Downloaded 20 times
Uploaded byMohd Arif
Ip security in i psec
1) IPsec provides data confidentiality, integrity, and authentication for IPv4 and IPv6 networks through protocols like AH and ESP. 2) It uses security associations to define encryption and authentication parameters for secure communication between hosts or subnets. 3) The Internet Key Exchange (IKE) protocol negotiates security associations and authenticates peers to securely establish IPsec tunnels.
More Related Content
Similar to Ip security in i psec
![[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-aifortheunderdogsinnovationforsmallbusinesses-251124030839-72a599a4-thumbnail.jpg?width=640&height=640&fit=bounds)
![[DevFest Strasbourg 2025] - NodeJs Can do that !!](https://cdn.slidesharecdn.com/ss_thumbnails/devfeststrasbourg2025-nodejscandothat-251127142731-da65b6fd-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-buildingaisystemsthatusersandcompanieslove-251124030845-038f7732-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...](https://cdn.slidesharecdn.com/ss_thumbnails/md-craftingimmersiveuiwithe2eandagslshaderveronicaputrianggraini-251124030840-0c677f44-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-agenticaiarchitectureredefiningsystemcommunication-251124030838-e6c70cc2-thumbnail.jpg?width=640&height=640&fit=bounds)
Ip security in i psec
- 1. IP security IPsec Ahmed Serhrouchni ENST’Paris CNRS
- 2. Plan • Présentation • Services • Architecture • Protocole AH • Protocole ESP • L’association de sécurité • Les politiques de sécurité • Protocole IKE • Conclusions
- 3. Présentation: motivations deIPSec • IPSec (IP Security) est intégré dans IPv6 • Motivations de IPv6 – Le protocole est définie pour répondre aux besoins de la future génération de l’Internet – Caractéristiques • Grande capacité d’adressage (128 bytes) avec un apport important pour alléger les tables de routage • Sécurisation des communications (IPSec) • Capacité de mise en œuvre de la qualité de service QoS • Protocole et architecture pour la mobilité • 6bone un réseau mondial d’expérimentation de IPv6 • Stratégie de migration sont en cours de développement
- 4. Présentation: standardisation deIPSec • IPSec = IP security Protocol – Standard développé à l’IETF – Premier RFC en 1995 sans gestion de clés – Deuxième version en Novembre 1998 avec la gestion des clés (IKE) – Partie commune entre IPv4 et IPv6 (obligatoire en IPv6) • Implémentation de IPSec – Implémentation Native (dans la pile IP avec IPSec en native) – BITS (Bump in the Stack) : logiciel additionnel – BITW (Bump in the Wire) : processeur cryptographique externe
- 5. Présentation: bénéfice deIPSec • IPSec – Couche réseau pour le chiffrement et l’authentification – Standards ouvert pour offrir des communications privés et sécurisés – Solution flexible pour déployer des politiques de sécurité à grande échelle • Status de IPSec – Plusieurs RFCs bien définis – Plusieurs implémentations (Nortel, Redcreek, Sun Solaris, Microsoft, DEC, Cisco, HP, Telebit, 6Wind, Freeswan, etc.) – Plusieurs tests de conformance et d’interopérabilité basés sur des implantations de référence • Caractéristiques de IPSec – Standard pour la confidentialité, l’intégrité, et l’authentification pour les échanges sur le réseau Internet – Transparent aux infrastructures du réseau – Solution de sécurité de bout en bout incluant routeurs, firewalls, PCs et serveurs
- 6. Services de sécuritéfournis par IPsec • Confidentialité des données • Integrité des données • Authentification de l’origine des données • Contrôle d’accès control & contre analyse de trafic • Non rejeu
- 7. Architecture Ahmed's PC to Omar Server Encrypted Ahmed's PC Omar Server All Other Traffic Chloe’s PC Cleartext E-Mail Server • Traffic protected on a flow-by-flow basis between specific hosts or subnets • Media and interface independent • Transparent to intermediate network devices • Topology independent
- 8. Protocoles • AH: Authentication Header • ESP: EncapSuled Payload • IKE: Internet Key Exchange • ISAKMP • OAKLEY
- 9. Protocole: encapsulation Interoperable Authentication,Integrity and Encryption IP D (Enc ata r y pt ed) IPSec Header(s) AH/ESP IP He ad er
- 10. Protocole: mode Transport •Dans le cas de la confidentialité seulement les données sont chiffrées • Implémenter au dessus de IP – Special processing (like QoS, Multicast) enabled – Useful for tunneling protocol (like L2TP) IP HDR Données Mode Transport IP HDR IPSec HDR Données Peut être chiffré
- 11. Architecture: IPSec TransportMode Internet Gateway Gateway Security Association Host Host Authenticated Unencrypted Encrypted Orig IP Header IP Header Orig ESP ESP TCP DATA ESP Trailer (any options) options) (any Authentication Authenticated Orig IP Header IP Header Orig AH TCP DATA (any options) options) (any
- 12. IPSec Tunnel Mode •Tunnel mode – All IP datagram are encrypted – Implementation above IP – ESP tunnel mode : • can provide more security • less complexity and cost – Ideal for VPN IP HDR Data Tunnel Mode New IP HDR IPSec HDR IP HDR Data May Be Encrypted
