Documente Academic
Documente Profesional
Documente Cultură
1
Usability and Security
Determine
where on this
line your
organization
needs lie
Convenience
/ Usability
0 Security
2
Services, Mechanisms,
Algorithms
A typical security protocol provides one or
more security services (authentication, secrecy,
integrity, etc.)
Services are built from mechanisms.
Mechanisms are implemented using algorithms.
Services
SSL/IPSec/PPTP, etc (Security Protocols)
3
Security in the Internet
Architecture
Lack of security in the Internet Architecture
Security was left up to the applications
With the passage of time it was realized that
universal security at the IP level will become a
need and not a luxury
4
Security Application Email - S/MIME Application
•The further
Transport Transport
the more
Datalink PPP - ECP Datalink
transparent it is
Physical Physical
•The further up
you go, the
Encrypting Encrypting
easier it is to NIC
PHYSICAL NETWORK
NIC
deploy
5
Some Pros of Security at
the IP Level
Can be end to end or at least multilink unlike
link layer
Could be hw/sw supported (hw support for
encryption)
Can shield unmodified host apps giving them
crypto/security at the level of nets/hosts/and
possibly users
Can extend secure enclave across insecure areas
6
What is IPSec?
Extensions to the basis Internet Protocol to
provide security functions at the IP level
Applicable to both IP Version 4 and IP Version
6
IPSec available in Windows 2000, Linux, Cisco
Routers, etc.
7
How do you know IPSec is
there?
AH/ESP new IP layer protocols (50/51) with
either
1. an IP datagram encapsulated in them (tunnel mode)
2. TCP/UDP and the rest above them (transport mode)
8
IP Security Usage Scenario
9
Applications of IPSec
Secure Branch Office Connectivity Over the
Internet
Secure Remote Access Over the Internet
Establishing Extranet and Intranet Connectivity
with Business partners
Enhancing Electronic Commerce Security
10
IP Security Architecture
Defined by IPSec Documents (RFCs)
IP Security Protocol Working Group of IETF
IP Security Evolving with the passage of time
IPSec provides security services at the IP layer
by enabling a system to select required security
protocols, determine the algorithms to use for
the services, and put in place any cryptographic
keys required.
11
IPSec Documents Overview
Relevant RFCs
RFC 1825: An overview of a
security architecture
RFC 1826: Description of a
packet authentication extension
to IP
RFC 1828: A specific
authentication mechanism
RFC 1827: Description of a
packet encryption extension to
IP
RFC 1829: A specific encryption
mechanism
12
AH and ESP
AH
The Authentication Header provides support for
data integrity and authentication of IP packets
ESP
The Encapsulating Security Payload provides
confidentiality services, including confidentiality of
message contents and limited traffic flow
confidentiality. As an optional feature, ESP can also
provide the same authentication service as AH.
13
IPSec Services
14
Security Associations
What is a SA?
An SA is a one way relationship between a sender
and a received that affords security services to the
traffic carried on it.
SA Parameters
Security Association Database stores parameters
associated with each of the SAs
SA Selectors
Each SPD entry is defined by a set of IP and upper
layer protocol field values called selectors.
15
Security Association (SA)
A simplex (uni-directional) logical connection, created
for security purposes
All traffic traversing an SA is provided the same
security processing
In IPsec, an SA is an Internet-layer abstraction
implemented through the use of AH or ESP
State data associated with an SA is represented in the
SA Database (SAD)
16
Security Parameters Index (SPI)
An arbitrary 32-bit value that is used by a receiver to identify the SA to
which an incoming packet should be bound.
For a unicast SA, the SPI can be used by itself to specify an SA, or it may be
used in conjunction with the IPsec protocol type.
Additional IP address information is used to identify multicast SAs.
The SPI is carried in AH and ESP protocols to enable the receiving system to
select the SA under which a received packet will be processed.
An SPI has only local significance, as defined by the creator of the SA
(usually the receiver of the packet carrying the SPI); thus an SPI is generally
viewed as an opaque bit string.
However, the creator of an SA may choose to interpret the bits in an SPI to
facilitate local processing.
17
Security Association
Database Parameters
Security Parameters Index (SPI)
• sequence number counter
• sequence number overflow
• anti-replay window
• AH information
• ESP information
• lifetime of SA
• IPSec protocol mode
• Path MTU
• other information
18
SA Selector
IPSec provides flexibility
• SAs can be combined
• Security Policy Database (SPD) specifies mapping of IP
traffic to SAs
• mapping is done according to field values of selectors
– destination IP address
– source IP address
– user ID
– data sensitivity level
– transport layer protocol
– source and destination ports
19
Transport and Tunnel
Modes
Tunnel Mode means that one outgoing IP
packet is encapsulated in another packet with
typically a different IP destination
Tunnels can be (1) Router to Router (2) Router
to host or host to router (3) host to host
20
Transport and Tunnel
Modes
21
Tunnel Mode and Transport
Mode Functionality
22
Authentication Header
23
Services Provided by AH
Anti-Replay Service
Integrity Check Value
24
Anti-Replay Service
25
Transport and Tunnel
Modes
26
Scope of Authentication
Header
27
Scope of Authentication
Header
28
Encapsulating Security
Payload - ESP
ESP Services
Confidentiality
Authentication Services
ESP Format
SPI
SN
PD
Padding
Pad Length
Next Header
Authentication Data
29
ESP
30
ESP Format
31
Transport-level security
32
A virtual private network via
Tunnel Mode
33
Scope of ESP Encryption
and Authentication
34
Combining Security
Associations
35
Combining Security
Associations
36
Combining Security
Associations
37
Combining Security
Associations
38
Key Management
Involves the determination and distribution of
secret keys
Typically four keys are used between two
applications
Two types of key management
Manual
Automated
39
ISAKMP
•The default
automated key
management
protocol from
IPSec is referred to
as
ISAKMP/Oakley
•Oakley is a
refinement of
Diffie Hellman
Key Exchange
Protocol
40
ISAKMP
Exchange
Types
41
ISAKMP Payload Types
42
Conclusion
IPSec provides Universal IP level security for
all applications
Two choices are available AH and ESP
IPSec can be used in a transport mode for end
to end authentication and encryption or in
tunnel mode for router to router authentication
and encryption
IPSec can be implemented IPV4 as options and
is a required part of the implementation of IPV6
43