Sheila Frankel Systems and Network Security Group, ITL

Slides:



Advertisements
Similar presentations
IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Advertisements

Internet Protocol Security (IP Sec)
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Implementing and Testing IPsec: NIST’s Contributions and Future Developments Sheila Frankel Systems and Network Security Group NIST
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
CSCE 715: Network Systems Security
Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)
IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.
IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.
IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.
Attacking IPsec VPNs Charles D George Jr. Overview Internet Protocol Security (IPSec) is a suite of protocols for authenticating and encrypting packets.
Chapter 8 IP Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
Cryptography and Network Security (CS435) Part Thirteen (IP Security)
IPSec  general IP Security mechanisms  provides  authentication  confidentiality  key management  Applications include Secure connectivity over.
IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
1 IPSec: An Overview Dr. Rocky K. C. Chang 4 February, 2002.
Network Layer Security Network Systems Security Mort Anvari.
8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,
11 SECURING NETWORK TRAFFIC WITH IPSEC Chapter 6.
Presentaion on ipsecurity Presentaion given by arun saraswat To lavkush sharma sir arun saraswat1.
第六章 IP 安全. Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
VPNs & IPsec Dr. X Slides adopted by Prof. William Enck, NCSU.
Module 4: Configuring Site to Site VPN with Pre-shared keys
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
IP Security - Chapter 6 of William Stallings. Network Security Essentials (2nd edition). Prentice Hall Slides by Henric Johnson Blekinge Institute.
Chapter 5 Network Security Protocols in Practice Part I
UNIT 7- IP Security 1.IP SEC 2.IP Security Architecture
IPSecurity.
Reviews Rocky K. C. Chang 20 April 2007.
CSE 4905 IPsec.
Chapter 16 – IP Security If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom.
Chapter 18 IP Security  IP Security (IPSec)
Somesh Jha University of Wisconsin
SECURING NETWORK TRAFFIC WITH IPSEC
Internet and Intranet Fundamentals
CSE 4905 IPsec II.
IT443 – Network Security Administration Instructor: Bo Sheng
UNIT.4 IP Security.
Agenda CCSDS Network Layer Security IPSec+IKE Profile for CCSDS
CSE565: Computer Security Lecture 23 IP Security
Cryptography and Network Security
No.9: IP Security Network Information Security 网络信息安全
Cryptography and Network Security
CSCE 815 Network Security Lecture 13
IP Security - Chapter 6 of William Stallings. Network Security Essentials (2nd edition). Prentice Hall Slides by Henric Johnson Blekinge Institute.
IP Security - Chapter 6 of William Stallings. Network Security Essentials (2nd edition). Prentice Hall Slides by Henric Johnson Blekinge Institute.
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
Slides have been taken from:
Network Security (contd.)
Virtual Private Networks (VPNs)
Virtual Private Networks (VPNs)
Virtual Private Network zswu
B. R. Chandavarkar CSE Dept., NITK Surathkal
Chapter 6 IP Security.
CSE 5/7349 – February 15th 2006 IPSec.
Cryptography and Network Security
Presentation transcript:

Sheila Frankel Systems and Network Security Group, ITL Crossing the Styx: Taming the Underworld Using Cerberus and PlutoPlus (ITL’s Contributions in the Area of Internet Security) Sheila Frankel Systems and Network Security Group, ITL

Unsolved Problems of the 1990s World Peace A Drinkable Diet Cola Secure Communications over an Insecure Network

Types of Security Protection Data Origin Authentication Connectionless Integrity Replay Protection Confidentiality (Encryption) Traffic Flow Confidentiality

At Which Network Layer Should Security Be Provided? Application Layer Transport (Sockets) Layer Internet Layer

Why Internet Layer Security? Implement once, in a consistent manner, for multiple applications Centrally-controlled access policy Enable multi-level, layered approach to security

Upper Protocol Headers Internet Packet Format IP Header Upper Protocol Headers and Packet Data

Authentication Header (AH) Data origin authentication Connectionless integrity Replay protection (optional) Transport or tunnel mode Mandatory algorithms: HMAC-MD5 HMAC-SHA1 Other algorithms optional