- 13. Architecture: IPSec TunnelMode Internet Security Gateway Security Gateway Security Association Host Host Authenticated Unencrypted Encrypted New IP Header Orig IP Header ESP ESP Paylaod ESP Trailer (any options) (any options) Authentication Authenticated New IP Header Orig IP Header AH Paylaod (any options) (any options)
- 14. Authentication Header (AH) • Data integrity • Data origin authentication • Anti-replay protection • Protects the IP header • No confidentiality
- 15. Protocol AH (AuthenticationHeader) • Provides: – Origin Authentication, Integrity, Anti-replay protection, does not provide encryption Authenticated IPv4 Header AH Upper Protocol (i.e. TCP, UDP, ICMP) Data Next Header Length Reserved Security Parameters Index Sequence Number Field Authentication Data (variable length) Contains Integrity Check Value (ICV) 32 bits
- 16. Protocol ESP: (EncapsulatingSecurity Payload) • Data confidentiality • Limited traffic flow confidentiality • Data integrity • Data origin authentication • Anti-replay protection • Does not protect IP Header
- 17. Protocol ESP (EncapsulatingSecurity Payload) • Provides: – Confidentiality (Encryption), Origin Authentication, Integrity, Anti- replay protection Authenticated Encrypted Unencrypted Orig IP Header ESP ESP ESP Payload (any options) Trailer Authentication Security Parameters Index Sequence Number Field 32 bits Variable length (depending on encryption transform used)
- 18. Security Association (SA) •Defines a secure and unidirectional relationship • Data structure containing the security parameters : – SPI (Security Parameter Index) – SNF (Sequence Number Field) used to avoid anti-replay – Anti-replay sequence number receive window – Authentication parameters (algorithms, keys, initialization vector) – Encryption parameters (algorithms, keys, length, initialization vector) – Key lifetime – SA lifetime – Protocol mode – PMTU • For a typical bi-directional communication, two SAs (one in each direction) are needed)
- 19. Mechanisms: IPSec SecurityAssociations • A relationship between two or more entities that describes how the entities will use security services to communicate securely • Simplex "connection" that affords security services to the traffic carried by it • Bi-directional traffic requires one SA in each direction • Security services provided by either AH or ESP • If both AH and ESP required two SAs are formed • Uniquely identified by • a SPI (Security Parameter Index) • IP destination address • Security Protocol Identifier (AH or ESP) Security Gateway Security Gateway Security Association Host Internet Host
- 20. Security Association (SA) •Agreement between two entities on a security policy, including: – Encryption algorithm – Authentication algorithm – Shared session keys – SA lifetime • Unidirectional – Two-way communication consists of two Sas • Key management – Manual mode – Automatic mode (via IKE)
- 21. Combining Security Associations Transport SA (A& B) Mode SA (R1&R2) Tunnel Aicha Brahim Mode R1 R2 Internet IP inner header AH/ESP header Data IP outer header AH/ESP header IP inner header AH/ESP header Data IP inner header AH/ESP header Data
- 22. Security Policy Database(SPD) • The SPD is the recipient for the system administrator’s specification, of the security policies to be applied to outbound and inbound traffic • The nominal form of the SPD includes for each entry : – The selectors that defines the traffic to which the policy should be applied – The security policy to be applied to the packet matching the associated selectors • Per interface, inbound and outbound SPDs
- 23. Security Association Database(SAD) • The SAD contains the list of all inbound and outbound established SAs • Each entry in the SAD defines the parameters associated with one SA. The entry is characterized by a set of values given to the field selectors. This defines the traffic flows to which the SA should be applied. • For outbound processing, SAD entries are pointed to by entries in the SPD • For inbound processing, each SAD entry is indexed by : – Outer header’s destination IP address – IPSec protocol (AH or ESP) in the IP header (Protocol or Next Header fields) – SPI (Security Parameters Index) in the AH/ESP header : a 32-bit value used to distinguish among different SAs terminating at the same destination and using the same IPSec protocol
- 24. Mechanisms : Principle Administrator Applications DOI Oakley (ftp, http,…) IKE ISAKMP SPD TCP/UDP IP / IPSec (AH, ESP) SAD NAP
- 25. Internet Key Exchange(IKE) • IKE protocol – Negotiates policy to protect communication – Authenticated Diffie-Hellman key exchange – Negotiates (possibly multiple) security associations for IPSec – Hybrid of three earlier protocols • ISAKMP (payload, syntax and encoding) • OAKLEY (based on Diffie-Hellman) – Objective : offer a secure and automated IPSec SA negotiation – Two phase • Establishment of a secure channel between the two peers – Called ISAKMP Security Association – Negotiation of the ISAKMP parameters ( Authentication method, Algorithms used for encryption and authentication) – Key exchange • Ipsec negotiation inside the ISAKMP secure channel – Negotiation of the IPSec parameters : security protocols, algorithms and keys used for data authentication and encryption
