Understanding IPSec for Network Security

IPSec provides security for communications across networks by enabling systems to select security protocols and encryption algorithms. It defines Authentication Header and Encapsulating Security Payload to provide integrity, authentication, and confidentiality services. IPSec supports transport and tunnel modes and uses security associations and key management to establish secure connections.

Uploaded by Pulkit Tanwar

IP SECURITY

IPSec
●IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet

SERVICES, MECHANISMS, ALGORITHMS
●A typical security protocol provides one or more services
●Services are built from mechanisms
●Mechanisms are implemented using algorithms

SECURITY IN THE INTERNET ARCHITECTURE
●Lack of security in the Internet Architecture
●Security was left up to the applications
●With the passage of time it was realized that universal security at the IP level will become a need and not a luxury

Security Protocol Layers
●The further down you go, the more transparent it is
●The further up you go, the easier it is to deploy
WHAT IS IPSEC?
●Extensions to the basic Internet Protocol to provide security functions at the IP level
●Applicable to both IP Version 4 and IP Version 6
●IPSec available in Windows 2000, Linux, Cisco Routers, etc.

HOW DO YOU KNOW IPSEC IS THERE?
●AH/ESP are new IP layer protocols (IP protocol numbers 51 for AH, 50 for ESP) with either
  1. an IP datagram encapsulated in them (tunnel mode)
  2. TCP/UDP and the rest above them (transport mode)
●Every packet may have AH/ESP applied to it:
  ●AH for authentication;
  ●ESP for encryption and authentication; this is bulk/per-packet encryption/authentication
IP Security Usage Scenario (diagram)
APPLICATIONS OF IPSEC
●Secure Branch Office Connectivity Over the Internet
●Secure Remote Access Over the Internet
●Establishing Extranet and Intranet Connectivity with Business Partners
●Enhancing Electronic Commerce Security

IP SECURITY ARCHITECTURE
●Defined by IPSec Documents (RFCs)
●IP Security Protocol Working Group of IETF
●IP Security evolving with the passage of time
●IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithms to use for the services, and put in place any cryptographic
IPSec Documents Overview
●Relevant RFCs:
  ●RFC 1825: An overview of a security architecture
  ●RFC 1826: Description of a packet authentication extension to IP
  ●RFC 1828: A specific authentication mechanism
  ●RFC 1827: Description of a packet encryption extension to IP
  ●RFC 1829: A specific encryption mechanism
AH AND ESP
AH
●The Authentication Header provides support for data integrity and authentication of IP packets
ESP
●The Encapsulating Security Payload provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality. As an optional feature, ESP can also provide the same authentication service as AH.
IPSec Services (table slide)
SECURITY ASSOCIATIONS
What is an SA?
●An SA is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it.
SA Parameters
●The Security Association Database (SAD) stores the parameters associated with each of the SAs
SA Selectors
●Each SPD (Security Policy Database) entry is defined by a set of IP and upper layer protocol field values called selectors.
TRANSPORT AND TUNNEL MODES
●Tunnel Mode means that one outgoing IP packet is encapsulated in another packet with typically a different IP destination
●Tunnels can be (1) router to router, (2) router to host or host to router, (3) host to host
Transport and Tunnel Modes (diagram)

Tunnel Mode and Transport Mode Functionality (diagram)

Authentication Header (diagram)
SERVICES PROVIDED BY AH
●Anti-Replay Service
●Integrity Check Value
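The two AH services above interact: the receiver runs the anti-replay window check first, verifies the Integrity Check Value, and only then advances the window, so a forged packet cannot move the window and knock genuine traffic out of it. The following sliding-window implementation is an added illustration written for this page (it is not code from the slides); it assumes a 64-packet window, 32-bit sequence numbers starting at 1, and no extended sequence numbers.

```python
class AntiReplayWindow:
    """Per-SA sliding window replay check in the style of AH/ESP (RFC 4302/4303).
    Assumption: 32-bit sequence numbers that start at 1 on a fresh SA and do not wrap (no ESN)."""

    def __init__(self, size: int = 64):
        self.size = size        # window width in packets (64 is the minimum the RFCs recommend)
        self.top = 0            # highest sequence number accepted so far (right edge of window)
        self.bitmap = 0         # bit i set => sequence number (top - i) was already accepted
        self.stats = {"accepted": 0, "replayed": 0, "too_old": 0, "bad_icv": 0}

    def accept(self, seq: int, icv_ok: bool) -> bool:
        """Return True if the packet should be delivered. icv_ok is the result of the ICV check,
        which the caller performs after the window lookup and before the window is updated."""
        if seq == 0 or seq > 0xFFFFFFFF:
            return False                      # 0 is never a valid sequence number
        if seq > self.top:
            advance = True                    # right of the window: new high-water mark
        else:
            offset = self.top - seq
            if offset >= self.size:
                self.stats["too_old"] += 1    # left of the window: treated like a replay
                return False
            if self.bitmap & (1 << offset):
                self.stats["replayed"] += 1   # inside the window but already seen
                return False
            advance = False
        if not icv_ok:
            self.stats["bad_icv"] += 1        # dropped without touching window state
            return False
        if advance:
            shift = seq - self.top
            # Slide the window right; a jump wider than the window empties it
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        self.stats["accepted"] += 1
        return True
```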
Transport and Tunnel Modes (diagram)

Scope of Authentication Header (diagram)

Scope of Authentication Header (diagram, continued)
ENCAPSULATING SECURITY PAYLOAD - ESP
ESP Services
●Confidentiality
●Authentication Services

ESP Format
●SPI (Security Parameters Index)
●SN (Sequence Number)
●PD (Payload Data)
●Padding
●Pad Length
●Next Header
●Authentication Data

ESP (diagram)

ESP Format (diagram)
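The ESP format above and the earlier "how do you know IPSec is there" slide come together in a packet classifier: the IP protocol field (50 for ESP, 51 for AH) identifies the header, and only the SPI and sequence number of ESP are readable on the wire, while the AH fields and ICV are all in the clear. This parser is an added example for this page (not code from the slides); the sample packets are constructed here for illustration and the IPv4 checksum is left as zero.

```python
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51

def build_ipv4(proto: int, payload: bytes, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    # Minimal 20-byte IPv4 header (checksum 0); only used to build the constructed samples below
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr + payload

def parse_ipsec(packet: bytes) -> dict:
    """Classify an IPv4 packet: return the AH/ESP header fields that follow the IP header,
    or ipsec=None when the packet carries no IPsec header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    body = packet[ihl:total_len]
    info = {"proto": proto, "ipsec": None}
    if proto == IPPROTO_ESP:
        # ESP: only SPI and SN are in the clear; payload data, padding, pad length, next header
        # (the trailer) and the authentication data are inside the encrypted/authenticated region
        spi, seq = struct.unpack("!II", body[:8])
        info["ipsec"] = {"type": "ESP", "spi": spi, "seq": seq, "opaque_len": len(body) - 8}
    elif proto == IPPROTO_AH:
        # AH: next header, payload length (AH length in 32-bit words minus 2), reserved, SPI, SN, ICV
        next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", body[:12])
        icv_len = (payload_len + 2) * 4 - 12
        info["ipsec"] = {"type": "AH", "next_header": next_hdr, "spi": spi, "seq": seq,
                         "icv": body[12:12 + icv_len].hex(), "inner_len": len(body) - 12 - icv_len}
    return info

# Constructed sample packets (not real captures): SPI/SN values chosen for illustration
SAMPLE_TCP = build_ipv4(IPPROTO_TCP, b"\x00" * 20)
SAMPLE_ESP = build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x1000, 1) + b"\xaa" * 32)
SAMPLE_AH = build_ipv4(IPPROTO_AH, struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x2000, 7)
                       + b"\x11" * 12 + b"\x00" * 20)   # 12-byte ICV (e.g. HMAC-SHA1-96), then TCP

if __name__ == "__main__":
    for name, pkt in ("tcp", SAMPLE_TCP), ("esp", SAMPLE_ESP), ("ah", SAMPLE_AH):
        print(name, parse_ipsec(pkt))
```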
KEY MANAGEMENT
●Involves the determination and distribution of secret keys
●Typically four keys are used between two applications
●Two types of key management:
  ●Manual
  ●Automated
ISAKMP
●The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley
●Oakley is a refinement of the Diffie-Hellman Key Exchange Protocol
