• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Ipsec vpn v0.1
 

Ipsec vpn v0.1

on

  • 1,064 views

An in depth view of what is IPSEC VPN and how it works

An in depth view of what is IPSEC VPN and how it works

Statistics

Views

Total Views
1,064
Views on SlideShare
1,064
Embed Views
0

Actions

Likes
0
Downloads
70
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Today we will be exploring the concepts of IPSec and its importance to establish a secure end to end communications over the untrusted network (Internet).
  • IPSec is an suite of protocols used for securing the IP communications over the Internet. Internet Protocol Security ( IPSec ) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPSec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPSec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host.
  • IPSec is a set of open standard protocols that govern the secure, private exchange of data across public networks, such as the Internet. It was developed by the Internet Engineering Task Force (IETF). IPSec works on Layer 3, the Network layer of the Open Systems Interconnection 7-layer networking model. By running on Layer 3, IPSec is able to function transparently to applications running on Layer 7. The applications do not require any knowledge of IPSec in order to use it. IPSec is used to create tunnels for Virtual Private Networks (VPN), and also provide confidentiality, authenticity, and integrity of data through use of encryption algorithms. Combined with Internet Key Exchange (IKE), IPSec users can exchange keys, authenticate one another, and securely tunnel encrypted data between peers.
  • Data origin authentication verifies that each datagram was originated by the claimed sender. Data integrity verifies that the contents of the datagram were not changed in transit, either deliberately or due to random errors. Data confidentiality conceals the cleartext of a message, typically by using encryption. Replay protection assures that an attacker can not intercept a datagram and play it back at some later time without being detected. Automated management of cryptographic keys and security associations assures that a company's VPN policy can be conveniently and accurately implemented throughout the extended network with little or no manual configuration. These functions make it possible for a VPN's size to be scaled to whatever size a business requires.
  • The concept of a Security Association (SA) is fundamental to IPSec. An SA is a unidirectional (simplex) logical connection between two IPSec systems, uniquely identified by the following triple: -Security Parameter Index -IP Destination Address -Security Protocol The definition of the members is as follows: Security Parameter Index (SPI) This is a 32-bit value used to identify different SAs with the same destination address and security protocol. The SPI is carried in the header of the security protocol (AH or ESP). The SPI has only local significance, as defined by the creator of the SA. The SPI values in the range 1 to 255 are reserved by the Internet Assigned Numbers Authority (IANA). The SPI value of 0 must be used for local implementation-specific purposes only. Generally the SPI is selected by the destination system during the SA establishment. IP Destination Address This address may be a unicast, broadcast or multicast address. However, currently SA management mechanisms are defined only for unicast addresses. Security Protocol This can be either AH or ESP. An SA can be in either of two modes: transport or tunnel, depending on the mode of the protocol in that SA. You can find the explanation of these protocol modes later in this chapter. Because SAs are simplex, for bidirectional communication between two IPSec systems, there must be two SAs defined, one in each direction. An SA gives security services to the traffic carried by it either by using AH or ESP, but not both. In other words, for a connection that should be protected by both AH and ESP, two SAs must be defined for each direction. In this case, the set of SAs that define the connection is referred to as an SA bundle . The SAs in the bundle do not have to terminate at the same endpoint. For example, a mobile host could use an AH SA between itself and a firewall and a nested ESP SA that extends to a host behind the firewall.
  • An IPSec implementation maintains two databases related to SAs: Security Policy Database (SPD) The Security Policy Database specifies what security services are to be offered to the IP traffic, depending on factors such as source, destination, whether it is inbound, outbound, etc. It contains an ordered list of policy entries, separate for inbound and or outbound traffic. These entries might specify that some traffic must not go through IPSec processing, some must be discarded and the rest must be processed by the IPSec module. Entries in this database are similar to the firewall rules or packet filters. Security Association Database (SAD) The Security Association Database contains parameter information about each SA, such as AH or ESP algorithms and keys, sequence numbers, protocol mode and SA lifetime. For outbound processing, an SPD entry points to an entry in the SAD. That is, the SPD determines which SA is to be used for a given packet. For inbound processing, the SAD is consulted to determine how the packet must be processed.
