Sheng-Liang Song ssl@cisco.com
IPSec
Security services IPsec provides:
- Access control
- Connectionless integrity
- Data origin authentication
- Rejection of replayed packets
- Confidentiality

IPSec
Complexity is security's worst "enemy"; stick to "best practice".
Agenda
- IPSec Overview
  - IPSec (Network Layer)
  - Modes (Tunnel/Transport)
  - Protocols (ESP/AH)
  - IKE (Internet Key Exchange)
  - IPSec Cases
- IPSec Discussion
- Q&A
Key Words
- ISAKMP (Internet Security Association and Key Management Protocol)
- SA (Security Association)
- SPD (Security Policy Database)
- IKE (Internet Key Exchange)
- AH (Authentication Header)
- ESP (Encapsulating Security Payload)
- HMAC (Keyed-Hashing for Message Authentication): HMAC(K, text) = H(K XOR opad, H(K XOR ipad, text)), where opad is the byte 0x5C and ipad the byte 0x36, each repeated to the hash block size
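The HMAC formula on the Key Words slide, written out as an added example (this code is not from the deck). It builds HMAC-SHA256 directly from the two nested hashes and cross-checks the result against Python's stdlib `hmac`; the key and message are the constructed inputs of RFC 4231 test case 1, and the block size, key padding and constant-time comparison are the parts the one-line formula leaves implicit.

```python
import hashlib
import hmac  # stdlib HMAC, used here only to cross-check the hand-rolled version


def hmac_sha256(key: bytes, text: bytes) -> bytes:
    """HMAC as on the slide: H(K XOR opad, H(K XOR ipad, text)).

    opad is the byte 0x5C and ipad the byte 0x36, each repeated to the
    hash's block size (64 bytes for SHA-256).
    """
    block_size = hashlib.sha256().block_size
    # A key longer than one block is hashed first; a shorter key is
    # zero-padded on the right so the XOR below always covers a full block.
    if len(key) > block_size:
        key = hashlib.sha256(key).digest()
    key = key.ljust(block_size, b"\x00")
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(k_ipad + text).digest()
    return hashlib.sha256(k_opad + inner).digest()


def stdlib_reference(key: bytes, text: bytes) -> bytes:
    """The same tag from the standard library, for comparison."""
    return hmac.new(key, text, hashlib.sha256).digest()


def verify_tag(key: bytes, text: bytes, tag: bytes) -> bool:
    """Compare tags in constant time; a plain == stops at the first
    differing byte and leaks timing information to whoever sent the tag."""
    return hmac.compare_digest(hmac_sha256(key, text), tag)


# Constructed sample key and message (the inputs of RFC 4231 test case 1).
KEY = bytes([0x0B] * 20)
MSG = b"Hi There"

if __name__ == "__main__":
    tag = hmac_sha256(KEY, MSG)
    print("HMAC-SHA256 =", tag.hex())
    print("matches stdlib:", tag == stdlib_reference(KEY, MSG))
```

IPsec uses HMAC truncated to 96 bits (HMAC-SHA1-96, HMAC-SHA-256-128 and so on) as the ICV in AH and ESP; the truncation is a slice of the tag computed above, nothing more.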
IPSec (Network Layer)
IPsec lives at the network layer and is transparent to applications.
Figure: protocol stack (application, transport, network, link, physical). SSL sits in user space at the application layer; IPsec sits in the OS at the network layer, above the NIC.
IPv4 Header Format
For AH, every header field is classed as immutable, mutable but predictable, or mutable (zeroed before the ICV is computed).
IPv6 Header Format
IPSec Modes (Tunnel and Transport)
Transport Mode: the original IP header is kept and the ESP/AH header is inserted between it and the data:
  [IP header][ESP/AH][data]
Tunnel Mode: the whole original packet becomes the payload behind a new outer IP header:
  [new IP hdr][ESP/AH][IP header][data]
IPSec Protocols (ESP and AH)
ESP (Encapsulating Security Payload)
- Integrity and confidentiality (e.g. HMAC for integrity, DES-CBC for encryption)
- Integrity only, by using NULL encryption
AH (Authentication Header)
- Integrity only (no confidentiality)
Figure: an IPsec tunnel between two gateways. The original IP packet (IP HDR + Data) is carried behind a New IP HDR plus an AH HDR or ESP HDR; in the ESP session the original IP layer is encrypted, in the AH session it is only authenticated.
AH Format
The sender's sequence counter is initialized to 0 when an SA is established and incremented before each packet, so the first packet on the SA carries sequence number 1.
AH/Transport
AH/Transport
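AH in transport mode, as an added worked example that is not part of the deck: it builds an IPv4 packet with an AH header (HMAC-SHA1-96), computes the ICV over the IP header with the mutable fields (ToS, Flags, Fragment Offset, TTL, Header Checksum) zeroed, and then verifies the packet both as sent and after a simulated router hop. The key, addresses and UDP payload are constructed sample values.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51           # IP protocol number for AH
ICV_LEN = 12            # HMAC-SHA1-96: the 20-byte tag truncated to 96 bits
AH_LEN = 12 + ICV_LEN   # Next Header, Payload Len, Reserved, SPI, Seq (12) + ICV

# Constructed sample values (not from the deck).
KEY = bytes.fromhex("0b" * 20)
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
PAYLOAD = bytes.fromhex("0035003500080000")   # toy 8-byte UDP header


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (checksum field = 0)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(tos, total_len, ident, flags_frag, ttl, proto, src, dst) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident,
                      flags_frag, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Mutable IPv4 fields are zeroed before the ICV is computed (RFC 4302
    3.3.3.1): ToS (DSCP/ECN), Flags, Fragment Offset, TTL, Header Checksum.
    Version, IHL, Total Length, Identification, Protocol, Source and
    Destination address are immutable and covered exactly as sent."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # ToS
    h[6:8] = b"\x00\x00"        # Flags + Fragment Offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # Header Checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload) -> bytes:
    """ICV over: zeroed IP header || AH with its ICV field zeroed || payload."""
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_transport_encap(key, spi, seq, next_header, payload, tos=0, ttl=64) -> bytes:
    total_len = 20 + AH_LEN + len(payload)
    ip_hdr = ipv4_header(tos, total_len, 1, 0x4000, ttl, AH_PROTO, SRC, DST)
    # Payload Len = AH length in 32-bit words minus 2: 24/4 - 2 = 4
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_transport_verify(key, packet) -> bool:
    ip_hdr, rest = packet[:20], packet[20:]
    ah_fixed, tag, payload = rest[:12], rest[12:12 + ICV_LEN], rest[12 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah_fixed, payload), tag)


def forward_one_hop(packet: bytes) -> bytes:
    """What a router does in transit: TTL - 1 and a fresh header checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


if __name__ == "__main__":
    pkt = ah_transport_encap(KEY, spi=0x1000, seq=1, next_header=17, payload=PAYLOAD)
    print("valid at sender:", ah_transport_verify(KEY, pkt))
    print("valid after a hop:", ah_transport_verify(KEY, forward_one_hop(pkt)))
```

The hop survives because TTL and checksum are mutable and excluded from the ICV; changing the destination address or a payload byte does not, because those are covered. This is also why AH and NAT do not mix: NAT rewrites the immutable address fields.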
ESP Format
As with AH, the sender's sequence counter is initialized to 0 when an SA is established and incremented before each packet, so the first packet on the SA carries sequence number 1.
ESP/Transport
ESP/Tunnel
IPSec Tunnels
Figure: original IP packet -> classified IP packet -> IPsec packet.
1. Original IP packet: IP header (with TOS byte) + IP payload.
2. Classified IP packet: the TOS byte is set according to the traffic class.
3. IPsec packet: the tunnel entry point builds a new IP header, copies the TOS byte from the inner header into it, and prepends the ESP header: [new IP hdr (TOS copied)][ESP header][IP header][IP payload].
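ESP in tunnel mode with NULL encryption (the integrity-only variant from the Protocols slide), as an added example that is not part of the deck. It wraps a constructed inner IPv4/UDP packet in SPI, sequence number, padding, pad length and next header, computes an HMAC-SHA1-96 ICV over the ESP header through the trailer, and builds the outer header with the TOS byte copied from the inner one, as the IPSec Tunnels slide describes. The decapsulation side verifies the ICV before it parses anything else. Tunnel endpoints and key are constructed sample values.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50        # IP protocol number for ESP
NH_IPV4 = 4           # ESP Next Header value for an encapsulated IPv4 packet
ICV_LEN = 12          # HMAC-SHA1-96

# Constructed sample values (not from the deck): tunnel endpoints and key.
KEY = bytes.fromhex("aa" * 20)
TUN_SRC, TUN_DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])


def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4(tos, length, ident, ttl, proto, src, dst) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, length, ident, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def inner_packet(tos: int, payload: bytes = b"ping-data") -> bytes:
    """A constructed inner IPv4/UDP packet from 10.1.1.1 to 10.2.2.2."""
    udp = struct.pack("!HHHH", 4000, 53, 8 + len(payload), 0) + payload
    return ipv4(tos, 20 + len(udp), 7, 64, 17,
                bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2])) + udp


def esp_null_tunnel_encap(key, spi, seq, inner, ttl=64) -> bytes:
    tos = inner[1]                            # TOS byte copied inner -> outer header
    pad_len = (-(len(inner) + 2)) % 4         # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))    # RFC 4303 default pad content 1,2,3,...
    trailer = padding + bytes([pad_len, NH_IPV4])
    body = struct.pack("!II", spi, seq) + inner + trailer   # NULL cipher: plaintext as-is
    # Encrypt-then-authenticate: the ICV covers SPI .. Next Header (here the
    # "ciphertext" equals the plaintext); with a real cipher it would cover the
    # IV and ciphertext instead.
    tag = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    outer = ipv4(tos, 20 + len(body) + ICV_LEN, 0, ttl, ESP_PROTO, TUN_SRC, TUN_DST)
    return outer + body + tag


def esp_null_tunnel_decap(key, packet) -> tuple:
    outer, rest = packet[:20], packet[20:]
    if outer[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    body, tag = rest[:-ICV_LEN], rest[-ICV_LEN:]
    # Verify the ICV before trusting any field of the ESP payload or trailer.
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN], tag):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if next_header != NH_IPV4:
        raise ValueError("unexpected next header %d" % next_header)
    return spi, seq, body[8:len(body) - 2 - pad_len]


def esp_accepts(key, packet) -> bool:
    try:
        esp_null_tunnel_decap(key, packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = inner_packet(tos=0xB8)
    pkt = esp_null_tunnel_encap(KEY, spi=0x2000, seq=1, inner=inner)
    print("outer TOS = 0x%02x, outer proto = %d, %d bytes" % (pkt[1], pkt[9], len(pkt)))
    print("round trip ok:", esp_null_tunnel_decap(KEY, pkt)[2] == inner)
```

With the deck's DES-CBC (or AES-CBC today) the only changes are an IV in front of the payload and padding to the cipher block size; the ICV still covers the ciphertext and the outer header is still built from the inner one the same way. Note that copying TOS into the outer header leaks the traffic class of the encrypted flow; RFC 4301 leaves this as a per-SA policy choice.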
Anti-Replay in IPSec
Both ESP and AH have an anti-replay mechanism based on sequence numbers:
- the sender increments the sequence number after each transmission
- the receiver optionally checks the sequence number and rejects a packet that is a duplicate or falls outside (to the left of) its sliding window
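The sender counter and the receiver's sliding window, as an added example (not code from the deck). The receiver side follows the bitmap scheme in RFC 4303 Appendix A with the default 64-packet window: packets ahead of the window advance it, packets inside it are accepted once, packets behind it are dropped. The window is updated only after the ICV has verified, since otherwise a forged packet with a huge sequence number could slide the window past legitimate traffic. The window size and sequence values below are constructed for the demonstration.

```python
SEQ_MAX = 0xFFFFFFFF   # 32-bit sequence number field in AH and ESP


class SenderCounter:
    """Sender side: the counter starts at 0 when the SA is established and is
    incremented before each packet, so the first packet carries 1."""

    def __init__(self):
        self.seq = 0

    def exhausted(self) -> bool:
        return self.seq == SEQ_MAX

    def next_seq(self) -> int:
        if self.exhausted():
            # Wrapping would let old packets be replayed; the SA must be
            # re-keyed (new SA, new counter) before this point.
            raise RuntimeError("sequence number space exhausted; rekey the SA")
        self.seq += 1
        return self.seq


class AntiReplayWindow:
    """Receiver side sliding window. `top` is the highest sequence number
    accepted so far; bit i of `bitmap` records whether top - i was seen."""

    def __init__(self, size: int = 64, enabled: bool = True):
        self.size = size
        self.enabled = enabled   # the check is optional on the receiver
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Is `seq` acceptable? Does not change state."""
        if not self.enabled:
            return True
        if seq == 0:
            return False                       # never valid: first packet is 1
        if seq > self.top:
            return True                        # ahead of the window: new high
        diff = self.top - seq
        if diff >= self.size:
            return False                       # behind the window: too old
        return not (self.bitmap >> diff) & 1   # inside: reject duplicates

    def update(self, seq: int) -> None:
        """Advance the window; call only after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def process(self, seq: int, icv_ok: bool) -> bool:
        """Receive path: cheap window check first, then ICV, then update."""
        if not self.check(seq):
            return False
        if not icv_ok:
            return False
        self.update(seq)
        return True


if __name__ == "__main__":
    tx, rx = SenderCounter(), AntiReplayWindow()
    first = tx.next_seq()                       # 1
    print("first seq:", first, "accepted:", rx.process(first, True))
    print("replay of 1 accepted:", rx.process(first, True))
```

Doing the window check before the ICV check is deliberate: a replayed or out-of-window packet is dropped without spending an HMAC computation, which is the only cheap defence IPsec has against the flooding the Discussion slide mentions.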
How IPSec uses IKE
IPSec and IKE in Practice
IKE first sets up a keying channel (the ISAKMP SA), then sets up the data channels (the IPsec SAs).
Figure: two gateways, each holding a digital certificate issued by a Certificate Authority, run an ISAKMP session across the Internet; the resulting SA is an authenticated, encrypted tunnel between the internal networks, where traffic stays clear text.
- ISAKMP (Internet Security Association and Key Management Protocol)
- SA (Security Association)
- SPD (Security Policy Database): every packet is matched against the SPD and the action is discard, bypass IPsec, or apply IPsec (with its overhead)
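An SPD lookup with the three actions from the slide (discard, bypass IPsec, apply IPsec), as an added example that is not from the deck. Entries are matched in order against the packet's selectors (addresses, protocol, port) and the first hit wins; anything that matches nothing is discarded, which is the fail-closed default RFC 4301 requires. The gateway, networks and rules are constructed; the `sa_params` string is only a label standing in for what IKE would negotiate.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class SpdEntry:
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proto: Optional[int]          # IP protocol number, None = any
    remote_port: Optional[int]    # None = any
    action: str
    sa_params: str = ""           # for PROTECT: what IKE must negotiate (label only)

    def matches(self, local_ip, remote_ip, proto, remote_port) -> bool:
        return (local_ip in self.local and remote_ip in self.remote
                and self.proto in (None, proto)
                and self.remote_port in (None, remote_port))


def spd_lookup(spd: Sequence[SpdEntry], local: str, remote: str,
               proto: int, remote_port: Optional[int] = None) -> SpdEntry:
    """Ordered first-match search. A packet matching no entry is discarded,
    so a forgotten rule fails closed rather than leaking clear text."""
    local_ip, remote_ip = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    for entry in spd:
        if entry.matches(local_ip, remote_ip, proto, remote_port):
            return entry
    return SpdEntry(ANY, ANY, None, None, DISCARD)


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed SPD for a gateway whose internal network is 10.1.0.0/16 and
# whose peer protects 10.2.0.0/16.
SPD = [
    # IKE itself (UDP/500) must bypass IPsec, or no SA could ever be set up.
    SpdEntry(ANY, ANY, 17, 500, BYPASS),
    # A blocked subnet inside the peer's range: listed before the broad
    # PROTECT rule, because first match wins.
    SpdEntry(net("10.1.0.0/16"), net("10.2.9.0/24"), None, None, DISCARD),
    # Site-to-site: everything between the two internal networks is tunnelled.
    SpdEntry(net("10.1.0.0/16"), net("10.2.0.0/16"), None, None, PROTECT,
             "ESP tunnel mode to peer 198.51.100.1"),
    # DNS to a public resolver is allowed in the clear.
    SpdEntry(net("10.1.0.0/16"), net("192.0.2.0/24"), 17, 53, BYPASS),
]


if __name__ == "__main__":
    for flow in (("10.1.1.1", "10.2.2.2", 6, 443),
                 ("10.1.1.1", "10.2.9.9", 6, 22),
                 ("10.1.1.1", "203.0.113.5", 6, 80)):
        print(flow, "->", spd_lookup(SPD, *flow).action)
```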
IPSec (IKEv1 Phase 1)
Phase 1 can be authenticated in four ways:
- Authenticated with signatures
- Authenticated with pre-shared key
- Authenticated with public key encryption
- Authenticated with public key encryption (revised)
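What actually differs between the four phase 1 methods is how SKEYID is seeded; everything after that (SKEYID_d/a/e and the HASH_I/HASH_R identity proofs) is the same. The derivation below follows RFC 2409 section 5 and is an added example, not code from the deck. Cookies, nonces, DH values and the SA/ID payload bodies are constructed byte strings standing in for what comes off the wire; with a real Diffie-Hellman group g^xy would be the computed shared secret.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash (HMAC-SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid(method, ni, nr, gxy, cky_i, cky_r, psk=None) -> bytes:
    """RFC 2409 section 5: the only step that differs between the phase 1
    authentication methods is how SKEYID is seeded."""
    if method == "signature":
        return prf(ni + nr, gxy)
    if method in ("public-key", "public-key-revised"):
        # Both PKE variants: the nonces (sent encrypted to the peer's public
        # key) are the secret; g^xy does not enter SKEYID at all.
        return prf(hashlib.sha1(ni + nr).digest(), cky_i + cky_r)
    if method == "pre-shared-key":
        return prf(psk, ni + nr)
    raise ValueError("unknown authentication method %r" % method)


def derive(skeyid_, gxy, cky_i, cky_r):
    """SKEYID_d (seed for phase 2 keys), SKEYID_a (phase 1 integrity),
    SKEYID_e (phase 1 encryption); the trailing byte is 0, 1, 2."""
    d = prf(skeyid_, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid_, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid_, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def hash_i(skeyid_, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I, the initiator's proof of identity (signed, or sent as-is with PSK)."""
    return prf(skeyid_, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid_, gxi, gxr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R, the responder's proof: same inputs with the roles swapped."""
    return prf(skeyid_, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


# Constructed exchange values (not from the deck).
CKY_I, CKY_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
NI, NR = bytes.fromhex("a1" * 16), bytes.fromhex("b2" * 16)
GXI, GXR = bytes.fromhex("c3" * 32), bytes.fromhex("d4" * 32)
GXY = bytes.fromhex("e5" * 32)                     # stand-in for the DH result
SAI_B = bytes.fromhex("00010002")                   # SA payload body offered by the initiator
ID_I = b"\x02\x00\x00\x00" + b"gw1.example.com"     # ID payload body, FQDN type
PSK = b"correct horse battery staple"


def phase1_psk(psk_initiator: bytes, psk_responder: bytes) -> bool:
    """Responder recomputes HASH_I with its own PSK; a mismatch means the
    peers disagree on the key (or the exchange was tampered with)."""
    sk_i = skeyid("pre-shared-key", NI, NR, GXY, CKY_I, CKY_R, psk_initiator)
    sk_r = skeyid("pre-shared-key", NI, NR, GXY, CKY_I, CKY_R, psk_responder)
    sent = hash_i(sk_i, GXI, GXR, CKY_I, CKY_R, SAI_B, ID_I)
    expected = hash_i(sk_r, GXI, GXR, CKY_I, CKY_R, SAI_B, ID_I)
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    for m in ("signature", "pre-shared-key", "public-key", "public-key-revised"):
        print("%-18s SKEYID=%s" % (m, skeyid(m, NI, NR, GXY, CKY_I, CKY_R, PSK).hex()[:16]))
    print("PSK agreed:", phase1_psk(PSK, PSK), "| PSK wrong:", phase1_psk(PSK, b"wrong"))
```

The derivation makes the slide's "authenticates machines, not users" point concrete: the identity that HASH_I proves is whatever ID payload the gateway sends, bound to the gateway's PSK or key pair, with no user in the loop.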
IPSec (Cases)
IPSec Case1
IPSec Case2
IPSec Case3
IPSec Case4
IPSec Discussion / Q & A
- IPsec authenticates machines, not users
- Does not stop denial of service attacks; if anything it makes DoS easier, since the receiver must spend an ICV check (and decryption) on every bogus packet before it can drop it
- Order of operations: ESP encrypts first and then authenticates, so the ICV is computed over the ciphertext
Figure: packet-processing pipeline used to compare overhead: L2/L3/L4 parsing, header checking (IP, TCP, UDP), packet action classifying, probabilistic content matching.
References
- Mark Stamp, Information Security: Principles and Practice, Jan 29, 2005
- Cisco, Cisco IOS IPsec (white paper)
- N. Ferguson and B. Schneier, A Cryptographic Evaluation of IPsec
- IPsec: Security for the Internet Protocol