SlideShare a Scribd company logo

Ipsec

Download as PPT, PDF
Rupesh Mishra
Rupesh Mishra

IPSec us a network security protocol

Software
1 of 50
IIPPSSeecc -- OOvveerrvviieeww Mr. Rupesh Mishra St. Francis Institute of Tech 1
OOuuttlliinnee • Introduction • IPSec Architecture • Internet Key Exchange (IKE) • IPSec Policy • Discussion 2
IIPP iiss nnoott SSeeccuurree!! • IP protocol was designed in the late 70s to early 80s o Part of DARPA Internet Project o Very small network • All hosts are known! • So are the users! • Therefore, security was not an issue 3
SSeeccuurriittyy IIssssuueess iinn IIPP • source spoofing - DOS Attack • replay packets - Replay Attack • No data integrity - Modification • No confidentiality - Spying 4
WWhhaatt iiss IIPPSSeecc • A set of protocol and algorithm used to secure IP data and network layer • Open standard for VPN implementation • Inbuilt in IPV6 and compatible with IPV4 5
GGooaallss ooff IIPPSSeecc • to verify sources of IP packets o authentication • to prevent replaying of old packets • to protect integrity and/or confidentiality of packets o data Integrity/Data Encryption 6
OOuuttlliinnee • Why IPsec? • IPSec Architecture • Internet Key Exchange (IKE) • IPsec Policy • Discussion 7
TThhee IIPPSSeecc SSeeccuurriittyy MMooddeell 8 Secure Insecure
IIPPSSeecc AArrcchhiitteeccttuurree 9 ESP AH IPSec Security Policy IKE Encapsulating Security Payload Authentication Header The Internet Key Exchange
IIPPSSeecc AArrcchhiitteeccttuurree • IPSec provides security in three situations: o Host-to-host, host-to-gateway and gateway-to-gateway • IPSec operates in two modes: o Transport mode (for end-to-end) o Tunnel mode (for VPN) 10
IIPPsseecc AArrcchhiitteeccttuurree 11 Transport Mode Router Router Tunnel Mode
VVaarriioouuss PPaacckkeettss 12 IP header Original IP header IP header TCP header TCP header TCP header data data data IPSec header IPSec header IP header Transport mode Tunnel mode
SSeeccuurriittyy AAssssoocciiaattiioonn ((SSAA)) 13 • Specification of security for the communication • Specification of key , algorithm , policy , etc • Unidirectional • SADB
IISSAAKKMMPP 14 • Defines the procedure for security association • SA and Key Management
IIPPSSeecc • A collection of protocols (RFC 2401) o Authentication Header (AH) • RFC 2402 o Encapsulating Security Payload (ESP) • RFC 2406 o Internet Key Exchange (IKE) • RFC 2409 o IP Payload Compression (IPcomp) • RFC 3137 15
AAuutthheennttiiccaattiioonn HHeeaaddeerr ((AAHH)) • Provides source authentication o Protects against source spoofing • Provides data integrity • Protects against replay attacks o Use monotonically increasing sequence numbers o Protects against denial of service attacks • NO protection for confidentiality! 16
AAHH DDeettaaiillss • Use 32-bit monotonically increasing sequence number to avoid replay attacks • Use cryptographically strong hash algorithms to protect data integrity (96-bit) o Use symmetric key cryptography o HMAC-SHA-96, HMAC-MD5-96 17
AAHH PPaacckkeett DDeettaaiillss 18 New IP header Security Parameters Index (SPI) Sequence Number Authentication Data Next header Payload length Reserved Old IP header (only in Tunnel mode) TCP header Authenticated Data Encapsulated TCP or IP packet Hash of everything else
EEnnccaappssuullaattiinngg SSeeccuurriittyy PPaayyllooaadd ((EESSPP)) • Provides all that AH offers, and • in addition provides data confidentiality o Uses symmetric key encryption 19
