
IPSec – IP Security Protocol

IPSec – IP Security Protocol. By Archis Raje. What is IPSec? IP Security – a set of extensions developed by the IETF to provide privacy and authentication to IP. To protect the contents of an IP datagram, the data is transformed using cryptography. Why do we need IPSec?


Presentation Transcript


  1. IPSec – IP Security Protocol By Archis Raje

  2. What is IPSec • IP Security – set of extensions developed by IETF to provide privacy and authentication to IP. • To protect the contents of an IP datagram, the data is transformed using cryptography.

  3. Why do we need IPSec? Because IP is insecure – you can • Forge IP address • modify packet contents • replay old content • inspect packet content during transit

  4. How does it work? combination of - • Cryptographic protocols • Security mechanisms

  5. What Does IPSec Provide? • Access control to network elements. • Data origin authentication. • Connectionless integrity for protocols such as UDP. • Detection and rejection of replayed packets. • Use of encryption to provide data confidentiality. • Limited traffic flow confidentiality.

  6. Since the IPSec services are offered at the network layer of the TCP/IP protocol stack, these services can be used by any of the upper-layer protocols such as TCP, UDP, ICMP and IGMP, or by any application layer protocol. • IPSec provides cryptography-based security for IPv4 and IPv6 datagrams.

  7. How? Using two traffic security protocols: • Authentication header (AH). • Encapsulating security payload (ESP). And through the use of cryptographic-key management procedures and protocols such as - • Internet key exchange (IKE) protocol.

  8. Together, the security protocols provide - • Data confidentiality • Limited traffic flow confidentiality • Connectionless integrity • Data origin authentication • Anti-replay service

  9. Modes of Operation of AH and ESP • Transport mode • Tunnel mode

  10. Transport Mode AH transformation: Before: IP Header | TCP/UDP Header | Upper layer payload. After: IP Header | AH Header | TCP/UDP Header | Upper layer payload. Authenticated: the whole packet.

  11. Transport Mode ESP transformation: Before: IP Header | TCP/UDP Header | Upper layer payload. After: IP Header | ESP Header | TCP/UDP Header | Upper layer payload | ESP Trailer | ESP auth. Encrypted: TCP/UDP Header through ESP Trailer. Authenticated: ESP Header through ESP Trailer.

  12. Tunnel Mode AH transformation: Before: IP Header | TCP/UDP Header | Upper layer payload. After: New IP Header | AH Header | Original IP Header | TCP/UDP Header | Upper layer payload. Authenticated: the whole packet.

  13. Tunnel Mode ESP transformation: Before: IP Header | TCP/UDP Header | Upper layer payload. After: New IP Header | ESP Header | Original IP Header | TCP/UDP Header | Upper layer payload | ESP Trailer | ESP auth. Encrypted: Original IP Header through ESP Trailer. Authenticated: ESP Header through ESP Trailer.

  14. Communication • The IKE protocol is used to negotiate the cryptographic algorithm choices, to be utilized by AH and ESP, and put in place the necessary cryptographic keys that the algorithms require. • IPSec can implement different security policy/encryption algorithm for different subnets, nodes, etc. • It does this by the use of Security Association (SA).

  15. Security Association An agreement between communicating peers on factors such as - • IPSec protocol • Mode of operation of the protocols (transport mode or tunnel mode) • Cryptographic algorithms • Cryptographic keys • Lifetime of the keys SAs are simplex (unidirectional)

  16. SAD – Security Association Database • Stores the SA parameters negotiated by IKE. • Contents are – • Sequence number counter. • Sequence counter overflow flag • Anti-replay window • IPSec protocol mode • Path maximum transmission unit (PMTU) • Lifetime of the SA
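The sequence number counter and anti-replay window held in the SAD (slide 16) are what implement the "detection and rejection of replayed packets" service from slide 5. The following is an added example, not from the slides, that models that per-SA receiver state in Python along the lines of the RFC 4303 sliding window; the window width of 64 and the arrival order in `demo()` are constructed assumptions.

```python
class AntiReplayWindow:
    """Per-SA anti-replay state: highest accepted sequence number plus a
    bitmap of the most recent `width` sequence numbers (RFC 4303 style)."""

    def __init__(self, width=64):
        if width < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.width = width
        self.last = 0      # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (last - i) seen

    def check(self, seq):
        """True if seq is fresh and inside the window; state is untouched."""
        if seq == 0:                 # ESP/AH sequence numbers start at 1
            return False
        if seq > self.last:          # newer than anything seen: accept
            return True
        diff = self.last - seq
        if diff >= self.width:       # too old: fell off the window
            return False
        return not (self.bitmap >> diff) & 1   # bit already set => replay

    def update(self, seq):
        """Record seq as accepted; call only after the integrity check passed."""
        if seq > self.last:
            shift = seq - self.last  # slide the window forward
            mask = (1 << self.width) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)


def process(window, seq):
    """Check-then-update for one inbound packet; returns the verdict."""
    if not window.check(seq):
        return "reject"
    window.update(seq)
    return "accept"


def demo():
    """Constructed arrival order: in order, reordered, duplicated, stale."""
    w = AntiReplayWindow(width=64)
    return [(s, process(w, s)) for s in (1, 2, 5, 4, 4, 3, 100, 36, 37, 5)]


if __name__ == "__main__":
    for seq, verdict in demo():
        print(seq, verdict)
```

The window is only updated after a packet passes the AH/ESP integrity check, so a forged packet cannot advance `last` and cause genuine in-flight packets to be dropped as stale.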

  17. SPD - Security Policy Database • Contains policies that are to be applied to the traffic destined to or originated from a given host or network. • Contents are – • Destination IP address • Source IP address • Transport layer protocol • System name: FQDN or email id • User ID

  18. Drawbacks • Complex - has too many options. • Prone to Initialization Vector attacks.