- 26. Initiating new connections IKE IPSec Data • Establish IKE SA—“Main mode/Phase 1” • Establish IPSec SA—“Quick mode/Phase 2” • Send protected data
- 27. How IPSec UsesIKE 1. Outbound packet from 4. Packet is sent from Astrid to Astrid to Barnabe. No IPSec SA Barnabe protected by IPSec SA IPSec IPSec Barnabe’s Astrid’s router router IKE IKE Tunnel IKE 2. Astrid’s IKE begins 3. Negotiation complete. negotiation with Barnabe’s Astrid and Barnabe now have complete set of SAs in place
- 28. Creating IPSec SA—QuickMode IKE SA DES DES DES MD5 SHA MD5 DH1 DH1 DH1 YA YB Data • Requires IKE SA to be in place • Negotiate IPSec parameters • Create shared session key Local Policy { Exchange DH numbers for PFS or Exchange nonces for quick rekey
- 29. Conclusions • IPSec isa whole system which can answer needs of security and could be adapted in a lot of situations • The implementation of IPSec in IPv6 and his efficient adaptation in IPv4 assures IPSec to become one of the major security solutions of the Internet and Intranet in the future • but some improvements have to be done … – Treatment packet by packet – Interoperability • NAT • Dynamic allocation address • Multicast • all IPSec implementations 29
Editor's Notes
- #12 In transport mode the protocols provide protection primarily for upper layer protocols. A transport mode SA is a security association between two hosts. In IPv4, a transport mode security protocol header appears immediately after the IP header and any options, and before any higher layer protocols (for example, TCP or UDP). In IPv6, the security protocol header appears after the base IP header and extensions, but may appear before or after destination options, and before higher layer protocols. In the case of ESP, a transport mode SA provides security services only for these higher layer protocols, not for the IP header or any extension headers preceding the ESP header. In the case of AH, the protection is also extended to selected portions of the IP header, selected portions of extension headers, and selected options (contained in the IPv4 header, IPv6 Hop-by-Hop extension header, or IPv6 Destination extension headers).
- #14 Security protocols may be applied alone or in combination with each other to provide a desired set of security services in IPv4 and IPv6. Each protocol supports two modes of use: tunnel mode and transport mode. A tunnel mode SA is essentially an SA applied to an IP tunnel. Whenever either end of a security association is a security gateway, the SA MUST be tunnel mode. Thus, an SA between two security gateways is always a tunnel mode SA. Note that for the case where traffic is destined for a security gateway, for example, SNMP commands, the security gateway is acting as a host and transport mode is allowed. But in that case, the security gateway is not acting as a gateway, that is, not transiting traffic. Two hosts MAY establish a tunnel mode SA between themselves. The requirement for any (transit traffic) SA involving a security gateway to be a tunnel SA arises due to the need to avoid potential problems with regard to fragmentation and reassembly of IPSec packets, and in circumstances where multiple paths (for example, via different security gateways) exist to the same destination behind the security gateways. For a tunnel mode SA, there is an "outer" IP header that specifies the IPSec processing destination, plus an "inner" IP header that specifies the (apparently) ultimate destination for the packet. The security protocol header appears after the outer IP header, and before the inner IP header. If AH is employed in tunnel mode, portions of the outer IP header are afforded protection (as above), as well as all of the tunneled IP packet (that is, all of the inner IP header is protected, as well as higher layer protocols). If ESP is employed, the protection is afforded only to the tunneled packet, not to the outer header.
- #25 Besides manual, there is the Internet Key Exchange protocol. ISAKMP provides a framework for authentication and key exchange but does not define them. ISAKMP is designed to be key exchange independent; that is, it is designed to support many different key exchanges. Oakley describes a series of key exchanges -- called ”modes"-- and details the services provided by each (for example, perfect forward secrecy for keys, identity protection, and authentication). SKEME describes a versatile key exchange technique which provides anonymity, repudiability, and quick key refreshment. IKE uses part of Oakley and part of SKEME in conjunction with ISAKMP to obtain authenticated keying material for use with ISAKMP, and for other security associations such as AH and ESP for the IETF IPSec DOI.