EESSPP DDeettaaiillss • Same as AH: o Use 32-bit sequence number to counter replaying attacks o Use integrity check algorithms • Only in ESP: o Data confidentiality: • Uses symmetric key encryption algorithms to encrypt packets 20
EESSPP PPaacckkeett DDeettaaiillss 21 Security Parameters Index (SPI) Sequence Number Authentication Data Next header Payload length Reserved TCP header Authenticated IP header Initialization vector Data Pad Pad length Next Encrypted TCP packet
OOuuttlliinnee • Why IPsec? • IPsec Architecture • Internet Key Exchange (IKE) • IPsec Policy • Discussion 22
IInntteerrnneett KKeeyy EExxcchhaannggee ((IIKKEE)) • Exchange and negotiate security policies • Establish security sessions o Identified as Security Associations • Key exchange • Key management • Can be used outside IPsec as well 23
HHooww IItt WWoorrkkss • IKE operates in two phases o Phase 1: negotiate and establish an auxiliary end-to-end secure channel • Used by subsequent phase 2 negotiations • Only established once between two end points! o Phase 2: negotiate and establish custom secure channels • Occurs multiple times o Both phases use Diffie-Hellman key exchange to establish a shared key 24
IIKKEE PPhhaassee 11 • Goal: to establish a secure channel between two end points o This channel provides basic security features: • Source authentication • Data integrity and data confidentiality • Protection against replay attacks 25
IIKKEE PPhhaassee 11 • Rationale: each application has different security requirements • But they all need to negotiate policies and exchange keys! • So, provide the basic security features and allow application to establish custom sessions 26
EExxaammpplleess • All packets sent to address mybank.com must be encrypted using 3DES with HMAC-MD5 integrity check • All packets sent to address www.forum.com must use integrity check with HMAC-SHA1 (no encryption is required) 27
PPhhaassee 11 EExxcchhaannggee • Can operate in two modes: o Main mode • Six messages in three round trips • More options o Quick mode • Four messages in two round trips • Less options 28
PPhhaassee 11 ((MMaaiinn MMooddee)) 29 Initiator Responder [Header, SA1]
PPhhaassee 11 ((MMaaiinn MMooddee)) 30 Initiator Responder [Header, SA1] [Header, SA2] Establish vocabulary for further communication
PPhhaassee 11 ((MMaaiinn MMooddee)) 31 Initiator Responder [Header, SA1] [Header, SA2] [Header, KE, Ni, {Cert_Reg} ]
PPhhaassee 11 ((MMaaiinn MMooddee)) 32 Initiator Responder Header, SA1 [Header, SA1] [Header, KE, Ni { , Cert_Req} ] [Header, KE, Nr {, Cert_Req}] Establish secret key using Diffie-Hellman key exchange Use nonces to prevent replay attacks
PPhhaassee 11 ((MMaaiinn MMooddee)) 33 Initiator Responder [Header, SA1] [Header, SA1] [Header, KE, Ni {,Cert_Req} ] [Header, KE, Nr {,Cert_Req}] [Header, IDi, {CERT} sig]
PPhhaassee 11 ((MMaaiinn MMooddee)) 34 Initiator Responder [Header, SA1] [Header, SA1] [Header, KE, Ni {, Cert_req}] [Header, KE, Nr {, Cert_req}] [Header, IDi, {CERT} sig] [Header, IDr, {CERT} sig] Signed hash of IDi (without Cert_req , just send the hash)
PPhhaassee 11 ((QQuuiicckk MMooddee)) 35 Initiator Responder [Header, SA1, KE, Ni, IDi]
PPhhaassee 11 ((QQuuiicckk MMooddee)) 36 Initiator Responder [Header, SA1, KE, Ni, IDi] [Header, SA2, KE, Nr, IDr, [Cert]sig] [Header, [Cert]sig] First two messages combined into one (combine Hello and DH key exchange)
