Security at the Network Layer: IPSec

Slides:



Advertisements
Similar presentations
IPSec.
Advertisements

Internet Security CSCE 813 IPsec
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Henric Johnson1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Network Layer Security: IPSec
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 5 Network Security Protocols in Practice Part I
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
1 IPsec Youngjip Kim Objective Providing interoperable, high quality, cryptographically-based security for IPv4 and IPv6 Services  Access.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
Internet Security CSCE 813 IPsec. CSCE Farkas2 Reading Today: – Oppliger: IPSec: Chapter 14 – Stalllings: Network Security Essentials, 3 rd edition,
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.
What Is Needed to Build a VPN? An existing network with servers and workstations Connection to the Internet VPN gateways (i.e., routers, PIX, ASA, VPN.
IPsec: IKE, Internet Key Exchange IPsec does not use Public Key Infrastructure and exchanging keys before an IPsec connection is established is a problem.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden Revised by Andrew.
An Introduction to Encrypting Messages on the Internet Mike Kaderly INFS 750 Summer 2010.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
IP Security Lawrence Taub IPSEC IP security — security built into the IP layer Provides host-to-host (or router-to-router) encryption and.
CSCE 715: Network Systems Security
Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
SMUCSE 5349/49 IP Sec. SMUCSE 5349/7349 Basics Network-level: all IP datagrams covered Mandatory for next-generation IP (v6), optional for current-generation.
Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)
/IPsecurity.ppt 1 - Chapter 6 of William Stallings. Network Security Essentials (2nd edition). Prentice Hall.
Karlstad University IP security Ge Zhang
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
IP Security.  In CERTs 2001 annual report it listed 52,000 security incidents  the most serious involving:  IP spoofing intruders creating packets.
IPSEC : KEY MANAGEMENT PRESENTATION BY: SNEHA A MITTAL(121427)
IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.
IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.
Attacking IPsec VPNs Charles D George Jr. Overview Internet Protocol Security (IPSec) is a suite of protocols for authenticating and encrypting packets.
IPSec VPN: How does it really work? Yasushi Kono (ComputerLinks Frankfurt)
1 Chapter 6 IP Security. 2 Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Chapter 8 IP Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
Cryptography and Network Security (CS435) Part Thirteen (IP Security)
IPSec  general IP Security mechanisms  provides  authentication  confidentiality  key management  Applications include Secure connectivity over.
IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
1 IPSec: An Overview Dr. Rocky K. C. Chang 4 February, 2002.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Network Layer Security Network Systems Security Mort Anvari.
8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter Twelve Network Security.
11 SECURING NETWORK TRAFFIC WITH IPSEC Chapter 6.
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
Chapter 5 Network Security Protocols in Practice Part I
Chapter 18 IP Security  IP Security (IPSec)
UNIT.4 IP Security.
VPNs and IPSec Review VPN concepts Encryption IPSec Lab.
Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls
Presentation transcript:

Security at the Network Layer: IPSec Chapter 18 Security at the Network Layer: IPSec Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Chapter 18 Objectives ❏ To define the architecture of IPSec ❏ To discuss the application of IPSec in transport and tunnel modes ❏ To discuss how IPSec can be used to provide only authentication ❏ To discuss how IPSec can be used to provide both confidentiality and authentication ❏ To define Security Association and explain how it is implemented for IPSec ❏ To define Internet Key Exchange and explain how it is used by IPSec.

Chapter 18 (Continued) Figure 18.1 TCP/IP Protocol Suite and IPSec

Topics discussed in this section: 18-1 TWO MODES IPSec operates in one of two different modes: transport mode or tunnel mode. Topics discussed in this section: 18.1.1 Transport Mode 18.1.2 Tunnel Mode 18.1.3 Comparison

coming from the transport layer. 18.1.1 Transport Mode In transport mode, IPSec protects what is delivered from the transport layer to the network layer. Note IPSec in transport mode does not protect the IP header; it only protects the information coming from the transport layer.

18.1.1 (Continued) Figure 18.2 IPSec in transport mode

18.1.1 (Continued) Figure 18.3 Transport mode in action

IPSec in tunnel mode protects the original IP header. In tunnel mode, IPSec protects the entire IP packet. It takes an IP packet, including the header, applies IPSec security methods to the entire packet, and then adds a new IP header. Note IPSec in tunnel mode protects the original IP header.

18.1.2 (Continued) Figure 18.4 IPSec in tunnel mode

18.1.2 (Continued) Figure 18.5 Tunnel mode in action

18.1.3 Comparison Figure 18.6 Transport mode versus tunnel mode

Topics discussed in this section: 18-2 TWO SECURITY PROTOCOL IPSec defines two protocols—the Authentication Header (AH) Protocol and the Encapsulating Security Payload (ESP) Protocol¾to provide authentication and/or encryption for packets at the IP level. Topics discussed in this section: 18.2.1 Authentication Header (AH) 18.2.2 Encapsulating Security Payload (ESP) 18.2.3 IPv4 and IPv6 18.2.4 AH versus ESP 18.2.5 Services Provided by IPSec

18.2.1 Authentication Header (AH) Note The AH protocol provides source authentication and data integrity, but not privacy.

18.2.1 (Continued) Figure 18.7 Authentication Header (AH) protocol

ESP provides source authentication, data integrity, and privacy. 18.2.2 Encapsulating Security Payload (ESP) Note ESP provides source authentication, data integrity, and privacy.

