IP Sec by Amin Pathan
Transcript of IP Sec by Amin Pathan
1
IPSec—An Overview
By Amin Pathan
MGM's Polytechnic, Aurangabad
2
Outline
• Why IPSec?
• IPSec Architecture
• Internet Key Exchange (IKE)
• IPSec Policy
• Discussion
3
IP is not Secure!
• The IP protocol was designed in the late 70s to early 80s
– Part of the DARPA Internet Project
– Very small network
• All hosts were known! So were the users!
• Therefore, security was not an issue
4
Security Issues in IP
• Source spoofing
• Replayed packets
• No data integrity or confidentiality
• DoS attacks
• Replay attacks
• Spying
• and more…
Fundamental issue: networks are not (and will never be) fully secure
5
Goals of IPSec
• To verify the sources of IP packets
– Authentication
• To prevent replaying of old packets
• To protect the integrity and/or confidentiality of packets
– Data integrity / data encryption
6
Outline
• Why IPsec?
• IPSec Architecture
• Internet Key Exchange (IKE)
• IPsec Policy
• Discussion
7
The IPSec Security Model
(Figure: the IPSec security model, dividing the network into a secure and an insecure part.)
8
IPSec Architecture
(Figure: the components of the IPSec architecture: ESP (Encapsulating Security Payload), AH (Authentication Header), IKE (The Internet Key Exchange) and the IPSec Security Policy.)
9
IPSec Architecture
• IPSec provides security in three situations:
– Host-to-host, host-to-gateway and gateway-to-gateway
• IPSec operates in two modes:
– Transport mode (for end-to-end)
– Tunnel mode (for VPN)
10
IPsec Architecture
(Figure: tunnel mode, between two routers, and transport mode, end-to-end between the hosts.)
11
Various Packets
Original:        IP header | TCP header | data
Transport mode:  IP header | IPSec header | TCP header | data
Tunnel mode:     IP header | IPSec header | IP header | TCP header | data
12
IPSec
• A collection of protocols (RFC 2401)
– Authentication Header (AH): RFC 2402
– Encapsulating Security Payload (ESP): RFC 2406
– Internet Key Exchange (IKE): RFC 2409
– IP Payload Compression (IPComp): RFC 3137
13
Authentication Header (AH)
• Provides source authentication
– Protects against source spoofing
• Provides data integrity
• Protects against replay attacks
– Uses monotonically increasing sequence numbers
– Protects against denial of service attacks
• NO protection for confidentiality!
14
AH Details
• Uses a 32-bit monotonically increasing sequence number to avoid replay attacks
• Uses cryptographically strong hash algorithms to protect data integrity (96-bit)
– Uses symmetric key cryptography
– HMAC-SHA-96, HMAC-MD5-96
15
Encapsulating Security Payload (ESP)
• Provides all that AH offers, and in addition provides data confidentiality
– Uses symmetric key encryption
16
ESP Details
• Same as AH:
– Uses a 32-bit sequence number to counter replay attacks
– Uses integrity check algorithms
• Only in ESP:
– Data confidentiality: uses symmetric key encryption algorithms to encrypt packets
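The two mechanisms AH and ESP share (slides 14 and 16), a 32-bit sequence number checked against a sliding window and a 96-bit truncated HMAC, are shown below in an added example that is not part of the slides. It uses only the Python standard library; the key, the 64-packet window size and the traffic are constructed for the demo, and the order of the checks follows RFC 2401 (replay pre-check, then ICV verification, then window update) so that a forged packet cannot move the window.

```python
import hmac
import hashlib

# Constructed values for the demo; not from the slides.
WINDOW_SIZE = 64
DEMO_KEY = b"constructed-demo-key"


def icv96(key: bytes, data: bytes, algo: str = "sha1") -> bytes:
    """HMAC-SHA-96 / HMAC-MD5-96: the full HMAC truncated to its first 96 bits
    (12 bytes), the size of the Integrity Check Value AH and ESP carry."""
    return hmac.new(key, data, getattr(hashlib, algo)).digest()[:12]


class AntiReplayWindow:
    """Receiver-side sliding window over the sequence numbers of one SA.
    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set once sequence number (top - i) has been accepted."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def is_fresh(self, seq: int) -> bool:
        """Cheap pre-check done before the ICV is verified; changes no state."""
        if seq == 0 or seq > 0xFFFFFFFF:
            return False                  # sequence number 0 is never sent on an SA
        if seq > self.top:
            return True                   # right of the window: new
        offset = self.top - seq
        if offset >= self.size:
            return False                  # left of the window: too old
        return not (self.bitmap & (1 << offset))   # inside: new only if unseen

    def mark(self, seq: int) -> None:
        """Update the window. Called only after the ICV verified, so a forged
        packet with a large sequence number cannot slide the window forward."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def protect(key: bytes, seq: int, payload: bytes) -> tuple:
    """Sender side: the ICV covers the sequence number and the payload."""
    return seq, payload, icv96(key, seq.to_bytes(4, "big") + payload)


def receive(window: AntiReplayWindow, key: bytes, seq: int, payload: bytes, icv: bytes) -> str:
    """Receiver side in RFC 2401 order: replay pre-check, ICV check, window update."""
    if not window.is_fresh(seq):
        return "replay"
    expected = icv96(key, seq.to_bytes(4, "big") + payload)
    if not hmac.compare_digest(expected, icv):
        return "bad-icv"
    window.mark(seq)
    return "ok"


def run_demo() -> list:
    """Constructed traffic: three good packets, a replay of #2, a forged packet
    with a far-ahead sequence number and a bogus ICV, then the legitimate #4."""
    window = AntiReplayWindow()
    results = []
    good = [protect(DEMO_KEY, n, b"payload-%d" % n) for n in (1, 2, 3)]
    for pkt in good:
        results.append(receive(window, DEMO_KEY, *pkt))
    results.append(receive(window, DEMO_KEY, *good[1]))                      # replayed #2
    results.append(receive(window, DEMO_KEY, 5000, b"forged", bytes(12)))    # wrong ICV
    results.append(receive(window, DEMO_KEY, *protect(DEMO_KEY, 4, b"payload-4")))
    return results


if __name__ == "__main__":
    print(run_demo())
```

The forged packet is rejected on its ICV before `mark()` runs, so the window's top stays at 3 and the real packet 4 is still accepted; had the window been advanced first, an attacker could have pushed every legitimate packet left of the window.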
17
Internet Key Exchange (IKE)
• Exchanges and negotiates security policies
• Establishes security sessions
– Identified as Security Associations
• Key exchange
• Key management
• Can be used outside IPsec as well
18
IPsec/IKE Acronyms
• Security Association (SA)
– A collection of attributes associated with a connection
– Is asymmetric! One SA for inbound traffic, another SA for outbound traffic
– Similar to ciphersuites in SSL
• Security Association Database (SADB)
– A database of SAs
19
IPsec/IKE Acronyms
• Security Parameter Index (SPI)
– A unique index for each entry in the SADB
– Identifies the SA associated with a packet
• Security Policy Database (SPD)
– Stores the policies used to establish SAs
20
How They Fit Together
(Figure: the SPD refers to entries in the SADB; each SA in the SADB (SA-1, SA-2) is selected by its SPI.)
21
SPD and SADB Example
(Figure: hosts A and B, with gateways C and D between them; AH is applied in transport mode between A and B, and ESP in tunnel mode between C and D. Asub and Bsub are the subnets behind C and D.)

A's SPD:
From   To   Protocol   Port   Policy
A      B    Any        Any    AH[HMAC-MD5]

A's SADB:
From   To   Protocol   SPI   SA Record
A      B    AH         12    HMAC-MD5 key

C's SPD:
From   To     Protocol   Port   Policy      Tunnel Dest
Asub   Bsub   Any        Any    ESP[3DES]   D

C's SADB:
From   To     Protocol   SPI   SA Record
Asub   Bsub   ESP        14    3DES key
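To show how the SPD and SADB of slide 21 are actually consulted, here is an added example (not from the slides) that loads the four tables above into small Python data structures and walks a packet from A to B through A and then C. Outbound, the SPD selectors pick the policy and mode and the SADB supplies the SA; inbound, the SA is found by (destination, protocol, SPI). The inbound SA for A (SPI 13) is constructed to illustrate that SAs are one-way; it is not on the slide, and the key fields are labels rather than real key material.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SpdEntry:
    """One row of a Security Policy Database, with the slide's columns."""
    src: str
    dst: str
    protocol: str                   # "Any", "TCP", "AH", "ESP", ...
    port: str                       # "Any" or a port number as text
    policy: str                     # e.g. "AH[HMAC-MD5]" or "ESP[3DES]"
    mode: str                       # "Transport" or "Tunnel"
    tunnel_dest: Optional[str] = None


@dataclass(frozen=True)
class SaRecord:
    """One row of a Security Association Database."""
    src: str
    dst: str
    protocol: str                   # "AH" or "ESP"
    spi: int
    key: str                        # label standing in for the real key material


# Topology from the slide: hosts A and B behind gateways C and D, on subnets Asub and Bsub.
SUBNET_OF = {"A": "Asub", "B": "Bsub"}

# The four tables as the slide gives them (plus one constructed inbound SA for A).
A_SPD = [SpdEntry("A", "B", "Any", "Any", "AH[HMAC-MD5]", "Transport")]
A_SADB = [
    SaRecord("A", "B", "AH", 12, "HMAC-MD5 key"),
    # Constructed, not on the slide: the separate inbound SA, since SAs are one-way.
    SaRecord("B", "A", "AH", 13, "HMAC-MD5 key (inbound)"),
]
C_SPD = [SpdEntry("Asub", "Bsub", "Any", "Any", "ESP[3DES]", "Tunnel", tunnel_dest="D")]
C_SADB = [SaRecord("Asub", "Bsub", "ESP", 14, "3DES key")]


def matches(selector: str, value: str) -> bool:
    """A selector matches a field literally, as "Any", or as the subnet the host is on."""
    return selector in ("Any", value, SUBNET_OF.get(value))


def spd_lookup(spd, src, dst, protocol, port) -> Optional[SpdEntry]:
    """Outbound: the first SPD row whose selectors all match the packet (order matters)."""
    for entry in spd:
        if (matches(entry.src, src) and matches(entry.dst, dst)
                and matches(entry.protocol, protocol) and matches(entry.port, port)):
            return entry
    return None


def sadb_outbound(sadb, entry: SpdEntry, src, dst) -> Optional[SaRecord]:
    """Outbound: the SA is chosen by the policy's protocol plus the traffic endpoints."""
    wanted = entry.policy.split("[")[0]          # "AH[HMAC-MD5]" -> "AH"
    for sa in sadb:
        if sa.protocol == wanted and matches(sa.src, src) and matches(sa.dst, dst):
            return sa
    return None


def sadb_inbound(sadb, dst, protocol, spi) -> Optional[SaRecord]:
    """Inbound: the packet carries the SPI, so the SA is found by (destination, protocol, SPI)."""
    for sa in sadb:
        if sa.spi == spi and sa.protocol == protocol and matches(sa.dst, dst):
            return sa
    return None


def protect_outbound(node, spd, sadb, src, dst, protocol, port) -> Optional[dict]:
    """What one node does to an outbound packet: the SPD picks policy and mode, the SADB
    supplies SPI and key. None means no policy matched here; a real SPD (RFC 2401)
    would carry explicit bypass/discard rows instead of relying on a miss."""
    entry = spd_lookup(spd, src, dst, protocol, port)
    if entry is None:
        return None
    sa = sadb_outbound(sadb, entry, src, dst)
    if sa is None:
        return {"action": "negotiate", "policy": entry.policy}   # IKE would create the SA first
    outer = (node, entry.tunnel_dest) if entry.mode == "Tunnel" else (src, dst)
    return {"action": "apply", "protocol": sa.protocol, "spi": sa.spi,
            "mode": entry.mode, "outer_header": outer, "key": sa.key}


def walk_a_to_b() -> tuple:
    """A TCP packet from A to B: A applies AH in transport mode, then gateway C wraps
    the (now AH) packet in an ESP tunnel whose outer header runs from C to D."""
    at_a = protect_outbound("A", A_SPD, A_SADB, "A", "B", "TCP", "80")
    at_c = protect_outbound("C", C_SPD, C_SADB, "A", "B", "AH", "Any")
    return at_a, at_c


if __name__ == "__main__":
    print(walk_a_to_b())
    print(sadb_inbound(A_SADB, "A", "AH", 13), sadb_inbound(A_SADB, "A", "AH", 12))
```

Two points worth noticing when running it: at C the packet still matches the Asub→Bsub selector even though its protocol is now AH, because C's policy says "Any"; and looking up SPI 12 as an inbound SA at A returns nothing, because SPI 12 belongs to the outbound SA whose destination is B.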
22
IPsec Policy
• Phase 1 policies are defined in terms of protection suites
• Each protection suite
– Must contain the following: encryption algorithm, hash algorithm, authentication method, Diffie-Hellman group
– May optionally contain the following: lifetime, …
23
IPSec Policy
• Phase 2 policies are defined in terms of proposals
• Each proposal:
– May contain one or more of the following: AH sub-proposals, ESP sub-proposals, IPComp sub-proposals
– Along with necessary attributes such as key length, lifetime, etc.
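The policy rules of slides 22 and 23 can be turned into a small matcher: Phase 1 compares the four mandatory attributes of a protection suite and treats lifetime as optional; Phase 2 accepts a proposal only if every sub-proposal (AH, ESP, IPComp) in it is acceptable. The following added example (not from the slides) does both; the suites, proposals and algorithm names it negotiates over are constructed inputs, and the "first acceptable offer wins" rule is the example's own simplification of IKE's negotiation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Phase 1: the attributes the slide says every protection suite must carry.
REQUIRED_P1 = ("encryption", "hash_alg", "auth_method", "dh_group")


@dataclass(frozen=True)
class ProtectionSuite:
    encryption: str
    hash_alg: str
    auth_method: str
    dh_group: int
    lifetime: Optional[int] = None      # seconds; optional per the slide


def missing_attributes(policy: dict) -> List[str]:
    """Validate a Phase 1 policy before offering it: every required attribute must be present."""
    return [name for name in REQUIRED_P1 if name not in policy]


def negotiate_phase1(offered: List[ProtectionSuite],
                     local: List[ProtectionSuite]) -> Optional[ProtectionSuite]:
    """Responder takes the first offered suite whose four mandatory attributes it also
    supports. Lifetime is optional, so the shorter one (if either side set one) wins."""
    for suite in offered:
        for mine in local:
            if ((suite.encryption, suite.hash_alg, suite.auth_method, suite.dh_group)
                    == (mine.encryption, mine.hash_alg, mine.auth_method, mine.dh_group)):
                lifetimes = [t for t in (suite.lifetime, mine.lifetime) if t is not None]
                return ProtectionSuite(suite.encryption, suite.hash_alg, suite.auth_method,
                                       suite.dh_group, min(lifetimes) if lifetimes else None)
    return None


# Phase 2: a proposal bundles one or more AH / ESP / IPComp sub-proposals with attributes.
@dataclass(frozen=True)
class SubProposal:
    protocol: str                       # "AH", "ESP" or "IPComp"
    transform: str                      # e.g. "HMAC-MD5", "3DES", "AES", "DEFLATE"
    key_length: Optional[int] = None    # bits, where the transform has a variable length
    lifetime: Optional[int] = None


@dataclass(frozen=True)
class Proposal:
    subs: Tuple[SubProposal, ...]       # applied together if the proposal is accepted


def sub_acceptable(sub: SubProposal, acceptable: List[SubProposal]) -> bool:
    """Acceptable if the responder lists the same protocol and transform and either
    does not constrain the key length or asks for exactly this one."""
    return any(a.protocol == sub.protocol and a.transform == sub.transform
               and (a.key_length is None or a.key_length == sub.key_length)
               for a in acceptable)


def negotiate_phase2(offered: List[Proposal],
                     acceptable: List[SubProposal]) -> Optional[Proposal]:
    """A proposal is taken whole or not at all: every sub-proposal in it must be acceptable."""
    for proposal in offered:
        if proposal.subs and all(sub_acceptable(s, acceptable) for s in proposal.subs):
            return proposal
    return None


# Constructed negotiation inputs (not from the slides).
INITIATOR_SUITES = [
    ProtectionSuite("3DES", "SHA1", "pre-shared-key", 2, lifetime=3600),
    ProtectionSuite("AES-128", "SHA1", "RSA-signature", 5),
]
RESPONDER_SUITES = [
    ProtectionSuite("AES-128", "SHA1", "RSA-signature", 5, lifetime=28800),
    ProtectionSuite("3DES", "MD5", "pre-shared-key", 2),
]
INITIATOR_PROPOSALS = [
    Proposal((SubProposal("ESP", "3DES"), SubProposal("AH", "HMAC-MD5"))),   # ESP and AH together
    Proposal((SubProposal("ESP", "3DES"),)),                                  # ESP alone
]
RESPONDER_ACCEPTABLE = [
    SubProposal("ESP", "3DES"),
    SubProposal("ESP", "AES", key_length=128),
    SubProposal("IPComp", "DEFLATE"),
]


if __name__ == "__main__":
    print(negotiate_phase1(INITIATOR_SUITES, RESPONDER_SUITES))
    print(negotiate_phase2(INITIATOR_PROPOSALS, RESPONDER_ACCEPTABLE))
```

With these inputs the first Phase 1 offer fails only on the hash algorithm (SHA1 versus MD5), which is enough to reject the whole suite, and the first Phase 2 proposal fails because the responder does not accept its AH sub-proposal, so the ESP-only proposal is the one chosen.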
24
Resources
• IP, IPsec and related RFCs:
– http://www.ietf.org/html.charters/ipsec-charter.html
– IPsec: RFC 2401, IKE: RFC 2409
– www.freeswan.org
• Google search