IIPPSSeecc ((PPhhaassee 11)) • Four different way to authenticate (either mode) o Digital signature o Two forms of authentication with public key encryption o Pre-shared key • NOTE: IKE does use public-key based cryptography for encryption 37
IIPPSSeecc ((PPhhaassee 22)) • Goal: to establish custom secure channels between two end points o End points are identified by <IP, port>: • e.g. <www.mybank.com, 8000> o Or by packet: • e.g. All packets going to 128.124.100.0/24 o Use the secure channel established in Phase 1 for communication 38
IIPPSSeecc ((PPhhaassee 22)) • Only one mode: Quick Mode • Multiple quick mode exchanges can be multiplexed • Generate SAs for two end points • Can use secure channel established in phase 1 39
IIPP PPaayyllooaadd CCoommpprreessssiioonn • Used for compression • Can be specified as part of the IPSec policy 40
OOuuttlliinnee • Why IPsec? • IPsec Architecture • Internet Key Exchange (IKE) • IPSec Policy • Discussion 41
IIPPsseecc PPoolliiccyy • Phase 1 policies are defined in terms of protection suites • Each protection suite o Must contain the following: • Encryption algorithm • Hash algorithm • Authentication method • Diffie-Hellman Group o May optionally contain the following: • Lifetime • … 42
IIPPSSeecc PPoolliiccyy • Phase 2 policies are defined in terms of proposals • Each proposal: o May contain one or more of the following • AH sub-proposals • ESP sub-proposals • IPComp sub-proposals • Along with necessary attributes such as o Key length, life time, etc 43
IIPPSSeecc PPoolliiccyy EExxaammppllee • In English: o All traffic to 128.104.120.0/24 must be: • Use pre-hashed key authentication • DH group is MODP with 1024-bit modulus • Hash algorithm is HMAC-SHA (128 bit key) • Encryption using 3DES • In IPSec: o [Auth=Pre-Hash; DH=MODP(1024-bit); HASH=HMAC-SHA; ENC=3DES] 44
IIPPsseecc PPoolliiccyy EExxaammppllee • In English: o All traffic to 128.104.120.0/24 must use one of the following: • AH with HMAC-SHA or, • ESP with 3DES as encryption algorithm and (HMAC-MD5 or HMAC-SHA as hashing algorithm) • In IPsec: o [AH: HMAC-SHA] or, o [ESP: (3DES and HMAC-MD5) or (3DES and HMAC-SHA)] 45
VViirrttuuaall PPrriivvaattee NNeettwwoorrkkss ((VVPPNNss)) • Protocol o Data Link Later – PPTP , L2F , L2TF o Network Layer - IPSec • Virtual o It is not a physically distinct network • Private o Tunnels are encrypted to provide confidentiality • Computer dept might have a VPN o I can be on this VPN while traveling 46
OOuuttlliinnee • Why IPsec? • IPsec Architecture • Internet Key Exchange (IKE) • IPsec Policy • Discussion 47
DDiissccuussssiioonn • IPSec is not the only solution! o Security features can be added on top of IP! • e.g. Kerberos, SSL o IP, IPSec protocols are very complex! • Two modes, three sub protocols o Complexity is the biggest enemy of security 48
DDiissccuussssiioonn • Has it been used? o Yes—primarily used by some VPN vendors • But not all routers support it o No—it is not really an end-to-end solution • Authentication is too coarse (host based) • Default encryption algorithm too weak (DES) • Too complex for applications to use 49
RReessoouurrcceess • IP, IPsec and related RFCs: o http://www.ietf.org/html.charters/ipsec-charter.html o IPsec: RFC 2401, IKE: RFC 2409 o www.freeswan.org • Google search 50

