IPsec with AH
This is a slideshow I made for my Systems Modeling & Simulation class. The presentation is intended to be a visual aid in giving a lesson on IPsec and Authentication Headers.

Notes
  • There are many aspects of IPsec that need to be taken into account when setting it up between two nodes. Transport mode starts at the IP layer. It encrypts the payload but keeps the routing information in the header. Used for host to host connections. Tunnel mode starts at the data link layer. It encrypts the whole packet and generates a new header. Used to create VPNs.
  • IPsec is a set of security algorithms along with a general framework which offers many different combinations of solutions for secure communication. Transport mode starts at the IP layer. It encrypts the payload but keeps the routing information in the header. Used for host to host connections. Tunnel mode starts at the data link layer. It encrypts the whole packet and generates a new header. Used to create VPNs.
  • IPv4 header fields: Version (4); Header Length; Service Type – how the datagram should be handled; Packet Length; ID – to identify fragmented packets; Flags – used to manage fragmentation; Fragment Offset – position of this packet in the overall message; TTL – how long the packet is able to live in terms of network hops; Protocol (TCP); Header Checksum – used to protect against corruption during transmission; Source IP; Destination IP.
  • Authentication Header fields: Next Header – records the original protocol value, in case IPSec modifies the protocol field in the IP header. Payload Length – doesn't specify the size of the payload; instead it specifies the length of the authentication header. Reserved – for future use. SPI – specifies the security index scheme used (see next slide). Sequence Number – contains a unique number for each subsequent packet sent; the number is incremented by 1 after each packet. Used to prevent replay attacks. Authentication Data – contains data for the current security scheme and is used to check integrity.
  • A security association is a set of shared security attributes between two devices on a network (list off the bullet points under the computers). Since all of this can't be contained in the header, IPSec asks each receiver to collect this information and break it down to a numerical abstraction, which is the SPI. Even if all the attributes are the same, two different SPIs will be generated. So, in order for A to send a packet to B, A must know B's SPI.
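The replay protection mentioned in the Sequence Number note, as an added example that is not part of the presentation: a receiver-side sliding window of the kind IPsec implementations keep (RFC 4302 §3.4.3) that accepts each sequence number once, drops duplicates, and drops numbers that have fallen behind the window. The 64-packet window size, the demo sequence stream and the ReplayWindow/filter_sequence names are assumptions, and extended sequence numbers are left out.

```python
class ReplayWindow:
    """Receiver-side anti-replay check for the AH Sequence Number field.

    Keeps the highest sequence number accepted so far ("top") and a bitmap of
    which of the most recent numbers below it have been seen. Packets older
    than the window, or already marked in the bitmap, are rejected.
    """

    def __init__(self, window: int = 64):   # 64 is an assumption; RFC 4302 requires at least 32
        self.window = window
        self.top = 0          # highest accepted sequence number (0 = nothing accepted yet)
        self.bitmap = 0       # bit i set <=> sequence number (top - i) has been accepted

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:          # the first packet on an SA carries 1, so 0 is never valid
            return False
        if seq > self.top:    # to the right of the window: slide it forward and accept
            shift = seq - self.top
            if shift >= self.window:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.window) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.window:            # to the left of the window: too old, drop
            return False
        if self.bitmap & (1 << diff):      # inside the window but already seen: replay
            return False
        self.bitmap |= 1 << diff           # inside the window and new: accept and mark
        return True


def filter_sequence(seqs, window: int = 64) -> list:
    """Run a stream of sequence numbers through one window; True means accepted."""
    rw = ReplayWindow(window)
    return [rw.check_and_update(s) for s in seqs]


# Constructed stream: in-order packets, a replayed 2, reordered 5/4, a replayed 1,
# a jump far past the window, a packet that has fallen out of the window, then 69.
DEMO_SEQS = [1, 2, 3, 2, 5, 4, 1, 70, 3, 69]

if __name__ == "__main__":
    for seq, ok in zip(DEMO_SEQS, filter_sequence(DEMO_SEQS)):
        print(f"seq {seq:>3}: {'accept' if ok else 'drop'}")
```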
Transcript

    • 1. Authentication Headers in IP Security, by Jordan Levesque
    • 2. IPsec Overview: Set of security algorithms along with a general framework which offers many different combinations of solutions for secure communication. End-to-end security scheme: network-to-network (gateway to gateway), host-to-host, host-to-network. Application independent: doesn't need to be implemented at the application level, like SSL, TLS, or SSH.
    • 3. Aspects of IPsec (1/3): Key encryption – Internet Key Exchange (IKE) or something weaker such as Diffie-Hellman or a pre-shared key. End-to-end security scheme: network-to-network (gateway to gateway), host-to-host, host-to-network.
    • 4. Aspects of IPsec (2/3): Modes of operation.
      Transport: starts at the IP layer; encrypts the payload but keeps routing information in the header; used for host to host.
      Tunnel: starts at the data link layer; encrypts the whole packet; generates a new header; used for VPNs.
      Diagram of the OSI model stack: APP, TCP, IPsec (transport), IP, IPsec (tunnel), DL, P.
    • 5. Aspects of IPsec (3/3): Traffic direction – inbound, outbound. Authentication Header or Encapsulating Security Payload: AH – provides protection against replay attacks; verifies the data's origin. ESP – masks source and destination; used to conceal devices on a network.
    • 6. Original IPv4 datagram: ver, hlen, TOS, pkt len, ID, flags, frag offset, TTL, protocol, header cksum, src ip addr, dest ip addr, TCP header, payload.
    • 7. New IPv4 datagram with AH: ver, hlen, TOS, pkt len, ID, flags, frag offset, TTL, protocol, header cksum, src ip addr, dest ip addr; AH: next header, payload len, reserved, SPI (Security Parameters Index), sequence number, authentication data; TCP header, payload.
    • 8. SPI and Security Associations: A and B each hold a security association listing the authentication algorithm, key(s), key lifetime, and authorized source addresses. A's SPI: 81365786…; B's SPI: 52465221….
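The header layout from slide 7 as an added parser (example code, not from the presentation): it reads the AH fixed fields, derives the header length from Payload Len using the RFC 4302 rule that Payload Len counts 32-bit words minus 2, and checks an HMAC-SHA1-96 Authentication Data value. The key, SPI, payload bytes and function names are constructed for the demo, and the MAC here covers only the AH (with its ICV field zeroed) plus the payload, whereas real AH also covers the immutable IP header fields.

```python
import hashlib
import hmac
import struct

AH_FIXED_LEN = 12   # Next Header(1) + Payload Len(1) + Reserved(2) + SPI(4) + Seq(4)
ICV_LEN = 12        # HMAC-SHA1-96 truncates the 20-byte SHA-1 MAC to 96 bits


def parse_ah(data: bytes) -> dict:
    """Split raw bytes into the AH fields and the payload that follows the header.

    Payload Len is the AH length in 32-bit words minus 2, so it tells the
    receiver how long the header (and its ICV) is, not how long the payload is.
    """
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    if len(data) < ah_len:
        raise ValueError("AH shorter than Payload Len claims")
    return {"next_header": next_header, "payload_len": payload_len, "ah_len": ah_len,
            "reserved": reserved, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED_LEN:ah_len], "payload": data[ah_len:]}


def build_ah(next_header: int, spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    """Sender side: fixed fields, then the ICV computed with the ICV field zeroed."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2          # 24 bytes -> 6 words -> 4
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    icv = hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv + payload


def verify_icv(data: bytes, key: bytes) -> bool:
    """Receiver side: recompute the MAC over the same bytes and compare in constant time."""
    ah = parse_ah(data)
    covered = data[:AH_FIXED_LEN] + bytes(len(ah["icv"])) + ah["payload"]
    expected = hmac.new(key, covered, hashlib.sha1).digest()[:len(ah["icv"])]
    return hmac.compare_digest(expected, ah["icv"])


# Constructed demo values: a shared key, an SPI and a stand-in for the TCP header + payload.
DEMO_KEY = b"constructed-demo-key"
DEMO_SPI = 0xC0FFEE01
DEMO_PACKET = build_ah(6, DEMO_SPI, 1, b"TCP header and payload (constructed)", DEMO_KEY)

if __name__ == "__main__":
    f = parse_ah(DEMO_PACKET)
    print(f"spi={f['spi']:#x} seq={f['seq']} ah_len={f['ah_len']} payload_len={f['payload_len']}")
    tampered = DEMO_PACKET[:-1] + bytes([DEMO_PACKET[-1] ^ 0x01])   # flip one payload bit
    print("icv ok:", verify_icv(DEMO_PACKET, DEMO_KEY), "tampered ok:", verify_icv(tampered, DEMO_KEY))
```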