
IP Security

Outline
• Internetworking and Internet Protocols
• IP Security Overview
• IP Security Architecture
• Authentication Header
• Encapsulating Security Payload
• Combinations of Security Associations
• Key Management

http://sce.uhcl.edu/yang/teaching/....../ 2
IPsecurity.ppt
TCP/IP Example

TCP: Transmission Control Protocol, IP: Internet Protocol, LLC: Logical Link Control, MAC: Message Access Control
IPv4 Header

IPv6 Header

IP Security Overview
• IPSec is not a single protocol.
• Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever of those algorithms provide security appropriate for the communication.

• Applications of IPSec
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing extranet and intranet connectivity with partners
– Enhancing electronic commerce security
IP Security Scenario

IP Security Overview

• Benefits of IPSec
– Transparent to applications: it sits below the transport layer (TCP, UDP)
– Provides security for individual users

• IPSec can assure that
– A router or neighbor advertisement comes from an authorized router
– A redirect message comes from the router to which the initial packet was sent
– A routing update is not forged

IP Security Architecture
• IPSec documents: NEW updates in 2005!
– RFC 2401: Security Architecture for the Internet Protocol. S. Kent, R. Atkinson. November 1998. (An overview of security architecture) → RFC 4301 (12/2005)
– RFC 2402: IP Authentication Header. S. Kent, R. Atkinson. November 1998. (Description of a packet encryption extension to IPv4 and IPv6) → RFC 4302 (12/2005)
– RFC 2406: IP Encapsulating Security Payload (ESP). S. Kent, R. Atkinson. November 1998. (Description of a packet encryption extension to IPv4 and IPv6) → RFC 4303 (12/2005)
– RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP. D. Piper. November 1998. PROPOSED STANDARD. (Obsoleted by RFC 4306)
– RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP). D. Maughan, M. Schertler, M. Schneider, J. Turner. November 1998. (Specification of key management capabilities) (Obsoleted by RFC 4306)
– RFC 2409: The Internet Key Exchange (IKE). D. Harkins, D. Carrel. November 1998. PROPOSED STANDARD. (Obsoleted by RFC 4306, Updated by RFC 4109)

IP Security Architecture
• Internet Key Exchange (IKE)
A method for establishing a security association (SA)
that authenticates users, negotiates the
encryption method and exchanges the secret
key. IKE is used in the IPsec protocol. Derived from
the ISAKMP framework for key exchange and the
Oakley and SKEME key exchange techniques, IKE
uses public key cryptography to provide the secure
transmission of the secret key to the recipient so
that the encrypted data may be decrypted at the
other end. (http://computing-dictionary.thefreedictionary.com/IKE)
• RFC4306 Internet Key Exchange (IKEv2) Protocol C. Kaufman, Ed.
December 2005 (Obsoletes RFC2407, RFC2408, RFC2409) PROPOSED
STANDARD
• RFC4109 Algorithms for Internet Key Exchange version 1
(IKEv1) P. Hoffman. May 2005 (Updates RFC2409) PROPOSED
STANDARD
IPSec Document Overview

ESP: Encapsulating Security Payload, AH: Authentication Header, DOI: Domain of Interpretation
IPSec Services
• Access Control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
• Confidentiality (encryption)

Security Associations (SA)
• A one-way relationship between a sender and a receiver.
• Identified by three parameters:
– Security Parameter Index (SPI)
– IP Destination address
– Security Protocol Identifier

Transport Mode SA versus Tunnel Mode SA
• AH
– Transport mode SA: Authenticates IP payload and selected portions of IP header and IPv6 extension headers
– Tunnel mode SA: Authenticates entire inner IP packet plus selected portions of outer IP header

• ESP
– Transport mode SA: Encrypts IP payload and any IPv6 extension header
– Tunnel mode SA: Encrypts inner IP packet

• ESP with authentication
– Transport mode SA: Encrypts IP payload and any IPv6 extension header. Authenticates IP payload but no IP header
– Tunnel mode SA: Encrypts inner IP packet. Authenticates inner IP packet.
Before applying AH

Transport Mode
(AH Authentication)

Tunnel Mode
(AH Authentication)

Authentication Header
• Provides support for data integrity and authentication (a MAC code) of IP packets.
• Guards against replay attacks.
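To make the SA triple from the Security Associations slide and the two AH services above concrete, here is an added Python sketch (not code from the slides) of a receiver's transport-mode AH check: it looks up the SA by (SPI, destination address, protocol), verifies an HMAC-SHA-1-96 integrity check value over the immutable IP fields, the AH header and the payload, and applies an RFC 2402-style anti-replay window that only advances after the ICV verifies. The SAD entry, key, addresses and IP header bytes are constructed for the demo.

```python
import hashlib, hmac, struct
AH_PROTO = 51       # IP protocol number of the Authentication Header
NEXT_HDR_TCP = 6    # protocol carried after AH in this constructed example
ICV_LEN = 12        # HMAC-SHA-1-96 keeps 96 bits (12 bytes) of HMAC-SHA-1

# Constructed Security Association Database, keyed by the SA triple from the
# slides: (SPI, IP destination address, security protocol). Demo key only.
SAD = {(0x1000, "10.0.0.2", AH_PROTO): {"key": b"constructed-demo-key",
                                        "highest_seq": 0, "window": 0, "window_size": 64}}

def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah(key: bytes, spi: int, seq: int, ip_immutable: bytes, payload: bytes) -> bytes:
    # Sender: AH header (Next Header, Payload Len, Reserved, SPI, Seq) + ICV. The ICV
    # covers the immutable IP fields, the AH header with a zeroed ICV, and the payload.
    hdr = struct.pack("!BBHII", NEXT_HDR_TCP, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    return hdr + hmac_sha1_96(key, ip_immutable + hdr + bytes(ICV_LEN) + payload)

def replay_accept(sa: dict, seq: int) -> bool:
    # Sliding-window anti-replay check in the style of RFC 2402; no state change here.
    hi, size = sa["highest_seq"], sa["window_size"]
    if seq == 0 or seq + size <= hi:      # seq 0 is invalid; too old falls off the left
        return False
    if seq > hi:                          # right of the window: a new packet
        return True
    return not (sa["window"] >> (hi - seq)) & 1   # inside the window: seen before?

def replay_update(sa: dict, seq: int) -> None:
    hi, size = sa["highest_seq"], sa["window_size"]
    if seq > hi:                          # slide the window forward, mark seq as bit 0
        sa["window"] = ((sa["window"] << (seq - hi)) | 1) & ((1 << size) - 1)
        sa["highest_seq"] = seq
    else:
        sa["window"] |= 1 << (hi - seq)

def verify_ah(dst: str, ah: bytes, ip_immutable: bytes, payload: bytes) -> str:
    # Receiver: SA lookup, replay pre-check, ICV check, then (and only then) window update.
    _, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    sa = SAD.get((spi, dst, AH_PROTO))
    if sa is None:
        return "no-sa"
    if not replay_accept(sa, seq):
        return "replay"
    expected = hmac_sha1_96(sa["key"], ip_immutable + ah[:12] + bytes(ICV_LEN) + payload)
    if not hmac.compare_digest(expected, ah[12:12 + ICV_LEN]):
        return "bad-icv"
    replay_update(sa, seq)
    return "ok"
```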

End-to-end versus End-to-Intermediate Authentication

Encapsulating Security Payload
• ESP provides confidentiality services

Encryption and Authentication Algorithms
• Encryption:
– Three-key triple DES
– RC5
– IDEA
– Three-key triple IDEA
– CAST
– Blowfish

• Authentication:
– HMAC-MD5-96
– HMAC-SHA-1-96

ESP Encryption and Authentication

ESP Encryption and Authentication

Trlr: Trailer
Combinations of Security Associations

Key Management
• Two types:
– Manual
– Automated
• Oakley Key Determination Protocol
• Internet Security Association and Key
Management Protocol (ISAKMP)

Oakley
• Three authentication methods:
– Digital signatures
– Public-key encryption
– Symmetric-key encryption (a.k.a. pre-shared key)

ISAKMP

Recommended Reading
• Comer, D. Internetworking with TCP/IP, Volume I: Principles, Protocols and Architecture. Prentice Hall, 1995
• Stevens, W. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley, 1994