Recommended

Ipsec
IpsecIpsec
IpsecBaidyanath Dutta
 
IP Security
IP SecurityIP Security
IP SecurityDr.Florence Dayana
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationsarhadisoftengg
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
IPSec Overview
IPSec OverviewIPSec Overview
IPSec Overviewdavisli
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPNAbdullaziz Tagawy
 
Key Management and Distribution
Key Management and DistributionKey Management and Distribution
Key Management and DistributionSyed Bahadur Shah
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic ConceptsAvadhesh Agrawal
 

Recommended

Ipsec
IpsecIpsec
IpsecBaidyanath Dutta
 
IP Security
IP SecurityIP Security
IP SecurityDr.Florence Dayana
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationsarhadisoftengg
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
IPSec Overview
IPSec OverviewIPSec Overview
IPSec Overviewdavisli
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPNAbdullaziz Tagawy
 
Key Management and Distribution
Key Management and DistributionKey Management and Distribution
Key Management and DistributionSyed Bahadur Shah
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic ConceptsAvadhesh Agrawal
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)Arun Shukla
 
Key management
Key managementKey management
Key managementSujata Regoti
 
IP Security
IP SecurityIP Security
IP SecurityKeshab Nath
 
Ssl and tls
Ssl and tlsSsl and tls
Ssl and tlsRana assad ali
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1RAMESHBABU311293
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Network security
Network securityNetwork security
Network securityEstiak Khan
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its ComponentsMohibullah Saail
 
Encryption
EncryptionEncryption
Encryptionvasanthimuniasamy
 
DES
DESDES
DESNaga Srimanyu Timmaraju
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip securityrajakhurram
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1CAS
 
IPv4
IPv4IPv4
IPv4Dhiraj Mishra
 
Ch11 Basic Cryptography
Ch11 Basic CryptographyCh11 Basic Cryptography
Ch11 Basic CryptographyInformation Technology
 
IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1Shobhit Sharma
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
IPsec
IPsecIPsec
IPsecabdullah roomi
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash functionChirag Patel
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle AttackDeepak Upadhyay
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptkusum sharma
 
IPsec for IMS
IPsec for IMSIPsec for IMS
IPsec for IMSHossein Yavari
 
05 06 ike
05 06 ike05 06 ike
05 06 ikeBabaa Naya
 

More Related Content

What's hot

Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)Arun Shukla
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1RAMESHBABU311293
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Network security
Network securityNetwork security
Network securityEstiak Khan
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its ComponentsMohibullah Saail
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip securityrajakhurram
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1CAS
 
IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1Shobhit Sharma
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash functionChirag Patel
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle AttackDeepak Upadhyay
 

What's hot (20)

Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
 
Key management
Key managementKey management
Key management
 
IP Security
IP SecurityIP Security
IP Security
 
Ssl and tls
Ssl and tlsSsl and tls
Ssl and tls
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Network security
Network securityNetwork security
Network security
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its Components
 
Encryption
EncryptionEncryption
Encryption
 
DES
DESDES
DES
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip security
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1
 
IPv4
IPv4IPv4
IPv4
 
Ch11 Basic Cryptography
Ch11 Basic CryptographyCh11 Basic Cryptography
Ch11 Basic Cryptography
 
IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
IPsec
IPsecIPsec
IPsec
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash function
 
Man in The Middle Attack
Man in The Middle AttackMan in The Middle Attack
Man in The Middle Attack
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
 

Similar to Ipsec

Ip sec talk
Ip sec talkIp sec talk
Ip sec talkanoean
 
The Security layer
The Security layerThe Security layer
The Security layerSwetha S
 
I psec
I psecI psec
I psecnlekh
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
rpsec-4 (1).ppt
rpsec-4 (1).pptrpsec-4 (1).ppt
rpsec-4 (1).pptDeep Rajan
 
IP Security Part 2
IP Security Part 2IP Security Part 2
IP Security Part 2CAS
 
ICS PPT Unit 4.ppt
ICS PPT Unit 4.pptICS PPT Unit 4.ppt
ICS PPT Unit 4.pptDEEPAK948083
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and sslMohd Arif
 
