IPsec. 18.1 Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.


IPsec

- 18.1 Introduction
- 18.2 Security associations
- 18.3 Internet Security Association and Key Management Protocol (ISAKMP)
- 18.4 Internet Key Exchange (IKE)
- 18.5 Encapsulated Security Payload (ESP)
- 18.6 Summary

18.1 Introduction

- Internet Protocol Security (IPsec) provides various security services at the IP layer, in IPv4 as well as IPv6, and thus offers protection to the protocols in the upper layers
- IPsec is typically used to secure communications between hosts and security gateways

- The set of security services that IPsec provides includes
  - access control
  - data integrity protection
  - data origin authentication
  - anti-replay protection
  - confidentiality
  - limited traffic flow confidentiality

- IPsec can operate in two modes
  - tunnel mode
    - typically used to tunnel IP traffic between two security gateways
    - IPsec protects the full IP datagram
  - transport mode
    - mainly used to provide security services for upper layer protocols
    - IPsec offers only limited protection to the IP header

- The components of the IPsec security architecture [RFC2401]
  1. Security protocols
     - Authentication Header (AH) [RFC2402]: extends protection to some parts of the IP header
     - Encapsulated Security Payload (ESP) [RFC2406]: provides no security services for the IP headers that precede the ESP header
  2. Security associations
     - definition of the Security Policy Database (SPD) and the Security Association Database (SAD), as well as the management and usage of security associations
  3. Key management
     - the distribution of cryptographic keys for use with the security protocols (namely, the Internet Key Exchange, or IKE [RFC2409])
  4. Algorithms used for encryption and authentication

18.2 Security associations

- Security protocols make use of security associations (SAs) when they provide security services
- SA
  - a relationship between two entities that defines how they are going to use security services to secure their communications
  - it includes information on the authentication and/or encryption algorithms, the cryptographic keys and key lengths, and the initialization vectors (IVs) shared between the entities
  - an SA is unidirectional
    - typically two SAs are needed for a bidirectional flow of traffic: one for inbound (read) traffic and one for outbound (write) traffic

- An SA is uniquely identified by the following three items
  - security parameter index (SPI)
  - destination IP address
  - security protocol (either AH or ESP)

- The management of SAs involves two databases
  - SPD (Security Policy Database)
    - contains the policies by which all inbound and outbound traffic is categorized on a host or a security gateway
    - a set of selectors (IP layer and upper layer, e.g., TCP and UDP, protocol field values) is used by the SPD to map traffic to a specific SA
  - SAD (Security Association Database)
    - a container for all active SAs and their related parameters

18.3 Internet Security Association and Key Management Protocol (ISAKMP)

- ISAKMP
  - used for negotiating, establishing, modifying, and deleting SAs and their related parameters
  - it defines the procedures and packet formats for peer authentication, creation and management of SAs, and techniques for key generation
  - it also includes mechanisms that mitigate certain threats (e.g., denial-of-service, or DoS, and anti-replay protection)

- ISAKMP
  - is an "abstract" protocol: it provides an IPsec framework for authentication and key management, and supports many actual key exchange protocols (e.g., IKE)
  - defines header and payload formats

- ISAKMP operates in two phases
  - phase 1: the peers establish an ISAKMP SA (namely, they authenticate each other and agree on the mechanisms used to secure further communications)
  - phase 2: this ISAKMP SA is used to negotiate further protocol SAs (e.g., an IPsec/ESP SA)

18.4 Internet Key Exchange (IKE)

- IKE
  - a key exchange protocol which, in conjunction with ISAKMP, negotiates authenticated keying material for SAs
  - can use two modes to establish a phase 1 ISAKMP SA
    - main mode: the identities of the negotiating entities are protected
    - aggressive mode: the identities are revealed to the outside world
  - both modes use the ephemeral Diffie-Hellman key exchange algorithm to generate keying material for the ISAKMP SA

18.5 Encapsulated Security Payload (ESP)

- ESP
  - used to provide security services in IPv4 and IPv6
  - can be used alone or in combination with AH
  - can provide either confidentiality (i.e., encryption) or integrity protection (i.e., authentication), or both
  - can operate in transport mode and in tunnel mode

- The ESP header is inserted into the IP datagram after the IP header and before any upper layer protocol headers in transport mode, or before an encapsulated IP datagram in tunnel mode
- Figure 18.1 illustrates the ESP packet format

- The fields in the ESP header
  - Sequence number
    - a monotonically increasing 32-bit counter used to protect against replay attacks
    - when an SA is established the sequence number is reset to zero
  - Payload data
    - a variable length field that typically contains the data payload, whose type is denoted by the next header field
    - it may also contain cryptographic synchronization data, such as an IV
  - Padding
    - used to fill the payload data up to the block size multiple required by a particular encryption algorithm, or to randomize the length of the payload in order to protect against traffic flow analysis
  - Pad length
    - an 8-bit field whose value indicates the length of the padding field in bytes
  - Next header
    - an 8-bit field whose value indicates the type of data contained in the payload data field
  - Authentication data
    - a variable length field containing an integrity check value (ICV), which is computed (using an authentication algorithm) over the rest of the ESP packet, to provide data integrity protection

- To process outbound traffic, a host or security gateway first uses a set of selectors in the SPD to determine the outbound SA to use
- It then follows a set of steps to process the outbound packet
  1. Either the entire original outbound IP datagram is encapsulated in an ESP payload field (tunnel mode), or just the original upper layer protocol information from the outbound IP datagram is encapsulated (transport mode)
  2. Appropriate padding is added to the payload data
  3. The result is encrypted using an encryption key and an algorithm
  4. The sequence number is incremented as appropriate
  5. If authentication is enabled, then the ICV is calculated
  6. Possible fragmentation of the IP datagram is performed

- On receiving an IP datagram, the recipient follows these steps to process the packet
  1. Possible reassembly of the IP datagram is performed
  2. Using the SPI, security protocol and destination IP address, the appropriate SA is looked up in the SAD
  3. If anti-replay protection is enabled, the sequence number is inspected
  4. If authentication is enabled, then the ICV is verified
  5. The packet is decrypted, padding is removed and the original IP datagram is reconstructed
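The following Python is an added illustration, not code from the slides or from any IPsec implementation: it models the SA lookup by the (SPI, destination IP, security protocol) triple from 18.2 together with the outbound and inbound ESP steps above, in transport mode with NULL encryption (RFC 2410) and HMAC-SHA1-96 integrity (RFC 2404), so that the encryption step is the identity transform and the padding, sequence number, anti-replay window (RFC 2401 Appendix C) and ICV handling can run without a cipher library. The function names, the SPI, the key and the addresses are constructed for the example.

```python
import hashlib, hmac, struct
ESP_PROTO = 50   # IP protocol number of ESP (the "security protocol" part of the SA triple)
ICV_LEN = 12     # HMAC-SHA1-96 keeps the first 96 bits of the MAC (RFC 2404)
ALIGN = 4        # pad length and next header must end on a 4-byte boundary
WINDOW = 32      # anti-replay sliding window, the RFC 2401 Appendix C minimum

def make_sa(spi, dst, auth_key):
    """Constructed SAD entry: NULL encryption (RFC 2410) with HMAC-SHA1-96 integrity."""
    return {"spi": spi, "dst": dst, "auth_key": auth_key, "seq": 0, "last_seq": 0, "bitmap": 0}

def esp_encap(sa, inner, next_header):
    """Outbound steps 1-5: encapsulate, pad, bump the sequence number, compute the ICV."""
    pad_len = (-(len(inner) + 2)) % ALIGN            # payload+padlen+nexthdr multiple of ALIGN
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])  # default pad 1,2,3,...
    sa["seq"] += 1                                   # first packet on an SA carries seq 1
    body = struct.pack("!II", sa["spi"], sa["seq"]) + inner + trailer  # NULL cipher: no transform
    icv = hmac.new(sa["auth_key"], body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

def replay_check(sa, seq):
    """Inbound step 3: reject duplicates and packets left of the window without touching state."""
    last = sa["last_seq"]
    if seq > last:
        return True
    if seq == 0 or last - seq >= WINDOW:
        return False
    return not (sa["bitmap"] >> (last - seq)) & 1    # bit k of the bitmap marks seq last-k

def replay_update(sa, seq):
    """Slide the window only after the ICV verified, so a forged packet cannot advance it."""
    last = sa["last_seq"]
    if seq > last:
        sa["bitmap"] = ((sa["bitmap"] << (seq - last)) | 1) & ((1 << WINDOW) - 1)
        sa["last_seq"] = seq
    else:
        sa["bitmap"] |= 1 << (last - seq)

def esp_decap(sad, dst, packet):
    """Inbound steps 2-5: SAD lookup, replay check, ICV check, strip the ESP trailer."""
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad[(spi, dst, ESP_PROTO)]                  # KeyError: no SA for this triple
    if not replay_check(sa, seq):
        raise ValueError("replayed or out-of-window sequence number %d" % seq)
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    replay_update(sa, seq)                           # window moves only for authentic packets
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]
```

Because SAs are unidirectional, the sender and receiver each hold their own copy of the SA state; only the receiver's copy carries the replay window.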

18.6 Summary

- IPsec provides security services at the IP layer, in both IPv4 and IPv6, offering protection for protocols at higher layers
- IKE is used for key exchange, creating and managing SAs and related security parameters
- ESP is used for confidentiality and integrity protection