IP Security (IPSec)
Team 2, DCS 835, 6/21/01 (Rev 6/22/01)

Presentation transcript:

Slide 1 - IP Security (IPSec): Background
- The internet has no centralized technical support. What makes it work is an agreed-upon common set of protocols that allow different networks to communicate with one another. TCP/IP protocols developed de facto, although today TCP/IP is formally specified as a de jure standard by the Internet Engineering Task Force (IETF).

Slide 2 - IP Security (IPSec): Background (cont'd)
- The IETF is open to anyone. The membership requirement is participation in one of the more than 100 working groups. Each group has a working theme. IPSec protocols were developed by the Security working group.

Slide 3 - IP Security (IPSec): Background (cont'd)
- IPSec began as two security protocol proposals: Photuris and SKIP. When the proponents couldn't reach agreement, ISAKMP, a general-purpose syntax, was agreed to. At the same time a third, more complex protocol called Oakley was proposed. Finally, a document originally titled "ISAKMP/Oakley Resolution Document" evolved into what is now known as Internet Key Exchange (IKE), the key portion of IPSec.

Slide 4 - IP Security (IPSec): Technical Overview
- IPSec is a set of protocols devised by the IETF
- IPSec offers authentication and privacy services at the IP layer
- IPSec can be used with IPv4 and IPv6
- IPSec provides a flexible framework
- It is not a single protocol, but provides a set of security algorithms that work within the framework

Slide 5 - IP Security (IPSec): Technical Overview (cont'd)
- The two main pieces of IPSec are the data packet encodings (AH and ESP) and the key exchange portion (IKE).
- IPSec operates "on top of" layer 3 (IP) but "below" layer 4 (TCP or UDP), in that it encrypts each data packet independently of all others. If packets are lost or delayed, layer 4 (the layer that requests retransmission) sees only authenticated data.

Slide 6 - IP Security (IPSec): Required Security Algorithms
- IPSec defines a minimal set of algorithms that are mandatory.

Slide 7 - IP Security (IPSec) - Authentication: IPSec Authentication Header

IPv4 datagram with IPSec authentication header added:

  | IPv4 HEADER | AUTHENTICATION HEADER | TCP HEADER | TCP DATA |

- IPSec uses a separate authentication header
- The Protocol field in the IP header is set to 51
- The receiver gets the type of information carried in the datagram from the NEXT HEADER field in the authentication header

Slide 8 - IP Security (IPSec) - Authentication: IPSec Authentication Header (cont'd)

IPSec authentication header format:

  | NEXT HEADER | PAYLOAD LEN | RESERVED |
  | SECURITY PARAMETERS INDEX            |
  | SEQUENCE NUMBER                      |
  | AUTHENTICATION DATA (VARIABLE)       |

Slide 9 - IP Security (IPSec) - Authentication: IPSec Authentication Header (cont'd)
- PAYLOAD LEN specifies the length of the authentication header
- SEQUENCE NUMBER contains a unique sequence number for each packet sent
- SECURITY PARAMETERS INDEX specifies the security scheme used
- AUTHENTICATION DATA contains data for the selected security scheme

Slide 10 - IP Security (IPSec) - Authentication: IPSec security schemes can include:
- Authentication algorithm
- A key (or keys) used by the algorithm
- A lifetime for the key
- A lifetime for the algorithm
- A list of source addresses authorized to use the scheme

Slide 11 - IP Security (IPSec) - Authentication: IPSec Security Association
- To save header space, IPSec arranges to have each receiver collect all the details about a security scheme in an abstraction called a Security Association (SA).
- Each SA is given a security parameters index (a number that identifies it).
- The sender must know the SA of the receiver, and places the value in the security parameters index of each datagram.

Slide 12 - IP Security (IPSec) - Authentication: IPSec Security Association (cont'd)
- Index values are not global
- Each destination creates as many SAs as it needs and assigns an index to each
- The destination can assign a lifetime for each SA, and reuse the index after the SA expires
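The receiver-side behaviour of slides 11 and 12 (local SPI values, per-SA lifetimes, index reuse after expiry, one sequence number per packet) as an added example; this is not code from the slides or from any IPSec implementation. The SPI range, the algorithm name and the times used are assumptions for the example; the sequence check is a simplification of the real sliding-window test.

```python
import time

class SecurityAssociation:
    """Everything the receiver needs to check a datagram for one security scheme."""
    def __init__(self, spi, algorithm, key, lifetime_s, now):
        self.spi, self.algorithm, self.key = spi, algorithm, key
        self.expires_at = now + lifetime_s
        self.last_seq = 0          # highest SEQUENCE NUMBER accepted so far

class ReceiverSAD:
    """A receiver's Security Association Database. SPI values are local to this
    receiver: another host may hand out the same numbers for its own SAs."""
    FIRST_SPI = 256                # SPI values 0-255 are reserved (RFC 2402)

    def __init__(self):
        self._sad = {}

    def _expire(self, now):
        for spi in [s for s, sa in self._sad.items() if sa.expires_at <= now]:
            del self._sad[spi]

    def create_sa(self, algorithm, key, lifetime_s, now=None):
        """Allocate an SA and return its index; indexes of expired SAs are reused."""
        now = time.time() if now is None else now
        self._expire(now)
        spi = self.FIRST_SPI
        while spi in self._sad:    # lowest index not bound to a live SA
            spi += 1
        self._sad[spi] = SecurityAssociation(spi, algorithm, key, lifetime_s, now)
        return spi

    def lookup(self, spi, seq, now=None):
        """Resolve the SPI carried in a datagram; None means the datagram is dropped."""
        now = time.time() if now is None else now
        self._expire(now)
        sa = self._sad.get(spi)
        if sa is None or seq <= sa.last_seq:
            return None            # unknown/expired index, or a repeated (older) sequence number
        sa.last_seq = seq
        return sa
```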

Slide 13 - IP Security (IPSec) - Authentication: IPSec Mutable Header Fields
- IPSec is designed to ensure that the datagram that is sent is unchanged when it arrives. If the entire datagram were authenticated, this would be impossible, because each intermediate router decrements the time-to-live field and recomputes the checksum.
- IPSec calls header fields that are changed in transit mutable fields.
- Therefore IPSec only authenticates immutable fields.
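An added example (not from the slides or any IPSec implementation) of the AH layout on slides 7-9 and the mutable-field rule on slide 13: the ICV is computed over the IP header with its mutable fields zeroed, so a router decrementing the TTL and recomputing the checksum does not break verification. The key, addresses and SPI are constructed; HMAC-SHA1-96 is assumed as the authentication algorithm.

```python
import hashlib, hmac, struct

# Constructed for this example only: HMAC key and endpoint addresses.
KEY = b"\x11" * 16
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
AH_PROTO, TCP_PROTO = 51, 6   # IP Protocol field values

def ipv4_checksum(hdr):
    words = struct.unpack("!10H", hdr[:20])
    total = sum(words) - words[5]  # the checksum field itself is excluded
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(proto, ttl, total_len):
    # version/IHL, ToS, total len, ID, flags/frag, TTL, proto, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, SRC, DST)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def immutable_view(ip_hdr):
    """Zero the mutable IPv4 fields (ToS, flags/fragment offset, TTL, checksum)."""
    b = bytearray(ip_hdr)
    b[1] = b[8] = 0
    b[6:8] = b[10:12] = b"\x00\x00"
    return bytes(b)

def ah_icv(ip_hdr, ah_fixed, payload):
    # HMAC-SHA1-96 over immutable IP fields + AH (AUTHENTICATION DATA zeroed) + payload
    data = immutable_view(ip_hdr) + ah_fixed + b"\x00" * 12 + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def build_ah_packet(payload, spi, seq, ttl=64):
    # AH fixed part: NEXT HEADER, PAYLOAD LEN, RESERVED, SPI, SEQUENCE NUMBER.
    # PAYLOAD LEN is the AH length in 32-bit words minus 2: 24 bytes -> 6 - 2 = 4.
    ah_fixed = struct.pack("!BBHII", TCP_PROTO, 4, 0, spi, seq)
    ip_hdr = ipv4_header(AH_PROTO, ttl, 20 + 24 + len(payload))
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload

def verify_ah_packet(pkt):
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    if ip_hdr[9] != AH_PROTO:   # Protocol field must say AH (51)
        return False
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload))

def forward_hop(pkt):
    """What each router does in transit: decrement TTL, recompute the checksum."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]
```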

Slide 14 - IP Security (IPSec) - Privacy: IPSec Encapsulating Security Payload (ESP)

IPv4 datagram with IPSec ESP added:

  | IPv4 HEADER | ESP HEADER | TCP HEADER | TCP DATA | ESP TRAILER | ESP AUTH |
                             |<--------- Encrypted ------------->|
                |<-------------- Authenticated ---------------->|

- The Protocol field in the IP header is set to 50
- ESP uses many of the same features used in the authentication header, but rearranges the order

Slide 15 - IP Security (IPSec) - Privacy: IPSec Encapsulating Security Payload (ESP)

ESP header:

  | SECURITY PARAMETERS INDEX |
  | SEQUENCE NUMBER           |

ESP trailer:

  | 0 - 255 OCTETS OF PADDING | PAD LENGTH | NEXT HEADER |

  | ESP AUTHENTICATION DATA (VARIABLE)                   |

Slide 16 - IP Security (IPSec) - Privacy: IPSec Encapsulating Security Payload (ESP)
- Padding may be required because the NEXT HEADER field is right-justified within a 4-octet field. IPSec requires that the AUTH DATA be aligned to the start of a 4-octet boundary.

Slide 17 - IP Security (IPSec): Tunneling

IPSec tunneling mode with ESP added:

  | OUTER IP HEADER | ESP HEADER | INNER IP DATAGRAM (INCLUDING IP HEADER) | ESP TRAILER | ESP AUTH |
                                 |<-------------- Encrypted -------------------------->|
                    |<----------------------- Authenticated ------------------------>|

IPSec tunneling mode for authentication:

  | OUTER IP HEADER | AUTHENTICATION HEADER | INNER IP DATAGRAM (INCLUDING IP HEADER) |

- VPN uses encryption along with IP-in-IP tunneling to keep inter-site data transfers private.
- The IPSec standard explicitly defines the tunneled versions of the datagrams.
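An added example, not code from the slides, that frames an ESP packet as laid out on slides 14-17: header (SPI, sequence number), padding sized so PAD LENGTH and NEXT HEADER end on a 4-octet boundary, and the ICV covering header and body. NEXT HEADER distinguishes transport mode (6, a TCP segment) from tunnel mode (4, a whole inner IP datagram); the outer IP header with Protocol 50 is prepended separately. It assumes NULL encryption (RFC 2410) so the body is sent as-is, HMAC-SHA1-96 for the ICV, and a constructed key.

```python
import hashlib, hmac, struct

KEY = b"\x22" * 16          # constructed authentication key for this example
TCP, IP_IN_IP = 6, 4        # NEXT HEADER: transport mode (TCP) vs tunnel mode (IP-in-IP)

def esp_padding(payload_len, block_size=4):
    """Padding (0-255 octets) so that payload + padding + PAD LENGTH + NEXT HEADER is a
    multiple of block_size; with block_size >= 4 the trailer ends on a 4-octet boundary,
    which is where the AUTH DATA must start. A block cipher would pass its block size."""
    pad_len = (-(payload_len + 2)) % block_size
    return bytes(range(1, pad_len + 1))      # RFC 2406 default padding: 1, 2, 3, ...

def build_esp(payload, spi, seq, next_header, block_size=4):
    header = struct.pack("!II", spi, seq)    # ESP header: SPI, SEQUENCE NUMBER
    padding = esp_padding(len(payload), block_size)
    trailer = padding + struct.pack("!BB", len(padding), next_header)
    body = payload + trailer                 # NULL encryption (RFC 2410): sent as-is
    icv = hmac.new(KEY, header + body, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96
    return header + body + icv               # ICV covers header + body, not the IP header

def parse_esp(pkt):
    header, body, icv = pkt[:8], pkt[8:-12], pkt[-12:]
    if not hmac.compare_digest(icv, hmac.new(KEY, header + body, hashlib.sha1).digest()[:12]):
        raise ValueError("ESP authentication failed")
    spi, seq = struct.unpack("!II", header)
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]

def esp_verifies(pkt):
    try:
        parse_esp(pkt)
        return True
    except ValueError:
        return False
```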