WebRTC security+more @ KamailioWorld 2018
WebRTC security+more @ KamailioWorld 2018WebRTC security+more @ KamailioWorld 2018
WebRTC security+more @ KamailioWorld 2018Lorenzo Miniero
 
Information and network security 28 blowfish
Information and network security 28 blowfishInformation and network security 28 blowfish
Information and network security 28 blowfishVaibhav Khanna
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Svetlin Nakov
 

Similar to Ipsec (20)

IPsec for IMS
IPsec for IMSIPsec for IMS
IPsec for IMS
 
05 06 ike
05 06 ike05 06 ike
05 06 ike
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talk
 
Lecture14..pdf
Lecture14..pdfLecture14..pdf
Lecture14..pdf
 
IP SEC.ptx
IP SEC.ptxIP SEC.ptx
IP SEC.ptx
 
The Security layer
The Security layerThe Security layer
The Security layer
 
I psec
I psecI psec
I psec
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
rpsec-4 (1).ppt
rpsec-4 (1).pptrpsec-4 (1).ppt
rpsec-4 (1).ppt
 
IP Security Part 2
IP Security Part 2IP Security Part 2
IP Security Part 2
 
IS Unit-4 .ppt
IS Unit-4 .pptIS Unit-4 .ppt
IS Unit-4 .ppt
 
I psec
I psecI psec
I psec
 
Wireless LAN Security Fundamentals
Wireless LAN Security FundamentalsWireless LAN Security Fundamentals
Wireless LAN Security Fundamentals
 
ICS PPT Unit 4.ppt
ICS PPT Unit 4.pptICS PPT Unit 4.ppt
ICS PPT Unit 4.ppt
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensics
 
Ip Sec
Ip SecIp Sec
Ip Sec
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and ssl
 
WebRTC security+more @ KamailioWorld 2018
WebRTC security+more @ KamailioWorld 2018WebRTC security+more @ KamailioWorld 2018
WebRTC security+more @ KamailioWorld 2018
 
Information and network security 28 blowfish
Information and network security 28 blowfishInformation and network security 28 blowfish
Information and network security 28 blowfish
 
Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)Cryptography for Absolute Beginners (May 2019)
Cryptography for Absolute Beginners (May 2019)
 

More from Rupesh Mishra

Cloud Computing - Introduction
Cloud Computing - IntroductionCloud Computing - Introduction
Cloud Computing - IntroductionRupesh Mishra
 
Computer Graphics - Output Primitive
Computer Graphics - Output PrimitiveComputer Graphics - Output Primitive
Computer Graphics - Output PrimitiveRupesh Mishra
 
Modern symmetric cipher
Modern symmetric cipherModern symmetric cipher
Modern symmetric cipherRupesh Mishra
 

More from Rupesh Mishra (6)

Cloud Computing - Introduction
Cloud Computing - IntroductionCloud Computing - Introduction
Cloud Computing - Introduction
 
Computer Graphics - Output Primitive
Computer Graphics - Output PrimitiveComputer Graphics - Output Primitive
Computer Graphics - Output Primitive
 
Structure & union
Structure & unionStructure & union
Structure & union
 
Modern symmetric cipher
Modern symmetric cipherModern symmetric cipher
Modern symmetric cipher
 
Security
SecuritySecurity
Security
 
Cryptology
CryptologyCryptology
Cryptology
 

Recently uploaded

Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...confluent
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 

Recently uploaded (20)

Odoo Development Company in India | Devintelle Consulting Service
Odoo Development Company in India | Devintelle Consulting ServiceOdoo Development Company in India | Devintelle Consulting Service
Odoo Development Company in India | Devintelle Consulting Service
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
Catch the Wave: SAP Event-Driven and Data Streaming for the Intelligence Ente...
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 

