IPSec In Depth
Encapsulated Security Payload (ESP)
• Must encrypt and/or authenticate in each
  packet
• Encryption occurs before authentication
• Authentication is applied to data in the
  IPSec header as well as the data contained
  as payload
IPSec Encapsulating Security Payload (ESP) in Transport Mode

Before:  Orig IP Hdr | TCP Hdr | Data
After:   Orig IP Hdr | ESP Hdr (inserted) | TCP Hdr | Data | ESP Trailer | ESP Auth (appended)

• Usually encrypted: TCP Hdr, Data, ESP Trailer
• Integrity hash coverage: ESP Hdr through ESP Trailer (the IP header is not covered)
• ESP Hdr: SecParamIndex, Seq#, InitVector
• ESP Trailer: Padding, PadLength, NextHdr
• ESP Auth: Keyed Hash
• 22-36 bytes total added
• ESP is IP protocol 50
© 2000 Microsoft Corporation
IPSec ESP Tunnel Mode

Before:  Orig IP Hdr | TCP Hdr | Data
After:   New IP Hdr | ESP Hdr | Orig IP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth

• Usually encrypted: Orig IP Hdr, TCP Hdr, Data, ESP Trailer
• Integrity hash coverage: ESP Hdr through ESP Trailer
• New IP header with source & destination IP address (the tunnel endpoints)
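Added example (not from the slides): the ESP framing above, written in Python for transport mode. It assumes HMAC-SHA1-96 for the Keyed Hash, an 8-byte InitVector and an 8-byte cipher block; the cipher is a constructed XOR stand-in, not a real IPsec transform. It shows the encrypt-then-authenticate order and that the receiver checks the keyed hash over SPI..trailer before decrypting anything.

```python
import hmac, hashlib, struct

ICV_LEN = 12       # HMAC-SHA1-96 ICV (RFC 2404)
BLOCK = 8          # cipher block size assumed for padding (DES-CBC uses 8)

def demo_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the ESP cipher: XOR with an HMAC-derived keystream.
    Symmetric (encrypt == decrypt) and NOT a real IPsec transform."""
    out, counter = b"", 0
    while len(out) < len(data):
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

def build_esp(spi, seq, iv, payload, next_hdr, enc_key, auth_key):
    """ESP Hdr (SPI, Seq#) | IV | encrypted(payload | Padding | PadLength | NextHdr) | ICV."""
    pad_len = (-(len(payload) + 2)) % BLOCK           # pad so trailer ends on a block boundary
    padding = bytes(range(1, pad_len + 1))            # RFC 2406 default pad pattern 1,2,3,...
    encrypted = demo_cipher(enc_key, iv, payload + padding + bytes([pad_len, next_hdr]))
    body = struct.pack("!II", spi, seq) + iv + encrypted
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]  # coverage: ESP Hdr..trailer
    return body + icv

def open_esp(packet, enc_key, auth_key):
    """Verify the ICV first, then decrypt; returns (spi, seq, next_hdr, payload) or None."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                                   # drop before spending cycles on decryption
    spi, seq = struct.unpack("!II", body[:8])
    iv, encrypted = body[8:16], body[16:]
    clear = demo_cipher(enc_key, iv, encrypted)
    pad_len, next_hdr = clear[-2], clear[-1]
    if clear[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return None                                   # padding pattern must match
    return spi, seq, next_hdr, clear[:-2 - pad_len]
```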
Authentication Header (AH)
• Authentication is applied to the entire
  packet, with the mutable fields in the IP
  header zeroed out
• If both ESP and AH are applied to a packet,
  AH follows ESP
IPSec Authentication Header (AH) in Transport Mode

Before:  Orig IP Hdr | TCP Hdr | Data
After:   Orig IP Hdr | AH Hdr (inserted) | TCP Hdr | Data

• Integrity hash coverage: the entire packet (except for mutable fields in the IP hdr)
• AH Hdr fields: Next Hdr, Payload Len, Rsrv, SecParamIndex, Seq#, Keyed Hash
• 24 bytes total
• AH is IP protocol 51
IPSec AH Tunnel Mode

Before:  Orig IP Hdr | TCP Hdr | Data
After:   New IP Hdr | AH Hdr | Orig IP Hdr | TCP Hdr | Data

• Integrity hash coverage: the entire packet (except for mutable new IP hdr fields)
• New IP header with source & destination IP address
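Added example (not from the slides): the AH transport-mode layout above in Python, showing exactly which IP header fields are zeroed before the keyed hash is computed (TOS, flags/fragment offset, TTL, header checksum, per RFC 2402) so that a router hop changes the packet without breaking the hash. HMAC-SHA1-96 is assumed for the Keyed Hash, giving the 24-byte AH header; `decrement_ttl` is a constructed stand-in for a router.

```python
import hmac, hashlib, struct

IP_FMT = "!BBHHHBBH4s4s"          # 20-byte IPv4 header without options
AH_FMT = "!BBHII"                 # Next Hdr | Payload Len | Rsrv | SecParamIndex | Seq#
ICV_LEN = 12                      # HMAC-SHA1-96 (RFC 2404): 12 fixed bytes + 12 ICV = 24 bytes

def zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero what routers may rewrite: TOS, flags/frag offset, TTL, header checksum (RFC 2402)."""
    v, _tos, tl, ident, _ff, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, ip_hdr)
    return struct.pack(IP_FMT, v, 0, tl, ident, 0, 0, proto, 0, src, dst)

def ah_icv(ip_hdr: bytes, ah_fixed: bytes, upper: bytes, key: bytes) -> bytes:
    """Keyed hash over the whole packet, with mutable IP fields and the ICV field itself zeroed."""
    covered = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + upper
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_transport(src, dst, upper, spi, seq, key, ttl=64):
    """Orig IP Hdr (protocol 51) | AH Hdr | upper layer (e.g. TCP Hdr + Data)."""
    ah_len = struct.calcsize(AH_FMT) + ICV_LEN
    ip_hdr = struct.pack(IP_FMT, 0x45, 0, 20 + ah_len + len(upper), 0, 0, ttl, 51, 0, src, dst)
    # Payload Len is the AH length in 32-bit words minus 2 -> 4 for HMAC-SHA1-96; Next Hdr 6 = TCP.
    ah_fixed = struct.pack(AH_FMT, 6, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, upper, key) + upper

def verify_ah(packet: bytes, key: bytes) -> bool:
    """Receiver recomputes the ICV; TTL/checksum changes in transit must not break it."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, upper = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, upper, key))

def decrement_ttl(packet: bytes) -> bytes:
    """Constructed stand-in for a router hop: TTL - 1 and a rewritten header checksum."""
    fields = list(struct.unpack(IP_FMT, packet[:20]))
    fields[5] -= 1
    fields[7] = 0xBEEF
    return struct.pack(IP_FMT, *fields) + packet[20:]
```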
Internet Key Exchange (IKE)
• Phase I
  – Establish a secure channel (ISAKMP SA)
  – Authenticate computer identity
• Phase II
  – Establishes a secure channel between
    computers intended for the transmission of data
    (IPSec SA)
Main Mode
• Main mode negotiates an ISAKMP SA
  which will be used to create IPSec SAs
• Three steps
  – SA negotiation
  – Diffie-Hellman and nonce exchange
  – Authentication
Main Mode (Kerberos)

Initiator -> Responder: Header, SA Proposals
Responder -> Initiator: Header, Selected SA Proposal
Initiator -> Responder: Header, D-H Key Exchange, Nonce_i, Kerberos Token_i
Responder -> Initiator: Header, D-H Key Exchange, Nonce_r, Kerberos Token_r
Initiator -> Responder (encrypted): Header, Id_i, Hash_i
Responder -> Initiator (encrypted): Header, Id_r, Hash_r
Main Mode (Certificate)

Initiator -> Responder: Header, SA Proposals
Responder -> Initiator: Header, Selected SA Proposal
Initiator -> Responder: Header, D-H Key Exchange, Nonce_i
Responder -> Initiator: Header, D-H Key Exchange, Nonce_r, Certificate Request
Initiator -> Responder (encrypted): Header, Id_i, Certificate_i, Signature_i, Certificate Request
Responder -> Initiator (encrypted): Header, Id_r, Certificate_r, Signature_r
Main Mode (Pre-shared Key)

Initiator -> Responder: Header, SA Proposals
Responder -> Initiator: Header, Selected SA Proposal
Initiator -> Responder: Header, D-H Key Exchange, Nonce_i
Responder -> Initiator: Header, D-H Key Exchange, Nonce_r
Initiator -> Responder (encrypted): Header, Id_i, Hash_i
Responder -> Initiator (encrypted): Header, Id_r, Hash_r
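Added example (not from the slides): the six-message pre-shared-key Main Mode exchange above, simulated in Python with both peers in one process. It uses the RFC 2409 definitions SKEYID = prf(pre-shared-key, Ni_b | Nr_b) and Hash_i / Hash_r = prf(SKEYID, g^x values | cookies | SA body | ID), with HMAC-SHA1 assumed as the prf; the Diffie-Hellman group is a small constructed one for the demo, not an IKE MODP group. The point it makes is that a peer with the wrong pre-shared key derives a different SKEYID, so its Hash fails verification.

```python
import hmac, hashlib, secrets

# Toy Diffie-Hellman group for this demo only (NOT an IKE MODP group, which use 768/1024-bit primes).
P, G = 2**127 - 1, 3

def prf(key: bytes, data: bytes) -> bytes:
    """IKE's pseudo-random function, here HMAC-SHA1 (assumed: SHA-1 was the negotiated hash)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n: int) -> bytes:
    return n.to_bytes(16, "big")           # DH values are < 2^127, so 16 bytes always fit

class Peer:
    """One IKE endpoint: pre-shared key, identity, ISAKMP cookie, DH exponent, nonce."""
    def __init__(self, psk: bytes, ident: bytes):
        self.psk, self.ident = psk, ident
        self.cookie = secrets.token_bytes(8)
        self.x = secrets.randbelow(P - 2) + 1
        self.nonce = secrets.token_bytes(16)
        self.ke = pow(G, self.x, P)        # g^x, the D-H Key Exchange payload

def hash_i(skeyid, ke_i, ke_r, cky_i, cky_r, sai_b, id_i):
    """Hash_i = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)  (RFC 2409 section 5)."""
    return prf(skeyid, i2b(ke_i) + i2b(ke_r) + cky_i + cky_r + sai_b + id_i)

def hash_r(skeyid, ke_i, ke_r, cky_i, cky_r, sai_b, id_r):
    """Hash_r = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, i2b(ke_r) + i2b(ke_i) + cky_r + cky_i + sai_b + id_r)

def main_mode_psk(init: Peer, resp: Peer, sai_b: bytes) -> bool:
    """Run the six Main Mode messages; True only if each side accepts the other's hash."""
    # Messages 1-2 (clear): SA Proposals / Selected SA Proposal; sai_b is the initiator's SA body.
    # Messages 3-4 (clear): D-H Key Exchange (g^x) and Nonce_i / Nonce_r.
    ke_i, ke_r, n_i, n_r = init.ke, resp.ke, init.nonce, resp.nonce
    # Each side derives SKEYID = prf(pre-shared-key, Ni_b | Nr_b); they agree only if the PSKs match.
    skeyid_i, skeyid_r = prf(init.psk, n_i + n_r), prf(resp.psk, n_i + n_r)
    # Both sides also compute g^xy; it feeds the keys that encrypt messages 5-6 and later Quick Mode.
    if pow(ke_r, init.x, P) != pow(ke_i, resp.x, P):
        raise ValueError("D-H shared secrets differ")
    # Messages 5-6 (encrypted): Id and Hash; the peer recomputes the hash under its own SKEYID.
    args = (ke_i, ke_r, init.cookie, resp.cookie, sai_b)
    sent_i = hash_i(skeyid_i, *args, init.ident)
    sent_r = hash_r(skeyid_r, *args, resp.ident)
    resp_ok = hmac.compare_digest(sent_i, hash_i(skeyid_r, *args, init.ident))
    init_ok = hmac.compare_digest(sent_r, hash_r(skeyid_i, *args, resp.ident))
    return resp_ok and init_ok
```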
Quick Mode
• All traffic is encrypted using the ISAKMP
  Security Association
• Each quick mode negotiation results in two
  IPSec Security Associations (one inbound,
  one outbound)
Quick Mode Negotiation (all messages encrypted under the ISAKMP SA)

Initiator -> Responder: Header, IPSec Proposed SA
Responder -> Initiator: Header, IPSec Selected SA
Initiator -> Responder: Header, Hash
Responder -> Initiator: Header, Connected Notification