IPSec

IPSec provides the capability to secure

communications across a LAN, across
private and public wide area networks
(WANs) and across the Internet

1
 Usability and Security
 Determine
where on this
line your
organization
needs lie
Convenience
/ Usability

0 Security 
2
 Services, Mechanisms,
Algorithms
 A typical security protocol provides one or
more security services (authentication, secrecy,
integrity, etc.)
 Services are built from mechanisms.
 Mechanisms are implemented using algorithms.
Services
SSL/IPSec/PPTP, etc (Security Protocols)

Signatures Encryption Hashing Mechanisms

DSA RSA RSA DES SHA1 MD5 Algorithms

3
 Security in the Internet
Architecture
 Lack of security in the Internet Architecture
 Security was left up to the applications
 With the passage of time it was realized that
universal security at the IP level will become a
need and not a luxury

4
Security Application Email - S/MIME Application

Protocol Presentation Presentation

Layers Session SSL Session

•The further
Transport Transport

down you go, Network IPSec Network

the more
Datalink PPP - ECP Datalink
transparent it is
Physical Physical

•The further up
you go, the
Encrypting Encrypting
easier it is to NIC
PHYSICAL NETWORK
NIC

deploy
5
 Some Pros of Security at
the IP Level
 Can be end to end or at least multilink unlike
link layer
 Could be hw/sw supported (hw support for
encryption)
 Can shield unmodified host apps giving them
crypto/security at the level of nets/hosts/and
possibly users
 Can extend secure enclave across insecure areas

6
 What is IPSec?
 Extensions to the basis Internet Protocol to
provide security functions at the IP level
 Applicable to both IP Version 4 and IP Version
6
 IPSec available in Windows 2000, Linux, Cisco
Routers, etc.

7
 How do you know IPSec is
there?
 AH/ESP new IP layer protocols (50/51) with
either
1. an IP datagram encapsulated in them (tunnel mode)
2. TCP/UDP and the rest above them (transport mode)

 Every packet may have AH/ESP applied to them:

AH for authentication;
ESP for encryption and authentication, this is bulk/per-
packet encryption/authentication

8
IP Security Usage Scenario

9
 Applications of IPSec
 Secure Branch Office Connectivity Over the
Internet
 Secure Remote Access Over the Internet
 Establishing Extranet and Intranet Connectivity
with Business partners
 Enhancing Electronic Commerce Security

10
 IP Security Architecture
 Defined by IPSec Documents (RFCs)
 IP Security Protocol Working Group of IETF
 IP Security Evolving with the passage of time
 IPSec provides security services at the IP layer
by enabling a system to select required security
protocols, determine the algorithms to use for
the services, and put in place any cryptographic
keys required.

11
 IPSec Documents Overview
 Relevant RFCs
 RFC 1825: An overview of a
security architecture
 RFC 1826: Description of a
packet authentication extension
to IP
 RFC 1828: A specific
authentication mechanism
 RFC 1827: Description of a
packet encryption extension to
IP
 RFC 1829: A specific encryption
mechanism

12
 AH and ESP
 AH
The Authentication Header provides support for
data integrity and authentication of IP packets
 ESP
The Encapsulating Security Payload provides
confidentiality services, including confidentiality of
message contents and limited traffic flow
confidentiality. As an optional feature, ESP can also
provide the same authentication service as AH.

13
IPSec Services

14
 Security Associations
 What is a SA?
An SA is a one way relationship between a sender
and a received that affords security services to the
traffic carried on it.
 SA Parameters
Security Association Database stores parameters
associated with each of the SAs
 SA Selectors
Each SPD entry is defined by a set of IP and upper
layer protocol field values called selectors.

15
 Security Association (SA)
 A simplex (uni-directional) logical connection, created
for security purposes
 All traffic traversing an SA is provided the same
security processing
 In IPsec, an SA is an Internet-layer abstraction
implemented through the use of AH or ESP
 State data associated with an SA is represented in the
SA Database (SAD)

16
 Security Parameters Index (SPI)
 An arbitrary 32-bit value that is used by a receiver to identify the SA to
which an incoming packet should be bound.
 For a unicast SA, the SPI can be used by itself to specify an SA, or it may be
used in conjunction with the IPsec protocol type.
 Additional IP address information is used to identify multicast SAs.
 The SPI is carried in AH and ESP protocols to enable the receiving system to
select the SA under which a received packet will be processed.
 An SPI has only local significance, as defined by the creator of the SA
 (usually the receiver of the packet carrying the SPI); thus an SPI is generally
viewed as an opaque bit string.
 However, the creator of an SA may choose to interpret the bits in an SPI to
facilitate local processing.

17
 Security Association
Database Parameters
 Security Parameters Index (SPI)
 • sequence number counter
 • sequence number overflow
 • anti-replay window
 • AH information
 • ESP information
 • lifetime of SA
 • IPSec protocol mode
 • Path MTU
 • other information

18
 SA Selector
 IPSec provides flexibility
 • SAs can be combined
 • Security Policy Database (SPD) specifies mapping of IP
 traffic to SAs
 • mapping is done according to field values of selectors
 – destination IP address
 – source IP address
 – user ID
 – data sensitivity level
 – transport layer protocol
 – source and destination ports
19
 Transport and Tunnel
Modes
 Tunnel Mode means that one outgoing IP
packet is encapsulated in another packet with
typically a different IP destination
 Tunnels can be (1) Router to Router (2) Router
to host or host to router (3) host to host

20
Transport and Tunnel
Modes

21
Tunnel Mode and Transport
Mode Functionality

22
Authentication Header

23
 Services Provided by AH
 Anti-Replay Service
 Integrity Check Value

24
Anti-Replay Service

25
Transport and Tunnel
Modes

26
Scope of Authentication
Header

27
Scope of Authentication
Header

28
 Encapsulating Security
Payload - ESP
 ESP Services
Confidentiality
Authentication Services
 ESP Format
SPI
SN
PD
Padding
Pad Length
Next Header
Authentication Data

29
ESP

30
ESP Format

31
Transport-level security

32
A virtual private network via
Tunnel Mode

33
Scope of ESP Encryption
and Authentication

34
Combining Security
Associations

35
Combining Security
Associations

36
Combining Security
Associations

37
Combining Security
Associations

38
 Key Management
 Involves the determination and distribution of
secret keys
 Typically four keys are used between two
applications
 Two types of key management
Manual
Automated

39
 ISAKMP
•The default
automated key
management
protocol from
IPSec is referred to
as
ISAKMP/Oakley
•Oakley is a
refinement of
Diffie Hellman
Key Exchange
Protocol

40
ISAKMP
Exchange
Types

41
ISAKMP Payload Types

42
 Conclusion
 IPSec provides Universal IP level security for
all applications
 Two choices are available AH and ESP
 IPSec can be used in a transport mode for end
to end authentication and encryption or in
tunnel mode for router to router authentication
and encryption
 IPSec can be implemented IPV4 as options and
is a required part of the implementation of IPV6
43