
Authentication Header
● RFC 2402
● Services
  – Connectionless integrity
  – Data origin authentication
  – Replay protection
  – As much header authentication as possible

AH Header Format (each row is one 32-bit word)
  Next Header (8 bits) | Payload Len (8 bits) | RESERVED (16 bits)
  Security Parameters Index (SPI) (32 bits)
  Sequence Number Field (32 bits)
  Authentication Data (variable, a multiple of 32 bits)

AH Parameters
● Next Header – identifies the header that follows AH (e.g. 6 for TCP, 17 for UDP, 41 for an inner IPv6 header in tunnel mode)
● Payload Length – length of the AH header in 32-bit words minus 2, so 4 for the common 96-bit ICV (12 fixed bytes + 12 ICV bytes = 6 words, minus 2). Note that this deviates from the usual IPv6 extension-header convention of 64-bit words minus 1
● RESERVED – 16 bits, set to zero on transmission; it is still covered by the ICV
● SPI – 32-bit value that, together with the destination IP address and the security protocol (AH), uniquely identifies the Security Association for this datagram. SPI 0 is reserved for local use and must not appear on the wire; 1 through 255 are reserved by IANA

Sequence Number Generation
● 32-bit unsigned, monotonically increasing counter
● The sender's counter is initialized to 0 when the SA is established and incremented by 1 before each packet, so the first packet on an SA carries 1
● The sender must always include it, even if the receiver ignores it
● The receiver may or may not use it: anti-replay is enabled by default but can be disabled for an SA (typically a manually keyed one)
● The counter must not cycle. When anti-replay is in use, the sender may send at most 2^32 - 1 packets on one SA and must negotiate a new SA (rekey) before rollover; both ends then start again from 0

Authentication Data
● Variable-length field that contains the Integrity Check Value (ICV) for this packet
● Length is a multiple of 32 bits; the whole AH header must be a multiple of 32 bits for IPv4 and of 64 bits for IPv6, with explicit padding after the ICV if needed
● The ICV algorithm is specified in the SA; usually an HMAC (keyed hash) truncated to 96 bits. HMAC-MD5-96 and HMAC-SHA-1-96 are the mandatory-to-implement algorithms in RFC 2402
● The ICV is calculated over the immutable and predictable fields of the IP header, the AH header (with the Authentication Data field zeroed), any padding, and the upper-layer protocol headers and payload

Authenticated Data (IPv6 base header)
● Immutable (included as sent)
  – Version, Payload Length, Next Header, Source Address, Destination Address (when no Routing Extension Header is present)
● Mutable but predictable (included with the value it will have at the final destination)
  – Destination Address when a Routing Extension Header is present
● Mutable (zeroed prior to ICV calculation)
  – Traffic Class, Flow Label, Hop Limit

Authenticated Data (cont'd)
● Extension headers containing options (Hop-by-Hop and Destination Options headers)
  – Bit 3 of the Option Type (the "chg" bit) indicates whether the option data may change en route
  – Changeable – option data is zeroed for the ICV calculation (Option Type and Option Data Length are still covered)
  – Unchangeable – included in the ICV calculation as sent
● Padding (explicit padding after the ICV) is included in the ICV calculation
● Fragmentation
  – If required, fragmentation happens after the AH header has been applied, so AH covers the whole datagram and never an individual fragment
  – On receipt, reassembly must therefore happen first, and only then is the AH header processed

Authenticated Data (cont'd)
● The AH extension header itself (Next Header, Payload Length, Reserved, SPI, Sequence Number, with the Authentication Data field zeroed)
  – Especially important is the Sequence Number for anti-replay: because it is covered by the ICV, an attacker cannot take an old packet and give it a fresh number
● Subsequent extension headers
● The payload (upper-layer headers and data)
● Algorithm: usually HMAC-SHA-n (HMAC-SHA-1-96 in RFC 2402; HMAC-SHA-256 and longer variants were added later)
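The header layout and ICV rules on the preceding slides, carried through in working code. This is an added example and not part of the slide deck: a minimal IPv6 transport-mode AH builder and verifier using HMAC-SHA-1-96, with no Routing or option headers (so both addresses are immutable), and with constructed addresses, key and payload. The demonstration shows that a router decrementing Hop Limit leaves the ICV valid while a one-bit change to the payload does not.

```python
"""IPv6 transport-mode AH: build the AH header, canonicalize the packet and
compute/verify an HMAC-SHA-1-96 ICV (RFC 2402 / RFC 2404)."""
import hashlib
import hmac
import struct

AH_PROTO = 51          # Next Header value for AH
ICV_LEN = 12           # HMAC-SHA-1-96: 20-byte HMAC truncated to 96 bits
IPV6_HDR_LEN = 40
AH_FIXED_LEN = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number


def build_ah(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    """Fixed AH fields followed by the ICV.  Payload Len is the AH length in
    32-bit words minus 2 (RFC 2402 s.2.2): (12 + 12) / 4 - 2 = 4."""
    ah_len = AH_FIXED_LEN + len(icv)
    if ah_len % 8:
        raise ValueError("IPv6 requires AH to be a multiple of 64 bits")
    payload_len = ah_len // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def parse_ah(buf):
    nh, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    return {"next_header": nh, "spi": spi, "seq": seq,
            "icv": buf[AH_FIXED_LEN:ah_len], "ah_len": ah_len}


def build_ipv6(src, dst, payload_len, traffic_class=0, flow_label=0, hop_limit=64):
    """IPv6 base header whose Next Header is AH."""
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB", first_word, payload_len, AH_PROTO, hop_limit) + src + dst


def canonicalize(packet):
    """The bytes the ICV is computed over.  Mutable base-header fields (Traffic
    Class, Flow Label, Hop Limit) and the Authentication Data field are zeroed;
    Version, Payload Length, Next Header and both addresses (immutable here,
    since there is no Routing header) are kept exactly as sent."""
    hdr = bytearray(packet[:IPV6_HDR_LEN])
    hdr[0] = 0x60                  # Version 6, Traffic Class high nibble zeroed
    hdr[1] = hdr[2] = hdr[3] = 0   # Traffic Class low nibble + Flow Label
    hdr[7] = 0                     # Hop Limit
    ah = parse_ah(packet[IPV6_HDR_LEN:])
    ah_fixed = packet[IPV6_HDR_LEN:IPV6_HDR_LEN + AH_FIXED_LEN]
    upper = packet[IPV6_HDR_LEN + ah["ah_len"]:]
    return bytes(hdr) + ah_fixed + b"\x00" * len(ah["icv"]) + upper


def compute_icv(key, packet):
    return hmac.new(key, canonicalize(packet), hashlib.sha1).digest()[:ICV_LEN]


def protect(key, src, dst, spi, seq, next_header, upper, hop_limit=64):
    """Outbound: build the packet with a zero ICV, compute the ICV, fill it in."""
    ah = build_ah(next_header, spi, seq)
    pkt = build_ipv6(src, dst, len(ah) + len(upper), hop_limit=hop_limit) + ah + upper
    icv = compute_icv(key, pkt)
    return pkt[:IPV6_HDR_LEN + AH_FIXED_LEN] + icv + upper


def verify(key, packet):
    """Inbound: recompute over the canonical form and compare in constant time."""
    ah = parse_ah(packet[IPV6_HDR_LEN:])
    return hmac.compare_digest(ah["icv"], compute_icv(key, packet))


def demo():
    # Constructed sample data: documentation-prefix addresses, a throwaway key
    # and a fake 8-byte UDP header in front of the application data.
    key = b"constructed-demo-key-do-not-reuse"
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2
    upper = b"\x00" * 8 + b"hello over AH"
    pkt = protect(key, src, dst, spi=0x1000, seq=1, next_header=17, upper=upper)
    # A router decrementing Hop Limit (mutable, zeroed in the ICV) is fine ...
    forwarded = pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]
    # ... but any change to a covered byte, here the last payload byte, is not.
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    return verify(key, pkt), verify(key, forwarded), verify(key, tampered)


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The receiver must zero the same fields the sender did, or the two sides compute different ICVs; in practice most AH interoperability failures are exactly this kind of canonicalization mismatch, which is why RFC 2402 spells out the per-field treatment rather than leaving it to the implementation.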

AH Location in the list of Headers
● IPv6 considerations only
● AH is treated as end-to-end payload, so it goes after the Hop-by-Hop, Routing and Fragment extension headers. A Destination Options header may appear either before AH (if it is meant for the intermediate destinations listed in a Routing header) or after it (if only the final destination should see it)
● Transport mode:
  IPv6 Header | Ext Headers | AH | Payload
● Tunnel mode:
  New IPv6 Header | Ext Headers | AH | Original IPv6 Header | Payload

Outbound Packet Processing
● Match the packet's selectors (addresses, protocol, ports) against the outbound policies in the SPD: discard, bypass, or apply AH
● SA lookup in the SAD; if no suitable SA exists yet, one is created (e.g. via IKE)
● Sequence number generation
● ICV calculation over the canonicalized packet (mutable fields and the Authentication Data field zeroed)
● Fragmentation of the IPsec datagram if necessary (always after AH processing)

Inbound Packet Processing
● Datagram reassembly (fragments are reassembled before AH processing)
● SA lookup in the SAD, based on
  – Destination IP address
  – Security protocol (AH)
  – The SPI
  If no SA is found, the packet is discarded and the event logged
● Sequence number verification (when anti-replay is enabled): duplicates and packets to the left of the receive window are rejected before any cryptography is done
● ICV verification
  – Calculated over immutable fields
  – Mutable but predictable fields (with the value they have at the destination)
  – Options and payload
  – Mutable fields and the Authentication Data field zeroed, exactly as on the sender
● Only after a successful ICV check is the receive window advanced; a failed ICV is an auditable event and the packet is discarded
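The sequence number rules from the Sequence Number Generation slide and the receiver ordering from the Inbound Packet Processing slide, as one added example that is not part of the slide deck: a sender counter that refuses to cycle, the receiver's sliding anti-replay window (window size 64, the RFC 2402 default), and the inbound check order, where the window is consulted before the ICV is computed and updated only after the ICV verifies. The ICV verification result is passed in as a boolean here; the assumed `inbound` helper and its return strings are this example's own, not RFC names.

```python
"""AH sequence numbers: a sender counter that never cycles and the receiver's
anti-replay sliding window (RFC 2402 s.3.3.2 and s.3.4.3)."""


class SenderSA:
    """Outbound side.  The counter starts at 0 when the SA is set up and is
    incremented before each packet, so the first packet carries 1.  With
    anti-replay enabled the sender must never let it wrap: 2^32 - 1 is the
    last usable value, after which a new SA has to be negotiated."""
    MAX_SEQ = 0xFFFFFFFF

    def __init__(self, anti_replay=True):
        self.counter = 0
        self.anti_replay = anti_replay

    def next_seq(self):
        if self.counter >= self.MAX_SEQ:
            if self.anti_replay:
                raise RuntimeError("sequence number would cycle: new SA required")
            self.counter = 0   # only permissible when the receiver does not check
        self.counter += 1
        return self.counter


class ReplayWindow:
    """Inbound side: a window of `size` (>= 32, default 64) sequence numbers
    whose right edge is the highest number verified so far.  check() runs
    before the ICV computation; commit() runs only once the ICV has verified,
    so a forged packet can never move the window."""

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 2402 requires a window of at least 32")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  =>  sequence number top - i was received

    def check(self, seq):
        if seq == 0:
            return False                    # 0 is never sent on the wire
        if seq > self.top:
            return True                     # new, to the right of the window
        offset = self.top - seq
        if offset >= self.size:
            return False                    # too old, left of the window
        return not (self.bitmap >> offset) & 1   # inside: reject if already seen

    def commit(self, seq):
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def inbound(window, seq, icv_ok):
    """Receiver order from RFC 2402 s.3.4: window check, then ICV verification,
    then the window update only on success.  `icv_ok` is the outcome of the
    ICV verification for this packet (a stand-in for the real HMAC check)."""
    if not window.check(seq):
        return "replay-or-stale"
    if not icv_ok:
        return "bad-icv"
    window.commit(seq)
    return "accept"


def demo():
    """Constructed traffic: reordering, a replay, a forgery, and window edges."""
    tx, rx = SenderSA(), ReplayWindow(size=64)
    s1, s2, s3 = (tx.next_seq() for _ in range(3))   # 1, 2, 3
    return [
        inbound(rx, s2, True),    # 2 arrives first: accept, top becomes 2
        inbound(rx, s1, True),    # 1 arrives late but is new: accept
        inbound(rx, s2, True),    # 2 replayed: rejected before any ICV work
        inbound(rx, s3, False),   # forged 3 with bad ICV: window untouched
        inbound(rx, s3, True),    # genuine 3 still accepted afterwards
        inbound(rx, 100, True),   # big jump to the right: accept, top = 100
        inbound(rx, 36, True),    # 100 - 36 = 64 >= size: left of the window
        inbound(rx, 37, True),    # offset 63: still inside, never seen: accept
    ]


def rollover_refused():
    """Drive a sender to its last usable number and show the refusal to cycle."""
    tx = SenderSA()
    tx.counter = SenderSA.MAX_SEQ - 1
    last = tx.next_seq()          # 0xFFFFFFFF: the final packet on this SA
    try:
        tx.next_seq()
        return last, False
    except RuntimeError:
        return last, True


if __name__ == "__main__":
    print(demo())
    print(rollover_refused())
```

Doing the window check first matters operationally: it lets a receiver drop a replay flood at the cost of a subtraction and a bit test instead of an HMAC per packet, while deferring the window update until the ICV passes keeps an attacker from pushing the window forward with garbage and thereby causing legitimate, slightly delayed packets to be rejected.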