1 / 38

IPSec

IPSec. IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet. . Convenience / Usability. 0. Security. . Usability and Security. Determine where on this line your organization needs lie.

riley-bullock
Download Presentation

IPSec

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet

  2. Convenience / Usability 0 Security  Usability and Security Determine where on this line your organization needs lie

  3. SSL/IPSec/PPTP, etc Services (Security Protocols) Signatures Encryption Hashing Mechanisms DSA RSA RSA DES SHA1 MD5 Algorithms Services, Mechanisms, Algorithms • A typical security protocol provides one or more security services (authentication, secrecy, integrity, etc.) • Services are built from mechanisms. • Mechanisms are implemented using algorithms.

  4. Security in the Internet Architecture • Lack of security in the Internet Architecture • Security was left up to the applications • With the passage of time it was realized that universal security at the IP level will become a need and not a luxury

  5. Security Protocol Layers • The further down you go, the more transparent it is • The further up you go, the easier it is to deploy

  6. Some Pros of Security at the IP Level • Can be end to end or at least multi­link unlike link layer • Could be hw/sw supported (hw support for encryption) • Can shield unmodified host apps giving them crypto/security at the level of nets/hosts/and possibly users • Can extend secure enclave across insecure areas

  7. What is IPSec? • Extensions to the basis Internet Protocol to provide security functions at the IP level • Applicable to both IP Version 4 and IP Version 6 • IPSec available in Windows 2000, Linux, Cisco Routers, etc.

  8. How do you know IPSec is there? • AH/ESP new IP layer protocols (50/51) with either • 1. an IP datagram encapsulated in them (tunnel mode) • 2. TCP/UDP and the rest above them (transport mode) • Every packet may have AH/ESP applied to them: • AH for authentication; • ESP for encryption and authentication, this is bulk/per­packet encryption/authentication

  9. IP Security Usage Scenario

  10. Applications of IPSec • Secure Branch Office Connectivity Over the Internet • Secure Remote Access Over the Internet • Establishing Extranet and Intranet Connectivity with Business partners • Enhancing Electronic Commerce Security

  11. IP Security Architecture • Defined by IPSec Documents (RFCs) • IP Security Protocol Working Group of IETF • IP Security Evolving with the passage of time • IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithms to use for the services, and put in place any cryptographic keys required.

  12. IPSec Documents Overview • Relevant RFCs • RFC 1825: An overview of a security architecture • RFC 1826: Description of a packet authentication extension to IP • RFC 1828: A specific authentication mechanism • RFC 1827: Description of a packet encryption extension to IP • RFC 1829: A specific encryption mechanism

  13. AH and ESP • AH • The Authentication Header provides support for data integrity and authentication of IP packets • ESP • The Encapsulating Security Payload provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality. As an optional feature, ESP can also provide the same authentication service as AH.

  14. IPSec Services

  15. IPSec Framework Protocols Authentication Header R1 R2 All data is in plaintext. • AH provides the following: • Authentication • Integrity Encapsulating Security Payload R1 R2 Data payload is encrypted. • ESP provides the following: • Encryption • Authentication • Integrity

  16. IPSec Framework Diffie-Hellman DH7

  17. Confidentiality Least secure Most secure Key length: - 56-bits Key length: - 56-bits (3 times) • Key lengths: • 128-bits • 192 bits • 256-bits Diffie-Hellman DH7 Key length: - 160-bits

  18. Integrity Least secure Most secure Key length: - 128-bits Key length: - 160-bits) Diffie-Hellman DH7

  19. Authentication Diffie-Hellman DH7

  20. Security Associations • What is a SA? • An SA is a one way relationship between a sender and a received that affords security services to the traffic carried on it. • SA Parameters • Security Association Database stores parameters associated with each of the SAs • SA Selectors • Each SPD entry is defined by a set of IP and upper layer protocol field values called selectors.

  21. Security Association (SA) • A simplex (uni-directional) logical connection, created for security purposes • All traffic traversing an SA is provided the same security processing • In IPsec, an SA is an Internet-layer abstraction implemented through the use of AH or ESP • State data associated with an SA is represented in the SA Database (SAD)

  22. Security Parameters Index (SPI) • An arbitrary 32-bit value that is used by a receiver to identify the SA to which an incoming packet should be bound. • For a unicast SA, the SPI can be used by itself to specify an SA, or it may be used in conjunction with the IPsec protocol type. • Additional IP address information is used to identify multicast SAs. • The SPI is carried in AH and ESP protocols to enable the receiving system to select the SA under which a received packet will be processed. • An SPI has only local significance, as defined by the creator of the SA • (usually the receiver of the packet carrying the SPI); thus an SPI is generally viewed as an opaque bit string. • However, the creator of an SA may choose to interpret the bits in an SPI to facilitate local processing.

  23. Security Association Database Parameters • Security Parameters Index (SPI) • • sequence number counter • • sequence number overflow • • anti-replay window • • AH information • • ESP information • • lifetime of SA • • IPSec protocol mode • • Path MTU • • other information

  24. SA Selector • IPSec provides flexibility • • SAs can be combined • • Security Policy Database (SPD) specifies mapping of IP • traffic to SAs • • mapping is done according to field values of selectors • – destination IP address • – source IP address • – user ID • – data sensitivity level • – transport layer protocol • – source and destination ports

  25. Transport and Tunnel Modes • Tunnel Mode means that one outgoing IP packet is encapsulated in another packet with typically a different IP destination • Tunnels can be (1) Router to Router (2) Router to host or host to router (3) host to host

  26. Transport and Tunnel Modes

  27. Tunnel Mode and Transport Mode Functionality

  28. Authentication Header

  29. Services Provided by AH • Anti-Replay Service • Integrity Check Value

  30. Anti-Replay Service

  31. Transport and Tunnel Modes

  32. Scope of Authentication Header

  33. Scope of Authentication Header

  34. Encapsulating Security Payload - ESP • ESP Services • Confidentiality • Authentication Services • ESP Format • SPI • SN • PD • Padding • Pad Length • Next Header • Authentication Data

  35. ESP

  36. ESP Format

  37. Transport-level security

  38. A virtual private network via Tunnel Mode

More Related