Upper Protocol Headers Internet Packet Format with AH IP Header AH Header Upper Protocol Headers and Packet Data Transport Mode New IP Header Old IP AH Upper Protocol Headers and Packet Data Tunnel Mode

Encapsulating Security Payload (ESP) Confidentiality Limited traffic flow confidentiality (tunnel mode only) Data origin authentication Connectionless integrity Replay protection (optional) Transport or tunnel mode

Encapsulating Security Payload (ESP) (cont’d) Mandatory algorithms: DES-CBC HMAC-MD5 HMAC-SHA1 Other algorithms optional

Upper Protocol Headers Upper Protocol Headers Internet Packet Format with ESP IP Header ESP Header Upper Protocol Headers and Packet Data Transport Mode New IP Header ESP Header Old IP Header Upper Protocol Headers and Packet Data Tunnel Mode

Transport vs. Tunnel Mode

Constructs Underlying IP Security Security Association (SA) Security Association Database (SAD) Security Parameter Index (SPI)

Internet Key Exchange (IKE) Negotiate: Communication Parameters Security Features Authenticate Communicating Peer Protect Identity Generate, Exchange, and Establish Keys in a Secure Manner Delete Security Associations

Internet Key Exchange (IKE) (cont’d) Threat Mitigation Denial of Service Replay Man in Middle Perfect Forward Secrecy Usable by Ipsec and other domains (e.g., private keys for VPNs)

Internet Key Exchange (IKE) (cont’d) Components: Internet Security Association and Key Management Protocol (ISAKMP) Internet Key Exchange (IKE, aka ISAKMP/Oakley) IP Security Domain of Interpretation (IPsec DOI)

IKE Negotiations - Phase 1 Purpose: Establish ISAKMP SA (“Secure Channel”) Steps (4-6 messages exchanged): Negotiate Security Parameters Diffie-Hellman Exchange Authenticate Identities Main Mode vs. Aggressive Mode

IKE Negotiations - Phase 2 Purpose: Establish IPsec SA Steps (3-5 messages exchanged): Negotiate Security Parameters Optional Diffie-Hellman Exchange Final Verification Quick Mode

Internet Protocol (IP) Transport Protocols (TCP/UDP) IKE Network Placement Application Process DOI Definition Application Protocol IKE Socket Layer Protocol Internet Protocol (IP) Transport Protocols (TCP/UDP) Link Layer Protocol Security Protocol (IPsec)

IKE Peer Negotiation Application Space Application Space Kernel Space 5 1 IKE Application Space IKE Application Space Kernel Space 4 2 4 Kernel Space 3 3 IPSEC IPSEC 5 Physical Network

Current Status of IPsec Most documents in Internet-Draft last call, headed for RFC status IPsec Working Group disbanded IPsecond Working Group starting up Multiple implementations (Sun, IBM, Microsoft, DEC, Cisco, Telebit, others) deployed, in beta test, or under development

Current Status of Ipsec (cont’d) Periodic interoperability/conformance testing using reference implementations Auto Industry eXchange (ANX) pushing for early deployment PKI work underway in IETF, industry, government (NIST et. al.)

The IETF’s Direction in IP Security IETF has mandated use of IPsec and IKE wherever feasible Testing support needed for emerging implementations Need publicly-available sites that are willing to provide IPsec testing Requested at 38th IETF meeting

NIST’s Contributions to IPsec Cerberus - Linux-based reference implementation of Ipsec (http://snad.ncsl.nist.gov/cerberus) PlutoPlus - Linux-based reference implementation of IKE IPsec-WIT - Web-based IPsec interoperability test facility (http://ipsec-wit.antd.nist.gov)

NIST’s Contributions to IPsec (cont’d) Goals: Enable smaller industry vendors to jump-start their entry into IPsec Facilitate ongoing interoperability testing of multiple IPsec implementations

IPsec - Missing Pieces Policy specification and control Communication with CAs

IPsec Internet Drafts - Basic Documents IP Security Document Roadmap (draft-ietf-ipsec-doc-roadmap-02.txt) Security Architecture for the Internet Protocol (draft-ietf-ipsec-arch-sec-04.txt) IP Authentication Header (draft-ietf-ipsec-auth-header-05.txt) IP Encapsulating Security Payload (ESP) (draft-ietf-ipsec-esp-v2-04.txt)