Ipsec

  • 1. IIPPSSeecc -- OOvveerrvviieeww Mr. Rupesh Mishra St. Francis Institute of Tech 1
  • 2. OOuuttlliinnee • Introduction • IPSec Architecture • Internet Key Exchange (IKE) • IPSec Policy • Discussion 2
  • 3. IIPP iiss nnoott SSeeccuurree!! • IP protocol was designed in the late 70s to early 80s o Part of DARPA Internet Project o Very small network • All hosts are known! • So are the users! • Therefore, security was not an issue 3
  • 4. SSeeccuurriittyy IIssssuueess iinn IIPP • source spoofing - DOS Attack • replay packets - Replay Attack • No data integrity - Modification • No confidentiality - Spying 4
  • 5. WWhhaatt iiss IIPPSSeecc • A set of protocol and algorithm used to secure IP data and network layer • Open standard for VPN implementation • Inbuilt in IPV6 and compatible with IPV4 5
  • 6. GGooaallss ooff IIPPSSeecc • to verify sources of IP packets o authentication • to prevent replaying of old packets • to protect integrity and/or confidentiality of packets o data Integrity/Data Encryption 6
  • 7. OOuuttlliinnee • Why IPsec? • IPSec Architecture • Internet Key Exchange (IKE) • IPsec Policy • Discussion 7
  • 8. TThhee IIPPSSeecc SSeeccuurriittyy MMooddeell 8 Secure Insecure
  • 9. IIPPSSeecc AArrcchhiitteeccttuurree 9 ESP AH IPSec Security Policy IKE Encapsulating Security Payload Authentication Header The Internet Key Exchange
  • 10. IIPPSSeecc AArrcchhiitteeccttuurree • IPSec provides security in three situations: o Host-to-host, host-to-gateway and gateway-to-gateway • IPSec operates in two modes: o Transport mode (for end-to-end) o Tunnel mode (for VPN) 10
  • 11. IIPPsseecc AArrcchhiitteeccttuurree 11 Transport Mode Router Router Tunnel Mode
  • 12. VVaarriioouuss PPaacckkeettss 12 IP header Original IP header IP header TCP header TCP header TCP header data data data IPSec header IPSec header IP header Transport mode Tunnel mode
  • 13. SSeeccuurriittyy AAssssoocciiaattiioonn ((SSAA)) 13 • Specification of security for the communication • Specification of key , algorithm , policy , etc • Unidirectional • SADB
  • 14. IISSAAKKMMPP 14 • Defines the procedure for security association • SA and Key Management
  • 15. IIPPSSeecc • A collection of protocols (RFC 2401) o Authentication Header (AH) • RFC 2402 o Encapsulating Security Payload (ESP) • RFC 2406 o Internet Key Exchange (IKE) • RFC 2409 o IP Payload Compression (IPcomp) • RFC 3137 15
  • 16. AAuutthheennttiiccaattiioonn HHeeaaddeerr ((AAHH)) • Provides source authentication o Protects against source spoofing • Provides data integrity • Protects against replay attacks o Use monotonically increasing sequence numbers o Protects against denial of service attacks • NO protection for confidentiality! 16
  • 17. AAHH DDeettaaiillss • Use 32-bit monotonically increasing sequence number to avoid replay attacks • Use cryptographically strong hash algorithms to protect data integrity (96-bit) o Use symmetric key cryptography o HMAC-SHA-96, HMAC-MD5-96 17
  • 18. AAHH PPaacckkeett DDeettaaiillss 18 New IP header Security Parameters Index (SPI) Sequence Number Authentication Data Next header Payload length Reserved Old IP header (only in Tunnel mode) TCP header Authenticated Data Encapsulated TCP or IP packet Hash of everything else
  • 19. EEnnccaappssuullaattiinngg SSeeccuurriittyy PPaayyllooaadd ((EESSPP)) • Provides all that AH offers, and • in addition provides data confidentiality o Uses symmetric key encryption 19