18.2.2 (Continued) Figure 18.8 ESP

18.2.3 IPv4 and IPv6 IPSec supports both IPv4 and IPv6. In IPv6, however, AH and ESP are part of the extension header.

18.2.4 AH versus ESP The ESP protocol was designed after the AH protocol was already in use. ESP does whatever AH does with additional functionality (privacy).

18.2.5 Services Provided by IPSec Table 18.1 IPSec services

18.2.5 (Continued) Figure 18.9 Replay window

Topics discussed in this section: 18-3 SECURITY ASSOCIATION Security Association is a very important aspect of IPSec. IPSec requires a logical relationship, called a Security Association (SA), between two hosts. This section first discusses the idea and then shows how it is used in IPSec. Topics discussed in this section: 18.3.1 Idea of Security Association 18.3.2 Security Association Database (SAD)

18.3.1 Idea of Security Association Figure 18.10 Simple SA

18.3.2 Security Association Database (SAD) Figure 18.11 SAD

18.3.2 (Continued) Table 18.2 Typical SA Parameters Parameters Description

Topics discussed in this section: 18-4 SECURITY POLICY Another import aspect of IPSec is the Security Policy (SP), which defines the type of security applied to a packet when it is to be sent or when it has arrived. Before using the SAD, discussed in the previous section, a host must determine the predefined policy for the packet. Topics discussed in this section: 18.4.1 Security Policy Database

18.4.1 (Continued) Figure 18.12 Connection identifiers

18.4.1 (Continued) Figure 18.13 Outbound processing

18.4.1 (Continued) Figure 18.14 Inbound processing

Topics discussed in this section: 18-5 INTERNET KEY EXCHANGE (IKE) The Internet Key Exchange (IKE) is a protocol designed to create both inbound and outbound Security Associations. Topics discussed in this section: 18.5.1 Improved Diffie-Hellman Key Exchange 18.5.2 IKE Phases 18.5.3 Phases and Modes 18.5.4. Phase I: Main Mode 18.5.5 Phase I: Aggressive Mode 18.5.6 Phase II: Quick Mode 18.5.7 SA Algorithms

IKE creates SAs for IPSec. 18.5 (Continued) Note IKE creates SAs for IPSec.

18.5 (Continued) Figure 18.15 IKE components

18.5.1 Improved Diffie-Hellman Figure 18.16 Diffie-Hellman key exchange

18.5.1 (Continued) Figure 18.17 Diffie-Hellman with cookies

18.5.1 Continued Note Note Note To protect against a clogging attack, IKE uses cookies. Note To protect against a replay attack, IKE uses nonces. Note To protect against man-in-the-middle attack, IKE requires that each party shows that it possesses a secret.

18.5.2 IKE Phases Note IKE is divided into two phases: phase I and phase II. Phase I creates SAs for phase II; phase II creates SAs for a data exchange protocol such as IPSec..

18.5.3 Phases and Modes Figure 18.18 IKE Phases

18.5.3 (Continued) Figure 18.19 Main-mode or aggressive-mode methods

18.5.4 Phase I: Main Mode Figure 18.20 Main mode, preshared secret-key method

18.5.4 (Continued) Figure 18.21 Main mode, original public-key method

18.5.4 (Continued) Figure 18.22 Main mode, revised public-key method

18.5.4 (Continued) Figure 18.23 Main mode, digital signature method

18.5.5 Phase I: Aggressive Mode Figure 18.24 Aggressive mode, preshared-key method

18.5.5 (Continued) Figure 18.25 Aggressive mode, original public-key method

18.5.5 (Continued) Figure 18.26 Aggressive mode, revised public-key method

18.5.5 (Continued) Figure 18.27 Aggressive mode, digital signature method

18.5.6 Phase II: Quick Mode Figure 18.28 Quick mode

18.5.7 SA Algorithms Table 18.3 Diffie-Hellman groups

18.5.7 Continued Table 18.4 Hash Algorithms

18.5.7 Continued Table 18.5 Encryption algorithms

Topics discussed in this section: 18-6 ISKAMP The ISAKMP protocol is designed to carry messages for the IKE exchange. Topics discussed in this section: 18.6.1 General Header 18.6.2 Payloads

18.6.1 General Header Figure 18.29 ISAKMP general header

18.6.2 Payloads Table 18.6 Payloads

18.6.2 (Continued) Figure 18.30 Generic payload header Figure 18.31 SA payload Figure 18.32 Proposal payload

18.6.2 (Continued) Figure 18.33 Transform payload

18.6.2 (Continued) Figure 18.34 Key-exchange payload Figure 18.35 Identification payload Figure 18.36 Certification payload

18.6.2 Continued Table 18.7 Certification types

18.6.2 (Continued) Figure 18.37 Certification request payload Figure 18.38 Hash payload Figure 18.39 Signature payload

18.6.2 (Continued) Figure 18.40 Nonce payload Figure 18.41 Notification payload

18.6.2 Continued Table 18.8 Notification types

18.6.2 Continued Table 18.8 Notification types (Continued)

18.6.2 Continued Table 18.9 Status notification values

18.6.2 Continued Figure 18.42 Delete payload Figure 18.43 Vendor payload

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.