IP security over ATM
CS 329 Computer and Communications Security, The George Washington University
Hwajung Lee

Survey on ATM, IP, and IPsec

Why ATM?
- High capacity
- Scalability of link bandwidth and switch capacity
- Ability to support multiservice traffic
- Costs: 1-Gbps router about $187,000; 5-Gbps ATM switch about $41,000

ATM

AAL in ATM
- Connection oriented
  - Constant bit rate, real time: AAL 1
  - Variable bit rate, real time: AAL 2
  - Variable bit rate: AAL 3/4*, AAL 5
- Connectionless
  - Variable bit rate: AAL 3/4*, AAL 5
- *: multiplexing, overhead

Threats to ATM networks (and the IPv6 mechanism that addresses each)
- Eavesdropping: equipment to tap a fiber optic cable costs under $2000. Addressed by IPv6 ESP (Encapsulating Security Payload)
- Spoofing. Addressed by IPv6 AH (Authentication Header)
- Denial of service: a fake connection release signal. Addressed by IPv6 ESP

Threats to ATM networks (cont.)
- Stealing of VCs (Virtual Channels): A and B alter the VPI/VCI entries in the switching table back and forth to obtain a different QoS
- Traffic analysis: encryption doesn't affect the cell header, and an attacker can encode signalling data
[Figure: User 1, User 2, Switch A, Switch B, VCI/VPI]

Why IP?
- No less capable of supporting real-time and multimedia applications than ATM
- IP multicast for multimedia conferencing applications

IP Security
- Reference: draft-ietf-ipsec-arch-sec-07.txt (IETF Internet Draft, RFC)

IP Security: two modes for AH and ESP
- Transport mode: provides protection primarily for upper-layer protocols
- Tunnel mode: the protocols are applied to tunneled IP packets

IP Security: basic components
- AH (Authentication Header)
  - Data origin authentication, connectionless integrity
  - Access control
  - Optional anti-replay service (partial sequence integrity) to help counter denial of service
  - No confidentiality
  - Authentication for selected portions of the IP header

IP Security: SA (Security Association)
- A simplex connection that affords security services to the traffic carried by it
- Security services are afforded to an SA by the use of AH or ESP, but not both
- Identified by the triple: SPI (Security Parameter Index), IP destination address, and a security protocol (AH or ESP) identifier

IP Security: two types of SAs
- Transport mode SA: a security association between two hosts
  - ESP: protects only the higher-layer protocol, not the IP header
  - AH: protection includes the IP header
- Tunnel mode SA
  - SA between two security gateways (MUST)
  - SA between a host and a security gateway (MUST)
  - Solves the fragmentation and reassembly problem

Applicable IPv6 Functions
- Goal of IPv6: a fast, flexible protocol with plenty of address space
- IP over AAL 5 (ATM Adaptation Layer 5)

Applicable IPv6 Functions: where IPsec may be implemented
- Integration of IPsec into the native IP implementation
- Bump-in-the-stack (BITS): underneath the IP implementation, usually in a host
- Bump-in-the-wire (BITW): an outboard crypto processor, in either a host or a gateway (or both)

Applicable IPv6 Functions: Header
[Figure: IPv6 header layout]

Applicable IPv6 Functions: Header
- Version: 6 = IPv6, 4 = IPv4
- Priority
  - 0 ... 7: traffic capable of slowing down under congestion
  - 8 ... 15: real-time traffic
  - Suggested standard values: 1 (News), 4 (FTP), 6 (Telnet)

Applicable IPv6 Functions: Header
- Flow label: allows a source and destination to set up a pseudoconnection with particular properties and requirements; a flow is identified by (flow number, source address, destination address)
- Payload length: excludes the 40-byte header (cf. IPv4: Total length, which includes the header)

Applicable IPv6 Functions: Header
- Next header: which of the six extension headers, if any, follows this IP header. If this header is the last IP header, the Next header field tells which transport protocol handler (e.g., TCP, UDP) to pass the packet to
- Hop limit (cf. IPv4: Time to live)

Applicable IPv6 Functions: Header
- Source address, destination address: 16 bytes each
  - For IPv4: 80 zeros + the IPv4 address
  - Notation: 8000:0000:0000:0000:0123:4567:89AB:CDEF is written 8000::123:4567:89AB:CDEF
  - For IPv4: ::192:31:20:46
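The fixed-header fields and address notation on the preceding slides, as an added example that is not part of the original slides: a packer and a validating parser for the 40-byte header, plus the zero-run compression the slide illustrates. It assumes the RFC 2460 layout (the slides' 4-bit Priority field was widened to an 8-bit Traffic Class, shrinking the flow label to 20 bits); field values in the comments are constructed.

```python
import struct

IPV6_HEADER_LEN = 40   # fixed header; the Payload length field excludes it


def compress_ipv6(addr: bytes) -> str:
    """Render 16 address bytes in the slide's notation: leading zeros dropped from
    each group, longest run of two or more zero groups replaced by '::'."""
    groups = [f"{g:X}" for g in struct.unpack("!8H", addr)]
    best_start, best_len, i = -1, 1, 0
    while i < 8:                                  # scan for the longest "0" run
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1
    if best_start < 0:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return f"{head}::{tail}"


def build_ipv6_header(src: bytes, dst: bytes, payload_len: int, next_header: int,
                      hop_limit: int = 64, traffic_class: int = 0,
                      flow_label: int = 0) -> bytes:
    """Pack the 40-byte fixed header (RFC 2460 layout: 4-bit version,
    8-bit traffic class, 20-bit flow label)."""
    first = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", first, payload_len, next_header, hop_limit) + src + dst


def parse_ipv6_header(pkt: bytes) -> dict:
    """Decode the fixed header, refusing truncated or non-IPv6 input."""
    if len(pkt) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError(f"not IPv6 (version={first >> 28})")
    if len(pkt) - IPV6_HEADER_LEN < payload_len:
        raise ValueError("Payload length exceeds the bytes actually present")
    return {
        "traffic_class": (first >> 20) & 0xFF,    # the slides' 4-bit Priority, widened to 8 bits
        "flow_label": first & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,               # 6 = TCP, 17 = UDP, 51 = AH, 50 = ESP
        "hop_limit": hop_limit,
        "src": compress_ipv6(pkt[8:24]),
        "dst": compress_ipv6(pkt[24:40]),
    }
```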

Applicable IPv6 Functions: Extension Header
- Six kinds of extension header
- Must appear directly after the fixed header

Applicable IPv6 Functions: Extension Header (cont.)
- Preferably in the order listed

Applicable IPv6 Functions: Extension Header
- Hop-by-hop header: support of jumbograms (datagrams exceeding 64K)

Applicable IPv6 Functions: Extension Header
- Routing header: lists one or more routers that must be visited on the way to the destination
  - Strict routing
  - Loose routing

Applicable IPv6 Functions: Extension Header
- Fragment header: datagram identifier, fragment number, and a bit telling whether more fragments will follow
  - IPv6: only the source host can fragment a packet (cf. IPv4)

Applicable IPv6 Functions: Extension Header
- Destination options header: fields that need only be interpreted at the destination host. Not used yet

Applicable IPv6 Functions: Extension Header
- Authentication Header (AH)
  - Data origin authentication, connectionless integrity
  - Optional anti-replay service (partial sequence integrity) to help counter denial of service
  - No confidentiality

Applicable IPv6 Functions: Extension Header
- Authentication Header (AH)
[Figure: AH format]

Applicable IPv6 Functions: Extension Header
- Authentication Header, to send:
  - Construct a packet (IP header + payload)
  - Pad out the packet with zeros to a multiple of 16 bytes
  - Compute the cryptographic checksum (default: MD5)

Applicable IPv6 Functions: Extension Header
- ESP (Encapsulating Security Payload)
  - Confidentiality (encryption)*
  - Data origin authentication, weaker than that of AH because it does not cover the outer IPsec header
  - Connectionless integrity
  - An anti-replay service

Applicable IPv6 Functions: Extension Header
- ESP (Encapsulating Security Payload)
  - ESP payload padding: hides the size of the packets
  - Encryption algorithm: DES (default)
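The ESP payload padding from this slide, as an added example that is not part of the original slides: the sender pads the payload to the cipher block size (8 bytes, matching the slide's DES default) and may add whole extra blocks so the ciphertext length no longer reveals the payload length; the receiver validates the trailer before trusting the pad length. Encryption itself is left out, and the random extra-padding policy is constructed, not from the slides.

```python
import os


def esp_pad(payload: bytes, next_header: int, block_size: int = 8,
            extra_blocks: int = 0) -> bytes:
    """Append ESP padding and the 2-byte trailer (Pad Length, Next Header).
    The result is a multiple of block_size; extra_blocks adds whole blocks of
    padding so that the encrypted length hides the true payload length."""
    pad_len = (-(len(payload) + 2)) % block_size + extra_blocks * block_size
    if pad_len > 255:
        raise ValueError("ESP padding is limited to 255 bytes")
    padding = bytes(range(1, pad_len + 1))   # default padding bytes 1, 2, 3, ...
    return payload + padding + bytes([pad_len, next_header])


def esp_pad_hidden(payload: bytes, next_header: int, block_size: int = 8,
                   max_extra_blocks: int = 4) -> bytes:
    """Sender side: pick the extra padding at random (constructed policy)."""
    extra = int.from_bytes(os.urandom(1), "big") % (max_extra_blocks + 1)
    return esp_pad(payload, next_header, block_size, extra)


def esp_unpad(plain: bytes, block_size: int = 8) -> tuple[bytes, int]:
    """Receiver side after decryption: validate the trailer before using it,
    so a corrupt Pad Length cannot make the slicing read outside the buffer."""
    if len(plain) < 2 or len(plain) % block_size:
        raise ValueError("decrypted ESP payload has an invalid length")
    pad_len, next_header = plain[-2], plain[-1]
    if pad_len > len(plain) - 2:
        raise ValueError("Pad Length larger than the payload")
    body_end = len(plain) - 2 - pad_len
    if plain[body_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not match the expected pattern")
    return plain[:body_end], next_header
```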

IP Security over ATM

IPv6 over ATM: IPv6 packet encapsulation
- PVC (Permanent Virtual Circuit) environment
  - Default: LLC encapsulation (RFC 1483)

IPv6 over ATM: IPv6 packet encapsulation (cont.)
- PVC environment (cont.)
  - Optional null encapsulation: the IPv6 packet is passed directly to the AAL5 layer; both ends of the PVC must be configured to use null encapsulation

IPv6 over ATM: IPv6 packet encapsulation (cont.)
- SVC (Switched Virtual Circuit) environment
  - Default: LLC encapsulation

IPv6 over ATM: IPv6 packet encapsulation (cont.)
- SVC environment (cont.): unicast packet encapsulation
[Figure: unicast packet encapsulation]

IPv6 over ATM: IPv6 packet encapsulation (cont.)
- SVC environment (cont.): multicast packet encapsulation
[Figure: multicast packet encapsulation]

IPv6 over ATM: IPv6 packet encapsulation (cont.)
- SVC environment (cont.)
  - Optional null encapsulation: the IPv6 packet is passed directly to the AAL5 layer; both ends of the SVC must be configured to use null encapsulation

IPv6 over ATM: MTU (Maximum Transmission Unit) size
- 9180 octets (default), RFC 1626
- Other values may be used

IPv6 over ATM: Neighbor Discovery Protocol
- Must not discard a Neighbor Solicitation or Neighbor Advertisement message that lacks a link-layer address option or that carries one in an unknown format

Conclusions
- Despite the fundamental difference between ATM (connection-oriented service) and IP (connectionless service), IPv6 can be used for ATM security without modifying basic IPv6 concepts
- AAL 5 plays a crucial role in that connection

Thank you.