  • 20. EESSPP DDeettaaiillss • Same as AH: o Use 32-bit sequence number to counter replaying attacks o Use integrity check algorithms • Only in ESP: o Data confidentiality: • Uses symmetric key encryption algorithms to encrypt packets 20
  • 21. EESSPP PPaacckkeett DDeettaaiillss 21 Security Parameters Index (SPI) Sequence Number Authentication Data Next header Payload length Reserved TCP header Authenticated IP header Initialization vector Data Pad Pad length Next Encrypted TCP packet
  • 22. OOuuttlliinnee • Why IPsec? • IPsec Architecture • Internet Key Exchange (IKE) • IPsec Policy • Discussion 22
  • 23. IInntteerrnneett KKeeyy EExxcchhaannggee ((IIKKEE)) • Exchange and negotiate security policies • Establish security sessions o Identified as Security Associations • Key exchange • Key management • Can be used outside IPsec as well 23
  • 24. HHooww IItt WWoorrkkss • IKE operates in two phases o Phase 1: negotiate and establish an auxiliary end-to-end secure channel • Used by subsequent phase 2 negotiations • Only established once between two end points! o Phase 2: negotiate and establish custom secure channels • Occurs multiple times o Both phases use Diffie-Hellman key exchange to establish a shared key 24
  • 25. IIKKEE PPhhaassee 11 • Goal: to establish a secure channel between two end points o This channel provides basic security features: • Source authentication • Data integrity and data confidentiality • Protection against replay attacks 25
  • 26. IIKKEE PPhhaassee 11 • Rationale: each application has different security requirements • But they all need to negotiate policies and exchange keys! • So, provide the basic security features and allow application to establish custom sessions 26
  • 27. EExxaammpplleess • All packets sent to address mybank.com must be encrypted using 3DES with HMAC-MD5 integrity check • All packets sent to address www.forum.com must use integrity check with HMAC-SHA1 (no encryption is required) 27
  • 28. PPhhaassee 11 EExxcchhaannggee • Can operate in two modes: o Main mode • Six messages in three round trips • More options o Quick mode • Four messages in two round trips • Less options 28
  • 29. PPhhaassee 11 ((MMaaiinn MMooddee)) 29 Initiator Responder [Header, SA1]
  • 30. PPhhaassee 11 ((MMaaiinn MMooddee)) 30 Initiator Responder [Header, SA1] [Header, SA2] Establish vocabulary for further communication
  • 31. PPhhaassee 11 ((MMaaiinn MMooddee)) 31 Initiator Responder [Header, SA1] [Header, SA2] [Header, KE, Ni, {Cert_Reg} ]
  • 32. PPhhaassee 11 ((MMaaiinn MMooddee)) 32 Initiator Responder Header, SA1 [Header, SA1] [Header, KE, Ni { , Cert_Req} ] [Header, KE, Nr {, Cert_Req}] Establish secret key using Diffie-Hellman key exchange Use nonces to prevent replay attacks
  • 33. PPhhaassee 11 ((MMaaiinn MMooddee)) 33 Initiator Responder [Header, SA1] [Header, SA1] [Header, KE, Ni {,Cert_Req} ] [Header, KE, Nr {,Cert_Req}] [Header, IDi, {CERT} sig]
  • 34. PPhhaassee 11 ((MMaaiinn MMooddee)) 34 Initiator Responder [Header, SA1] [Header, SA1] [Header, KE, Ni {, Cert_req}] [Header, KE, Nr {, Cert_req}] [Header, IDi, {CERT} sig] [Header, IDr, {CERT} sig] Signed hash of IDi (without Cert_req , just send the hash)
  • 35. PPhhaassee 11 ((QQuuiicckk MMooddee)) 35 Initiator Responder [Header, SA1, KE, Ni, IDi]
  • 36. PPhhaassee 11 ((QQuuiicckk MMooddee)) 36 Initiator Responder [Header, SA1, KE, Ni, IDi] [Header, SA2, KE, Nr, IDr, [Cert]sig] [Header, [Cert]sig] First two messages combined into one (combine Hello and DH key exchange)