  • Mode : SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, but transport mode is used for host-to-host IPSec tunnel protection. A gateway is a device that monitors and manages incoming and outgoing network traffic and routes the traffic accordingly. A host is a device that sends and receives network traffic. • Transport Mode: The transport mode IPSec implementation encapsulates only the packet’s payload. The IP header is not changed. After the packet is processed with IPSec, the new IP packet contains the old IP header (with the source and destination IP addresses unchanged) and the processed packet payload. Transport mode does not shield the information in the IP header; therefore, an attacker can learn where the packet is coming from and where it is going to. • Tunnel Mode: The tunnel mode IPSec implementation encapsulates the entire IP packet. The entire packet becomes the payload of the packet that is processed with IPSec. A new IP header is created that contains the two IPSec gateway addresses. The gateways perform the encapsulation/ de-capsulation on behalf of the hosts. Tunnel mode ESP prevents an attacker from analyzing the data and deciphering it, as well as knowing who the packet is from and where it is going.
  • IPSec Components IPSec contains the following elements: IKE, AH, ESP. • Internet Key Exchange (IKE) : Provides key management and Security Association (SA) management. The main role of IKE is to be setup Security Association. Also to handle negotiation of protocols and algorithms. • Authentication Header (AH) : Provides authentication and integrity. Provides protection against replay attacks. Does not provide confidentiality. • Encapsulating Security Payload (ESP) : Provides confidentiality, authentication, and integrity.
  • AH provides authentication and integrity, which protect against data tampering. AH also provides optional anti-replay protection, which protects against unauthorized retransmission of packets. The authentication header is inserted into the packet between the IP header and any subsequent packet contents. The payload is not touched. Although AH protects the packet’s origin, destination, and contents from being tampered with, the identity of the sender and receiver is known. In addition, AH does not protect the data’s confidentiality. If data is intercepted and only AH is used, the message contents can be read.
  • AH is used to provide integrity and authentication to IP datagram. Optional replay protection is also possible. Although its usage is optional, the replay protection service must be implemented by any IPSec-compliant system. The mentioned services are connectionless, that is they work on a per-packet basis. AH authenticates as much of the IP datagram as possible. Some fields in the IP header change en-route and their value cannot be predicted by the receiver. These fields are called mutable and are not protected: Type of Service (TOS) Flags Fragment Offset Time to Live (TTL) Header Checksum AH can be used in two ways: tunnel mode and transport mode. With tunnel mode the tunneling concept is applied a new IP datagram is constructed and the original IP datagram is made the payload of it. Then AH in transport mode is applied to the resulting datagram. The tunnel mode is used whenever either end of a security association is a gateway. Thus, between two firewalls the tunnel mode is always used. Although gateways are supposed to support tunnel mode only, often they can also work in transport mode. This mode is allowed when the gateway acts as a host, that is in cases when traffic is destined to itself. In tunnel mode the outer headers' IP addresses does not need to be the same as the inner headers' addresses. For example two security gateways may operate an AH tunnel which is used to authenticate all traffic between the networks they connect together. This is a very typical mode of operation. Hosts are not required to support tunnel mode, but often they do. The advantages of the tunnel mode are total protection of the encapsulated IP datagram and the possibility of using private addresses. However, there is an extra processing overhead associated with this mode. AH is an integral part of IPv6. In an IPv6 environment, AH is considered an end-to-end payload and it appears after hop-by-hop, routing, and fragmentation extension headers. The destination options extension header could appear either before or after the AH header. In transport mode the original IP datagram is taken and the AH header is inserted right after the IP header. If the datagram already has IPSec header, then the AH header is inserted before any of those. The transport mode is used by hosts, not by gateways. Gateways are not even required to support transport mode. The advantage of the transport mode is less processing overhead. The disadvantage is that the mutable fields are not authenticated.