IPsec Internet Drafts - Authentication Algorithms The Use of HMAC-MD5-96 within ESP and AH (draft-ietf-ipsec-auth-hmac-md5-96-03.txt) The Use of HMAC-SHA-1-96 within ESP and AH (draft-ietf-ipsec-auth-hmac-sha1-96-03.txt) The Use of HMAC-RIPEMD-160-96 within ESP and AH (draft-ietf-ipsec-auth-hmac-ripemd-160-96-01.txt)

IPsec Internet Drafts - Cryptographic Transforms The ESP ARCFOUR Algorithm (draft-ietf-ipsec-ciph-arcfour-00.txt) The ESP Blowfish-CBC Algorithm Using an Explicit IV (draft-ietf-ipsec-ciph-blowfish-cbc-00.txt) The ESP CAST128-CBC Algorithm (draft-ietf-ipsec-ciph-cast128-cbc-00.txt) The ESP CAST5-128-CBC Transform (draft-ietf-ipsec-ciph-cast-div-00.txt)

IPsec Internet Drafts - Cryptographic Transforms (cont’d) The ESP CBC-Mode Cipher Algorithms (draft-ietf-ipsec-ciph-cbc-02.txt) ESP with Cipher Block Chaining (CBC) (draft-ietf-ipsec-cbc-00.txt) The ESP DES-CBC Transform (draft-ietf-ipsec-ciph-des-derived-00.txt) The ESP DES-CBC Cipher Algorithm With Explicit IV (draft-ietf-ipsec-ciph-des-expiv-02.txt)

IPsec Internet Drafts - Cryptographic Transforms (cont’d) The ESP Triple DES Transform (draft-ietf-ipsec-ciph-des3-00.txt) The ESP 3DES-CBC Algorithm Using an Explicit IV (draft-ietf-ipsec-ciph-3des-expiv-00.txt) The ESP DES-XEX3-CBC Transform (draft-ietf-ipsec-ciph-desx-00.txt) The ESP IDEA-CBC Algorithm Using Explicit IV (draft-ietf-ipsec-ciph-idea-cbc-00.txt)

IPsec Internet Drafts - Cryptographic Transforms (cont’d) The ESP RC5-CBC Algorithm (draft-ietf-ipsec-ciph-rc5-cbc-00.txt) The NULL Encryption Algorithm and Its Use With Ipsec (draft-ietf-ipsec-ciph-null-00.txt)

IPsec Internet Drafts - Key Management Internet Security Association and Key Management Protocol (ISAKMP) (draft-ietf-ipsec-isakmp-09.txt, .ps) The OAKLEY Key Determination Protocol (draft-ietf-ipsec-oakley-02.txt) The Internet Key Exchange (IKE) (draft-ietf-ipsec-isakmp-oakley-07.txt)

IPsec Internet Drafts - Key Management (cont’d) The Internet IP Security Domain of Interpretation for ISAKMP (draft-ietf-ipsec-ipsec-doi-08.txt) Inline Keying within the ISAKMP Framework (draft-ietf-ipsec-inline-isakmp-01.txt)

IPsec Internet Drafts - Additional Key Management Modes Extended Authentication Within ISAKMP/Oakley (draft-ietf-ipsec-isakmp-xauth-01.txt) A GSS-API Authentication Mode for ISAKMP/Oakley (draft-ietf-ipsec-isakmp-gss-auth-00.txt) The ISAKMP Configuration Method (draft-ietf-ipsec-isakmp-mode-cfg-02.txt)

IPsec Internet Drafts - Additional Key Mgmt Modes (cont’d) A revised encryption mode for ISAKMP/Oakley (draft-ietf-ipsec-revised-enc-mode-01.txt) Revised SA negotiation mode for ISAKMP/Oakley (draft-ietf-ipsec-isakmp-SA-revised-00.txt)

IPsec Internet Drafts - Additional Documents Implementation of Virtual Private Network (VPNs) with IP Security (draft-moskowitz-ipsec-vpn-00.txt) Dynamic remote host configuration over IPSEC using DHCP (draft-ietf-ipsec-dhcp-00.txt) IPSec Policy Data Model (draft-ietf-ipsec-policy-model-00.txt)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.