  • 37. IIPPSSeecc ((PPhhaassee 11)) • Four different way to authenticate (either mode) o Digital signature o Two forms of authentication with public key encryption o Pre-shared key • NOTE: IKE does use public-key based cryptography for encryption 37
  • 38. IIPPSSeecc ((PPhhaassee 22)) • Goal: to establish custom secure channels between two end points o End points are identified by <IP, port>: • e.g. <www.mybank.com, 8000> o Or by packet: • e.g. All packets going to 128.124.100.0/24 o Use the secure channel established in Phase 1 for communication 38
  • 39. IIPPSSeecc ((PPhhaassee 22)) • Only one mode: Quick Mode • Multiple quick mode exchanges can be multiplexed • Generate SAs for two end points • Can use secure channel established in phase 1 39
  • 40. IIPP PPaayyllooaadd CCoommpprreessssiioonn • Used for compression • Can be specified as part of the IPSec policy 40
  • 41. OOuuttlliinnee • Why IPsec? • IPsec Architecture • Internet Key Exchange (IKE) • IPSec Policy • Discussion 41
  • 42. IIPPsseecc PPoolliiccyy • Phase 1 policies are defined in terms of protection suites • Each protection suite o Must contain the following: • Encryption algorithm • Hash algorithm • Authentication method • Diffie-Hellman Group o May optionally contain the following: • Lifetime • … 42
  • 43. IIPPSSeecc PPoolliiccyy • Phase 2 policies are defined in terms of proposals • Each proposal: o May contain one or more of the following • AH sub-proposals • ESP sub-proposals • IPComp sub-proposals • Along with necessary attributes such as o Key length, life time, etc 43
  • 44. IIPPSSeecc PPoolliiccyy EExxaammppllee • In English: o All traffic to 128.104.120.0/24 must be: • Use pre-hashed key authentication • DH group is MODP with 1024-bit modulus • Hash algorithm is HMAC-SHA (128 bit key) • Encryption using 3DES • In IPSec: o [Auth=Pre-Hash; DH=MODP(1024-bit); HASH=HMAC-SHA; ENC=3DES] 44
  • 45. IIPPsseecc PPoolliiccyy EExxaammppllee • In English: o All traffic to 128.104.120.0/24 must use one of the following: • AH with HMAC-SHA or, • ESP with 3DES as encryption algorithm and (HMAC-MD5 or HMAC-SHA as hashing algorithm) • In IPsec: o [AH: HMAC-SHA] or, o [ESP: (3DES and HMAC-MD5) or (3DES and HMAC-SHA)] 45
  • 46. VViirrttuuaall PPrriivvaattee NNeettwwoorrkkss ((VVPPNNss)) • Protocol o Data Link Later – PPTP , L2F , L2TF o Network Layer - IPSec • Virtual o It is not a physically distinct network • Private o Tunnels are encrypted to provide confidentiality • Computer dept might have a VPN o I can be on this VPN while traveling 46
  • 47. OOuuttlliinnee • Why IPsec? • IPsec Architecture • Internet Key Exchange (IKE) • IPsec Policy • Discussion 47
  • 48. DDiissccuussssiioonn • IPSec is not the only solution! o Security features can be added on top of IP! • e.g. Kerberos, SSL o IP, IPSec protocols are very complex! • Two modes, three sub protocols o Complexity is the biggest enemy of security 48
  • 49. DDiissccuussssiioonn • Has it been used? o Yes—primarily used by some VPN vendors • But not all routers support it o No—it is not really an end-to-end solution • Authentication is too coarse (host based) • Default encryption algorithm too weak (DES) • Too complex for applications to use 49
  • 50. RReessoouurrcceess • IP, IPsec and related RFCs: o http://www.ietf.org/html.charters/ipsec-charter.html o IPsec: RFC 2401, IKE: RFC 2409 o www.freeswan.org • Google search 50

Editor's Notes

  1. Many security associations are passed in VPN, ISAKMP manages it.