3. IP security
IP security encompasses four functional areas:
• Authentication:- The mechanism that assures the packet was not modified in transit.
• Confidentiality:- Communicating nodes encrypt messages to prevent eavesdropping.
• Key management:- Concerned with the secure exchange of keys.
• Integrity:- The assurance that the data received are exactly as sent by an authorized entity.
4. The IPsec protocol is implemented as two protocols:
• Authentication Header (AH): provides authentication along with integrity.
• Encapsulating Security Payload (ESP).
ESP has two types:
ESP without authentication (authentication is optional).
ESP with authentication.
6. Security Association (SA)
• A communication relationship between client and server.
• An SA is one-way (simplex).
• It is a temporary communication link between the sender and receiver.
• When both parties want to communicate, an SA must be established on each side (one per direction).
7. Parameters for identifying an SA
• Security Parameter Index (SPI):- A unique number that identifies the particular security association.
• IP Destination Address:- If the client/sender wants to communicate with the server/receiver, the client must have the server's address.
• Protocol Identifier:- Whether the protocol is ESP or AH.
8. Parameters associated with an SA
All security associations are maintained in the SA database:
• Security Parameter Index (SPI).
• Sequence number counter.
• Sequence number overflow.
• Anti-replay window.
• AH information.
• ESP information.
• Lifetime of the SA.
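As an added example (not from these slides), the following Python sketch ties slides 7 and 8 together: an SA database keyed by the (SPI, destination address, protocol) triple, where each SA record holds the sequence number counter, the overflow flag and a sliding anti-replay window. The names SecurityAssociation, SADatabase, next_outbound_seq and accept_inbound are hypothetical, and the window width of 64 packets is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

WINDOW_SIZE = 64  # anti-replay window width in packets (RFC 4303 minimum is 32)

@dataclass
class SecurityAssociation:
    spi: int                    # Security Parameter Index
    dst: str                    # IP destination address
    proto: str                  # protocol identifier: "AH" or "ESP"
    seq_counter: int = 0        # outbound sequence number counter (32-bit)
    seq_overflow: bool = False  # sequence number overflow flag
    highest_seq: int = 0        # right edge of the inbound anti-replay window
    window: int = 0             # bitmap: bit k set = seq (highest_seq - k) received

    def next_outbound_seq(self) -> Optional[int]:
        """Next sequence number to send; None once the 32-bit counter would wrap (renegotiate the SA)."""
        if self.seq_counter >= 0xFFFFFFFF:
            self.seq_overflow = True
            return None
        self.seq_counter += 1
        return self.seq_counter

    def accept_inbound(self, seq: int) -> bool:
        """Sliding-window anti-replay check; call only after the packet's ICV has verified."""
        if seq == 0:
            return False  # sequence number 0 is never valid
        if seq > self.highest_seq:  # newer than anything seen: slide the window right
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW_SIZE:
            return False  # older than the window: drop
        if self.window & (1 << offset):
            return False  # already received: replay
        self.window |= 1 << offset
        return True

class SADatabase:
    """SA database keyed by the (SPI, destination address, protocol) triple."""
    def __init__(self) -> None:
        self._sas = {}
    def add(self, sa: SecurityAssociation) -> None:
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa
    def lookup(self, spi: int, dst: str, proto: str) -> Optional[SecurityAssociation]:
        return self._sas.get((spi, dst, proto))
```

A late packet inside the window is accepted once; a duplicate or anything older than the window is dropped before decryption work is spent on it.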
9. IP security protocol modes
• Transport mode:- Transport mode encrypts only the payload, so the IP header of the original packet is not encrypted. IPsec transport mode can be used when encrypting traffic between two hosts or between a host and a VPN gateway.
• Tunnel mode:- The original IP packet is encapsulated within another packet. In IPsec tunnel mode the original IP datagram is encapsulated with an AH or ESP header and an additional (new) IP header. The original IP datagram is encrypted inside the IPsec packet.
12. IPv6 (transport mode)
Before applying AH:-
Original IP header | Extension header | TCP | Data
After applying AH:-
Original IP header | Extension header | AH | TCP | Data
14. IPv6 (tunnel mode)
Before applying AH:-
Original IP header | Extension header | TCP | Data
After applying AH:-
New IP header | Extension header | AH | Original IP header | Extension header | TCP | Data
16. IPv4 (transport mode)
Original IP header | ESP header | TCP | Data | ESP trailer | ESP authentication trailer
IPv6 (transport mode)
Original IP header | Extension header | ESP header | TCP | Data | ESP trailer | ESP authentication trailer
17. IPv4 (tunnel mode)
New IP header | ESP header | Original IP header | TCP | Data | ESP trailer | ESP authentication trailer
IPv6 (tunnel mode)
New IP header | Extension header | ESP header | Original IP header | Extension header | TCP | Data | ESP trailer | ESP authentication trailer
18. Key management
• Manual:- A system administrator manually configures each system with its own keys. This is practical for small networks and relatively static environments.
• Automated:- An automated system enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration.
19. The automated key management protocol of IPsec is referred to as ISAKMP/Oakley and consists of:
Oakley key determination protocol:- A key exchange protocol based on the Diffie-Hellman algorithm but providing added security.
Internet Security Association and Key Management Protocol (ISAKMP):- Provides a framework for Internet key management and provides specific protocol support, including formats, for the negotiation of security attributes.