IPSec Overview


Published on

IPSec protocol. Overview of IKE in IPSec. A look at ESP packet. AH is excluded in this presentation.

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • There a few key things we need to describe to you so you can get a better idea of IPSec. Firstly, there are two main protocols in IPSec which namely Authentication Header, in short AH and Encapsulating Security Payload, in short ESP.
  • The next two key terms for IPSec are Security Policy, in short SP and Security Association, in short SA.
  • In layman’s term, SP governs how IPSec process different datagrams received by an IPSec device.
  • Now, on the other hand, Security Associations are sets of security information that describes a particular kind of secure connection between one IPSec device and another.
  • There are two important concepts of SA. Firstly, SAs are key to IPSec’s authentication and confidentiality mechanisms.
  • Secondly, SAs are needed to negotiate in the exchanging of the “shared secret” process Now, each host that wants to communicate with each other securely thru IPSec, has to first setup their own security association. And each host over IPSec negotiates a same shared secret to decrypt and encrypt messages. To get shared secret, they must first use IKE and thus I will explain the process [click]
  • Now that we know what Security Policies and Security Associations are, let’s us first understand how IPSec shares its shared secret before we move on to the Authentication Header and Encapsulating Security Payload protocols of the IPSec.
  • IPSec, like many secure networking protocol sets, is based on the concept of a “ shared secret ”.
  • Before AH or ESP can be used, any two devices must exchange the “secret” that the AH or ESP themselves will use.
  • So how does this happen?
  • The primary support protocol used for this “secret” exchange in IPSec is called Internet Key Exchange (IKE) . And during this exchange, s ymmetric encryption is used on the data(Which is must faster as data can be large) but asymmetric encryption is used to encrypt the key in transit, because a key is small in size and asymmetric encryption is more secure.
  • IKE allows IPSec-capable devices to exchange security associations (SAs) and populate their security association databases (SADs).
  • After setting up the Security Associations, these established SAs are then being used for the actual exchange of secured datagrams with the AH and ESP protocols. Right now, let me briefly explain how sharing of the secret works in IPSec. [Click]
  • -Alice, using a data application on Computer A [click], sends an application IP packet to Bob on [Click] Computer B. -The IPSec driver [click] on Computer A checks its outbound IP filter lists and determines that the packets should be secured. -The action is to negotiate security, so the IPSec driver [click] notifies IKE to begin negotiations. The IKE service on Computer A completes [click] a policy lookup and [click] the policy determines that Computer A proposes to Computer B. Computer A then sends the first IKE SA message to B. -Computer B receives A’s IKE SA requesting for secure negotiation. B then [click] looks up it’s own policy database to determine which security settings (which is the SA) to agree to. Since Computer B has a policy match, B replies to begin [click] negotiation of IKE SA. -Computer A and Computer B now negotiate parameters such options, exchange identities, verify authentication methods [click], and generate a shared master key. They have now established an IKE SA and had so established a mutual trust for the exchange of future secured datagrams either with the AH or ESP IPSec protocol.
  • The next core protocol of IPSec is the ESP
  • An encryption algorithm combines the data in the datagram with a key to transform it into an encrypted form. This is then repackaged using a special format and transmitted to the destination, which decrypts it using the same algorithm. And this key as known by the source and destination had already been negotiated fore front by IKE which we had covered earlier on.
  • ESP in transport mode does not sign the entire packet.
  • The signed portion of the packet indicates where the packet has been signed for integrity and authentication and the encrypted portion of the packet indicates what information is protected with confidentiality. Now you realized that the ESP Authentication Data appears separately because it is used to authenticate the rest of the encrypted datagram after encryption . This means it cannot appear in the ESP Header or ESP Trailer.
  • IPSec Overview

