Downloaded 75 times
More Related Content
IP security
- 1. Presented by: Sonali mali(41) Shraddha Mane (42) Amey Mhatre (43) Omkar Mhatre (44) Riddhish Mhatre (45) IP Security
- 2. IP is notSecure! • IP protocol was designed in the late 70s to early 80s – Part of DARPA Internet Project – Very small network • All hosts are known! • So are the users! • Therefore, security was not an issue 2
- 3. Security Issues inIP • source spoofing • replay packets • no data integrity or confidentiality 3 • DOS attacks • Replay attacks • Spying • and more… Fundamental Issue: Networks are not (and will never be) fully secure
- 4. IP Security Overview •IPSec is not a single protocol. • Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms to provide security appropriate for the communication. 4
- 5. Goals of IPSec •to verify sources of IP packets – authentication • to prevent replaying of old packets • to protect integrity and/or confidentiality of packets – data Integrity/Data Encryption 5
- 6.
- 7. The IPSec SecurityModel 7 Secure Insecure
- 8. IPSec Architecture 8 ESP AH IKE IPSecSecurity Policy Encapsulating Security Payload Authentication Header The Internet Key Exchange
- 9. Architecture & Concepts •Tunnel vs. Transport mode • Security association (SA) – Security parameter index (SPI) – Security policy database (SPD) – SA database (SAD) • Authentication header (AH) • Encapsulating security payload (ESP)
- 10. Transport Mode vs.Tunnel Mode ● Transport mode: host -> host ● Tunnel mode: host->gateway or gateway-> gateway Tunnel Mode Router Router Transport Mode
- 11. Transport Mode • ESPprotects higher layer payload only • AH can protect IP headers as well as higher layer payload IP header IP options IPSec header Higher layer protocol ESP AH Real IP destination
- 12. Tunnel Mode • ESPapplies only to the tunneled packet • AH can be applied to portions of the outer header Outer IP header Inner IP header IP Sec header Higher layer protocol ESP AH Real IP destinationDestination IPSec entity
- 13. Architecture & Concepts •Tunnel vs. Transport mode • Security association (SA) – Security parameter index (SPI) – Security policy database (SPD) – SA database (SAD) • Authentication header (AH) • Encapsulating security payload (ESP) • Practical Issues w/ NAT
- 14. Security Association -SA • Have a database of Security Associations • Determine IPSec processing for senders • Determine IPSec decoding for destination • SAs are not fixed! Generated and customized per traffic flows
- 15. 15 Transport Mode SATunnel Mode SA AH Authenticates IP payload and selected portions of IP header and IPv6 extension headers Authenticates entire inner IP packet plus selected portions of outer IP header ESP Encrypts IP payload and any IPv6 extesion header Encrypts inner IP packet ESP with authentication Encrypts IP payload and any IPv6 extesion header. Authenticates IP payload but no IP header Encrypts inner IP packet. Authenticates inner IP packet.
- 16. Security Parameters Index- SPI • Can be up to 32 bits large • The SPI allows the destination to select the correct SA under which the received packet will be processed – According to the agreement with the sender – The SPI is sent with the packet by the sender • SPI + Dest IP address + IPSec Protocol (AH or ESP) uniquely identifies a SA
- 17. SA Database -SAD • Holds parameters for each SA – Lifetime of this SA – AH and ESP information – Tunnel or transport mode • Every host or gateway participating in IPSec has their own SA database
- 18. Security Policy Database- SPD • What traffic to protect? • Policy entries define which SA or SA bundles to use on IP traffic • Each host or gateway has their own SPD • Index into SPD by Selector fields – Dest IP, Source IP, IPSec Protocol, Transport Protocol, Source & Dest Ports, …
- 19. Architecture & Concepts •Tunnel vs. Transport mode • Security association (SA) – Security parameter index (SPI) – Security policy database (SPD) – SA database (SAD) • Authentication header (AH) • Encapsulating security payload (ESP)
- 20. Authenticated Header • Dataintegrity – Entire packet has not been tampered with • Authentication – Can “trust” IP address source • Anti-replay feature • Integrity check value
- 21. IPSec Authenticated Header •Provides support for data integrity and authentication (MAC code) of IP packets. • Guards against replay attacks.
- 22. AH: Tunnel andTransport Mode • Original • Transport Mode – Cover most of the original packet • Tunnel Mode – Cover entire original packet
- 23. Architecture & Concepts •Tunnel vs. Transport mode • Security association (SA) – Security parameter index (SPI) – Security policy database (SPD) – SA database (SAD) • Authentication header (AH) • Encapsulating security payload (ESP)
- 24. Encapsulating Security Payload(ESP) • Provide message content confidentiality • Provide limited traffic flow confidentiality • Can optionally provide the same authentication services as AH • Supports range of ciphers, modes, padding – Incl. DES, Triple-DES, RC5, IDEA, CAST etc – Pad to meet blocksize, for traffic flow
- 25. ESP: Tunnel andTransport Mode • Original • Transport Mode – Good for host to host traffic • Tunnel Mode – Good for VPNs, gateway to gateway security
- 26. IPSec Pros • Hidesthe identity of your network • Provides secure channel: confidentiality, authenticity, and integrity • Connects sites (e.g., branch offices) with a cost-effective secure network compared with leased lines • Allows user to work from home and mobile hosts
- 27. IPSec Cons • Asingle failure in the path disconnect the entire network. Also cause performance bottlenecks. • Incompatible with NAT/PAT depending on the architecture • Tunneled traffic is undetected by IDS • VPN gateways might be compromised which leads to uncovering protected data
- 28.