  • This figure shows how the IPSec channel is checked before it passes through the IPSec Channel. AH in transport mode is between 2 end points generally computers. AH in tunnel mode is between gateway to PC or PC to gateway.
  • AH Format Next Header The Next Header is an 8-bit field that identifies the type of the next payload after the Authentication Header. The value of this field is chosen from the set of IP protocol numbers defined in the most recent "Assigned Numbers" RFC from the Internet Assigned Numbers Authority (IANA). Payload Length This field is 8 bits long and contains the length of the AH header expressed in 32-bit words, minus 2. It does not relate to the actual payload length of the IP packet as a whole. If default options are used, the value is 4. (Three 32-bit fixed words plus three 32-bit words of authentication data minus two.) Reserved This field is reserved for future use. Its length is 16 bits and it is set to zero. Security Parameter Index (SPI) This field is 32 bits in length. Sequence Number This 32-bit field is a monotonically increasing counter which is used for replay protection. Replay protection is optional; however, this field is mandatory. The sender always includes this field and it is at the discretion of the receiver to process it or not. At the establishment of an SA the sequence number is initialized to zero. The first packet transmitted using the SA has a sequence number of 1. Sequence numbers are not allowed to repeat. Thus the maximum number of IP packets that can be transmitted on any given SA is 232-1. After the highest sequence number is used, a new SA and consequently a new key is established. Anti-replay is enabled at the sender by default. If upon SA establishment the receiver chooses not to use it, the sender does not concern with the value in this field anymore. Authentication Data This is a variable-length field, also called Integrity Check Value (ICV). The ICV for the packet is calculated with the algorithm selected at the SA initialization. The authentication data length is an integral multiple of 32 bits. As its name tells, it is used by the receiver to verify the integrity of the incoming packet. When doing the ICV calculation, the mutable fields are considered to be filled with zero.
  • Keyed hash algorithm creates a hash based on the message and pre-shared key (between the two end points) Hash is added to the AH packet header IPSec uses Hash Message Authentication Code (HMAC-MD5) and HMAC-SHA-1 Another common MAC algorithm used is AES Cipher Block Chaining MAC IP Header fields that may legitimately change (TTL, IP Header Checksum) are excluded from Integrity Protection process.
  • Internet Key Exchange IPSec works hand-in-hand with ISAKMP, otherwise known as IKE, or Internet Key Exchange. IKE provides a key exchange mechanism, when used in conjunction with IPSec you can encrypt data, create security associations (SA), and operate VPNs. IKE protocol is used to negotiate, create and manage Security Associations (SA) SA is a generic term for a set of values that define the IPSec features and protection applied to a connection. SA can also be manually set by two parties but cannot be updated. IKE uses 5 different types of exchanges to create SA, transfer status and error info and define new Diffie Hellman groups.
  • There are 5 types of IKE Exchanges Out of these five only the two are most widely used i.e. Main Mode or Aggressive Mode for the Phase 1 And Quick Mode for Phase 2 for the IPSec VPN.
  • IKE Phase 1 : 1.To successfully negotiate a secure channel through which an IPSec SA can be negotiated. Channel created is called IKE SA\\ 2.Provides bi-directional encryption and authentication for subsequent IKE exchanges namely Transfer status, error information and creation of Diffie-Hellman group 3.IKE SA can be established through either of the following two modes: Main Mode Aggressive Mode
  • Step 1 Interesting traffic initiates the IPSec process — Traffic is deemed interesting when the IPSec security policy configured in the IPSec peers starts the IKE process.   Step 2 IKE phase one — IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase two.  Step 3 IKE phase two — IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.  Step 4 Data transfer — Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.  Step 5 IPSec tunnel termination — IPSec SAs terminate through deletion or by timing out.
