IP SECURITY
*
IPSec
● IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet
*
SERVICES, MECHANISMS, ALGORITHMS
● A typical security protocol provides one or more services
● Services are built from mechanisms
● Mechanisms are implemented using algorithms
*
SECURITY IN THE INTERNET ARCHITECTURE
● Lack of security in the Internet Architecture
● Security was left up to the applications
● With the passage of time it was realized that universal security at the IP level would become a need and not a luxury
*
Security Protocol Layers
● The further down you go, the more transparent it is
● The further up you go, the easier it is to deploy
*
WHAT IS IPSEC?
● Extensions to the basic Internet Protocol to provide security functions at the IP level
● Applicable to both IP Version 4 and IP Version 6
● IPSec available in Windows 2000, Linux, Cisco Routers, etc.
*
HOW DO YOU KNOW IPSEC IS THERE?
● AH/ESP are new IP-layer protocols (protocol numbers 50/51) with either
  ● 1. an IP datagram encapsulated in them (tunnel mode)
  ● 2. TCP/UDP and the rest above them (transport mode)
● Every packet may have AH/ESP applied to it:
  ● AH for authentication;
  ● ESP for encryption and authentication; this is bulk/per-packet encryption/authentication
*
IP Security Usage Scenario
*
APPLICATIONS OF IPSEC
● Secure Branch Office Connectivity Over the Internet
● Secure Remote Access Over the Internet
● Establishing Extranet and Intranet Connectivity with Business Partners
● Enhancing Electronic Commerce Security
*
IP SECURITY ARCHITECTURE
● Defined by IPSec Documents (RFCs)
● IP Security Protocol Working Group of IETF
● IP Security evolving with the passage of time
● IPSec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithms to use for the services, and put in place any cryptographic
*
IPSec Documents Overview
● Relevant RFCs
  ● RFC 1825: An overview of a security architecture
  ● RFC 1826: Description of a packet authentication extension to IP
  ● RFC 1828: A specific authentication mechanism
  ● RFC 1827: Description of a packet encryption extension to IP
  ● RFC 1829: A specific encryption mechanism
*
AH AND ESP
● AH
  ● The Authentication Header provides support for data integrity and authentication of IP packets
● ESP
  ● The Encapsulating Security Payload provides confidentiality services, including confidentiality of message contents and limited traffic flow confidentiality. As an optional feature, ESP can also provide the same authentication service as AH.
*
IPSec Services
*
SECURITY ASSOCIATIONS
● What is an SA?
  ● An SA is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it.
● SA Parameters
  ● The Security Association Database stores the parameters associated with each of the SAs
● SA Selectors
  ● Each SPD entry is defined by a set of IP and upper-layer protocol field values called selectors.
*
TRANSPORT AND TUNNEL MODES
● Tunnel Mode means that one outgoing IP packet is encapsulated in another packet with typically a different IP destination
● Tunnels can be (1) router to router, (2) router to host or host to router, (3) host to host
*
Transport and Tunnel Modes
*
Tunnel Mode and Transport
Mode Functionality
*
Authentication Header
*
SERVICES PROVIDED BY AH
● Anti-Replay Service
● Integrity Check Value
*
Transport and Tunnel Modes
*
Scope of Authentication Header
*
Scope of Authentication Header
*
ENCAPSULATING SECURITY PAYLOAD - ESP
● ESP Services
  ● Confidentiality
  ● Authentication Services
● ESP Format
  ● SPI (Security Parameters Index)
  ● SN (Sequence Number)
  ● PD (Payload Data)
  ● Padding
  ● Pad Length
  ● Next Header
  ● Authentication Data
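As an added example (not part of the slides), the following Python lays out and parses an ESP packet with the fields listed above. It assumes HMAC-SHA1-96 as the Authentication Data algorithm, a constructed demo key, and leaves the Payload Data unencrypted so the field layout stays visible; the padding and ICV rules follow what the slides describe, and the code also accepts a larger alignment to show block-cipher padding.

```python
import hashlib
import hmac
import struct

ESP_PROTOCOL_NUMBER = 50   # value the outer IP header carries to say "ESP follows"
ICV_LEN = 12               # HMAC-SHA1-96: Authentication Data truncated to 96 bits (assumption)


def build_esp(spi, seq, payload, next_header, auth_key, align=4):
    """Lay out: SPI | SN | Payload Data | Padding | Pad Length | Next Header | Auth Data.
    Padding makes Payload+Padding+2 trailer bytes a multiple of `align` (4 is the
    minimum; use the cipher block size when a block cipher is in use). Encryption
    of Payload..Next Header is omitted here so the layout stays readable."""
    pad_len = (-(len(payload) + 2)) % align
    padding = bytes(range(1, pad_len + 1))          # default padding bytes 1,2,3,...
    authenticated = (struct.pack("!II", spi, seq) + payload + padding
                     + bytes([pad_len, next_header]))
    # ICV covers SPI through Next Header, never the ICV itself
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def parse_esp(packet, auth_key):
    """Verify the ICV first, then strip the trailer. Raises ValueError on failure."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # constant-time compare before parsing
        raise ValueError("ESP authentication failed")
    spi, seq = struct.unpack("!II", authenticated[:8])
    body = authenticated[8:]
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds payload")
    payload_end = len(body) - 2 - pad_len
    if body[payload_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding check failed")
    return {"spi": spi, "seq": seq, "next_header": next_header,
            "payload": body[:payload_end]}


if __name__ == "__main__":
    key = b"constructed-demo-key"                   # constructed sample key
    pkt = build_esp(0x1234, 1, b"hello", 6, key)    # Next Header 6 = TCP (transport mode)
    print(parse_esp(pkt, key))
```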
*
ESP
*
ESP Format
*
KEY MANAGEMENT
● Involves the determination and distribution of secret keys
● Typically four keys are used between two applications
● Two types of key management
  ● Manual
  ● Automated
*
ISAKMP
● The default automated key management protocol for IPSec is referred to as ISAKMP/Oakley
● Oakley is a refinement of the Diffie-Hellman Key Exchange Protocol