Slide 1: Protocol/IPSec: Securing Routing/Signaling Protocols w/ IPSec
David Ward
© 2002, Cisco Systems, Inc. All rights reserved.

Slide 2: Overview
- Problem space
- Protocol/IPSec interactions
- Other efforts
- Future
NOTE: this is a non-charter presentation

Slide 3: What are the problems?
- Protect the router as host: see rsec, ips, ipsec, msec, etc.
- Protect the router infrastructure: peer ID, passwords, socket, DoS
- Protect the protocol session data: encryption
- Protect the association of data to peer: see SBGP, SOBGP
- Create a secure VPN (IPSec tunnels) but actually provide dynamic routing

Slide 4: How to secure w/ IPSec?
- Protect the router: peer ID, passwords, socket, DoS
- Protect the peering session data: encryption
- Summarize routing in a secure VPN: Touch/Knight

Slide 5: Difference in Modes (diagram, from Paul Knight)
Original packet:  [IP Header][Data]
Transport mode:   [Original IP Header][IPSec ESP Header][Data]   (Data optionally encrypted)
Tunnel mode:      [New IP Header (outer)][IPSec ESP Header][Original IP Header (inner)][Data]   (inner header and Data optionally encrypted)

Slide 6: What is a Security Association (SA)?
- All the information needed to establish secure (IPSec) communication:
  – Selection of the security mechanisms: ESP (Encapsulating Security Payload) or AH (Authentication Header) protection
  – Ciphering algorithm
  – Hash function
  – Choice of authentication method
- Authentication of the two parties
- Choice of the ciphering and authentication keys

Slide 7: What is the SAD?
Security Association Database: all active security associations.
- Identifier:
  – Outer destination IP address
  – Security protocol
  – SPI (Security Parameter Index)
- Parameters:
  – Authentication algorithm and keys
  – Encryption algorithm and keys
  – Lifetime
  – Security protocol mode (tunnel or transport)
  – Anti-replay service
  – Link with an associated policy in the SPD

Slide 8: What is the SPD?
Security Policy Database: applies to every packet. Each policy entry includes:
- Selectors:
  – Destination IP address
  – Source IP address
  – Name
  – Transport-layer protocol (protocol number)
  – Source and destination ports
- The policy: discard the packet, bypass, or process with IPSec. For IPSec processing:
  – Security protocol and mode
  – Enabled services (anti-replay, authentication, encryption)
  – Algorithms (for authentication and/or encryption)
- Link to an active SA in the SAD (if it exists)
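The SPD and SAD described on slides 7 and 8 are easier to reason about as code. The following is an added example, not part of the presentation or any vendor implementation: an SPD of ordered policy entries with selectors, a SAD keyed by (outer destination, security protocol, SPI), the link from a "protect" policy to its SA, and the anti-replay service as a sliding window. All addresses, SPIs, ports and sequence numbers are constructed; the default action when no policy matches is "discard", as a real implementation must never leak traffic that has no policy.

```python
"""Added example (not from the presentation): a small model of the SPD/SAD
lookup described on the slides; all addresses, SPIs, ports and the sequence
numbers are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ESP, AH = 50, 51   # IP protocol numbers of the two IPsec security protocols


@dataclass
class Selector:
    """SPD selector: dst/src prefix ("any" = wildcard), protocol and ports (None = wildcard)."""
    dst: str
    src: str
    proto: Optional[int] = None
    dport: Optional[int] = None
    sport: Optional[int] = None

    @staticmethod
    def _in(prefix, addr):
        return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

    def matches(self, pkt):
        return (self._in(self.dst, pkt["dst"]) and self._in(self.src, pkt["src"])
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport"))
                and self.sport in (None, pkt.get("sport")))


@dataclass
class SecurityAssociation:
    """SAD entry, identified by (outer destination, security protocol, SPI)."""
    outer_dst: str
    protocol: int
    spi: int
    mode: str                       # "transport" or "tunnel"
    auth_alg: str
    enc_alg: str
    lifetime_s: int
    replay_window: int = 64
    highest_seq: int = 0
    seen: set = field(default_factory=set)

    def key(self):
        return (self.outer_dst, self.protocol, self.spi)

    def accept_seq(self, seq):
        """Anti-replay service: reject duplicates and anything behind the sliding window."""
        if seq in self.seen or seq <= self.highest_seq - self.replay_window:
            return False
        self.seen.add(seq)
        self.highest_seq = max(self.highest_seq, seq)
        return True


@dataclass
class Policy:
    """SPD entry: selector, action, and for "protect" the required protocol/mode/
    algorithms plus a link to the active SA in the SAD (if one exists)."""
    selector: Selector
    action: str                     # "discard", "bypass" or "protect"
    protocol: int = ESP
    mode: str = "transport"
    auth_alg: str = "hmac-sha1-96"
    enc_alg: str = "null"
    sa_key: Optional[tuple] = None


class PolicyEngine:
    def __init__(self):
        self.spd = []   # ordered list of Policy; first match wins
        self.sad = {}   # (outer_dst, protocol, spi) -> SecurityAssociation

    def add_sa(self, sa):
        self.sad[sa.key()] = sa

    def lookup(self, pkt):
        """Return (action, sa): sa is the SAD entry for "protect", or the string
        "needs-SA" when the policy exists but no SA has been negotiated yet."""
        for pol in self.spd:
            if pol.selector.matches(pkt):
                if pol.action != "protect":
                    return pol.action, None
                sa = self.sad.get(pol.sa_key)
                return "protect", sa if sa is not None else "needs-SA"
        return "discard", None      # nothing matched: drop rather than leak


def demo():
    eng = PolicyEngine()
    bgp_sa = SecurityAssociation("192.0.2.2", ESP, 0x1001, "transport",
                                 "hmac-sha1-96", "null", lifetime_s=3600)
    eng.add_sa(bgp_sa)
    eng.spd = [
        Policy(Selector("192.0.2.2/32", "192.0.2.1/32", proto=6, dport=179),
               "protect", sa_key=bgp_sa.key()),          # BGP session, SA present
        Policy(Selector("192.0.2.2/32", "192.0.2.1/32", proto=89), "protect"),  # OSPF, no SA yet
        Policy(Selector("any", "198.51.100.0/24"), "discard"),                 # untrusted prefix
        Policy(Selector("any", "any"), "bypass"),                               # everything else in the clear
    ]
    peer = {"src": "192.0.2.1", "dst": "192.0.2.2"}
    action, sa = eng.lookup({**peer, "proto": 6, "dport": 179})
    return {
        "bgp": action, "bgp_spi": sa.spi,
        "ospf": eng.lookup({**peer, "proto": 89})[1],
        "untrusted": eng.lookup({"src": "198.51.100.7", "dst": "192.0.2.2", "proto": 1})[0],
        "icmp": eng.lookup({**peer, "proto": 1})[0],
        "replay": [bgp_sa.accept_seq(s) for s in (1, 2, 2, 100, 30, 50)],
    }
```

Note the "needs-SA" result for the OSPF entry: the policy exists but the SA has not been negotiated, which is exactly the point at which a real stack would trigger IKE (or, with manual keying, simply drop the packet). The replay list shows a duplicate (second 2) and a sequence number that fell behind the 64-entry window (30 after 100) being rejected.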

Slide 9: What aspects of IPSec from ips work?
- Protocol security implementations MUST support transport mode ESP with NULL encryption and HMAC-SHA1 authentication.
- Transport mode MUST be supported between routers acting as hosts.
- IKE MAY be supported.
- Tunnel mode MAY be supported when an IPSec gateway is introduced in between routers.
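The mandatory-to-implement transform on this slide, transport-mode ESP with NULL encryption and HMAC-SHA1, is cheap to show concretely. The following is an added example, not code from the presentation: it frames a payload as an ESP packet (SPI, sequence number, payload, self-describing padding, pad length, next header) and appends the ICV as HMAC-SHA1 truncated to 96 bits, the standard HMAC-SHA1-96 transform. In transport mode this packet would follow the original IP header with protocol number 50. The key and the payload are constructed; a BGP segment is used only as the illustrative next-header value.

```python
"""Added example (not from the presentation): ESP with NULL encryption and
HMAC-SHA1-96, the transform the slide says MUST be supported.  Key and payload
are constructed."""
import hashlib
import hmac
import struct

ICV_LEN = 12          # HMAC-SHA1-96: first 96 bits of the 160-bit HMAC-SHA1 output
TCP = 6               # next-header value when the protected payload is a TCP segment
KEY = b"constructed-key-do-not-reuse"     # constructed authentication key
SAMPLE_PAYLOAD = b"BGP KEEPALIVE (constructed)"


def esp_null_encapsulate(spi, seq, payload, next_header, key):
    """Build an ESP packet: SPI | seq | payload | padding | pad len | next hdr | ICV.
    With NULL encryption nothing is hidden; the ICV covers everything before it,
    so the SPI and sequence number are integrity-protected too."""
    pad_len = (-(len(payload) + 2)) % 4            # payload+pad+2 ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # ESP default self-describing padding
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_null_decapsulate(packet, key):
    """Verify the ICV and unframe.  Returns (spi, seq, next_header, payload),
    or None if the packet is malformed or fails authentication."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):     # constant-time compare
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10 or body[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return None                                # padding must be self-describing
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def demo():
    """Round-trip a packet, then show that a flipped payload byte or a wrong key
    is rejected at the receiver."""
    pkt = esp_null_encapsulate(0x1001, 7, SAMPLE_PAYLOAD, TCP, KEY)
    tampered = bytearray(pkt)
    tampered[12] ^= 0x01                           # flip one bit inside the payload
    return {
        "length": len(pkt),
        "roundtrip": esp_null_decapsulate(pkt, KEY),
        "tampered": esp_null_decapsulate(bytes(tampered), KEY),
        "wrong_key": esp_null_decapsulate(pkt, b"another-constructed-key"),
    }
```

The padding rule is why the 27-byte sample payload produces a 52-byte ESP packet: 8 bytes of header, 27 of payload, 3 of padding, 2 trailer bytes and a 12-byte ICV. Because the sequence number is under the ICV, a receiver combining this with the anti-replay window from the SAD can reject both modified and replayed packets.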

Slide 10: What aspects of IPSec (cont'd 2)?
- Fragmentation issues solved with MTU discovery
- Connections behind a firewall or NAT-like device covered with IPSec extensions
- Machine and user (if ever used) covered by IPSec
- Pre-shared keys for auto-config (if ever used) covered by IPSec
- Brief description of transport vs. tunnel mode: use transport mode when not running a secure VPN overlay

Slide 11: What recommended transforms from ips?
- AES-CBC SHOULD be supported; solves key exhaustion issues
- 3DES MAY be supported; perhaps rekeying issues, doubtful if any real problem
- Deployment issue: which transform to actually use
- Note that current protocol drafts don't follow these recommendations

Slide 12: What is affected in protocols?
- Not really a protocol extension
- Doesn't affect OPEN, UPDATES, CAPABILITY NEGOTIATION, GRACEFUL RESTART, CLOSE, NOTIFICATION, etc.
- Have to clean up some protocol specifications:
  – Not discussed in OSPFv2; needs cleanup in OSPFv3
  – Not discussed in RIP; needs cleanup in RIPng
  – Not discussed in IS-IS
  – Not discussed in BGP
  – RSVP needs more work: draft-tschofenig-rsvp-sec-properties-00.txt
  – LDP: not defined, MD5 only (cut 'n' paste from BGP); not a big deal to use IPSec

Slide 13: Summarize routing in secure VPNs (tunnel mode)
What is the problem?
- The IPsec Security Associations have selectors that determine the traffic they allow, like static routes.
- SPD and SAD lookups do the "routing".
- SA setup is orders of magnitude slower than a routing change, so dynamically changing SAs due to routing updates doesn't scale.

Slide 14: Summarize routing in secure VPNs 0.2 (tunnel mode)
What is the solution?
- (1) Use a "wild card" selector in tunnel SAs (allow all traffic), OR
- (2) Use encapsulation to make the traffic fit the "static route", by setting the destination address in the encapsulated traffic
- Either way you are "pushing" traffic into the VPN
What are the relevant drafts?
- draft-touch-ipsec-vpn-04.txt
- draft-wang-cevpn-routing-00.txt
- draft-knight-ppvpn-ipsec-dynroute-01.txt
[Diagram: encapsulated packet [Tunnel Header][Original IP Header][Data]; with IPSec: [Tunnel Header][IPSec ESP Header][Original IP Header][Data], inner header and Data optionally encrypted]
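Slides 13 and 14 make a scaling argument: tunnel-SA selectors act like static routes, so every routing update that lands outside the current selectors would need a new (slow) SA negotiation. The following is an added example, not code from the presentation or from the cited drafts: it counts the SA negotiations a series of route updates would force under per-prefix selectors versus a wildcard selector (solution 1), and then shows solution 2, where the RIB picks the remote gateway and encapsulation sets the outer destination to that gateway, so the SA selector is the fixed gateway-to-gateway pair and a route change never touches the SAD. Gateway addresses, prefixes and SPIs are constructed.

```python
"""Added example (not from the presentation): why tunnel-SA selectors behave
like static routes, and how the two solutions on the slide avoid renegotiating
SAs on routing changes.  Gateways, prefixes and SPIs are constructed."""
import ipaddress

LOCAL_GW = "203.0.113.1"        # constructed: this router's tunnel endpoint


def sa_negotiations_needed(route_updates, existing_selectors):
    """Count route updates that fall outside every current SA selector.
    Each such update forces an IKE/SA setup, which is orders of magnitude
    slower than installing a route (the scaling problem on slide 13)."""
    covered = [ipaddress.ip_network(s) for s in existing_selectors]
    new_sas = 0
    for prefix in route_updates:
        net = ipaddress.ip_network(prefix)
        if not any(net.subnet_of(c) for c in covered):
            covered.append(net)     # a new SA with exactly this selector gets negotiated
            new_sas += 1
    return new_sas


def forward(pkt_dst, rib, tunnel_sas):
    """Solution (2): the RIB chooses the remote gateway, encapsulation sets the
    outer destination to that gateway, and the SA selector is the fixed
    (local_gw, remote_gw) pair.  Returns the outer header decision, or None
    when there is no route or no SA to that peer (drop rather than send clear)."""
    dst = ipaddress.ip_address(pkt_dst)
    matches = [n for n in rib if dst in ipaddress.ip_network(n)]
    if not matches:
        return None
    best = max(matches, key=lambda n: ipaddress.ip_network(n).prefixlen)  # longest prefix match
    remote_gw = rib[best]
    spi = tunnel_sas.get((LOCAL_GW, remote_gw))
    if spi is None:
        return None
    return {"outer_dst": remote_gw, "inner_dst": pkt_dst, "spi": spi}


def demo():
    updates = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/24", "10.3.1.0/24", "172.16.0.0/12"]
    narrow = sa_negotiations_needed(updates, ["10.1.0.0/16"])   # one SA per learned prefix
    wildcard = sa_negotiations_needed(updates, ["0.0.0.0/0"])    # solution (1): allow-all selector

    # solution (2): one gateway-to-gateway SA per peer, routing decides which peer
    tunnel_sas = {(LOCAL_GW, "203.0.113.2"): 0x2001, (LOCAL_GW, "203.0.113.3"): 0x2002}
    rib = {"10.1.0.0/16": "203.0.113.2", "0.0.0.0/0": "203.0.113.3"}
    before = forward("10.1.5.5", rib, tunnel_sas)
    rib["10.1.0.0/16"] = "203.0.113.3"     # routing update: prefix now reached via the other peer
    after = forward("10.1.5.5", rib, tunnel_sas)
    return {"narrow": narrow, "wildcard": wildcard,
            "before": before["spi"], "after": after["spi"]}
```

With per-prefix selectors four of the five updates need a fresh SA; with the wildcard selector none do, and with encapsulation the same packet simply switches from one existing gateway SA to the other when the route moves. The caveat the slide hints at ("pushing traffic into the VPN") is visible too: once the selector is allow-all, the SPD no longer limits what enters the tunnel, so that filtering has to live somewhere else.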

Slide 15: What will using IPSec do to the network?
- Increase the feeling of security; in some cases improve security
- Add config and ops complexity
- Add to convergence time
- Increase use of system resources (CPU, memory)
- Give a generic solution to the auth/crypto problem that is already widely implemented

Slide 16: What to do next?
- Really an ops/deployment doc and not a protocol extension
- Certainly Informational
- Could be in IPS (security policy); could be in rpsec
- Augment draft-bellovin-useipsec-00.txt (BGP as example)
- Suggest Informational for RPSec, generalized for routing/signaling protocols: common auth, cipher, SA, broadcast media handling, tunnel mode, etc. Right now we are all over the place.
- UNCLEAR: need a decision from the ADs and the RA directorate to agree to use IPsec for routing protocols
  – Enables cleanup of current specs without massive thrash
  – Enables a meta "IPsec for rpsec" doc instead of tracking individual specs, except where specifics are needed

Slide 17: What to do next?
- Leave the msec WG to do their thing
- Any protocol-specific changes should be in the proper WG (e.g. changes to IPsec for OSPFv3), but generalized, since the work doesn't require protocol changes, only spec clarification
- The auth algorithm, SA approach and ciphers are currently not following other specs
- Virtual links need addressing
- Not ready for primetime except BGP and LDP: IGPs have MD5, v6 is IPSec
- Leave signaling for NSIS
- Fold in Joe Touch's work, or push it all into 2401bis?
- Believe that routing stuff should be here, including routing in secure VPNs

Slide 18: END - Remain calm at all times
- Actually can deploy "authenticated" routing (for overlay VPNs and node to node) today; in some cases encrypted
- We still have a lot of work to do if this is the direction that the RADs want us to go
- Is the *immediate problem space* larger than EBGP?
- Implementation recommendations for DoS attacks due to IPSec deployments should be through another venue
- Enumerating the threats should be here
- For open source info on routing in secure VPNs and IPsec/IKE implementations:
This presentation represents the views and opinions of the author and does not necessarily reflect those of Cisco Systems.