  • In IKE Phase 1 : Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. This is called the ISAKMP Security Association (SA). "Main Mode" and "Aggressive Mode" each accomplish a phase 1 exchange. "Main Mode" and "Aggressive Mode" MUST ONLY be used in phase 1. The first pair of message is mainly to negotiate Security Association policy. It contains the encryption algorithm and Integrity Protection Algorithm Authentication is mainly accomplished by using pre-shared key or digital signatures or public key encryption. In Main Mode the keys are exchanged only after the tunnel is encrypted so there is no possibility of sniffing the key in the middle.
  • Second Pair of Messages performs key Exchange through Diffie Hellman using the parameters negotiated during first step. IDs are not shared until the third pair of messages so that the keys established through diffie hellman can protect the IDs In third Pair of Messages, each end point authenticate to the other and by this time all messages are encrypted
  • This is the summary. Main Mode is an instantiation of the ISAKMP Identity Protect Exchange: The first two messages negotiate policy; the next two exchange Diffie-Hellman public values and ancillary data (e.g. nonces) necessary for the exchange; and the last two messages authenticate the Diffie-Hellman Exchange. The authentication method negotiated as part of the initial ISAKMP exchange influences the composition of the payloads but not their purpose. The XCHG for Main Mode is ISAKMP Identity Protect.
  • Aggressive Mode is faster than the Main Mode in such a way that there are only three messages that are exchanged in the phase 1. The first message Endpoint A sends all SA parameters, Diffie Hellman key exchange and its ID. The second message Endpoint B sends all SA parameters, Diffie Hellman key exchange and its authentication payload. The final message or the third message authenticates the sender.
  • Key exchange happens before Diffie-Hellman parameters are exchanged Identity information is not always hidden hence adversary can realize the parties involved in the authentication process . If PKI is used then the identity information gets concealed. Susceptible to Man in the middle attacks (Pre-Shared Key Cracking). This is because, keys are exchanged in the very first pair itself. Thus all the keys , usernames are passed in clear-text using IKE Aggressive Mode. Usernames are susceptible to brute-force guessing when using IKE Aggressive Mode.
  • What is IKE Phase 2 exchange ? Used to establish an SA for the actual IPSec connection. This SA is referred to as IPSec SA. IPSec SA is uni-directional. Data encryption takes place here in this phase.
  • ESP is used to provide integrity check, authentication and encryption to IP datagram. Optional replay protection is also possible. These services are connectionless, they operate on a per-packet basis. The set of desired services are selectable upon SA establishment. There are two modes : Transport Mode and Tunnel Mode.
  • Like AH, ESP can be used in two ways: transport mode and tunnel mode. In transport mode the original IP datagram is taken and the ESP header is inserted right after the IP header. If the datagram already has IPSec header, then the ESP header is inserted before any of those. The ESP trailer and the optional authentication data are appended to the payload. ESP in transport mode provides neither authentication nor encryption for the IP header. This is a disadvantage, since false packets might be delivered for ESP processing. The advantage of transport mode the lower processing overhead. As in the case of AH, ESP in transport mode is used by hosts, not gateways. Gateways are not even required to support transport mode. Tunnel mode applies the tunneling principle. A new IP packet is constructed with a new IP header and then ESP in transport mode is applied. Since the original datagram becomes the payload data for the new ESP packet, its protection is total if both encryption and authentication are selected. However, the new IP header is still not protected. The tunnel mode is used whenever either end of a security association is a gateway. Thus, between two firewalls the tunnel mode is always used.
