
IPsec

IPsec: A brief look at Internet Protocol Security, by Jason Breen. What is it? A method of authenticating and encrypting IP packets within a data stream. Works at the Internet layer.




Presentation Transcript


  1. IPsec A brief look at Internet Protocol Security By Jason Breen

  2. What is it? • A method of authenticating and encrypting IP packets within a data stream. • Works at the Internet layer (IP, below TCP/UDP), so it protects every protocol carried over IP. • Encapsulates the packet to be sent and unpacks it at the destination, so the application does not need to be modified or designed with IPsec in mind.

  3. Goal of IPsec: “to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6” and, when correctly deployed, it “ought to not adversely affect users, hosts, and other internet components that do not employ these security mechanisms for protection of their traffic.” -RFC 2401, Security Architecture for the Internet Protocol (since obsoleted by RFC 4301, which keeps the same goals)

  4. How does it work? • Two modes of operation: transport mode and tunnel mode. • In transport mode the original IP header is kept and only the payload of the IP packet (the TCP/UDP segment) is encrypted and/or authenticated; with AH the immutable fields of the IP header are authenticated as well. Used for host-to-host communication. • In tunnel mode the entire original IP packet, header and data, is encapsulated inside a new IP packet with a new outer IP header, usually addressed to a security gateway rather than to the final host. Tunnel mode is what Virtual Private Networks (VPNs) are built from, since the inner addresses and the whole inner packet are hidden from everything on the path.

  5. How does it work? (p2) • Two protocols provide the traffic security: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). • AH – Provides connectionless integrity and data origin authentication for the payload and the immutable parts of the IP header, plus optional anti-replay protection using a sliding window of sequence numbers. AH provides no confidentiality, and because it authenticates the source and destination addresses it does not survive NAT. • ESP – Provides confidentiality through encryption, limited traffic-flow confidentiality (padding, and in tunnel mode hiding the inner addresses and protocol), and optionally connectionless integrity and data origin authentication with the same anti-replay protection. Caveat: ESP with encryption but no integrity check is insecure against an active attacker, so in practice ESP is run with integrity enabled (an HMAC or an AEAD cipher such as AES-GCM), which is why AH is now rarely deployed.
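The anti-replay protection mentioned for both AH and ESP is a sliding window on the sequence number. The following is an added worked example, not code from the original presentation: it implements the receiver-side window in the style of RFC 4303 Appendix A, on a constructed packet stream, and shows the ordering a practitioner should care about: the window is consulted before the integrity check and advanced only after it passes, so a forged packet with a high sequence number cannot push genuine traffic out of the window. The window size of 32 in the demo and the packet stream are assumptions for illustration.

```python
"""Anti-replay sliding window used by AH and ESP (RFC 4302/4303, Appendix A style).

Added worked example for slide 5; not code from the original presentation.
The receiver remembers the highest sequence number accepted so far (top) and a
bitmap of which of the `size` numbers below it have already arrived. A packet
is accepted only if its sequence number is new and not older than the window,
and the window is advanced only after the packet's integrity check (ICV) passed,
so an attacker cannot forge sequence numbers to age out legitimate traffic.
"""

DEFAULT_WINDOW = 64   # RFC 4303 requires at least 32; 64 is a common default


class ReplayWindow:
    def __init__(self, size=DEFAULT_WINDOW):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) was accepted

    def classify(self, seq):
        """'ok' if seq may be processed, otherwise the reason it is rejected."""
        if seq == 0:
            return "invalid"              # first packet on an SA is number 1
        if seq > self.top:
            return "ok"                   # new highest: will advance the window
        diff = self.top - seq
        if diff >= self.size:
            return "too-old"              # fell off the left edge of the window
        if (self.bitmap >> diff) & 1:
            return "replay"               # already accepted once
        return "ok"

    def update(self, seq):
        """Mark seq as accepted. Call only after the ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1           # jumped past the whole window
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window, seq, icv_ok):
    """Receiver-side order of operations: window check, then ICV, then update."""
    verdict = window.classify(seq)
    if verdict != "ok":
        return verdict
    if not icv_ok:
        return "bad-icv"                  # forged or corrupted: window untouched
    window.update(seq)
    return "accept"


def demo(size=32):
    """Constructed packet stream of (sequence number, ICV verified?) pairs."""
    packets = [(1, True), (2, True), (3, True), (5, True), (4, True),
               (5, True),              # duplicate of an accepted packet
               (40, True),             # big jump: 8 and below are now outside the window
               (7, True), (1, True),   # too old now
               (39, True),             # late but still inside the window
               (41, False),            # forged packet with a bad ICV
               (41, True)]             # the genuine packet with the same number
    window = ReplayWindow(size)
    return [receive(window, seq, ok) for seq, ok in packets]


if __name__ == "__main__":
    print(demo())
```

The interesting cases are the last two packets: the forged number 41 is rejected without touching the window, so the real 41 is still accepted afterwards. Had the window been advanced before the ICV check, an attacker could spray large sequence numbers and make the receiver drop every genuine packet as "too old".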

  6. Authentication Header: The pieces • Next header (8 bits): the protocol of the payload that follows the AH (e.g. 6 for TCP, or 4 for an inner IPv4 packet in tunnel mode) • Payload length (8 bits): the length of the AH in 32-bit words minus 2, so an AH carrying a 96-bit ICV (24 bytes in total) has payload length 4 • Reserved (16 bits): set to zero by the sender and ignored by the receiver, kept for future versions of AH • Security parameters index (SPI, 32 bits): together with the destination address identifies the security association (SA), i.e. which keys and algorithms apply to this packet • Sequence number (32 bits): a monotonically increasing counter, starting at 1 for each new SA, that drives the receiver's anti-replay window; it must never wrap within an SA (a new SA is negotiated first, or 64-bit extended sequence numbers are used) • Authentication data (variable, padded to a multiple of 32 bits): the integrity check value (ICV), typically a truncated HMAC, computed over the AH, the payload and the immutable fields of the IP header (mutable fields such as TTL and the header checksum are zeroed for the calculation)

  7. Encapsulating Security Payload: The pieces • Security parameters index (32 bits): identifies the SA; sent in the clear • Sequence number (32 bits): the same anti-replay counter as in AH; also in the clear • Payload data (variable): the data to be sent, preceded by the cipher's IV where one is needed; encrypted • Padding (0 to 255 bytes): pads the plaintext to the cipher's block size and to a 4-byte boundary, and can also be used to hide the true payload length; the default pad bytes are 1, 2, 3, ... and a receiver may check them; encrypted • Pad length (8 bits): the number of padding bytes; encrypted • Next header (8 bits): the protocol of the payload data; encrypted, so the inner protocol is hidden on the wire • Authentication data: the ICV, as in AH, but computed only over the ESP header, payload and trailer and not over the outer IP header, which is why ESP can pass through NAT (with UDP encapsulation) while AH cannot
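To make the two layouts on slides 6 and 7 concrete, here is an added worked example, not code from the original presentation: a small builder and parser for the AH header and for the ESP header and trailer, run over packets constructed for this example. AH is entirely in the clear, so it can be parsed directly off the wire. For ESP only the SPI, sequence number and ICV are visible; the padding, pad length and next header sit inside the ciphertext, so the trailer parsing below is shown on a constructed plaintext, as it would look after decryption. The SPI values, sequence numbers, ICV bytes and payloads are all assumptions chosen for the demo; no real key or cipher is involved.

```python
"""AH and ESP wire formats from slides 6 and 7 (RFC 4302 / RFC 4303).

Added worked example; not code from the original presentation. AH is entirely
in the clear. For ESP only the SPI, sequence number and ICV are visible on the
wire; padding, pad length and next header live inside the ciphertext, so the
trailer parsing below runs on a constructed plaintext, as it would after
decryption and a successful ICV check. All sample packets are constructed here.
"""
import struct

AH_FIXED = struct.Struct("!BBHII")   # next header, payload len, reserved, SPI, seq
ESP_HEAD = struct.Struct("!II")      # SPI, sequence number (always in the clear)


def build_ah(next_header, spi, seq, icv):
    """AH fixed header followed by the ICV. Payload Length counts 32-bit words minus 2."""
    total = AH_FIXED.size + len(icv)
    if total % 4:
        raise ValueError("AH length must be a multiple of 4 bytes (pad the ICV)")
    return AH_FIXED.pack(next_header, total // 4 - 2, 0, spi, seq) + icv


def parse_ah(raw):
    """Return (AH fields, offset of the upper-layer payload that follows the AH)."""
    if len(raw) < AH_FIXED.size:
        raise ValueError("truncated AH")
    nh, plen, reserved, spi, seq = AH_FIXED.unpack_from(raw)
    ah_len = (plen + 2) * 4
    if ah_len > len(raw):
        raise ValueError("AH payload length exceeds packet")
    if reserved != 0:
        raise ValueError("AH reserved field must be zero")
    icv = raw[AH_FIXED.size:ah_len]
    return {"next_header": nh, "spi": spi, "seq": seq, "icv": icv}, ah_len


def parse_esp_header(raw):
    """Split an ESP packet into its clear-text header and the opaque body (ciphertext + ICV)."""
    if len(raw) < ESP_HEAD.size:
        raise ValueError("truncated ESP")
    spi, seq = ESP_HEAD.unpack_from(raw)
    return {"spi": spi, "seq": seq, "body": raw[ESP_HEAD.size:]}


def build_esp_plaintext(payload, next_header, align=4):
    """Payload + padding + pad length + next header, so that the trailer ends on an
    `align` boundary (4 for stream/AEAD ciphers, the block size for CBC ciphers)."""
    pad_len = (-(len(payload) + 2)) % align
    padding = bytes(range(1, pad_len + 1))        # default pad pattern 1, 2, 3, ... (RFC 4303)
    return payload + padding + bytes([pad_len, next_header])


def parse_esp_plaintext(plain):
    """Strip the ESP trailer from decrypted data and verify the default padding.
    Only call after the ICV verified: a padding failure must never be observable
    to a sender whose packet did not authenticate."""
    if len(plain) < 2:
        raise ValueError("ESP plaintext too short for trailer")
    pad_len, next_header = plain[-2], plain[-1]
    end = len(plain) - 2
    if pad_len > end:
        raise ValueError("ESP pad length exceeds plaintext")
    if plain[end - pad_len:end] != bytes(range(1, pad_len + 1)):
        raise ValueError("ESP padding does not match default pattern")
    return {"next_header": next_header, "payload": plain[:end - pad_len]}


def demo():
    # Constructed AH packet: a 12-byte (HMAC-SHA1-96 style) ICV in front of a TCP segment.
    ah_pkt = build_ah(6, 0x1000ABCD, 42, bytes(range(12))) + b"\x00\x50\x1f\x90"
    ah, offset = parse_ah(ah_pkt)
    # Constructed ESP packet whose body is shown already decrypted (UDP inside, next header 17).
    plain = build_esp_plaintext(b"hello world", 17)
    esp = parse_esp_header(ESP_HEAD.pack(0x2000EF01, 7) + plain)
    inner = parse_esp_plaintext(esp["body"])
    return ah, offset, esp, inner


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it: the AH payload length field reads 4 even though the header is 24 bytes long, because it is expressed in 32-bit words minus 2; and the ESP trailer for an 11-byte payload comes out as `01 02 03 | 03 | 11`, i.e. three default pad bytes, pad length 3, next header 17, exactly the order slide 7 lists. With `align=16`, as a CBC cipher would need, the same payload gets more padding.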

  8. Why use IPsec? • Designed with IPv6 in mind: AH and ESP are IPv6 extension headers, and support for them was originally mandatory for IPv6 nodes • Applications benefit from IPsec without being modified, because the protection is applied at the IP layer, whereas SSL/TLS and similar protocols must be built into the application • Secures all IP traffic, including host-to-host, gateway-to-gateway and host-to-gateway communication • Algorithm-independent: the integrity and encryption algorithms are negotiated per security association (normally through IKE), so each deployment can choose its own as long as both ends agree. The caveat is that the choice matters: legacy options such as DES, 3DES and HMAC-MD5 are deprecated and should be disabled in favour of AES-GCM, or AES-CBC with HMAC-SHA2.
