HMAC-MD5-96 14
  15. 15. Encapsulating Security Payload (ESP)  Provides all that AH offers, and  in addition provides data confidentiality – Uses symmetric key encryption 15
  16. 16. ESP Details  Same as AH: – Use 32-bit sequence number to counter replaying attacks – Use integrity check algorithms  Only in ESP: – Data confidentiality:  Uses symmetric key encryption algorithms to encrypt packets 16
  17. 17. Internet Key Exchange (IKE)  Exchange and negotiate security policies  Establish security sessions – Identified as Security Associations  Key exchange  Key management  Can be used outside IPsec as well 17
  18. 18. IPsec/IKE Acronyms  Security Association (SA) – Collection of attribute associated with a connection – Is asymmetric!    One SA for inbound traffic, another SA for outbound traffic Similar to ciphersuites in SSL Security Association Database (SADB) – A database of SAs 18
  19. 19. IPsec/IKE Acronyms  Security Parameter Index (SPI) – A unique index for each entry in the SADB – Identifies the SA associated with a packet  Security Policy Database (SPD) – Store policies used to establish SAs 19
  20. 20. How They Fit Together SPD SA-1 SA-2 SADB SPI SPI 20
  21. 21. SPD and SADB Example A’s SPD Transport Mode A C B D Tunnel Mode A’s SADB From To Asub Bsub From To Asub Bsub From To Protocol Port Policy A B Any Any AH[HMAC-MD5] From To Protocol SPI SA Record A B AH 12 HMAC-MD5 key Protocol Port Policy Tunnel Dest Any Any ESP[3DES] D Protocol SPI SA Record ESP 14 C’s SPD 3DES key C’s SADB 21
  22. 22. IPsec Policy   Phase 1 policies are defined in terms of protection suites Each protection suite – Must contain the following:     Encryption algorithm Hash algorithm Authentication method Diffie-Hellman Group – May optionally contain the following:   Lifetime … 22
  23. 23. IPSec Policy   Phase 2 policies are defined in terms of proposals Each proposal: – May contain one or more of the following     AH sub-proposals ESP sub-proposals IPComp sub-proposals Along with necessary attributes such as – Key length, life time, etc 23
  24. 24. Resources  IP, IPsec and related RFCs: – http://www.ietf.org/html.charters/ipsec-charter.html – IPsec: RFC 2401, IKE: RFC 2409 – www.freeswan.org  Google search 24
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×