Multilayer Security Architecture for
      Internet Protocol (ML-IPSec)

                          1 October, 2010



                            Muhammad Nasir Mumtaz Bhutta
                Centre for Communication Systems Research
                                        University of Surrey
                                           Guildford, Surrey
                                                  GU2 7XH
                             Email: m.bhutta@surrey.ac.uk,
                                        Tel: 01483 68 3036

                                             www.surrey.ac.uk
Objectives
    • Demonstrate “Security Architecture for
      Internet Protocol” (IPSec) protection model.
    • Highlight the limitations of IPSec.
    • Demonstrate the working of ML-IPSec.
    • Demonstrate the detailed experiment plans.




2                                    www.ee.surrey.ac.uk/CCSR
Introduction

    • Security Architecture for Internet Protocol
      (IPSec) provides security services at IP
      layer in protocol stack.
    • All layers above the IP layer get
      security services without re-engineering the
      applications.
    • IPSec operates in two modes, tunnel and
      transport, to secure path(s) between
      communicating nodes.

Path(s) Security

    • Between Pairs of Gateways
      – Gateways need to implement IPSec.
      – Works in Tunnel Mode (complete IP packet is
        protected & new IP header is appended).
      – Different source and destination addresses in
        dual IP headers.
      [Figure: Protected Subnet, Tunnel Endpoint Gateway, IPSec Tunnel across
       Un Protected Subnet, Tunnel Endpoint Gateway, Protected Subnet]
Path(s) Security

    • Between Pair of Hosts
      – End nodes need to implement IPSec.
      – Works in Transport Mode (Upper layers
        headers and IP data are protected).
      – IP addresses are unchanged.
      [Figure: Protected Endpoint, IPSec Tunnel OR Transport mode across
       Un Protected Subnet, Protected Endpoint]
Path(s) Security

    • Between Host and Gateway
      – Both end hosts and gateways implement
        IPSec.
      – Usually works in tunnel mode to benefit from
        hiding the external characteristics of
        communication.
      [Figure: Protected Endpoint, IPSec Tunnel across Un Protected Subnet,
       Protected Endpoint, Protected Subnet AND/OR Internet]
Security Goals

    • Access Control
      – Prevent unauthorized access to resources.
    • Connectionless Integrity
      – Check any modifications in IP datagram
        without caring about the arrival order of IP
        datagrams.
    • Origin Authentication
      – Identify claimed source of data.

Security Goals (continued..)

    • Partial Sequence Integrity
      – Check for duplicate packets (Replay attacks).
    • Data Confidentiality
      – Protect against disclosure of data to
        unauthorized entities.
    • Limited Traffic Flow Confidentiality
      – Protect external characteristics of
        communications (e.g. source and destination
        addresses etc.).

Major IPSec Components

    • Security Policies
      – Provides rules for user access and control level.
    • Security Protocols
      – Authentication Header (AH)
         • Provides origin authentication, connectionless integrity and
           optional partial sequence integrity.
      – Encapsulating Security Payload (ESP)
         • Provides all services provided by AH, data confidentiality and
           limited traffic flow confidentiality as well.




Major IPSec Components
     (continued..)

     • Cryptographic Algorithms
       – Helps to achieve integrity and confidentiality.
     • Key Management
       – All security operations are provided by
         cryptographic means, so keys are required.
       – Internet Key Exchange (IKE v2) is used to
         provide key management.



Assumptions

     • To achieve high quality of security
       services, certain assumptions need to be
       met:
       – Good implementation of IPSec.
       – Security depends on many things in the overall
         system (e.g. personnel & physical
         procedures, security policies etc.), so IPSec
         plays its role as just one part.
       – Good Implementation of Operating System
         (OS) security services.

IPSec Components to Help in
     Achieving Security Goals

     • Security Association (SA)
       – SA is a one way traffic secure connection
         between communicating parties.
       – For Bidirectional communication, two SAs are
         established.
       – The SA, which actually provides all security
         services, is set up by IKE.
       – Functionality is dependent upon security
         protocols, mode of IPSec working, endpoints
         of SA and chosen security services.

IPSec Components to Help in
     Achieving Security Goals
     (continued..)

      • Security Policy Database (SPD)
        – Stores security policies.
        – Provides information about security policy rules to be
          applied.
        – At least one SPD implementation must be supported
          in IPSec.
        – Three logical components
           • SPD-Secure (S) contains rules for all IPSec protected traffic.
           • SPD-Outbound (O) contains rules for all outbound traffic
           • SPD-Inbound (I) contains rules for all inbound traffic or
             bypassed.


IPSec Components to Help in
     Achieving Security Goals
     (continued..)

      • Security Association Database (SAD)
        – Stores SAs.
        – Provides information about security associations.
        – For outbound processing the SAD is pointed to by the
          SPD-S part.
        – For inbound processing the SAD is pointed to by the
          SPD-I part.
      • Peer Authorization Database (PAD)
        – Stores information about links between SPD and
          SAD.
        – Helps IPSec components in security services
          practice.
IPSec Working & Role of IKE

     • IKE helps in setup of security associations
       (SAs).
       – The functionality of all cryptographic protocols is
         dependent on these SAs.
       – Control information exchange also requires SA setup.
     • IKE provides this setup by message exchanges.
       – IKE_SA_INIT, IKE_AUTH
       – IKE_CHILD_SA
       – Informational Exchanges


IPSec Working & Role of ESP

     • ESP provides origin authentication,
       connectionless and sequence integrity,
       data and limited traffic flow confidentiality.
     • Security services are offered in three
       modes by ESP.
       – Confidentiality Only (may be supported)
       – Integrity Only (must be supported)
       – Confidentiality and Integrity (must be
         supported)

IPSec Working & Role of ESP
     (continued..)

     • Data Confidentiality
       – Data confidentiality is provided via encryption.
       – The encryption scheme is selected by the SA from
         the various encryption algorithms.
     • Origin Authentication and Connectionless
       Integrity
       – Integrity of IP datagram is validated via Message
         Authentication Code (MAC).
       – Origin authentication is provided indirectly by binding
         of the key with the holding entity (origin).

IPSec Working & Role of ESP
     (continued..)

     • Anti-Replay Service (Partial Sequence
       Integrity)
       – This service detects the arrival of duplicate
         packets.
       – Provides sequential integrity and may be
         supported in ESP.
     • Limited Traffic Flow Confidentiality
       – This service hides source and destination
         addresses and is usually employed in Tunnel
         Mode.
Limitations of IPSec

     • IPSec follows very strict layering, and its
       protection model works end-to-end.
     • With advances in wireless technology,
       certain cross-layer optimizations are
       performed according to the characteristics
       of the network.
     • Some examples from wireless technology
       highlight the functionality of new network
       applications.
Limitations of IPSec (continued..)


     • Conflicts between IPSec and TCP PEPs
       – TCP PEPs work on two pieces of information,
         TCP flow identification and sequence
         numbers.
       – IPSec encapsulates the whole TCP packet.
     • Traffic Analysis
       – For functioning of upper layers, some
         information from headers is required at
         intermediate nodes.
       – IPSec hides all upper layer headers.
Limitations of IPSec (continued..)

     • Traffic Engineering
       – Flow classification is essential in providing rich
         classes of service and QoS (RED, RSVP).
       – The flow information present in upper layers such as
         TCP is hidden by IPSec.
     • Application Layer Agents/Proxies
       – Some modern routers can serve the HTTP requests
         from their local cache in order to improve
         performance.
       – They need information from upper layers like HTTP
         but, that is hidden by IPSec.

Summary of IPSec Limitations and
     Conclusion

     • All of the mechanisms defined above try to
       access upper-layer information in order to
       work.
     • IPSec works on an end-to-end basis and
       encrypts all the upper-layer information.
     • So IPSec has a basic functional conflict
       with many intermediate devices.
     • These issues need to be resolved for optimal
       performance.
Problem Statement for ML-IPSec


     • Develop a security scheme with the features
       defined below:
       – Supports the services and applications which
         conflict with the working of IPsec.
       – Should grant trusted intermediate nodes a
         secure, controlled and limited access to a
         selected portion of IP datagram.
       – Should preserve the end-to-end security
         protection for user data.

Approaches - Transport Layer
     Security
     • Using a transport-layer security mechanism as an
       alternative to IPsec to provide security services.
     • The transport-layer mechanism, such as secure
       sockets layer (SSL) or transport layer security
       (TLS) operates above TCP and works well with
       TCP PEP:
       – it encrypts the TCP data while leaving the TCP header
         in unencrypted and unauthenticated form
     • Limitations:
       – Vulnerable to traffic analysis attack
       – SSL/TLS only works on TCP but not on UDP so the
         range of applications is limited
Approaches –
     Tunnelling one security protocol
     • This approach tries to use transport layer
       security protocols, SSL/TLS, inside IPsec.
     • SSL/TLS will protect the TCP data and
       IPSec will protect TCP header information
     • Limitations:
       – wastage of resources because TCP data will
         be encrypted twice by SSL/TLS and IPsec,
       – IPsec still encrypts the whole TCP information
         including header and data part

Approaches - Using a Transport
     Friendly ESP Format
     • The transport-friendly ESP (TF-ESP)
       protocol format was proposed:
       – The TCP state information (such as flow
         identifications and sequence numbers) is in a
         disclosure header outside the encryption
         scope, but authenticated.
     • Limitations:
       – Vulnerable to traffic analysis attack
       – It does not work well with TCP spoofing when
         write access is needed
Approaches – Splitting IPsec into
     Two Segments
     • IPsec protection can be applied twice, once
       between sender and security gateway and
       second time between security gateway and
       destination.
     • Limitations:
       – It exposes the information to intermediate
         nodes while confidentiality is only meant for
         end-to-end



Approaches – Multi - Layer IP
     Security Protocol
     • ML-IPsec breaks the IP datagram into
       different parts and applies different security
       mechanisms to different parts:
       – one security mechanism for transport header
       – different security mechanism for application
         data
     • This approach allows the intermediate
       nodes to co-exist with end-to-end IPsec
     • Limitations:
       – More complex than IPsec

Standardization & Issues

     • Many meetings were attended at IETF to
       present the idea of IPSec, and an Internet-Draft was
       written.
     • IETF Concerns:
       – Application domain is limited (Satellite Networks
         only).
       – Implementation complexity is increased (shown
         feasible via implementation in IPSec).
       – Two more implementations are required to prove the
         points.
     • Key management complexity is a major issue.
Applications




Principle of ML-IPSec Security
     Protection
     • Multilayer protection model:
        • Divides IP datagram into zones
        • Different protection schemes for different zones
        (e.g. SA, public/private keys, access control rules
        etc.)




General Model of IPSec Processing

     [Figure: general model of IPSec processing. Surviving label: Multicast
      Key Exchange]
Composite Security Association
     (CSA)

• Security Association
      • one-way relationship
      between sender and
      receiver.
      • defines set of
      parameters (e.g.
      sequence number, anti-
      replay window, lifetime
      of SA, Path MTU etc).
      • Controls outbound,
      inbound processing.



CSA Continued..

     • CSA has two elements:
       – Zone Map: defines coverage of each zone in
         IP datagram.
       – Zone List: is a list of all SAs for all zones. (all
         stored in “Security Association Database
         (SAD)”).




Zones and Zone Map
     • A zone is any portion of the IP datagram under the same security
       protection.
        • The entire IP datagram can be broken into zones.
        • Zones cannot overlap.
        • A zone can be split into multiple sub zones (continuous part of
        IP datagram).
     • A zone map is a mapping
       relationship between IP octets
       and zones.
        • Remains constant for a
        security relationship.
        • The zone that covers the last part
        of the IP datagram (data) should
        be variable according to size.
Composite Security Association
     (CSA)

     • Zone Map




     • Zone List
       – In zone list area we show the SAs, their
         parameters and access control.
Zone List continued

     • SA (designated)
       –   Sequence Number Counter (64 bit)
       –   Sequence Counter Overflow
       –   Anti-Replay Window (64 bit)
       –   Protocol mode (Transport or Tunnel)
       –   Path MTU
       –   Lifetime
       –   Encryption algorithm (DES-CBC)
       –   Encryption Key
       –   Authentication algorithm (HMAC-MD5-32)
       –   Authentication Key
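
The 64-bit anti-replay window in this SA parameter list, sketched as an added example (not code from the slides or from any ML-IPSec implementation). The class and function names are hypothetical, `icv_ok` stands for the result of the ICV check, and the arrival list is constructed.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over ESP/AH sequence numbers."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was accepted

    def classify(self, seq):
        """Cheap check done before the ICV is verified."""
        if seq == 0:                      # the sender's counter starts at 1
            return "too old"
        if seq > self.top:
            return "new"
        offset = self.top - seq
        if offset >= self.size:           # fell off the left edge of the window
            return "too old"
        return "replay" if (self.bitmap >> offset) & 1 else "new"

    def accept(self, seq):
        """Record seq. Call only after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:        # whole window slides past old state
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window, seq, icv_ok):
    """Inbound order of operations: window check, ICV check, window update."""
    verdict = window.classify(seq)
    if verdict != "new":
        return verdict
    if not icv_ok:
        # A forged packet with a large sequence number must not move the
        # window, otherwise it would push legitimate packets out of it.
        return "bad ICV"
    window.accept(seq)
    return "accepted"


def process(arrivals, size=64):
    window = AntiReplayWindow(size)
    return [receive(window, seq, ok) for seq, ok in arrivals]


# Constructed arrival order: (sequence number, ICV verified?)
ARRIVALS = [(1, True), (3, True), (2, True), (3, True), (200, False),
            (70, True), (5, True), (7, True), (70, True)]

if __name__ == "__main__":
    for (seq, _), verdict in zip(ARRIVALS, process(ARRIVALS)):
        print(seq, verdict)
```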
Outbound Processing (zone by
     zone)
     [Figure: outbound processing flow. Labels: Outbound: IP datagram; Zone map;
      Plain Text (masked and concatenated); SA; Encryption (using ESP); AH;
      Cipher Text (ESP); Authentication; ICV; AH or ESP authentication data;
      ESP payload data]
Inbound Processing (zone by zone)

     [Figure: inbound processing flow. Labels: Outbound: IP datagram; Zone map;
      Plain Text (masked and concatenated); SA; Decryption (using ESP); AH;
      Cipher Text (ESP); Authentication; ICV; AH or ESP authentication data;
      ESP payload data]
ESP Header

     • Security Parameter Index:
       Identifies Security Association
       (SA).
     • Sequence Number: Counts the
       packets sent.
     • Encrypted Payload Data for
       Zone: contains the encrypted
       payload data (IP payload data,
       padding, pad length, Next
       Header).
     • Authentication Data for Zone:
       Contains the Integrity Check
       Values (ICV) for each zone.
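
The zone map, zone list and zone-by-zone processing described on the preceding slides, as an added example (not code from the slides or from the ML-IPSec reference implementation). All function names, keys and the sample segment are constructed; the SHAKE-256 keystream is a stand-in for the SA's negotiated ESP cipher, and the 12-octet HMAC-SHA-256 ICV is an assumption.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # assumed truncation length for each zone's ICV


def validate_zone_map(zone_map, n_zones):
    """zone_map is a list of (start, end, zone); end is exclusive and is None
    only for the final entry, whose zone stretches to the end of the data."""
    pos = 0
    for i, (start, end, zone) in enumerate(zone_map):
        is_last = i == len(zone_map) - 1
        if start != pos:
            raise ValueError(f"gap or overlap at octet {start}")
        if not 1 <= zone <= n_zones:
            raise ValueError(f"unknown zone {zone}")
        if (end is None) != is_last:
            raise ValueError("the final entry, and only it, must be open-ended")
        if end is not None and end <= start:
            raise ValueError("empty or reversed range")
        pos = end


def zone_octets(data, zone_map, zone):
    """Mask out every other zone and concatenate this zone's subzones."""
    return b"".join(data[s:e] for s, e, z in zone_map if z == zone)


def stand_in_cipher(key, spi, seq, zone, data):
    """XOR with a SHAKE-256 keystream: a stand-in so the example needs only
    the standard library. It is not a real ESP transform."""
    seed = key + struct.pack("!IQB", spi, seq, zone)
    stream = hashlib.shake_256(seed).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def zone_icv(auth_key, spi, seq, zone, ciphertext):
    msg = struct.pack("!IQB", spi, seq, zone) + ciphertext
    return hmac.new(auth_key, msg, hashlib.sha256).digest()[:ICV_LEN]


def protect(data, zone_map, zone_list, spi, seq):
    """Sender: encrypt, then authenticate, each zone under its own SA.
    zone_list maps zone number -> (enc_key, auth_key)."""
    validate_zone_map(zone_map, len(zone_list))
    packet = {}
    for zone, (enc_key, auth_key) in zone_list.items():
        plain = zone_octets(data, zone_map, zone)
        ct = stand_in_cipher(enc_key, spi, seq, zone, plain)
        packet[zone] = (ct, zone_icv(auth_key, spi, seq, zone, ct))
    return packet


def open_zone(packet, zone, keys, spi, seq):
    """End host or trusted intermediate node: verify the ICV, then decrypt."""
    enc_key, auth_key = keys
    ct, icv = packet[zone]
    if not hmac.compare_digest(icv, zone_icv(auth_key, spi, seq, zone, ct)):
        raise ValueError(f"ICV check failed for zone {zone}")
    return stand_in_cipher(enc_key, spi, seq, zone, ct)


def reassemble(zone_plain, zone_map, total_len):
    """End host: put each zone's octets back where the zone map says."""
    out = bytearray(total_len)
    used = {zone: 0 for zone in zone_plain}
    for start, end, zone in zone_map:
        end = total_len if end is None else end
        n = end - start
        out[start:end] = zone_plain[zone][used[zone]:used[zone] + n]
        used[zone] += n
    return bytes(out)


# Constructed sample: a 20-octet TCP header followed by application data.
TCP_HEADER = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
SEGMENT = TCP_HEADER + b"GET /index.html HTTP/1.1\r\n\r\n"
ZONE_MAP = [(0, 20, 1), (20, None, 2)]   # zone 1: TCP header, zone 2: data
ZONE_LIST = {1: (b"zone1-enc-key", b"zone1-auth-key"),   # constructed keys
             2: (b"zone2-enc-key", b"zone2-auth-key")}
SPI, SEQ = 0x1001, 1


def gateway_view(packet):
    """A PEP-style gateway holding only the zone 1 SA recovers the TCP flow
    identification and sequence number, and nothing from zone 2."""
    header = open_zone(packet, 1, ZONE_LIST[1], SPI, SEQ)
    return struct.unpack("!HHI", header[:8])


if __name__ == "__main__":
    pkt = protect(SEGMENT, ZONE_MAP, ZONE_LIST, SPI, SEQ)
    print("gateway sees ports/seq:", gateway_view(pkt))
    print("zone 2 on the wire:", pkt[2][0].hex())
```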


Implementation and Evaluation

     • Two different evaluations of ML-IPSec
       shall be performed.
       – Simulations based, to see the scalability and
         reliability behaviour.
         • Impact of network bandwidth on Performance ( SA
           establishment latency, TCP throughput and delay).
         • Impact of different data packet size on
           performance and security protocol behaviour.
       – Reference Implementation of ML-IPSec to
         see the overhead on real network.
Testbed Experiment
     Requirements
     • Use Cases
       – IP Only: running standard IP with no security.
       – IPSec: running IPSec using ESP with authentication
         mode enabled.
       – ML-IPSec (1 Zone) = IPSec
       – ML-IPSec (2 Zone)
       – ML-IPSec (3 Zones)
     • The ML-IPSec experiment will be evaluated for
       processing delays, CPU overload and bandwidth
       overhead
Testbed Experiment
     Requirements
     Processing Delay
     • The processing delay will be measured by taking the following
       parameters into consideration:
         – One host pinging the other.
         – Packet size will be fixed.
         – Processing time will be evaluated.
     Bandwidth Overhead
         – One host generates and sends packets as fast as it can and
           the other counts them after receiving.
         – CPU speed will be fixed.
         – Network speed will be fixed.
         – Throughput and protocol overhead relationship will be
           studied.
     Comparing CPU Overload
     • For evaluation of CPU overhead, the environment will be
       configured as given below:
         – One host generates and sends packets as fast as it can and
           the other counts them after receiving.
         – CPU speed will be fixed.
         – Network speed will be fixed.
         – Throughput and CPU load relationship will be studied.
ML-IPSec Testbed

     • Current Status
        – Fedora 13 Installed
        – Computers are
          configured as shown
          in diagram.


     • Future Plans
        – Need to configure
          network’s speed.
        – Need to configure
          NIST Net according
          to requirements.




Simulations & Standalone
     Implementation Plans

     • NIST has performed IPSec simulations as part
       of project “NIIST (NIST IPSec and IKE Simulation
       Tool)”.
       • SPD: Security Policy Database
       • SAD: Security Association Database
       • PF_Key: Generic Socket Key Management API
Simulations & Standalone
     Implementation Plans




Conclusion

     • Intermediate gateways can have access to
       partial IP datagram (e.g. TCP header) by partial
       keys.
     • Can solve the conflict between IPSec and TCP
       PEPs being used in satellite networks.
     • Current, new and future networks can
       improve quality of service using fair queuing,
       differential services etc.
     • IPSec problems are solved.


Cyber security lawsCyber security laws
Cyber security laws
 
Topics in network security
Topics in network securityTopics in network security
Topics in network security
 
Introduction to Delay/Disruption Tolerant Networking and Applications
Introduction to Delay/Disruption Tolerant Networking and ApplicationsIntroduction to Delay/Disruption Tolerant Networking and Applications
Introduction to Delay/Disruption Tolerant Networking and Applications
 
Cloud computing overview & current research
Cloud computing  overview & current researchCloud computing  overview & current research
Cloud computing overview & current research
 

Recently uploaded

Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Recently uploaded (20)

Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

Multilayer Security Architecture for Internet Protocols

  • 1. Multilayer Security Architecture for Internet Protocol (ML-IPSec)
      1 October, 2010
      Muhammad Nasir Mumtaz Bhutta, Centre for Communication Systems Research, University of Surrey, Guildford, Surrey GU2 7XH
      Email: m.bhutta@surrey.ac.uk, Tel: 01483 68 3036
      www.surrey.ac.uk
  • 2. Objectives
      • Demonstrate the “Security Architecture for Internet Protocol” (IPSec) protection model.
      • Highlight the limitations of IPSec.
      • Demonstrate the working of ML-IPSec.
      • Demonstrate the detailed experiment plans.
  • 3. Introduction
      • Security Architecture for Internet Protocol (IPSec) provides security services at the IP layer of the protocol stack.
      • All layers above the IP layer get security services without reengineering the applications.
      • IPSec operates in two modes, tunnel and transport, to secure path(s) between communicating nodes.
  • 4. Path(s) Security
      • Between Pairs of Gateways
          – Gateways need to implement IPSec.
          – Works in Tunnel Mode (the complete IP packet is protected and a new IP header is added).
          – Different source and destination addresses in the dual IP headers.
      [Figure: IPSec tunnel between two tunnel-endpoint gateways, each with a protected subnet behind it, across an unprotected subnet]
  • 5. Path(s) Security
      • Between Pair of Hosts
          – End nodes need to implement IPSec.
          – Works in Transport Mode (upper-layer headers and IP data are protected).
          – IP addresses are unchanged.
      [Figure: two protected endpoints across an unprotected subnet, IPSec tunnel or transport mode]
  • 6. Path(s) Security
      • Between Host and Gateway
          – Both end hosts and gateways implement IPSec.
          – Usually works in tunnel mode, to benefit from hiding the external characteristics of the communication.
      [Figure: protected endpoints, protected subnet and/or unprotected subnet, IPSec tunnel, Internet]
  • 7. Security Goals
      • Access Control
          – Prevent unauthorized access to resources.
      • Connectionless Integrity
          – Detect any modification of an IP datagram, regardless of the arrival order of IP datagrams.
      • Origin Authentication
          – Identify the claimed source of data.
  • 8. Security Goals (continued..)
      • Partial Sequence Integrity
          – Check for duplicate packets (replay attacks).
      • Data Confidentiality
          – Protect against disclosure of data to unauthorized entities.
      • Limited Traffic Flow Confidentiality
          – Protect external characteristics of communications (e.g. source and destination addresses etc.).
  • 9. Major IPSec Components
      • Security Policies
          – Provide rules for user access and control level.
      • Security Protocols
          – Authentication Header (AH)
              • Provides origin authentication, connectionless integrity and optional partial sequence integrity.
          – Encapsulating Security Payload (ESP)
              • Provides all services provided by AH, plus data confidentiality and limited traffic flow confidentiality.
  • 10. Major IPSec Components (continued..)
      • Cryptographic Algorithms
          – Help to achieve integrity and confidentiality.
      • Key Management
          – All security operations are provided by cryptographic means, so keys are required.
          – Internet Key Exchange (IKE v2) is used to provide key management.
  • 11. Assumptions
      • To achieve high-quality security services, certain assumptions need to be met:
          – Good implementation of IPSec.
          – Security depends on many things in the overall system (e.g. personnel and physical procedures, security policies etc.), so IPSec plays its role only as one part.
          – Good implementation of Operating System (OS) security services.
  • 12. IPSec Components to Help in Achieving Security Goals
      • Security Association (SA)
          – An SA is a one-way secure connection for traffic between communicating parties.
          – For bidirectional communication, two SAs are established.
          – The SA, which actually provides all security services, is set up by IKE.
          – Functionality depends on the security protocols, the IPSec mode, the endpoints of the SA and the chosen security services.
  • 13. IPSec Components to Help in Achieving Security Goals (continued..)
      • Security Policy Database (SPD)
          – Stores security policies.
          – Provides information about the security policy rules to be applied.
          – At least one SPD implementation must be supported in IPSec.
          – Three logical components:
              • SPD-Secure (S) contains rules for all IPSec protected traffic.
              • SPD-Outbound (O) contains rules for all outbound traffic.
              • SPD-Inbound (I) contains rules for all inbound traffic or bypassed.
  • 14. IPSec Components to Help in Achieving Security Goals (continued..)
      • Security Association Database (SAD)
          – Stores SAs.
          – Provides information about security associations.
          – For outbound processing, the SAD is pointed to by the SPD-S part.
          – For inbound processing, the SAD is pointed to by the SPD-I part.
      • Peer Authorization Database (PAD)
          – Stores information about links between SPD and SAD.
          – Helps IPSec components in security services practice.
  • 15. IPSec Working & Role of IKE
      • IKE helps in the setup of security associations (SAs).
          – The functionality of all cryptographic protocols depends on these SAs.
          – Control information exchange also requires SA setup.
      • IKE provides this setup by message exchanges.
          – IKE_SA_INIT, IKE_AUTH
          – IKE_CHILD_SA
          – Informational Exchanges
  • 16. IPSec Working & Role of ESP
      • ESP provides origin authentication, connectionless and sequence integrity, and data and limited traffic flow confidentiality.
      • Security services are offered in three modes by ESP.
          – Confidentiality Only (may be supported)
          – Integrity Only (must be supported)
          – Confidentiality and Integrity (must be supported)
  • 17. IPSec Working & Role of ESP (continued..)
      • Data Confidentiality
          – Data confidentiality is provided via encryption.
          – The encryption scheme is selected, out of various encryption algorithms, according to the SA.
      • Origin Authentication and Connectionless Integrity
          – Integrity of the IP datagram is validated via a Message Authentication Code (MAC).
          – Origin authentication is provided indirectly, by binding the key to the entity that holds it (the origin).
  • 18. IPSec Working & Role of ESP (continued..)
      • Anti-Replay Service (Partial Sequence Integrity)
          – This service detects the arrival of duplicate packets.
          – Provides sequential integrity and may be supported in ESP.
      • Limited Traffic Flow Confidentiality
          – This service hides source and destination addresses and is usually employed in Tunnel Mode.
  • 19. Limitations of IPSec
      • IPSec follows very strict layering, and its protection model works end-to-end.
      • With the advancement of wireless technology, certain cross-layer optimizations are performed according to the characteristics of networks.
      • Some examples of wireless technology highlight the functionality of new network applications.
  • 20. Limitations of IPSec (continued..)
      • Conflicts between IPSec and TCP PEPs
          – TCP PEPs work on two pieces of information: TCP flow identification and sequence numbers.
          – IPSec encapsulates the whole TCP packet.
      • Traffic Analysis
          – For the functioning of upper layers, some information from headers is required at intermediate nodes.
          – IPSec hides all upper-layer headers.
  • 21. Limitations of IPSec (continued..)
      • Traffic Engineering
          – Flow classification is essential in providing rich classes of service and QoS (RED, RSVP).
          – The flow information present in upper layers such as TCP is hidden by IPSec.
      • Application Layer Agents/Proxies
          – Some modern routers can serve HTTP requests from their local cache in order to improve performance.
          – They need information from upper layers like HTTP, but that is hidden by IPSec.
  • 22. Summary of IPSec Limitations and Conclusion
      • All the mechanisms described above try to access upper-layer information in order to work.
      • IPSec works on an end-to-end basis and encrypts all the upper-layer information.
      • So IPSec has a basic functional conflict with many intermediate devices.
      • These issues need to be resolved for optimal performance.
  • 23. Problem Statement for ML-IPSec
      • Develop a security scheme with the following features:
          – Supports the services and applications which conflict with the working of IPsec.
          – Should grant trusted intermediate nodes secure, controlled and limited access to a selected portion of the IP datagram.
          – Should preserve the end-to-end security protection for user data.
  • 24. Approaches - Transport Layer Security
      • Use a transport-layer security mechanism as an alternative to IPsec to provide security services.
      • A transport-layer mechanism, such as secure sockets layer (SSL) or transport layer security (TLS), operates above TCP and works well with TCP PEPs:
          – it encrypts the TCP data while leaving the TCP header in unencrypted and unauthenticated form
      • Limitations:
          – Vulnerable to traffic analysis attack
          – SSL/TLS only works on TCP but not on UDP, so the range of applications is limited
  • 25. Approaches – Tunnelling one security protocol
      • This approach tries to use the transport layer security protocols, SSL/TLS, inside IPsec.
      • SSL/TLS will protect the TCP data and IPSec will protect the TCP header information.
      • Limitations:
          – wastage of resources, because the TCP data will be encrypted twice, by SSL/TLS and by IPsec
          – IPsec still encrypts the whole TCP information, including the header and data parts
  • 26. Approaches - Using a Transport Friendly ESP Format
      • The transport-friendly ESP (TF-ESP) protocol format was proposed:
          – The TCP state information (such as flow identifications and sequence numbers) is in a disclosure header outside the encryption scope, but authenticated.
      • Limitations:
          – Vulnerable to traffic analysis attack
          – it does not work well with TCP spoofing when write access is needed
  • 27. Approaches – Splitting IPsec into Two Segments
      • IPsec protection can be applied twice: once between the sender and a security gateway, and a second time between the security gateway and the destination.
      • Limitations:
          – It exposes the information to intermediate nodes, while confidentiality is only meant for end-to-end
  • 28. Approaches – Multi - Layer IP Security Protocol
      • ML-IPsec breaks the IP datagram into different parts and applies different security mechanisms to different parts:
          – one security mechanism for the transport header
          – a different security mechanism for the application data
      • This approach allows the intermediate nodes to co-exist with end-to-end IPsec.
      • Limitations:
          – More complex than IPsec
  • 29. Standardization & Issues
      • Many meetings were attended at the IETF to present the idea of IPSec, and an Internet draft was written.
      • IETF Concerns:
          – Application domain is limited (Satellite Networks only).
          – Implementation complexity is increased (shown feasible via implementation in IPSec).
          – Two more implementations required to prove the points.
      • Key management complexity is a major issue.
  • 30. Applications
  • 31. Principle of ML-IPSec Security Protection
      • Multilayer protection model:
          • Divides the IP datagram into zones
          • Different protection schemes for different zones (e.g. SA, public/private keys, access control rules etc.)
  • 32. General Model of IPSec Processing
      [Figure: Multicast Key Exchange]
  • 33. Composite Security Association (CSA)
      • Security Association
          • one-way relationship between sender and receiver.
          • defines a set of parameters (e.g. sequence number, anti-replay window, lifetime of SA, Path MTU etc).
          • Controls outbound and inbound processing.
  • 34. CSA Continued..
      • A CSA has two elements:
          – Zone Map: defines the coverage of each zone in the IP datagram.
          – Zone List: a list of all SAs for all zones (all stored in the “Security Association Database (SAD)”).
  • 35. Zones and Zone Map
      • A zone is any portion of the IP datagram under the same security protection.
          • The entire IP datagram can be broken into zones.
          • Zones cannot overlap.
          • A zone can be split into multiple sub-zones (each a continuous part of the IP datagram).
      • A zone map is a mapping relationship between IP octets and zones.
          • Remains constant for a security relationship.
          • Zones that cover the last part of the IP datagram (data) should be variable according to size.
  • 36. Composite Security Association (CSA)
      • Zone Map
      • Zone List
          – In the zone list area we show the SAs, their parameters and access control.
  • 37. Zone List continued
      • SA (designated)
          – Sequence Number Counter (64 bit)
          – Sequence Counter Overflow
          – Anti-Replay Window (64 bit)
          – Protocol mode (Transport or Tunnel)
          – Path MTU
          – Lifetime
          – Encryption algorithm (DES-CBC)
          – Encryption Key
          – Authentication algorithm (HMAC-MD5-32)
          – Authentication Key
  • 38. Outbound Processing (zone by zone)
      [Figure: Outbound: IP datagram; zone map; plain text (masked and concatenated); encryption (using ESP); AH SA; cipher text (ESP); authentication; ICV; AH or ESP authentication data; ESP payload data]
  • 39. Inbound Processing (zone by zone)
      [Figure: Outbound: IP datagram; zone map; plain text (masked and concatenated); decryption (using ESP); AH SA; cipher text (ESP); authentication; ICV; AH or ESP authentication data; ESP payload data]
  • 40. ESP Header
      • Security Parameter Index: identifies the Security Association (SA).
      • Sequence Number: counts the packets sent.
      • Encrypted Payload Data for Zone: contains the encrypted payload data (IP payload data, padding, pad length, Next Header).
      • Authentication Data for Zone: contains the Integrity Check Values (ICV) for each zone.
  • 41. Implementation and Evaluation
      • Two different evaluations of ML-IPSec shall be performed.
          – Simulation based, to see the scalability and reliability behaviour.
              • Impact of network bandwidth on performance (SA establishment latency, TCP throughput and delay).
              • Impact of different data packet sizes on performance and security protocol behaviour.
          – Reference implementation of ML-IPSec, to see the overhead on a real network.
  • 42. Testbed Experiment Requirements
      • Use Cases
          – IP Only: running standard IP with no security.
          – IPSec: running IPSec using ESP with authentication mode enabled.
          – ML-IPSec (1 Zone) = IPSec
          – ML-IPSec (2 Zones)
          – ML-IPSec (3 Zones)
      • The ML-IPSec experiment will be evaluated for processing delays, CPU overload and bandwidth overhead.
  • 43. Testbed Experiment Requirements
      Processing Delay
      • The processing delay will be measured by taking the following parameters into consideration:
          – One host pinging the other.
          – Packet size will be fixed.
          – Processing time will be evaluated.
      Bandwidth Overhead
          – One host generates and sends packets as fast as it can and the other counts them after receiving.
          – CPU speed will be fixed.
          – Network speed will be fixed.
          – The relationship between throughput and protocol overhead will be studied.
      Comparing CPU Overload
      • For the evaluation of CPU overhead, the environment will be configured as given below:
          – One host generates and sends packets as fast as it can and the other counts them after receiving.
          – Network speed will be fixed.
          – CPU speed will be fixed.
          – The relationship between throughput and CPU load will be studied.
  • 44. ML-IPSec Testbed
      • Current Status
          – Fedora 13 installed.
          – Computers are configured as shown in the diagram.
      • Future Plans
          – Need to configure the network’s speed.
          – Need to configure NIST Net according to requirements.
  • 45. Simulations & Standalone Implementation Plans
      • NIST has performed IPSec simulations as part of the project “NIIST (NIST IPSec and IKE Simulation Tool)”.
      • SPD: Security Policy Database
      • SAD: Security Association Database
      • PF_Key: Generic Socket Key Management API
  • 46. Simulations & Standalone Implementation Plans
  • 47. Conclusion
      • Intermediate gateways can have access to part of the IP datagram (e.g. the TCP header) by means of partial keys.
      • Can solve the conflict between IPSec and the TCP PEPs being used in satellite networks.
      • Current and future networks can improve quality of service using fair queuing, differentiated services etc.
      • IPSec problems are solved.
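
Slides 31 to 40 describe the zone map, the zone list and zone-by-zone outbound/inbound processing. The sketch below is an added example, not code from the presentation or from any ML-IPSec implementation: it splits a datagram by a zone map, protects each zone under its own SA, and shows a gateway holding only the zone 1 SA reading the TCP header while the application data stays opaque. Assumptions: the names (`ZoneSA`, `outbound`, `inbound`), the packet layout and the sample bytes are hypothetical, and an HMAC-SHA256 keystream and truncated HMAC-SHA256 ICV stand in for the DES-CBC and HMAC-MD5 named on slide 37.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneSA:
    """One zone-list entry: the SA for a zone (only its keys, in this sketch)."""
    enc_key: bytes
    auth_key: bytes


def check_zone_map(zone_map):
    """Zone map = [(start, end, zone_id), ...]; end=None means 'to end of datagram'.
    Sub-zones must tile the datagram: no overlap, no gap, last one variable-length."""
    pos = 0
    for i, (start, end, _zone) in enumerate(zone_map):
        if start != pos:
            raise ValueError(f"sub-zone {i} overlaps or leaves a gap at octet {pos}")
        if end is None:
            if i != len(zone_map) - 1:
                raise ValueError("only the last sub-zone may be variable-length")
        elif end <= start:
            raise ValueError(f"sub-zone {i} is empty")
        pos = end
    if pos is not None:
        raise ValueError("last sub-zone must be variable-length (end=None)")


def mask_and_concat(data, zone_map):
    """Collect each zone's octets: its sub-zones, concatenated in datagram order."""
    zones = {}
    for start, end, zone in zone_map:
        zones[zone] = zones.get(zone, b"") + data[start:end]
    return zones


def _keystream_xor(key, seq, zone, data):
    """Stand-in cipher (HMAC-SHA256 in counter mode), NOT the slides' DES-CBC."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hmac.new(key, b"enc" + seq.to_bytes(8, "big") + bytes([zone])
                       + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], pad))
    return bytes(out)


def _icv(key, seq, zone, ciphertext):
    """Per-zone ICV: HMAC-SHA256 truncated to 96 bits (stand-in for HMAC-MD5)."""
    msg = seq.to_bytes(8, "big") + bytes([zone]) + ciphertext
    return hmac.new(key, msg, hashlib.sha256).digest()[:12]


def outbound(data, zone_map, csa, seq):
    """Sender: split by zone map, then encrypt and authenticate zone by zone."""
    check_zone_map(zone_map)
    packet = {"seq": seq, "zones": {}}
    for zone, plain in mask_and_concat(data, zone_map).items():
        sa = csa[zone]
        ct = _keystream_xor(sa.enc_key, seq, zone, plain)
        packet["zones"][zone] = (ct, _icv(sa.auth_key, seq, zone, ct))
    return packet


def inbound(packet, held_sas):
    """Receiver or gateway: open only the zones whose SA it holds.
    Returns {zone: plaintext or None}; a failed ICV check raises ValueError."""
    result = {}
    for zone, (ct, icv) in packet["zones"].items():
        sa = held_sas.get(zone)
        if sa is None:
            result[zone] = None          # no SA for this zone: it stays opaque
            continue
        if not hmac.compare_digest(icv, _icv(sa.auth_key, packet["seq"], zone, ct)):
            raise ValueError(f"ICV check failed for zone {zone}")
        result[zone] = _keystream_xor(sa.enc_key, packet["seq"], zone, ct)
    return result


# Constructed sample: 20-octet TCP header (zone 1) followed by application data (zone 2).
TCP_HEADER = bytes.fromhex("c0de01bb000003e8000000005002ffff00000000")
APP_DATA = b"GET /report HTTP/1.1\r\n\r\n"
ZONE_MAP = [(0, 20, 1), (20, None, 2)]
CSA = {1: ZoneSA(b"k1-enc" * 4, b"k1-auth" * 4), 2: ZoneSA(b"k2-enc" * 4, b"k2-auth" * 4)}


def demo():
    packet = outbound(TCP_HEADER + APP_DATA, ZONE_MAP, CSA, seq=1)
    gateway = inbound(packet, {1: CSA[1]})   # trusted PEP: holds the zone 1 SA only
    receiver = inbound(packet, CSA)          # end host: holds the full CSA
    return gateway, receiver


if __name__ == "__main__":
    gw, rx = demo()
    print("gateway sees :", gw)
    print("receiver sees:", rx)
```

Because each zone carries its own ICV, a gateway can verify the zone it is allowed to read without holding any key for the user data.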