  • Security Parameter Index (SPI) This field is 32 bits in length. Sequence Number This 32-bit field is a monotonically increasing counter. Same as in AH. Payload Data The Payload Data field is mandatory. It consists of a variable number of bytes of data described by the Next Header field. This field is encrypted with the cryptographic algorithm selected during SA establishment. Padding Most encryption algorithms require that the input data must be an integral number of blocks. Also, the resulting ciphertext (including the Padding, Pad Length and Next Header fields) must terminate on a 4-byte boundary, so that Next Header field is right aligned. That's why this variable length field is included. It can be used to hide the length of the original messages too. However, this could adversely impact the effective bandwidth. Padding is an optional field. Note: The encryption covers the Payload Data, Padding, Pad Length and Next Header fields. Pad Length This 8-bit field contains the number of the preceding padding bytes. It is always present, and the value of 0 indicates no padding. Next Header The Next Header is an 8-bit mandatory field that shows the data type carried in the payload, for example an upper-level protocol identifier such as TCP. The values are chosen from the set of IP Protocol Numbers defined by the IANA. Authentication Data This field is variable in length and contains the ICV calculated for the ESP packet from the SPI to the Next Header field inclusive. The Authentication Data field is optional. It is included only when integrity check and authentication have been selected at SA initialization time. The ESP specifications require two authentication algorithms to be supported: HMAC with MD5 and HMAC with SHA-1. Often the simpler keyed versions are also supported by the IPSec implementations.
  • The above are the differences between the AH and ESP.
  • Why two protocols? Knowing about the security services of ESP, one might ask if there is really a requirement for AH. Why does ESP authentication not cover the IP header as well? There is no official answer to these questions, but here are some points that justify the existence of two different IPSec authentication protocols: ESP requires strong cryptographic algorithms to be implemented, whether it will actually be used or not. Strong cryptography is an over-hyped and sensitive topic in some countries, with restrictive regulations in place. It might be troublesome to deploy ESP-based solutions in such areas. However, authentication is not regulated and AH can be used freely around the world. Often only authentication is needed. While ESP could have been specified to cover the IP header as well, AH is more performant compared to ESP with authentication only, because of the simpler format and lower processing overhead. It makes sense to use AH in these cases. Having two different protocols means finer-grade control over an IPSec network and more flexible security options. By nesting AH and ESP for example, one can implement IPSec tunnels that combine the strengths of both protocols.
  • IPSec is the prevalent network layer VPN protocol. There are scenarios where-in other VPN protocols are required to be implemented Data Link Layer VPN protocol; example PPTP , L2TP, L2F Transport Layer VPN protocol ; example SSL Application Layer VPN protocol ;example SSH
  • Types of VPN : 1. Site to site VPN : in which there are two VPN devices at two different locations. And encryption and decryption takes place in these boxes.
  • VPN connectivity would be transparent to the users. Labor costs for configuring clients/ gateways reduces. Deployment would be easy as only the gateways needs to be configured. Existent Routers could be used as VPN gateway, only if it supports VPN. Hardware cost of gateway might be high.
  • Client to Site VPN: In this type of VPN, one end is a VPN device other end is a client. So encryption and decryption takes place at external client as well as at the vpn device.
  • Different VPN PROTOCOL with their strength and weakness can be understood from the above slide.

Ipsec vpn v0.1 Ipsec vpn v0.1 Presentation Transcript

  • IPSec - VPN
  • Introduction
    • IPSec is an suite of protocols used for securing IP Communications
    • Provides Confidentiality, Data Integrity, and replay protection.
    • Provides Mutual Authentication between two entities
    • Can be used for communication between
      • Pair of Hosts (Computer Users or Servers or both)
      • Pair of Network Devices (Routers or Firewall)
      • Network Devices and Hosts
  • Features
    • Part of an Open Standard
    • Operates at Layer 3 (Internet Layer) of OSI stack
      • Other encryption protocols e.g. SSL, SSH etc., operate at layers above Layer 3
    • It does not require applications to be modified for compatibility purpose
      • Implementation of SSL, SSH requires additional changes to be carried out on the applications
  • IPSec Services
    • Data origin authentication
    • Data integrity
    • Data confidentiality
    • Replay protection
    • Automated management of cryptographic keys and security associations
  • Concepts
    • Security Association (SA)
    • Security Parameter Index (SPI)
    • IP Destination Address
    • Security Protocol
  • Database maintained by IPSec
    • Security Policy Database (SPD)
    • Security Association Database (SAD)
  • IPSec Modes
    • Tunnel Mode
    • Transport Mode
  • Key Components of IPSec
    • There are three key components of IPSec
      • I nternet K ey E xchange (IKE) to setup a S ecurity A ssociation (SA)
        • Handling negotiation of protocol and algorithms
        • Generating the encryption and authentication keys
      • A uthentication H eader (AH)
        • Provides integrity and data origin authentication
        • Provides protection against replay attacks
      • E ncapsulating S ecurity P ayload (ESP)
        • Provides confidentiality, data origin authentication and integrity
  • Authentication Header [AH]
    • Provides Data Origin Authentication
    • Provides Data Integrity
    • AH gets appended to the Packet Header
    • Does not provide confidentiality.
