
IPSec


Presentation Transcript


  1. IPSec • Access control • Connectionless integrity • Data origin authentication • Rejection of replayed packets • Confidentiality Sheng-Liang Song ssl@cisco.com

  2. IPSec • Complexity is security's worst “enemy” • “best practice” Sheng-Liang Song ssl@cisco.com

  3. Agenda • IPSec Overview • IPSec (Network Layer) • Modes (Tunnel/Transport) • Protocols (ESP/AH) • IKE (Internet Key Exchange) • IPSec Cases • IPSec Discussion • Q&A

  4. Key Words • ISAKMP (Internet Security Association and Key Management Protocol) • SA (Security Associations) • SPD (Security Policy Database) • IKE (Internet Key Exchange) • AH (Authentication Header) • ESP (Encapsulating Security Payload) • HMAC (Keyed-Hashing for Message Authentication): HMAC(K, text) = H((K XOR opad) || H((K XOR ipad) || text)), with opad = repeated byte 0x5C and ipad = repeated byte 0x36

  5. IPSec (Network Layer) • lives at the network layer • transparent to applications [Figure: protocol stack application / transport / network / link / physical; SSL sits in user space, IPSec in the OS network layer, above the NIC]

  6. IPv4 Header Format [Figure: IPv4 header with fields labelled mutable, predictable, or immutable]

  7. IPv6 Header Format

  8. IPSec Modes (Tunnel and Transport) • Transport Mode: IP header | ESP/AH | data (the original IP header is kept, ESP/AH is inserted before the data) • Tunnel Mode: new IP hdr | ESP/AH | IP header | data (the whole original packet is encapsulated behind a new IP header)

  9. IPSec Protocols (ESP and AH) • ESP (Encapsulating Security Payload) • Integrity and confidentiality (HMAC/DES-CBC) • Integrity only by using NULL encryption • AH (Authentication Header) • Integrity only [Figure: IPSec authenticated session: IP HDR | AH HDR | Data; IPSec encrypted session: IP HDR | ESP HDR | Data (encrypted); IPSec tunnel: New IP HDR | ESP HDR | IP HDR | Data (encrypted); each shown between the two original IP layers]

  10. AH Format • The sender's counter is initialized to 0 when an SA is established.

  11. AH/Transport

  12. AH/Transport

  13. ESP Format • The sender's counter is initialized to 0 when an SA is established.

  14. ESP/Transport

  15. ESP/Tunnel

  16. IPSec Tunnels • Original IP packet: IP header (TOS) | IP payload • Classified IP packet: TOS set • New IP header built by the tunnel entry point: the TOS byte is copied from the original header • IPSec packet: IP new hdr (TOS) | ESP header | IP header | IP payload

  17. Anti-Replay in IPSec • Both ESP and AH have an anti-replay mechanism • based on sequence numbers • the sender increments the sequence number after each transmission • the receiver optionally checks the sequence number and rejects the packet if it is outside the window or already seen
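The receiver-side check slide 17 describes, written out as an added example (not code from the slides): a sliding window over the SA's sequence numbers, in the style of the 64-bit window RFC 4303 section 3.4.3 specifies. The window size, class and function names are assumptions.

```python
# Receiver-side anti-replay window for one IPsec SA (ESP or AH).
# Added example; constructed to illustrate slide 17, not taken from the deck.

WINDOW_SIZE = 64  # assumption: the minimum window size RFC 4303 requires


class AntiReplayWindow:
    """Tracks which sequence numbers have already been accepted on one SA."""

    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set  =>  sequence number (top - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is fresh and record it; False if stale or replayed.

        Call this only after the packet's ICV has verified, otherwise forged
        sequence numbers could advance the window and drop legitimate traffic.
        """
        if seq == 0:
            # The sender's counter starts at 0 and is incremented before each
            # transmission, so 0 never appears on the wire.
            return False
        if seq > self.top:
            # New highest sequence number: slide the window to the right.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1          # everything older falls out of the window
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                 # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                 # inside the window but already seen: replay
        self.bitmap |= 1 << offset
        return True


def filter_replays(seqs):
    """Run a constructed stream of sequence numbers through one SA's window."""
    win = AntiReplayWindow()
    return [(s, win.check_and_update(s)) for s in seqs]
```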

  18. How IPSec uses IKE

  19. IPSec and IKE in Practice • Sets up a keying channel: an ISAKMP session between the two gateways, authenticated with digital certificates issued by a Certificate Authority • Sets up data channels: an SA providing an authenticated, encrypted tunnel between the internal networks (clear text inside each internal network, encrypted across the tunnel) • ISAKMP (Internet Security Association and Key Management Protocol) • SA (Security Associations) • SPD (Security Policy Database): discard, bypass IPsec, or apply IPSec (overhead)

  20. IPSec (IKEv1 Phase 1) • Authenticated with Signatures • Authenticated with Shared key • Authenticated with Public Key Encryption • Authenticated with Public Key Encryption (Revised)

  21. IPSec (Cases)

  22. IPSec Case1

  23. IPSec Case2

  24. IPSec Case3

  25. IPSec Case4

  26. IPSec Discussion • IPSec authenticates machines, not users • Does not stop denial of service attacks • Easier to do DoS • Order of operations: Encryption/Authentication • Q & A

  27. Reference • Information Security: Principles and Practice, Mark Stamp, Jan 29, 2005 • http://www.ietf.org/ • Cisco IOS IPsec, www.cisco.com/go/ipsec/ • Cisco White Paper, IPsec, http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.htm • N. Ferguson and B. Schneier, A Cryptographic Evaluation of IPsec, http://www.schneier.com/paper-ipsec.html • IPsec, Security for the Internet Protocol, http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/intro.html
