Download presentation
Presentation is loading. Please wait.
Published byDaniela Reed Modified over 8 years ago
2
IPSec general IP Security mechanisms provides authentication confidentiality key management Applications include Secure connectivity over internet, office VPN’s, across organizations e-commerce
3
IP Security Scenario
4
Benefits of IPSec in a firewall/router provides strong security to all traffic crossing the perimeter is resistant to bypass is below transport layer, hence transparent to applications can be transparent to end users can provide security for individual users if desired
5
IP Security Architecture It involves various aspects such as…. IPSec Document IPSec Services Security Association(SA)
6
IPSec Documents-7groups Architecture ESP AH Encryption Algorithm Authentication Algorithm Key Management Doman of Interpretation(DoI)
7
IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets a form of partial sequence integrity Confidentiality (encryption) Limited traffic flow confidentiality
8
Security Associations a one-way relationship between sender & receiver that affords security for traffic flow defined by 3 parameters: Security Parameters Index (SPI) IP Destination Address Security Protocol Identifier has a number of other parameters seq no, AH & EH info, lifetime etc
9
SA selectors Security policy database(SPD) contains entries each of which defines a subset of IP traffic and points to an SA Each SPD entry is defined by a set of IP and upper protocol field values called selectors The following selectors determine an SPD entry: Destination IP address, Source IP address, UserID, Datasensitivity level, Transport Layer protocol etc
10
Transport and tunnel modes AH and ESP support two modes tunnel and transport mode Transport mode provides security for mainly upper layer protocols. Example :TCP,UDP,ICMP packet Tunnel mode provides protection for the entire packet. The entire packet travels through a tunnel from one IP to another, no routers are able to examine the inner IP.
11
Authentication Header (AH) provides support for data integrity & authentication of IP packets end system/router can authenticate user/app prevents address spoofing attacks by tracking sequence numbers based on use of a MAC HMAC-MD5-96 or HMAC-SHA-1-96 parties must share a secret key
12
Authentication Header
13
IPSec Authentication Header (AH) in Transport Mode Data TCP Hdr Orig IP Hdr Data TCP Hdr AH Hdr Orig IP Hdr Next Hdr Payload Len RsrvSecParamIndex Keyed Hash Integrity hash coverage (except for mutable fields in IP hdr) Seq# 24 bytes total AH is IP protocol 51 Insert © 2000 Microsoft Corporation
14
IPSec AH Tunnel ModeData TCP Hdr Orig IP Hdr Integrity hash coverage (except for mutable new IP hdr fields) IP Hdr AH Hdr AH HdrData TCP Hdr Orig IP Hdr New IP header with source & destination IP address © 2000 Microsoft Corporation
15
Encapsulating Security Payload (ESP) provides message content confidentiality & limited traffic flow confidentiality can optionally provide the same authentication services as AH supports range of ciphers, modes, padding incl. DES, Triple-DES, RC5, IDEA, CAST etc CBC most common pad to meet blocksize, for traffic flow
16
Encapsulating Security Payload
17
Transport vs Tunnel Mode ESP transport mode is used to encrypt & optionally authenticate IP data data protected but header left in clear can do traffic analysis but is efficient good for ESP host to host traffic tunnel mode encrypts entire IP packet add new header for next hop good for VPNs, gateway to gateway security
18
IPSec Encapsulating Security Payload (ESP) in Transport Mode Data TCP Hdr Orig IP Hdr Data TCP Hdr ESP Hdr Orig IP Hdr ESP Trailer ESP Auth Usually encrypted integrity hash coverage SecParamIndex Padding PaddingPadLengthNextHdr Seq# Keyed Hash 22-36 bytes total InitVector ESP is IP protocol 50 Insert Append © 2000 Microsoft Corporation
19
IPSec ESP Tunnel ModeData TCP Hdr Orig IP Hdr ESP Auth Usually encrypted integrity hash coverage Data TCP Hdr ESP Hdr IP Hdr IP HdrIPHdr New IP header with source & destination IP address © 2000 Microsoft Corporation ESP Trailer
20
Combining Security Associations SA’s can implement either AH or ESP to implement both need to combine SA’s form a security bundle Security associations can be bundled in two ways : transport adjacency and iterated tunneling
21
Authentication + confidentiality ESP with authentication option Transport mode ESP Tunnel mode ESP There are 4 basic combinations of SA’s(next slide)
22
Combining Security Associations
23
Oakley a key exchange protocol based on Diffie-Hellman key exchange adds features to address weaknesses cookies, groups (global params), nonces, DH key exchange with authentication
24
ISAKMP Internet Security Association and Key Management Protocol provides framework for key management defines procedures and packet formats to establish, negotiate, modify, & delete SAs independent of key exchange protocol, encryption alg, & authentication method
25
ISAKMP
26
ISAKMP Payload Types Hash-{Hash Data} Proposal-{Proposal#,Protocol ID,SPI size,# of transform} Transform-{Transform #, Transform ID,SA attribute} Key Exchange-{Key Exchange Data} Identification-{ID Type,ID Data} Signature(SIG)-{Signature Data} etc……….
27
ISAKMP Exchanges-5 default exchanges Base Exchange min imizes no: of exchanges –no ID protection use nounce-replay attack Identity Protection Exchange session keys-encrypted message containing authentication information. ie,DS and certificates validating public keys Authentication only Exchange Mutual authentication without key exchange
28
Aggressive Exchange min imizes no: of exchanges –no ID protection Informational Exchange-Error/status notification/deletion
29
Summary have considered: IPSec security framework AH ESP key management & Oakley/ISAKMP
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.