IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

Slides:



Advertisements
Similar presentations
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Advertisements

Internet Security CSCE 813 IPsec
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures Authentication.
Security at the Network Layer: IPSec
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Network Layer Security: IPSec
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 5 Network Security Protocols in Practice Part I
1 IP Security (IPSec) Thomas Lee Chief Technologist –QA
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
IPSec Access control Connectionless integrity
1 IPsec Youngjip Kim Objective Providing interoperable, high quality, cryptographically-based security for IPv4 and IPv6 Services  Access.
Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,
Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.
1 Chapter 8 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
IP Security: Security Across the Protocol Stack
Implementing Secure Converged Wide Area Networks (ISCW) Module 3.2.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
IP Security Lawrence Taub IPSEC IP security — security built into the IP layer Provides host-to-host (or router-to-router) encryption and.
Practical Aspects of Modern Cryptography Josh Benaloh & Brian LaMacchia.
Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
SMUCSE 5349/49 IP Sec. SMUCSE 5349/7349 Basics Network-level: all IP datagrams covered Mandatory for next-generation IP (v6), optional for current-generation.
Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 Module 3 City College of San.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 4: Securing IP.
Karlstad University IP security Ge Zhang
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.
Network Security7-1 Today r Reminder Ch7 HW due Wed r Finish Chapter 7 (Security) r Start Chapter 8 (Network Management)
IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.
IPSec VPN: How does it really work? Yasushi Kono (ComputerLinks Frankfurt)
1 CMPT 471 Networking II Authentication and Encryption © Janice Regan,
Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.
Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.
1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.
IPSec VPN Chapter 13 of Malik. 2 Outline Types of IPsec VPNs IKE (or Internet Key Exchange) protocol.
Authentication Header ● RFC 2402 ● Services – Connectionless integrity – Data origin authentication – Replay protection – As much header authentication.
Cryptography and Network Security (CS435) Part Thirteen (IP Security)
IPSec  general IP Security mechanisms  provides  authentication  confidentiality  key management  Applications include Secure connectivity over.
IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
IPSec The Wonder Protocol Anurag Vij Microsoft IT.
K. Salah1 Security Protocols in the Internet IPSec.
Security Data Transmission and Authentication Lesson 9.
8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,
@Yuan Xue CS 285 Network Security IP Security Yuan Xue Fall 2013.
11 SECURING NETWORK TRAFFIC WITH IPSEC Chapter 6.
VPNs & IPsec Dr. X Slides adopted by Prof. William Enck, NCSU.
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
Chapter 5 Network Security Protocols in Practice Part I
CSE 4905 IPsec.
IT443 – Network Security Administration Instructor: Bo Sheng
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
Virtual Private Networks (VPNs)
CSE 5/7349 – February 15th 2006 IPSec.
Presentation transcript:

IPSec In Depth

Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication is applied to data in the IPSec header as well as the data contained as payload

IPSec Encapsulating Security Payload (ESP) in Transport Mode Data TCP Hdr Orig IP Hdr Data TCP Hdr ESP Hdr Orig IP Hdr ESP Trailer ESP Auth Usually encrypted integrity hash coverage SecParamIndex Padding PaddingPadLengthNextHdr Seq# Keyed Hash bytes total InitVector ESP is IP protocol 50 Insert Append © 2000 Microsoft Corporation

IPSec ESP Tunnel ModeData TCP Hdr Orig IP Hdr ESP Auth Usually encrypted integrity hash coverage Data TCP Hdr ESP Hdr IP Hdr IP HdrIPHdr New IP header with source & destination IP address © 2000 Microsoft Corporation ESP Trailer

Authentication Header (AH) Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out If both ESP and AH are applied to a packet, AH follows ESP

IPSec Authentication Header (AH) in Transport Mode Data TCP Hdr Orig IP Hdr Data TCP Hdr AH Hdr Orig IP Hdr Next Hdr Payload Len RsrvSecParamIndex Keyed Hash Integrity hash coverage (except for mutable fields in IP hdr) Seq# 24 bytes total AH is IP protocol 51 Insert © 2000 Microsoft Corporation

IPSec AH Tunnel ModeData TCP Hdr Orig IP Hdr Integrity hash coverage (except for mutable new IP hdr fields) IP Hdr AH Hdr AH HdrData TCP Hdr Orig IP Hdr New IP header with source & destination IP address © 2000 Microsoft Corporation

Internet Key Exchange (IKE) Phase I –Establish a secure channel(ISAKMP SA) –Authenticate computer identity Phase II –Establishes a secure channel between computers intended for the transmission of data (IPSec SA)

Main Mode Main mode negotiates an ISAKMP SA which will be used to create IPSec Sas Three steps –SA negotiation –Diffie-Hellman and nonce exchange –Authentication

Main Mode (Kerberos) Initiator Responder Header, SA Proposals Header, Selected SA Proposal Header, D-H Key Exchange, Nonce i, Kerberos Token i Header, D-H Key Exchange, Nonce r, Kerberos Token r Header, Id i, Hash i Header, Id r, Hash r Encrypted

Main Mode (Certificate) Initiator Responder Header, D-H Key Exchange, Nonce i Header, Id i, Certificate i, Signature i, Certificate Request Header, D-H Key Exchange, Nonce r,Certificate Request Header, Id r, Certificate r, Signature r Encrypted Header, SA Proposals Header, Selected SA Proposal

Main Mode (Pre-shared Key) Initiator Responder Header, D-H Key Exchange, Nonce i Header, Id i, Hash i Header, D-H Key Exchange, Nonce r Header, Id r, Hash r Encrypted Header, SA Proposals Header, Selected SA Proposal

Quick Mode All traffic is encrypted using the ISAKMP Security Association Each quick mode negotiation results in two IPSec Security Associations (one inbound, one outbound)

Quick Mode Negotiation Header, Hash Header, Connected Notification Encrypted Initiator Responder Header, IPSec Selected SA Header, IPSec Proposed SA