UNIT – VI
Network Security – II
Topics:
Security at Network Layer
IPSec
System Security
DNR COLLEGE OF ENGINEERING & TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING
IP Security
 IP SECURITY OVERVIEW
 IP SECURITY ARCHITECTURE
 AUTHENTICATION HEADER
 ENCAPSULATING SECURITY PAYLOAD
 COMBINING SECURITY ASSOCIATIONS
 KEY MANAGEMENT
IP Security Overview
The standard Internet protocol (IP) provides no
protection of its own: any host on the path can
inspect or modify data in transit. Adding IPSec to
the system resolves this limitation by providing
strong encryption, integrity, authentication and
replay protection.
What Security Problem?
Today's Internet consists primarily of:
 Public
 Untrusted
 Unreliable IP networks
Because of this inherent lack of security,
the Internet is subject to various types of threats.
Internet Threats
 Data integrity
The contents of a packet can be accidentally or
deliberately modified.
 Identity spoofing
The origin of an IP packet can be forged.
 Replay attacks
Previously captured packets can be retransmitted by
an unauthorized party.
 Loss of privacy
The contents of a packet can be examined in
transit.
Security at What Level?
Application Layer
Transport Layer
Network Layer
Data Link Layer
PGP, Kerberos, SSH, etc.
Transport Layer Security (TLS)
IP Security
Hardware encryption
IP SECURITY
IP-level security encompasses three functional areas:
 Authentication
 Confidentiality
 Key management
IP SECURITY
Authentication - The authentication mechanism
ensures that a received packet was sent by the
source identified in it, and that the packet has
not been altered in transit.
Confidentiality - The confidentiality facility enables
communicating nodes to encrypt messages to
prevent eavesdropping by third parties.
Key management - Concerned with the secure
exchange of keys.
IP Security Scenario
Applications of IP Security
Secure branch office connectivity over the Internet.
Secure remote access over the Internet.
Establishing extranet and intranet connectivity with
partners.
Enhancing electronic commerce security.
Benefits of IPsec
 Provides strong security when implemented in a
firewall or router, where it can be applied to all traffic
crossing the perimeter.
 IPsec is resistant to bypass if all traffic from the
outside must use IP and the firewall is the only
way of entrance from the Internet into the
organization.
 Is below the transport layer, hence transparent to
applications.
 Can be transparent to end users.
 Can provide security for individual users if
needed.
IPsec Documents
 Architecture - Covers the general concepts, security
requirements, definitions, and mechanisms defining IPsec technology.
 Authentication Header (AH) - An extension header to provide message
authentication. Current specification is RFC 4302.
 Encapsulating Security Payload (ESP) - Consists of an encapsulating header and
trailer used to provide encryption or combined
encryption/authentication. Current specification is RFC 4303.
 Internet Key Exchange (IKE) - A collection of documents describing the
key management schemes for use with IPsec.
 Cryptographic algorithms - Includes a large set of documents that define
and describe cryptographic algorithms for encryption, message
authentication, pseudorandom functions, and cryptographic key
exchange.
 Domain of Interpretation - Contains values needed for the other
documents to relate to each other. These include identifiers for approved
encryption and authentication algorithms, as well as operational
parameters such as key lifetime.
IPSec Document Overview
IPSec Security Services
 Connectionless integrity
Assurance that received traffic has not been
modified. Integrity includes anti-replay defenses.
 Data origin authentication
Assurance that traffic is sent by the legitimate party or parties.
 Confidentiality (encryption)
Assurance that a user's traffic is not examined by non-authorized
parties.
 Access control
Prevention of unauthorized use of a resource.
 Limited traffic flow confidentiality
Security Associations
 A one-way relationship between a sender and a receiver that affords
security services to the traffic carried on it.
A security association is uniquely identified by three parameters:
 Security Parameters Index (SPI): A bit string assigned to this
SA and having local significance only. The SPI is carried in AH and
ESP headers to enable the receiving system to select the SA under
which a received packet will be processed.
 IP Destination Address: Currently, only unicast addresses are
allowed; this is the address of the destination endpoint of the
SA, which may be an end user system or a network system such as a
firewall or router.
 Security Protocol Identifier: This indicates whether the
association is an AH or ESP security association
Security Association Parameters
The Security Association Database (SAD) defines the parameters associated
with each SA. A security association is normally defined by the
following parameters:
 Sequence Number Counter: A 32-bit value used to generate the
Sequence Number field in AH or ESP headers.
 Sequence Counter Overflow: A flag indicating whether overflow
of the Sequence Number Counter should generate an auditable event
and prevent further transmission of packets on this SA (required for
all implementations).
 Anti-Replay Window: Used to determine whether an inbound AH
or ESP packet is a replay.
 AH Information: Authentication algorithm, keys, key
lifetimes, and related parameters being used with AH (required for
AH implementations).
Security Association Parameters
 ESP Information: Encryption and authentication
algorithm, keys, initialization values, key lifetimes, and related
parameters being used with ESP (required for ESP
implementations).
 Lifetime of This Security Association: A time interval or
byte count after which an SA must be replaced with a new SA
(and new SPI) or terminated, plus an indication of which of these
actions should occur (required for all implementations).
 IPSec Protocol Mode: Tunnel, transport, or wildcard (required
for all implementations).
 Path MTU: Any observed path maximum transmission unit
(maximum size of a packet that can be transmitted without
fragmentation) and aging variables (required for all
implementations).
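The Sequence Number Counter, Sequence Counter Overflow and Anti-Replay Window parameters worked through as an added example; this is not code from any IPsec stack, and the 64-packet window size and the packet arrival order are constructed for the illustration.

```python
class SequenceCounterOverflow(Exception):
    """Raised on the sender when the 32-bit Sequence Number Counter would wrap."""


class OutboundSA:
    def __init__(self, spi: int):
        self.spi = spi
        self.seq = 0              # Sequence Number Counter (first packet gets 1)
        self.audit_log = []       # stands in for the auditable event

    def next_sequence_number(self) -> int:
        """Sequence numbers on an SA must never wrap: when the counter would
        overflow, raise an auditable event, stop transmitting on this SA and
        require a new SA (with a new SPI) to be negotiated."""
        if self.seq == 0xFFFFFFFF:
            self.audit_log.append(
                f"SPI {self.spi:#x}: sequence counter overflow, SA must be replaced")
            raise SequenceCounterOverflow(self.spi)
        self.seq += 1
        return self.seq


class InboundSA:
    """Receiver state: the highest sequence number accepted so far and a bitmap
    recording which of the `window` most recent numbers have been received."""

    def __init__(self, spi: int, window: int = 64):
        self.spi = spi
        self.window = window
        self.highest = 0
        self.bitmap = 0           # bit i set => sequence number (highest - i) seen

    def is_fresh(self, seq: int) -> bool:
        """Replay check only; does not modify the window."""
        if seq == 0:                      # 0 is never a valid sequence number
            return False
        if seq > self.highest:            # right of the window: new
            return True
        offset = self.highest - seq
        if offset >= self.window:         # left of the window: too old, reject
            return False
        return not (self.bitmap & (1 << offset))   # inside: reject if already seen

    def mark_received(self, seq: int) -> None:
        """Advance or fill the window once the packet has been authenticated."""
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.window:
                self.bitmap = 0           # jumped past the whole window
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.window) - 1)
            self.bitmap |= 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq: int, icv_ok: bool) -> bool:
        """The replay check runs before the (costly) ICV verification, but the
        window is only updated after the ICV verifies; otherwise a forged
        packet carrying a huge sequence number could slide the window and
        cause genuine in-flight packets to be rejected as too old."""
        if not self.is_fresh(seq):
            return False
        if not icv_ok:
            return False
        self.mark_received(seq)
        return True


def replay_trace() -> list:
    """Constructed arrival order on one inbound SA; returns accept/reject per packet."""
    sa = InboundSA(spi=0x1001, window=64)
    arrivals = [(1, True), (3, True), (2, True), (2, True), (3, True),
                (100, False), (70, True), (6, True), (7, True), (0, True)]
    return [sa.receive(seq, ok) for seq, ok in arrivals]


def sender_overflow_demo() -> tuple:
    """Drive an outbound SA to the end of its counter; returns
    (last sequence number issued, overflow raised, audit entries)."""
    sa = OutboundSA(spi=0x1001)
    sa.seq = 0xFFFFFFFE                   # constructed: pretend 2^32-2 packets were sent
    last = sa.next_sequence_number()
    try:
        sa.next_sequence_number()
        raised = False
    except SequenceCounterOverflow:
        raised = True
    return last, raised, len(sa.audit_log)
```

In the trace, packet 100 arrives with a bad ICV and does not move the window, so the late packet 7 is still accepted after 70 has been seen, while 6 has fallen out of the 64-packet window.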
Security Association Selectors
The means by which IP traffic is related to specific SAs (or no SA in
the case of traffic allowed to bypass IPSec) is the nominal Security
Policy Database (SPD).
The following selectors determine an SPD entry:
 Destination IP Address: This may be a single IP address, an
enumerated list or range of addresses, or a wildcard (mask) address.
The latter two are required to support more than one destination
system sharing the same SA (e.g., behind a firewall).
 Source IP Address: This may be a single IP address, an
enumerated list or range of addresses, or a wildcard (mask) address.
The latter two are required to support more than one source system
sharing the same SA (e.g., behind a firewall).
 UserID: A user identifier from the operating system. This is not a
field in the IP or upper-layer headers but is available if IPSec is
running on the same operating system as the user.
Security Association Selectors
 Data Sensitivity Level: Used for systems
providing information flow security (e.g., Secret or
Unclassified).
 Transport Layer Protocol: Obtained from the
IPv4 Protocol or IPv6 Next Header field. This may be
an individual protocol number, a list of protocol
numbers, or a range of protocol numbers.
 Source and Destination Ports: These may be
individual TCP or UDP port values, an enumerated
list of ports, or a wildcard port.
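A worked SPD lookup over the selectors listed above, added here as an illustration rather than code from any IPsec implementation: the sample policy entries, addresses and SPI values are constructed, and ordered first-match evaluation with a default of discard is the example's own assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# A selector may be one address, a list or range of addresses, or a wildcard
# (mask); all of these are modelled here as a list of networks.
AddrSel = Sequence[ipaddress.IPv4Network]
PortSel = Optional[Sequence[int]]     # None means wildcard port
ProtoSel = Optional[Sequence[int]]    # None means any protocol


@dataclass
class SPDEntry:
    name: str
    action: str                      # "PROTECT", "BYPASS" or "DISCARD"
    dst: AddrSel                     # Destination IP Address selector
    src: AddrSel                     # Source IP Address selector
    protocols: ProtoSel = None       # IPv4 Protocol / IPv6 Next Header values
    dst_ports: PortSel = None
    src_ports: PortSel = None
    user_id: Optional[str] = None    # OS user; only known on the end host itself
    spi: Optional[int] = None        # SA to apply when the action is PROTECT


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    user_id: Optional[str] = None


def _addr_matches(sel: AddrSel, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in network for network in sel)


def _matches(entry: SPDEntry, pkt: Packet) -> bool:
    if not _addr_matches(entry.dst, pkt.dst) or not _addr_matches(entry.src, pkt.src):
        return False
    if entry.protocols is not None and pkt.protocol not in entry.protocols:
        return False
    if entry.dst_ports is not None and pkt.dst_port not in entry.dst_ports:
        return False
    if entry.src_ports is not None and pkt.src_port not in entry.src_ports:
        return False
    if entry.user_id is not None and pkt.user_id != entry.user_id:
        return False
    return True


def lookup(spd: Sequence[SPDEntry], pkt: Packet) -> Tuple[str, Optional[int], str]:
    """Return (action, spi, entry name) for the first matching entry.

    The SPD is an ordered list, so more specific entries must precede broader
    ones. Traffic that matches nothing is discarded rather than sent in the clear.
    """
    for entry in spd:
        if _matches(entry, pkt):
            return entry.action, entry.spi, entry.name
    return "DISCARD", None, "<default>"


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


ANY = [net("0.0.0.0/0")]
SITE = [net("10.1.0.0/16")]        # constructed: the protected branch-office network

# Constructed sample policy for a security gateway in front of SITE.
SAMPLE_SPD = [
    # IKE itself (UDP/500) must bypass IPsec, otherwise no SA could ever be negotiated.
    SPDEntry("ike-bypass", "BYPASS", dst=ANY, src=ANY, protocols=[17],
             dst_ports=[500], src_ports=[500]),
    # Traffic to the partner extranet is protected under SA 0x1001.
    SPDEntry("to-partner", "PROTECT", dst=[net("192.0.2.0/24")], src=SITE, spi=0x1001),
    # Telnet from the site is refused outright.
    SPDEntry("no-telnet", "DISCARD", dst=ANY, src=SITE, protocols=[6], dst_ports=[23]),
    # Everything else leaving the site is tunnelled under SA 0x1002.
    SPDEntry("site-default", "PROTECT", dst=ANY, src=SITE, spi=0x1002),
]

if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", "192.0.2.10", 6, 40000, 443),
                Packet("10.1.2.3", "198.51.100.7", 17, 500, 500),
                Packet("10.1.2.3", "198.51.100.7", 6, 40001, 23),
                Packet("172.16.0.9", "198.51.100.7", 6, 40003, 80)):
        print(f"{pkt.src} -> {pkt.dst} proto {pkt.protocol}: {lookup(SAMPLE_SPD, pkt)}")
```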
IPSec Modes of Operation
 Both AH and ESP support two modes of use:
 Transport mode - Provides protection primarily for
upper-layer protocols. ESP in transport mode
encrypts and optionally authenticates the IP payload
but not the IP header. AH authenticates the IP
payload and selected portions of the IP header.
 Tunnel mode - Provides protection to the entire IP
packet. After the AH or ESP fields are added to the IP
packet, the entire packet plus security fields is
treated as the payload of a new outer packet with a new
outer IP header.
IPSec Modes of Operation
 Transport Mode: protect the upper layer protocols
Original IP datagram: [IP Header][TCP Header][Data]
Transport mode protected packet: [IP Header][IPSec Header][TCP Header][Data]
(protected part: [TCP Header][Data])
 Tunnel Mode: protect the entire IP payload
Tunnel mode protected packet: [New IP Header][IPSec Header][Original IP Header][TCP Header][Data]
(protected part: [Original IP Header][TCP Header][Data])
Transport mode vs. Tunnel mode functionalities
AH
Transport Mode SA: Authenticates IP payload and selected portions of IP header and IPv6 extension headers.
Tunnel Mode SA: Authenticates entire inner IP packet plus selected portions of outer IP header.
ESP
Transport Mode SA: Encrypts IP payload and any IPv6 extension header.
Tunnel Mode SA: Encrypts inner IP packet.
ESP with authentication
Transport Mode SA: Encrypts IP payload and any IPv6 extension header. Authenticates IP payload but not IP header.
Tunnel Mode SA: Encrypts inner IP packet. Authenticates inner IP packet.
Authentication Header
Provides support for data integrity and
authentication of IP packets.
Authentication is based on the use of a message
authentication code (MAC), hence the two parties
must share a secret key.
Authentication Header
The Authentication Header consists of the following fields:
 Next Header (8 bits): Identifies the type of header
immediately following this header.
 Payload Length (8 bits): Length of the Authentication
Header in 32-bit words, minus 2.
 Reserved (16 bits): For future use.
 Security Parameters Index (32 bits): Identifies a
security association.
 Sequence Number (32 bits): A monotonically
increasing counter value.
 Authentication Data (variable): A variable-length field
(must be an integral number of 32-bit words) that
contains the Integrity Check Value (ICV), or MAC, for this packet.
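Parsing and verifying the header described above, as an added example rather than code from any IPsec implementation. It assumes HMAC-SHA1-96 (a 12-byte ICV), computes the ICV over the AH with its Authentication Data zeroed plus the protected payload only (a full implementation also covers the immutable fields of the IP header), and uses a constructed key and payload.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Fixed part of the AH: Next Header, Payload Length, Reserved, SPI, Sequence Number
AH_FIXED = struct.Struct("!BBHII")        # 12 bytes
ICV_LEN = 12                              # HMAC-SHA1-96 truncates the MAC to 96 bits


@dataclass
class AuthHeader:
    next_header: int
    spi: int
    seq: int
    icv: bytes
    total_len: int      # whole AH in bytes, derived from Payload Length


def payload_length_field(icv_len: int) -> int:
    """Payload Length = length of the AH in 32-bit words, minus 2.
    With a 12-byte ICV the header is 24 bytes = 6 words, so the field is 4."""
    return (AH_FIXED.size + icv_len) // 4 - 2


def _icv(key: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    # The MAC is computed with the Authentication Data field treated as zero.
    return hmac.new(key, ah_fixed + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(next_header: int, spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    """Return AH + payload (the IP header that would precede it is omitted here)."""
    fixed = AH_FIXED.pack(next_header, payload_length_field(ICV_LEN), 0, spi, seq)
    return fixed + _icv(key, fixed, payload) + payload


def parse_ah(buf: bytes) -> AuthHeader:
    """Decode the AH fields; the ICV length comes from Payload Length, not from
    the buffer size, so a truncated or inconsistent header is rejected."""
    if len(buf) < AH_FIXED.size:
        raise ValueError("truncated AH")
    nh, plen, _reserved, spi, seq = AH_FIXED.unpack_from(buf)
    total = (plen + 2) * 4
    if total < AH_FIXED.size or len(buf) < total:
        raise ValueError("Payload Length inconsistent with packet")
    return AuthHeader(nh, spi, seq, buf[AH_FIXED.size:total], total)


def verify_ah_packet(buf: bytes, key: bytes) -> Optional[AuthHeader]:
    """Return the parsed header if the ICV verifies, else None."""
    ah = parse_ah(buf)
    if len(ah.icv) != ICV_LEN:
        return None                       # algorithm mismatch for this SA
    expected = _icv(key, buf[:AH_FIXED.size], buf[ah.total_len:])
    if not hmac.compare_digest(expected, ah.icv):
        return None
    return ah
```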
Authentication Header
Fig: Authentication Header
Encapsulating Security Payload (ESP)
 provides message content confidentiality & limited
traffic flow confidentiality
 can optionally provide the same authentication
services as AH
 Because message authentication is provided by
ESP, the use of AH is deprecated
 supports range of ciphers, modes, padding
 incl. DES, Triple-DES, RC5, IDEA, CAST etc
 CBC & other modes
 padding needed to fill blocksize, fields, for traffic flow
Encapsulating Security Payload
Fig ESP Format
Encapsulating Security Payload
 Security Parameters Index (32 bits): Identifies a security association
 Sequence Number (32 bits): A monotonically increasing counter value; this
provides an anti-replay function
 Payload Data (variable): This is a transport-level segment (transport mode) or
IP packet (tunnel mode) that is protected by encryption
 Padding (0–255 bytes): Expands the plaintext to the cipher's block size, aligns the
Pad Length and Next Header fields at the end of a 32-bit word, and may add extra bytes
for partial traffic-flow confidentiality
 Pad Length (8 bits): Indicates the number of pad bytes immediately preceding
this field
 Next Header (8 bits): Identifies the type of data contained in the payload data
field by identifying the first header in that payload
 Integrity Check Value (variable): A variable-length field that contains the
Integrity Check Value computed over the ESP packet minus the Authentication
Data field
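An added example, not code from any IPsec stack, that builds and parses the ESP format listed above and applies it in both transport and tunnel mode as described in the modes-of-operation section. It assumes a 16-byte cipher block size, HMAC-SHA256-128 for the ICV, constructed host and gateway addresses, and a keystream stand-in for the cipher so that it runs without a crypto library.

```python
import hashlib
import hmac
import struct
from typing import Tuple

BLOCK = 16            # assumed cipher block size
ICV_LEN = 16          # assumed HMAC-SHA256-128
PROTO_TCP = 6
PROTO_ESP = 50
PROTO_IPIP = 4        # Next Header for an encapsulated IPv4 packet (tunnel mode)

# Constructed addresses: hosts behind two security gateways.
HOST_A, HOST_B = "10.1.2.3", "10.2.2.3"
GW_A, GW_B = "198.51.100.1", "203.0.113.1"


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Stand-in for a real cipher (NOT secure): keystream derived from key, SPI and
    sequence number so that the example needs no external crypto library."""
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, block)).digest()
        block += 1
    return out[:n]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_encapsulate(spi: int, seq: int, inner: bytes, next_header: int,
                    enc_key: bytes, auth_key: bytes) -> bytes:
    """SPI | Sequence Number | encrypted(Payload Data | Padding | Pad Length | Next Header) | ICV."""
    pad_len = (-(len(inner) + 2)) % BLOCK        # pad so Pad Length/Next Header end a block
    padding = bytes(range(1, pad_len + 1))       # default RFC 4303 pattern 1,2,3,...
    plaintext = inner + padding + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    ciphertext = _xor(plaintext, _keystream(enc_key, spi, seq, len(plaintext)))
    # The ICV covers SPI, Sequence Number and the ciphertext, but not itself.
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_is_authentic(pkt: bytes, auth_key: bytes) -> bool:
    if len(pkt) < 8 + BLOCK + ICV_LEN:
        return False
    expected = hmac.new(auth_key, pkt[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, pkt[-ICV_LEN:])


def esp_decapsulate(pkt: bytes, enc_key: bytes, auth_key: bytes) -> Tuple[int, int, int, bytes]:
    """Return (spi, seq, next_header, inner). Integrity is checked before decryption."""
    if not esp_is_authentic(pkt, auth_key):
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", pkt[:8])
    body = pkt[8:-ICV_LEN]
    plaintext = _xor(body, _keystream(enc_key, spi, seq, len(body)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2 or plaintext[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, plaintext[:-2 - pad_len]


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; constructed for illustration)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))


def protect(mode: str, segment: bytes, spi: int, seq: int, enc_key: bytes, auth_key: bytes) -> bytes:
    """Transport mode: the original IP header stays, ESP wraps only the TCP segment.
    Tunnel mode: ESP wraps the whole original packet and a new outer header carries
    the gateway addresses, so the inner addresses are hidden on the path."""
    if mode == "transport":
        esp = esp_encapsulate(spi, seq, segment, PROTO_TCP, enc_key, auth_key)
        return ipv4_header(HOST_A, HOST_B, PROTO_ESP, len(esp)) + esp
    inner = ipv4_header(HOST_A, HOST_B, PROTO_TCP, len(segment)) + segment
    esp = esp_encapsulate(spi, seq, inner, PROTO_IPIP, enc_key, auth_key)
    return ipv4_header(GW_A, GW_B, PROTO_ESP, len(esp)) + esp
```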
Transport vs Tunnel Mode ESP
 transport mode is used to encrypt & optionally
authenticate IP data
 data protected but header left in clear
 can do traffic analysis but is efficient
 good for ESP host to host traffic
 tunnel mode encrypts entire IP packet
 add new header for next hop
 good for VPNs, gateway to gateway security
Transport vs Tunnel Mode ESP
Fig: Transport-Mode vs. Tunnel-Mode Encryption
Transport vs Tunnel Mode ESP
Fig: Scope of ESP Encryption and Authentication
Combining Security Associations
 SA’s can implement either AH or ESP
 to implement both need to combine SA’s
 form a security association bundle
 may terminate at different or same endpoints
 combined by
 transport adjacency
 iterated tunneling
 issue of authentication & encryption order
Authentication Plus Confidentiality
Transmitting IP packet that has both confidentiality and authentication between
hosts
1) ESP with Authentication Option: Authentication after encryption using
Transport mode ESP or Tunnel mode ESP.
2) Transport Adjacency: Another way to apply Authentication after encryption
 Use two bundled transport SAs, with the inner being an ESP SA and the outer
being an AH SA.
 Here ESP is used without authentication option.
Advantage: Authentication covers more fields, including the source and
destination IP addresses.
Disadvantage: Overhead of two SAs vs one SA.
3) Transport-Tunnel Bundle: Authentication before encryption
 Use a bundle consisting of an inner AH transport SA and an outer ESP tunnel
SA.
Advantages:
a) Impossible to intercept the message and alter the authentication data without
detection.
b) Authentication information with the message may be stored at the destination
for later reference.
Basic Combinations of Security Associations
Fig: Basic Combinations of Security Associations
Key Management
 handles key generation & distribution
 typically needs two pairs of keys
 two per direction: one for AH and one for ESP
 manual key management
 System administrator manually configures every system
 automated key management
 automated system for on-demand creation of keys for
SA's in large systems
 has Oakley & ISAKMP elements
Internet Security Association and Key
Management Protocol (ISAKMP)
 ISAKMP provides a framework for Internet key
management and provides the specific protocol
support, including formats, for negotiation of
security attributes.
ISAKMP Header Format
 An ISAKMP message consists of an ISAKMP header followed by one
or more payloads. All of this is carried in a transport protocol.
The specification dictates that implementations must support the
use of UDP for the transport protocol.
The ISAKMP header consists of the following fields:
 Initiator Cookie (64 bits): Cookie of entity that initiated SA
establishment, SA notification, or SA deletion.
 Responder Cookie (64 bits): Cookie of responding entity; null in
first message from initiator.
 Next Payload (8 bits): Indicates the type of the first payload in
the message
 Major Version (4 bits): Indicates major version of ISAKMP in use.
 Minor Version (4 bits): Indicates minor version in use.
 Exchange Type (8 bits): Indicates the type of exchange.
 Flags (8 bits): Indicates specific options set for this ISAKMP
exchange.
 Message ID (32 bits):Unique ID for this message.
 Length (32 bits): Length of total message (header plus all
payloads) in octets.
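Packing, parsing and sanity-checking the header fields above, as an added example that is not taken from any IKE implementation. Cookie values and the sample payload are constructed; the payload type and exchange type numbers are the RFC 2408 values for the SA payload and the Identity Protection exchange.

```python
import os
import struct
from dataclasses import dataclass
from typing import Optional

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # 28-byte fixed header
NULL_COOKIE = bytes(8)

# Values from RFC 2408: payload type 1 = Security Association,
# exchange type 2 = Identity Protection (main mode).
PAYLOAD_SA = 1
EXCH_IDENTITY_PROTECTION = 2
MAJOR_VERSION, MINOR_VERSION = 1, 0


@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int = 0       # filled in by build_message


def pack_header(h: IsakmpHeader) -> bytes:
    version = ((h.major_version & 0x0F) << 4) | (h.minor_version & 0x0F)  # 4 bits each
    return ISAKMP_HDR.pack(h.initiator_cookie, h.responder_cookie, h.next_payload,
                           version, h.exchange_type, h.flags, h.message_id, h.length)


def build_message(h: IsakmpHeader, payloads: bytes) -> bytes:
    """Length is the whole message, header plus all payloads, in octets."""
    h.length = ISAKMP_HDR.size + len(payloads)
    return pack_header(h) + payloads


def unpack_header(buf: bytes) -> IsakmpHeader:
    ic, rc, npl, ver, xchg, flags, mid, length = ISAKMP_HDR.unpack_from(buf)
    return IsakmpHeader(ic, rc, npl, ver >> 4, ver & 0x0F, xchg, flags, mid, length)


def check_message(buf: bytes, first_from_initiator: bool) -> Optional[str]:
    """Header sanity checks a responder applies before touching any payload.
    Returns a rejection reason, or None if the header is acceptable."""
    if len(buf) < ISAKMP_HDR.size:
        return "datagram shorter than ISAKMP header"
    h = unpack_header(buf)
    if h.initiator_cookie == NULL_COOKIE:
        return "initiator cookie must not be null"
    if first_from_initiator and h.responder_cookie != NULL_COOKIE:
        return "responder cookie must be null in the first message"
    if h.major_version != MAJOR_VERSION:
        return f"unsupported major version {h.major_version}"
    if h.length != len(buf):
        return f"Length field {h.length} does not match datagram size {len(buf)}"
    return None


def new_cookie() -> bytes:
    return os.urandom(8)     # each side's cookie: 64 random bits
```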
Objective type questions
The ……………. is used to provide integrity check, authentication, and encryption to IP
datagram.
A) SSL B) ESP
C) TSL D) PSL
B) ESP
In ……………………. mode, a common technique in packet-switched networks consists
of wrapping a packet in a new one.
A) Tunneling
B) Encapsulation
C) Both A and B
D) None of the above
C) Both A and B
The …………………………. is a collection of protocols designed by the Internet Engineering
Task Force (IETF) to provide security for a packet at the Network level.
A) IPsec B) Netsec
C) Packetsec D) Protocolsec
A) IPsec
…………….. mode is used whenever either end of a security the association is
the gateway.
A) Tunnel
B) Encapsulating
C) Transport
D) Gateway
A) Tunnel
IPSec defines two protocols: _______ and ________.
A) AH; SSL B) PGP; ESP
C) AH; ESP D) all of the above
A) AH; SSL
In the ______ mode, IPSec protects information delivered from the transport
layer to the network layer.
A) transport B) tunnel
C) either (a) or (b) D) neither (a) nor (b)
A) transport
An _________ is a network that allows authorized access from outside users.
A) intranet B) internet
C) extranet D) none of the above
C) extranet
_________ is a collection of protocols designed by the IETF (Internet
Engineering Task Force) to provide security for a packet at the network level.
A) IPSec B) SSL
C) PGP D) none of the above
A) IPSec
IPSec uses a set of SAs called the ________.
A) SAD B) SAB
C) SADB D) none of the above
C) SADB
IPSec in the ______ mode does not protect the IP header.
A) transport B) tunnel
C) either (a) or (b) D) neither (a) nor (b)
A) transport
________ provides privacy, integrity, and authentication in e-mail.
A) IPSec B) SSL
C) PGP D) none of the above
C) PGP
______ provides authentication at the IP level.
A) AH B) ESP
C) PGP D) SSL
A) AH
______ is designed to provide security and compression services to data generated
from the application layer.
A) SSL B) TLS
C) either (a) or (b) D) both (a) and (b)
D) both (a) and (b)
In the _______ mode, IPSec protects the whole IP packet, including the original IP
header.
A) transport B) tunnel
C) either (a) or (b) D) neither (a) nor (b)
B) tunnel
IPSec is designed to provide security at the _________
a) Transport layer b) Network layer
c) Application layer d) Session layer
b) Network layer
In tunnel mode, IPSec protects the ______
a) Entire IP packet b) IP header
c) IP payload d) IP trailer
a) Entire IP packet
Which component is included in IP security?
a) Authentication Header (AH) b) Encapsulating Security Payload (ESP)
c) Internet key Exchange (IKE) d) All of the mentioned
d) All of the mentioned
An attempt to make a computer resource unavailable to its intended users is
called ______
a) Denial-of-service attack b) Virus attack
c) Worms attack d) Botnet process
a) Denial-of-service attack
_________ is a collection of protocols designed by the IETF (Internet
Engineering Task Force) to provide security for a packet at the network level.
A)IPSec B)SSL
C) PGP D)none of the above
A)IPSec
_________ operates in the transport mode or the tunnel mode.
A)IPSec B)SSL
C)PGP D)none of the above
A)IPSec
In the ______ mode, IPSec protects information delivered from the transport
layer to the network layer.
A)Transport B)tunnel
C)either (a) or (b) D)neither (a) nor (b)
A)Transport
IPSec in the ______ mode does not protect the IP header.
A)transport B)tunnel
C)either (a) or (b) D)neither (a) nor (b)
A)transport
In the _______ mode, IPSec protects the whole IP packet, including the
original IP header.
A)Transport B)tunnel
C)either (a) or (b) D)neither (a) nor (b)
B)tunnel
IPSec defines two protocols: _______ and ________.
A)AH; SSL B)PGP; ESP
C)AH; ESP D)none of the above
C)AH; ESP
______ provides either authentication or encryption, or both, for packets at
the IP level.
A)AH B)ESP
C)PGP D)SSL
B)ESP
Previous Questions
1. Illustrate the services provided by IPSec. [3] Oct/Nov - 2018
2. Write short note on tunnel mode in IP security. [3] Oct/Nov - 2018
3. What is Internet key management in IPSec? [3] Oct/Nov - 2018
4. Write about ESP? [3] Oct/Nov - 2018
5. Draw the IP security authentication header and describe the
functions of each field. [8] Oct/Nov - 2018
6. What is transport mode and tunnel mode authentication in IP?
Describe how ESP is applied to both these modes. [8] Oct/Nov - 2018
7. Describe IP security Architecture. [8] Oct/Nov - 2018
8. Define security policy and explain its purpose with relation to
IPsec. [3] Oct/Nov - 2019
9. Distinguish two modes of IPsec. [2] Oct/Nov - 2019
10. What is IPSec? Explain the operation of IPSec in transport
mode and tunnel mode. [7] Explain ISAKMP protocol. [7] Oct/Nov - 2019
11. What is IPSec? Explain AH and ESP protocols of IPsec. [14] Oct/Nov - 2019
12. Explain Authentication Header protocol of IPSec. [7] Oct/Nov - 2019
13. Explain Security Policy of IPSec. [7] Oct/Nov - 2019
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
power system scada applications and uses
power system scada applications and usespower system scada applications and uses
power system scada applications and uses
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCL
 
Application of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptxApplication of Residue Theorem to evaluate real integrations.pptx
Application of Residue Theorem to evaluate real integrations.pptx
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
 
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective IntroductionSachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
Sachpazis Costas: Geotechnical Engineering: A student's Perspective Introduction
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
Call Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile serviceCall Girls Delhi {Jodhpur} 9711199012 high profile service
Call Girls Delhi {Jodhpur} 9711199012 high profile service
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2HARMONY IN THE HUMAN BEING - Unit-II UHV-2
HARMONY IN THE HUMAN BEING - Unit-II UHV-2
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 

Network Security - II: IPSec, System Security

1. UNIT – VI Network Security – II
Topics:
 Security at Network Layer
 IPSec
 System Security
DNR COLLEGE OF ENGINEERING & TECHNOLOGY DEPARTMENT OF COMPUTER SCIENCE & ENGINEERING

2. IP Security
 IP SECURITY OVERVIEW
 IP SECURITY ARCHITECTURE
 AUTHENTICATION HEADER
 ENCAPSULATING SECURITY PAYLOAD
 COMBINING SECURITY ASSOCIATIONS
 KEY MANAGEMENT

3. IP Security Overview
The standard Internet communication protocol is completely unprotected, allowing hosts to inspect or modify data in transit. Adding IPSec to the system resolves this limitation by providing strong encryption, integrity, authentication and replay protection.

4. What Security Problem?
Today's Internet is primarily comprised of:
 Public
 Un-trusted
 Unreliable IP networks
Because of this inherent lack of security, the Internet is subject to various types of threats.

5. Internet Threats
 Data integrity: the contents of a packet can be accidentally or deliberately modified.
 Identity spoofing: the origin of an IP packet can be forged.
 Replay attacks: unauthorized data can be retransmitted.
 Loss of privacy: the contents of a packet can be examined in transit.

6. Security at What Level?
Application Layer: PGP, Kerberos, SSH, etc.
Transport Layer: Transport Layer Security (TLS)
Network Layer: IP Security
Data Link Layer: Hardware encryption

7. IP SECURITY
IP-level security encompasses three functional areas:
 Authentication
 Confidentiality
 Key management

8. IP SECURITY
Authentication: the authentication mechanism ensures that the received packet was sent by the identified source. It also assures that the packet has not been altered in transit.
Confidentiality: the confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties.
Key management: concerned with the secure exchange of keys.
9. IP Security Scenario

10. Applications of IP Security
 Secure branch office connectivity over the Internet.
 Secure remote access over the Internet.
 Establishing extranet and intranet connectivity with partners.
 Enhancing electronic commerce security.

11. Benefits of IPsec
 Provides strong security when implemented in a firewall or router, where it can be applied to all traffic crossing the perimeter.
 IPsec is resistant to bypass if all traffic from the outside must use IP and the firewall is the only way of entrance from the Internet into the organization.
 Is below the transport layer, hence transparent to applications.
 Can be transparent to end users.
 Can provide security for individual users if needed.

12. IPsec Documents
 Architecture: covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology.
 Authentication Header (AH): an extension header to provide message authentication. Current specification is RFC 4302.
 Encapsulating Security Payload (ESP): consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication. Current specification is RFC 4303.
 Internet Key Exchange (IKE): a collection of documents describing the key management schemes for use with IPsec.
 Cryptographic algorithms: a large set of documents that define and describe cryptographic algorithms for encryption, message authentication, pseudo-random functions, and cryptographic key exchange.
 Domain of Interpretation: contains values needed for the other documents to relate to each other. These include identifiers for approved encryption and authentication algorithms, as well as operational parameters such as key lifetime.

13. IPSec Document Overview

14. IPSec Security Services
 Connectionless integrity: assurance that received traffic has not been modified. Integrity includes anti-replay defenses.
 Data origin authentication: assurance that traffic is sent by the legitimate party or parties.
 Confidentiality (encryption): assurance that a user's traffic is not examined by non-authorized parties.
 Access control: prevention of unauthorized use of a resource.
 Limited traffic flow confidentiality

15. Security Associations
 A one-way relationship between a sender and a receiver that affords security services to the traffic carried on it.
A security association is uniquely identified by three parameters:
 Security Parameters Index (SPI): a bit string assigned to this SA and having local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.
 IP Destination Address: currently, only unicast addresses are allowed; this is the address of the destination endpoint of the SA, which may be an end user system or a network system such as a firewall or router.
 Security Protocol Identifier: indicates whether the association is an AH or ESP security association.
16. Security Association Parameters
The Security Association Database defines the parameters associated with each SA. A security association is normally defined by the following parameters:
 Sequence Number Counter: a 32-bit value used to generate the Sequence Number field in AH or ESP headers.
 Sequence Counter Overflow: a flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent further transmission of packets on this SA (required for all implementations).
 Anti-Replay Window: used to determine whether an inbound AH or ESP packet is a replay.
 AH Information: authentication algorithm, keys, key lifetimes, and related parameters being used with AH (required for AH implementations).

17. Security Association Parameters
 ESP Information: encryption and authentication algorithm, keys, initialization values, key lifetimes, and related parameters being used with ESP (required for ESP implementations).
 Lifetime of This Security Association: a time interval or byte count after which an SA must be replaced with a new SA (and new SPI) or terminated, plus an indication of which of these actions should occur (required for all implementations).
 IPSec Protocol Mode: tunnel, transport, or wildcard (required for all implementations).
 Path MTU: any observed path maximum transmission unit (maximum size of a packet that can be transmitted without fragmentation) and aging variables (required for all implementations).
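The Anti-Replay Window parameter above is a sliding window over the 32-bit sequence number. The following is an added example (not from the slides) of the receiver-side window as RFC 4302/4303 describe it: a right edge at the highest sequence number accepted and a bitmap of what has been seen inside the window; the arrival order in `replay_demo` is constructed.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay check for AH/ESP sequence numbers.

    `right` is the highest sequence number accepted so far (the window's
    right edge); bit i of `bitmap` records whether sequence number
    right - i has already been accepted. Sequence numbers left of the
    window, or already marked in the bitmap, are replays and are dropped.
    """

    def __init__(self, size: int = 64):
        # RFC 4302/4303 use a 64-packet default and require at least 32.
        if size < 32:
            raise ValueError("window must hold at least 32 packets")
        self.size = size
        self.right = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """True if `seq` should be accepted (subject to the ICV verifying)."""
        if seq == 0:
            return False                  # counters start at 0; first packet is 1
        if seq > self.right:
            return True                   # newer than anything seen so far
        offset = self.right - seq
        if offset >= self.size:
            return False                  # fell off the left edge: too old
        return not (self.bitmap >> offset) & 1   # already seen inside window?

    def update(self, seq: int) -> None:
        """Record `seq`. Call only after check() passed AND the ICV verified;
        otherwise a forged packet with a huge sequence number could slide
        the window past legitimate traffic still in flight."""
        if seq > self.right:
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 1           # everything previously seen is now too old
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)

    def receive(self, seq: int, icv_ok: bool = True) -> bool:
        """Full inbound decision: replay check, then ICV, then window update."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True


def replay_demo():
    """Constructed arrival order of sequence numbers on one SA; returns the
    accept/drop decision for each packet in that order."""
    window = AntiReplayWindow(64)
    arrivals = [1, 2, 5, 3, 3, 2, 100, 36, 37, 40, 5]
    return [window.receive(s) for s in arrivals]
```

In the demo, 3 and 2 arrive out of order and are accepted once each; the second 3, the late 2, 36 (64 behind the new right edge 100) and the very old 5 are dropped.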
18. Security Association Selectors
The means by which IP traffic is related to specific SAs (or to no SA, in the case of traffic allowed to bypass IPSec) is the nominal Security Policy Database (SPD). The following selectors determine an SPD entry:
 Destination IP Address: this may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address. The latter two are required to support more than one destination system sharing the same SA (e.g., behind a firewall).
 Source IP Address: this may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address. The latter two are required to support more than one source system sharing the same SA (e.g., behind a firewall).
 UserID: a user identifier from the operating system. This is not a field in the IP or upper-layer headers but is available if IPSec is running on the same operating system as the user.

19. Security Association Selectors
 Data Sensitivity Level: used for systems providing information flow security (e.g., Secret or Unclassified).
 Transport Layer Protocol: obtained from the IPv4 Protocol or IPv6 Next Header field. This may be an individual protocol number, a list of protocol numbers, or a range of protocol numbers.
 Source and Destination Ports: these may be individual TCP or UDP port values, an enumerated list of ports, or a wildcard port.
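The selectors on the two slides above are what an SPD lookup actually evaluates. This added example (not part of the slides) implements the selector forms listed (single address, enumerated list, range, mask; single/list/range protocol and port values; optional user id) and a first-match search over an ordered SPD; the policy entries, addresses and SA names in `DEMO_SPD` are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple


def addr_selector(spec) -> Callable[[str], bool]:
    """Address selector in the forms the SPD allows: None (wildcard),
    "10.1.0.5" (single), "10.1.0.0/16" (mask), "10.1.0.1-10.1.0.9"
    (range) or a list of any of these (enumerated list)."""
    if spec is None:
        return lambda addr: True
    if isinstance(spec, (list, tuple)):
        parts = [addr_selector(s) for s in spec]
        return lambda addr: any(p(addr) for p in parts)
    if "-" in spec:
        low, high = (ipaddress.ip_address(x) for x in spec.split("-", 1))
        return lambda addr: low <= ipaddress.ip_address(addr) <= high
    net = ipaddress.ip_network(spec, strict=False)
    return lambda addr: ipaddress.ip_address(addr) in net


def num_selector(spec) -> Callable[[int], bool]:
    """Protocol or port selector: None (wildcard), int (single value),
    (low, high) tuple (range) or list of ints (enumerated list)."""
    if spec is None:
        return lambda v: True
    if isinstance(spec, tuple):
        low, high = spec
        return lambda v: low <= v <= high
    if isinstance(spec, list):
        return lambda v: v in spec
    return lambda v: v == spec


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                   # IPv4 Protocol / IPv6 Next Header value
    sport: int = 0
    dport: int = 0
    user: Optional[str] = None   # local user id; only known on the end host


class SPDEntry:
    """One ordered SPD entry: selectors plus the action (PROTECT/BYPASS/DISCARD)
    and, for PROTECT, the name of the SA to apply."""

    def __init__(self, action, sa=None, *, dst=None, src=None, proto=None,
                 sport=None, dport=None, user=None):
        self.action, self.sa = action, sa
        self.dst, self.src = addr_selector(dst), addr_selector(src)
        self.proto = num_selector(proto)
        self.sport, self.dport = num_selector(sport), num_selector(dport)
        self.user = user         # None = wildcard, otherwise exact match

    def matches(self, p: Packet) -> bool:
        return (self.dst(p.dst) and self.src(p.src) and self.proto(p.proto)
                and self.sport(p.sport) and self.dport(p.dport)
                and (self.user is None or self.user == p.user))


def spd_lookup(spd: Sequence[SPDEntry], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First-match search of the ordered SPD. Traffic that matches no entry
    is discarded, the default the IPsec architecture (RFC 4301) requires."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action, entry.sa
    return "DISCARD", None


# Constructed policy for a site gateway (addresses and SA names are made up).
DEMO_SPD = [
    # Everything between the two sites goes through the site-to-site ESP tunnel.
    SPDEntry("PROTECT", "esp-tunnel-branch", src="10.1.0.0/16", dst="10.2.0.0/16"),
    # Internal DNS to the resolver is allowed to bypass IPsec (UDP/53).
    SPDEntry("BYPASS", dst="10.1.0.53", proto=17, dport=53),
    # SSH/HTTPS to the management hosts is authenticated with AH in transport mode.
    SPDEntry("PROTECT", "ah-transport-mgmt", dst="10.1.0.10-10.1.0.20",
             proto=6, dport=[22, 443]),
]


def classify(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Look a packet up in the constructed demo policy."""
    return spd_lookup(DEMO_SPD, pkt)
```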
20. IPSec Modes of Operation
Both AH and ESP support two modes of use:
 Transport mode: provides protection primarily for upper-layer protocols. ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. AH authenticates the IP payload and selected portions of the IP header.
 Tunnel mode: provides protection to the entire IP packet. After the AH or ESP fields are added to the IP packet, the entire packet plus security fields is treated as the payload of a new outer packet with a new outer IP header.

21. IPSec Modes of Operation
Original IP datagram:
    IP Header | TCP Header | Data

Transport mode protected packet (protects the upper-layer protocols):
    IP Header | IPSec Header | TCP Header | Data
              |<---------- protected --------->|

Tunnel mode protected packet (protects the entire IP payload):
    New IP Header | IPSec Header | Original IP Header | TCP Header | Data
                  |<------------------- protected ------------------>|

22. Transport mode vs. Tunnel mode functionalities
AH
  Transport Mode SA: authenticates IP payload and selected portions of IP header and IPv6 extension headers.
  Tunnel Mode SA: authenticates entire inner IP packet plus selected portions of outer IP header.
ESP
  Transport Mode SA: encrypts IP payload and any IPv6 extension header.
  Tunnel Mode SA: encrypts inner IP packet.
ESP with authentication
  Transport Mode SA: encrypts IP payload and any IPv6 extension header; authenticates IP payload but not IP header.
  Tunnel Mode SA: encrypts inner IP packet; authenticates inner IP packet.

23. Authentication Header
Provides support for data integrity and authentication of IP packets. Authentication is based on the use of a message authentication code (MAC), hence the two parties must share a secret key.

24. Authentication Header
The Authentication Header consists of the following fields:
 Next Header (8 bits): identifies the type of header immediately following this header.
 Payload Length (8 bits): length of the Authentication Header in 32-bit words, minus 2.
 Reserved (16 bits): for future use.
 Security Parameters Index (32 bits): identifies a security association.
 Sequence Number (32 bits): a monotonically increasing counter value.
 Authentication Data (variable): a variable-length field (must be an integral number of 32-bit words) that contains the Integrity Check Value (ICV), or MAC.
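The following is an added example (not from the slides) that builds and verifies the AH described above in transport mode, using HMAC-SHA-256 truncated to a 128-bit ICV. It assumes an option-less IPv4 header and zeroes the mutable fields (DSCP/ECN, flags/fragment offset, TTL, checksum) before computing the MAC, which is why the ICV still verifies after a router decrements the TTL; the key, addresses and TCP segment in `ah_demo` are constructed.

```python
import hashlib
import hmac
import struct

AH_FIXED_LEN = 12   # Next Header, Payload Length, Reserved, SPI, Sequence Number
ICV_LEN = 16        # HMAC-SHA-256-128: the 32-byte MAC is truncated to 128 bits
AH_PROTOCOL = 51    # IP Protocol / Next Header value meaning "AH follows"


def ipv4_zero_mutable(hdr: bytes) -> bytes:
    """Copy of an option-less IPv4 header with the mutable fields zeroed,
    which is how AH's ICV "covers" the IP header: DSCP/ECN (byte 1),
    flags + fragment offset (bytes 6-7), TTL (byte 8) and header checksum
    (bytes 10-11). Addresses and the Protocol field stay authenticated."""
    if len(hdr) != 20:
        raise ValueError("only option-less IPv4 headers are handled here")
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_payload_len(ah_total_len: int) -> int:
    """Payload Length field value: AH length in 32-bit words, minus 2."""
    if ah_total_len % 4:
        raise ValueError("AH must be a whole number of 32-bit words")
    return ah_total_len // 4 - 2


def _icv(key: bytes, ip_hdr: bytes, ah_zeroed: bytes, payload: bytes) -> bytes:
    data = ipv4_zero_mutable(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah(next_header: int, spi: int, seq: int, key: bytes,
             ip_hdr: bytes, payload: bytes) -> bytes:
    """Transport-mode AH: the ICV is computed with the Authentication Data
    field set to zero, then written into that field."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    fixed = struct.pack("!BBHII", next_header, ah_payload_len(ah_len), 0, spi, seq)
    return fixed + _icv(key, ip_hdr, fixed + bytes(ICV_LEN), payload)


def parse_ah(data: bytes) -> dict:
    """Split off the AH fields; the ICV length follows from Payload Length."""
    nh, plen, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    total = (plen + 2) * 4
    if total < AH_FIXED_LEN or len(data) < total:
        raise ValueError("bad AH Payload Length")
    return {"next_header": nh, "payload_len": plen, "spi": spi,
            "seq": seq, "icv": data[AH_FIXED_LEN:total], "length": total}


def verify_ah(key: bytes, ip_hdr: bytes, data: bytes) -> bool:
    """Receiver side: recompute the ICV over the received bytes and compare
    in constant time. `data` is the AH followed by the protected payload."""
    f = parse_ah(data)
    ah_zeroed = data[:AH_FIXED_LEN] + bytes(f["length"] - AH_FIXED_LEN)
    expected = _icv(key, ip_hdr, ah_zeroed, data[f["length"]:])
    return hmac.compare_digest(expected, f["icv"])


def ah_demo():
    """Constructed packet: sender builds AH, a router decrements TTL in
    transit, receiver verifies; then one payload byte is flipped."""
    key = b"constructed-demo-key-do-not-reuse"
    payload = b"\x00\x16\x04\xd2" + b"constructed TCP segment"
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, AH_PROTOCOL, 0, bytes([10, 1, 0, 5]), bytes([10, 2, 0, 7]))
    packet = build_ah(6, 0x1000, 1, key, ip_hdr, payload) + payload
    in_transit = bytearray(ip_hdr)
    in_transit[8] = 63                  # TTL changed by a hop: still verifies
    good = verify_ah(key, bytes(in_transit), packet)
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])
    bad = verify_ah(key, bytes(in_transit), tampered)
    return good, bad
```

With a 16-byte ICV the header is 28 bytes (7 words), so Payload Length is 5; the classic HMAC-SHA1-96 header of 24 bytes gives 4.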
25. Authentication Header
Fig: Authentication Header

26. Encapsulating Security Payload (ESP)
 provides message content confidentiality & limited traffic flow confidentiality
 can optionally provide the same authentication services as AH
 because message authentication is provided by ESP, the use of AH is deprecated
 supports a range of ciphers, modes and padding
   incl. DES, Triple-DES, RC5, IDEA, CAST, etc.
   CBC & other modes
   padding needed to fill the block size, fields, and for traffic flow confidentiality

27. Encapsulating Security Payload
Fig: ESP Format

28. Encapsulating Security Payload
 Security Parameters Index (32 bits): identifies a security association.
 Sequence Number (32 bits): a monotonically increasing counter value; this provides an anti-replay function.
 Payload Data (variable): a transport-level segment (transport mode) or IP packet (tunnel mode) that is protected by encryption.
 Padding (0–255 bytes): for various reasons.
 Pad Length (8 bits): indicates the number of pad bytes immediately preceding this field.
 Next Header (8 bits): identifies the type of data contained in the payload data field by identifying the first header in that payload.
 Integrity Check Value (variable): a variable-length field that contains the Integrity Check Value computed over the ESP packet minus the Authentication Data field.
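This added example (not from the slides) frames and parses the ESP format listed above: default padding bytes 1, 2, 3, ... sized so that Payload + Padding + Pad Length + Next Header fills whole cipher blocks and ends on a 32-bit boundary, and an HMAC-SHA-256-128 ICV over everything from the SPI through Next Header. To run with the standard library only it uses the NULL cipher (RFC 2410, ESP with authentication and no encryption); with a real cipher the `plaintext` would be encrypted before the ICV is computed. The key and payload in `esp_demo` are constructed.

```python
import hashlib
import hmac
import math
import struct

ICV_LEN = 16        # HMAC-SHA-256-128 integrity check value
ESP_HDR_LEN = 8     # SPI + Sequence Number


def esp_padding(payload_len: int, block_size: int) -> bytes:
    """Default ESP padding bytes (1, 2, 3, ...). Payload + Padding + Pad
    Length + Next Header must fill whole cipher blocks and end on a
    32-bit boundary, which right-aligns the two trailer bytes."""
    align = math.lcm(block_size, 4)
    n = (-(payload_len + 2)) % align
    if n > 255:
        raise ValueError("ESP padding is limited to 255 bytes")
    return bytes(range(1, n + 1))


def build_esp(spi: int, seq: int, next_header: int, payload: bytes,
              key: bytes, block_size: int = 1) -> bytes:
    """ESP-NULL with authentication: framing is as in RFC 4303, the
    'encryption' step is the identity transform of RFC 2410."""
    pad = esp_padding(len(payload), block_size)
    plaintext = payload + pad + bytes([len(pad), next_header])
    ciphertext = plaintext                           # NULL cipher
    authed = struct.pack("!II", spi, seq) + ciphertext
    icv = hmac.new(key, authed, hashlib.sha256).digest()[:ICV_LEN]
    return authed + icv


def parse_esp(packet: bytes, key: bytes):
    """Receiver order matters: verify the ICV over SPI..Next Header first,
    only then look inside. Returns (spi, seq, next_header, payload), or
    None when the packet must be dropped."""
    if len(packet) < ESP_HDR_LEN + 2 + ICV_LEN:
        return None
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None                                  # integrity failure
    spi, seq = struct.unpack("!II", authed[:ESP_HDR_LEN])
    plaintext = authed[ESP_HDR_LEN:]                 # NULL cipher: no decryption
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        return None                                  # Pad Length overruns the data
    payload = plaintext[:len(plaintext) - 2 - pad_len]
    pad = plaintext[len(payload):-2]
    if pad != bytes(range(1, pad_len + 1)):
        return None            # optional default-padding content check (RFC 4303)
    return spi, seq, next_header, payload


def esp_demo():
    """Constructed 15-byte payload framed as it would be for a 16-byte block
    cipher: 15 pad bytes bring payload + pad + trailer to 32 bytes, so the
    packet is 8 + 32 + 16 = 56 bytes. A flipped byte must make parsing fail."""
    key = b"constructed-demo-key-do-not-reuse"
    packet = build_esp(0x2000, 1, 6, b"constructed pay", key, block_size=16)
    parsed = parse_esp(packet, key)
    i = ESP_HDR_LEN + 3
    forged = packet[:i] + bytes([packet[i] ^ 0x80]) + packet[i + 1:]
    return len(packet), parsed, parse_esp(forged, key)
```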
29. Transport vs Tunnel Mode ESP
 Transport mode is used to encrypt & optionally authenticate IP data
   data protected but header left in clear
   can do traffic analysis but is efficient
   good for ESP host-to-host traffic
 Tunnel mode encrypts the entire IP packet
   adds a new header for the next hop
   good for VPNs, gateway-to-gateway security

30. Transport vs Tunnel Mode ESP
Fig: Transport-Mode vs. Tunnel-Mode Encryption

31. Transport vs Tunnel Mode ESP
Fig: Scope of ESP Encryption and Authentication

32. Combining Security Associations
 SAs can implement either AH or ESP
 to implement both, SAs need to be combined
   forming a security association bundle
   which may terminate at different or the same endpoints
   combined by transport adjacency or iterated tunneling
 issue of authentication & encryption order

33. Authentication Plus Confidentiality
Transmitting an IP packet that has both confidentiality and authentication between hosts:
1) ESP with Authentication Option: authentication after encryption, using transport mode ESP or tunnel mode ESP.
2) Transport Adjacency: another way to apply authentication after encryption.
    Use two bundled transport SAs, with the inner being an ESP SA and the outer being an AH SA.
    Here ESP is used without the authentication option.
   Advantage: authentication covers more fields, including the source and destination IP addresses.
   Disadvantage: overhead of two SAs vs. one SA.
3) Transport-Tunnel Bundle: authentication before encryption.
    Use a bundle consisting of an inner AH transport SA and an outer ESP tunnel SA.
   Advantages: a) impossible to intercept the message and alter the authentication data without detection; b) the authentication information with the message may be stored at the destination for later reference.

34. Basic Combinations of Security Associations
Fig: Basic Combinations of Security Associations
35. Key Management
 handles key generation & distribution
 typically need 2 pairs of keys: 2 per direction, for AH & ESP
 manual key management: the system administrator manually configures every system
 automated key management: an automated system for on-demand creation of keys for SAs in large systems; has Oakley & ISAKMP elements

36. Internet Security Association and Key Management Protocol (ISAKMP)
 ISAKMP provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes.

37. ISAKMP Header Format
 An ISAKMP message consists of an ISAKMP header followed by one or more payloads. All of this is carried in a transport protocol. The specification dictates that implementations must support the use of UDP for the transport protocol.

38. ISAKMP Header Fields
The ISAKMP header consists of the following fields:
 Initiator Cookie (64 bits): cookie of the entity that initiated SA establishment, SA notification, or SA deletion.
 Responder Cookie (64 bits): cookie of the responding entity; null in the first message from the initiator.
 Next Payload (8 bits): indicates the type of the first payload in the message.
 Major Version (4 bits): indicates the major version of ISAKMP in use.
 Minor Version (4 bits): indicates the minor version in use.
 Exchange Type (8 bits): indicates the type of exchange.
 Flags (8 bits): indicates specific options set for this ISAKMP exchange.
 Message ID (32 bits): unique ID for this message.
 Length (32 bits): length of the total message (header plus all payloads) in octets.
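This added example (not from the slides) packs and parses the 28-byte ISAKMP header laid out above and applies the header-level checks a responder can make before it parses any payload: the Length field must equal the datagram size, the initiator cookie must be non-zero, the responder cookie must be null in the initiator's first message, and the major version must be 1 (ISAKMP, RFC 2408). The cookie and payload bytes in `isakmp_demo` are constructed.

```python
import struct

ISAKMP_HDR_LEN = 28
# Initiator Cookie, Responder Cookie, Next Payload, Version (major<<4 | minor),
# Exchange Type, Flags, Message ID, Length -- all big-endian (network order).
ISAKMP_HDR_FMT = "!8s8sBBBBII"


def build_isakmp_header(i_cookie: bytes, r_cookie: bytes, next_payload: int,
                        major: int, minor: int, exch_type: int, flags: int,
                        msg_id: int, total_len: int) -> bytes:
    version = ((major & 0xF) << 4) | (minor & 0xF)
    return struct.pack(ISAKMP_HDR_FMT, i_cookie, r_cookie, next_payload,
                       version, exch_type, flags, msg_id, total_len)


def parse_isakmp_header(data: bytes) -> dict:
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("message shorter than the 28-byte ISAKMP header")
    (i_cookie, r_cookie, next_payload, version, exch_type,
     flags, msg_id, length) = struct.unpack(ISAKMP_HDR_FMT, data[:ISAKMP_HDR_LEN])
    return {"initiator_cookie": i_cookie, "responder_cookie": r_cookie,
            "next_payload": next_payload, "major": version >> 4,
            "minor": version & 0xF, "exchange_type": exch_type,
            "flags": flags, "message_id": msg_id, "length": length}


def check_isakmp_header(datagram: bytes, first_from_initiator: bool) -> list:
    """Header-level checks before any payload is parsed. Returns a list of
    problems; an empty list means the header is plausible."""
    try:
        h = parse_isakmp_header(datagram)
    except ValueError as e:
        return [str(e)]
    problems = []
    if h["length"] != len(datagram):
        problems.append("Length field %d does not match datagram size %d"
                        % (h["length"], len(datagram)))
    if h["initiator_cookie"] == bytes(8):
        problems.append("initiator cookie is zero")
    if first_from_initiator and h["responder_cookie"] != bytes(8):
        problems.append("responder cookie must be zero in the initiator's first message")
    if h["major"] != 1:
        problems.append("unsupported major version %d (ISAKMP is 1.x)" % h["major"])
    return problems


def isakmp_demo():
    """Constructed first message: Next Payload 1 (SA) and Exchange Type 2
    (Identity Protection) per RFC 2408, a 12-byte stand-in payload, then the
    same datagram with its last 4 bytes cut off."""
    payload = bytes(12)
    hdr = build_isakmp_header(b"\x5a" * 8, bytes(8), 1, 1, 0, 2, 0, 0,
                              ISAKMP_HDR_LEN + len(payload))
    good = hdr + payload
    truncated = good[:-4]            # Length field no longer matches
    return check_isakmp_header(good, True), check_isakmp_header(truncated, True)
```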
39. Objective type questions
The ……………. is used to provide integrity check, authentication, and encryption to IP datagram.
   A) SSL  B) ESP  C) TSL  D) PSL
   Answer: B) ESP

In ……………………. mode, a common technique in packet-switched networks consists of wrapping a packet in a new one.
   A) Tunneling  B) Encapsulation  C) Both A and B  D) None of the above
   Answer: C) Both A and B

The …………………………. is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the Network level.
   A) Ipsec  B) Netsec  C) Packetsec  D) Protocolsec
   Answer: A) IPsec

40. Objective type questions (continued)
…………….. mode is used whenever either end of a security association is the gateway.
   A) Tunnel  B) Encapsulating  C) Transport  D) Gateway
   Answer: A) Tunnel

IPSec defines two protocols: _______ and ________.
   A) AH; SSL  B) PGP; ESP  C) AH; ESP  D) all of the above
   Answer: A) AH; SSL

In the ______ mode, IPSec protects information delivered from the transport layer to the network layer.
   A) transport  B) tunnel  C) either (a) or (b)  D) neither (a) nor (b)
   Answer: A) transport

41. Objective type questions (continued)
An _________ is a network that allows authorized access from outside users.
   A) intranet  B) internet  C) extranet  D) none of the above
   Answer: C) extranet

_________ is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for a packet at the network level.
   A) IPSec  B) SSL  C) PGP  D) none of the above
   Answer: A) IPSec

IPSec uses a set of SAs called the ________.
   A) SAD  B) SAB  C) SADB  D) none of the above
   Answer: C) SADB

IPSec in the ______ mode does not protect the IP header.
   A) transport  B) tunnel  C) either (a) or (b)  D) neither (a) nor (b)
   Answer: A) transport

42. Objective type questions (continued)
________ provides privacy, integrity, and authentication in e-mail.
   A) IPSec  B) SSL  C) PGP  D) none of the above
   Answer: C) PGP

______ provides authentication at the IP level.
   A) AH  B) ESP  C) PGP  D) SSL
   Answer: A) AH

______ is designed to provide security and compression services to data generated from the application layer.
   A) SSL  B) TLS  C) either (a) or (b)  D) both (a) and (b)
   Answer: D) both (a) and (b)

In the _______ mode, IPSec protects the whole IP packet, including the original IP header.
   A) transport  B) tunnel  C) either (a) or (b)  D) neither (a) nor (b)
   Answer: B) tunnel

43. Objective type questions (continued)
IPSec is designed to provide security at the _________
   a) Transport layer  b) Network layer  c) Application layer  d) Session layer
   Answer: b) Network layer

In tunnel mode, IPSec protects the ______
   a) Entire IP packet  b) IP header  c) IP payload  d) IP trailer
   Answer: a) Entire IP packet

Which component is included in IP security?
   a) Authentication Header (AH)  b) Encapsulating Security Payload (ESP)  c) Internet Key Exchange (IKE)  d) All of the mentioned
   Answer: d) All of the mentioned

An attempt to make a computer resource unavailable to its intended users is called ______
   a) Denial-of-service attack  b) Virus attack  c) Worms attack  d) Botnet process
   Answer: a) Denial-of-service attack

44. Objective type questions (continued)
_________ is a collection of protocols designed by the IETF (Internet Engineering Task Force) to provide security for a packet at the network level.
   A) IPSec  B) SSL  C) PGP  D) none of the above
   Answer: A) IPSec

_________ operates in the transport mode or the tunnel mode.
   A) IPSec  B) SSL  C) PGP  D) none of the above
   Answer: A) IPSec

In the ______ mode, IPSec protects information delivered from the transport layer to the network layer.
   A) Transport  B) tunnel  C) either (a) or (b)  D) neither (a) nor (b)
   Answer: A) Transport

45. Objective type questions (continued)
IPSec in the ______ mode does not protect the IP header.
   A) transport  B) tunnel  C) either (a) or (b)  D) neither (a) nor (b)
   Answer: A) transport

In the _______ mode, IPSec protects the whole IP packet, including the original IP header.
   A) Transport  B) tunnel  C) either (a) or (b)  D) neither (a) nor (b)
   Answer: B) tunnel

IPSec defines two protocols: _______ and ________.
   A) AH; SSL  B) PGP; ESP  C) AH; ESP  D) none of the above
   Answer: C) AH; ESP

______ provides either authentication or encryption, or both, for packets at the IP level.
   A) AH  B) ESP  C) PGP  D) SSL
   Answer: B) ESP
46. Previous Questions
1. Illustrate the services provided by IPSec. [3] Oct/Nov - 2018
2. Write a short note on tunnel mode in IP security. [3] Oct/Nov - 2018
3. What is Internet key management in IPSec? [3] Oct/Nov - 2018
4. Write about ESP. [3] Oct/Nov - 2018
5. Draw the IP security authentication header and describe the functions of each field. [8] Oct/Nov - 2018
6. What is transport mode and tunnel mode authentication in IP? Describe how ESP is applied to both these modes. [8] Oct/Nov - 2018
7. Describe IP security architecture. [8] Oct/Nov - 2018

47. Previous Questions (continued)
8. Define security policy and explain its purpose with relation to IPsec. [3] Oct/Nov - 2019
9. Distinguish two modes of IPsec. [2] Oct/Nov - 2019
10. What is IPSec? Explain the operation of IPSec in transport mode and tunnel mode. [7] Explain ISAKMP protocol. [7] Oct/Nov - 2019
11. What is IPSec? Explain AH and ESP protocols of IPsec. [14] Oct/Nov - 2019
12. Explain Authentication Header protocol of IPSec. [7] Oct/Nov - 2019
13. Explain Security Policy of IPSec. [7] Oct/Nov - 2019