    1. 1. Internet Protocol Security (IPSec) Group name: grouppage
    2. 2. What to expect <ul><li>What is the difference between SSL and IPSec </li></ul><ul><li>And when to use it? </li></ul><ul><li>Go through the basics for IPSec </li></ul><ul><li>Explain IPSec’s key exchange </li></ul><ul><li>Look further into ESP, main protocol of IPSec </li></ul>
    3. 3. Internet Protocol (TCP/IP) <ul><li>Has no inherent security </li></ul><ul><li>Man in the middle can read/write to: </li></ul><ul><ul><ul><ul><li>The TCP/IP headers </li></ul></ul></ul></ul><ul><ul><ul><ul><li>The payload data </li></ul></ul></ul></ul><ul><li>SSL/TLS and IPSec can encrypt data </li></ul>
    4. 4. IPSec Compared To SSL <ul><li>IPSec </li></ul><ul><li>Application Independent </li></ul><ul><li>Authenticates IP headers </li></ul><ul><li>Encrypts TCP and Application layer </li></ul><ul><li>SSL </li></ul><ul><li>Must be compiled in Application </li></ul><ul><li>Insecure IP headers </li></ul><ul><li>Encrypts application layer </li></ul>
    5. 5. <ul><li>Malory can: </li></ul><ul><li>Create packets that have A's IP as src address </li></ul><ul><li>Read A's packets </li></ul><ul><li>Can change A's packets </li></ul><ul><li>Normal IP </li></ul>
    6. 6. IP with SSL <ul><li>Mallory Can </li></ul><ul><li>Create packets that have A's IP as src address </li></ul><ul><li>R/W the TCP header </li></ul>
    7. 7. IPSec <ul><li>Malroy can do nothing </li></ul>
    8. 8. When to use? <ul><li>Reasons not to use </li></ul><ul><li>NAT </li></ul><ul><li>Support </li></ul><ul><li>User authentication </li></ul><ul><li>Reasons to use: </li></ul><ul><li>VPN </li></ul><ul><li>Application doesn't support TLS </li></ul><ul><li>Don't want to use PKI </li></ul><ul><li>Host authentication </li></ul>
    9. 9. IPSec basics for this presentation <ul><li>Main protocol in IPSec: </li></ul><ul><ul><li>Encapsulating Security Payload (ESP) </li></ul></ul>
    10. 10. <ul><li>Constructs that guide the operation of IPSec </li></ul><ul><ul><li>Security Policy (SP) </li></ul></ul><ul><ul><li>Security Association (SA) </li></ul></ul>IPSec basics for this presentation
    11. 11. Security Policies <ul><li>Governs how IPSec process different datagrams received by an IPSec device </li></ul>
    12. 12. <ul><li>SA describes a particular kind of secure connection between one device and another. </li></ul>Security Associations AH
    13. 13. <ul><li>Security Associations are key to IPSEC’s authentication and confidentiality mechanisms. </li></ul>Security Associations
    14. 14. <ul><li>SAs are needed to negotiate in the exchange of the “shared secret” process </li></ul>Security Associations
    15. 15. Sharing the shared secret
    16. 16. Sharing the shared secret <ul><li>IPSec, like many secure networking protocol sets, is based on the concept of a “ shared secret ”. </li></ul>
    17. 17. Sharing the shared secret <ul><li>Before ESP (IPSec protocols) can be used, any two devices must exchange the “secret” that the ESP themselves will use. </li></ul>
    18. 18. Sharing the shared secret <ul><li>So how does this happen? </li></ul>
    19. 19. Exchanging the secret <ul><li>Internet Key Exchange (IKE) . </li></ul>
    20. 20. Internet Key Exchange (IKE) <ul><li>IPSec-capable devices to exchange security associations (SAs), </li></ul><ul><li>Populate their security association databases (SADs). </li></ul>
    21. 21. Internet Key Exchange (IKE) <ul><li>These established SAs are then being used for the actual exchange of secured datagrams with the ESP protocols. </li></ul>
    22. 22. Sharing the shared secret Source: http://technet.microsoft.com
    23. 23. IPSec Protocols <ul><li>Encapsulating Security Payload </li></ul>
    24. 24. Encapsulating Security Payload (ESP) <ul><li>Main function: </li></ul><ul><li>Provide privacy for IP datagrams by encrypting them. </li></ul>
    25. 25. ESP packet in transport mode
    26. 26. ESP packet in tunnel mode New IP Header
    27. 27. Thank You! <ul><li>The end and we hope you understand </li></ul>
    28. 28. References <ul><li>Understanding IPSEC - Server 2003 </li></ul><ul><li>http://www.youtube.com/watch?v=DH1zI8QYi4A </li></ul><ul><li>TCPIP Guide </li></ul><ul><ul><li>http://www.tcpipguide.com/free/t_IPSecurityIPSecProtocols.htm </li></ul></ul>