  • AH – Packet Structure… TUNNEL MODE TRANSPORT MODE Provides Integrity Protection to entire packet irrespective of the mode New IP Header AH Header Original IP Header Payload Authenticated (Integrity Protection) Original IP Header AH Header Payload Authenticated (Integrity Protection
  • AH …
    • Host – to – Host (without gateway)
    • Host – to – Host (with gateway)
    TRANSPORT MODE TUNNEL MODE PACKET New IP Header PACKET PACKET PACKET PACKET PACKET
  • Authentication Header - Packet Identifies the protocol of the payload data. Size of AH Packet For Future Use Contains the MAC output used for verifying whether the packet has been altered or not Ensures that only packets within a sliding window of sequence numbers are accepted. Prevents replay attack Unique identifier set by each endpoint of IPSec connection. Used to determine which SA is in use Next Header Payload Length Reserved Security Parameters Index (SPI) Sequence Number Authentication Data
  • AH – Data Integrity Process
    • Keyed hash algorithm creates a hash and pre-shared key.
    • Hash is added to the AH packet header.
    • IPSec uses Hash Message Authentication Code (HMAC-MD5) and HMAC-SHA-1)
    • IP Header fields that may change are excluded from Integrity Protection process
  • Internet Key Exchange
    • Importance of IKE
    • What is a SA ?
    • IKE uses 5 different types of exchanges to create SA, transfer status and error info and define new Diffie Hellman groups
  • Internet Key Exchange…
    • Five types of IKE exchanges
      • Main Mode
      • Aggressive Mode
      • Quick Mode
      • Informational
      • Group
  • IKE – Phase One Exchange
    • To successfully negotiate a secure channel
    • Provides bi-directional encryption and authentication for subsequent IKE exchanges
    • IKE SA can be established through either of the following two modes:
      • Main Mode
      • Aggressive Mode
  • How IPSec Works
    • Interesting traffic initiates the IPSec process
    • IKE phase one
    • IKE phase two
    • Data transfer
    • IPSec tunnel termination
  • IKE–Phase 1 Exchange – Main Mode
    • Establishes IKESA through three pair of messages:
    • First pair of message contains
      • Encryption Algorithm: DES, 3DES, RC5, AES etc
      • Integrity Protection Algorithm: HMAC-MD5, HMAC-SHA1 etc
      • Authentication Method
        • Pre-shared Keys
        • Digital Signatures
        • Public Key Encryption
      • Diffie Hellman Group number
    • Second Pair of Messages performs
      • Key Exchange through Diffie Hellman using the parameters negotiated during first step
    • Third Pair of Messages performs
      • Each end point authenticate to the other
      • By this time all messages are encrypted
    IKE–Phase 1 Exchange – Main Mode
  • IKE-Phase1-Main Mode Summary
    • First Pair of Messages
      • Negotiates the IKE SA parameters
    • Second Pair of Messages
      • Performs key exchange
    • Third Pair of Messages
      • Authenticates the endpoints to each other
  • IKE–Phase 1 Exchange– Aggressive Mode
    • Faster than Main Mode. Uses three messages instead of three pairs of messages
    • First Message
      • Endpoint A sends all SA parameters, Diffie-Hellman key exchange and its ID
    • Second Message
      • Endpoint B sends all SA parameters, Diffie-Hellman key exchange and its authentication payload
    • Third Message
      • Endpoint A sends its authentication payload
  • Security Issues – Aggressive Mode
    • Key exchange happens before Diffie-Hellman parameters are exchanged
    • Identity information is not always hidden hence adversary can realize the parties involved in the authentication process
      • If PKI is used then the identity information gets concealed
    • Susceptible to Man in the middle attacks (Pre-Shared Key Cracking)
  • IKE-Phase2 Exchange
    • Used to establish an SA for the actual IPSec connection
    • This SA is referred to as IPSec SA
    • Unlike IKESA (bidirectional), IPSec SA is unidirectional
      • i.e. IPSec connection requires two security associations
  • Encapsulating Security Payload
    • ESP is the second core IPSec security protocol
    • Provides Data Origin Authentication
    • Provides Data Integrity (Not for the outermost IP Header)
    • Provides Encryption features
    • ESP has two modes:
    • - Transport & Tunnel Mode
  • ESP – Packet Structure TUNNEL MODE TRANSPORT MODE New IP Header ESP Header Original IP Header Payload ESP Trailer ESP Auth (Optional) Encrypted Authentication (Integrity Protection) Original IP Header ESP Header Payload ESP Trailer ESP Auth (Optional) Encrypted Authenticated (Integrity Protection)
  • ESP - Packet Contains the data used to authenticate the packet Unique identifier set by each endpoint of IPSec connection. Used to determine which SA is in use Ensures that only packets within a sliding window of sequence numbers are accepted. Prevents replay attack Used with some block ciphers to pad the data to the full length of a block. Size of Padding in Bytes Identifies the protocol of the payload data. Security Parameters Index (SPI) Sequence Number Payload Data Padding Pad Length Next Header Authentication Data (Variable)
    • Authentication Header
    • Provides Integrity protection for all packet headers and data.
    • Often incompatible with NATing since Srce and dest IP header integrity maintained
    • Does not provide encryption options
    • Use of AH has significantly declined. Some IPSec implementations do not support AH
    • Encapsulation Security Payload
    • ESP does not provide integrity protection for the outermost IP header
    • Provides encryption option
    • In ESP tunnel mode, the true srce and dest IP is encrypted. Hence ESP tunnel mode is the most commonly used for IPSec VPN
    • Padding feature makes it complicated for an adversary to carry out traffic analysis
    Summarize AH & ESP
  • Why two protocols ?
    • ESP or AH ?
    • If ESP provides encryption and authentication, then why then AH ?
  • VPN - Protocols
    • IPSec is the prevalent network layer VPN protocol.
    • There are scenarios where-in other VPN protocols are required to be implemented
      • Data Link Layer VPN protocols
        • PPTP , L2TP, L2F
      • Transport Layer VPN protocols
        • SSL
      • Application Layer VPN protocols
        • SSH
  • Types of VPN
    • Site to Site VPN
  • Site to Site VPN
    • VPN connectivity would be transparent to the users
    • Labor costs for configuring clients/ gateways reduces
    • Deployment would be easy as only the gateways needs to be configured
    • Existent Routers could be used as VPN gateway
      • Hardware cost of gateway might be high
  • Types of VPN
    • Client to Site VPN
  • VPN protocols – Pros & Cons Protocol Strengths Weaknesses PPTP Can protect Non-IP protocols since the layer is operating below the network layer Requires client software (if there is no built-in client) Has known security weaknesses Does not offer strong authentication Supports one session per tunnel L2TP Can protect Non-IP protocols Can support multiple sessions per tunnel Can support RADIUS Can use IPSec to provide encryption and key mgmt service Requires client software (if there is no built-in client)
  • VPN protocols – Pros & Cons Protocol Strengths Weaknesses SSL Already supported by all major web browser Can provide strong encryption Can only protect TCP based communications Requires application servers & clients to support SSL/TLS Typically implemented to authenticate the server to the client and not vice-versa Application Layer VPNs Can provide granular protection for application communications Can only protect some or all of the communications for a single application Often cannot be incorporated in off-the shelf software Uses proprietary encryption or authentication mechanisms that may have unknown flaws