IP Security: Data and Network Security 1

This document discusses IP security (IPSec) which provides a framework for secure communication at the IP layer. IPSec can encrypt and authenticate traffic to secure applications, email, file transfers and web access. It provides benefits such as transparency to applications and individual user security. The key aspects covered include the IPSec architecture, services, security associations, authentication and encryption algorithms, key management protocols like Oakley and ISAKMP. Transport and tunnel modes are also described for how IPSec handles authentication and encryption of packet contents and headers.


Chapter 6

IP Security

Data and Network Security 1


TCP/IP Example


IPv4 Header


IPv6 Header


IP Security Overview
• Not a single protocol.
• A general framework that allows a pair of communicating entities to use the set of algorithms appropriate for their communication.
• Encrypts and/or authenticates all traffic at the IP level. Thus applications, email, file transfer and Web access can all be secured.


IP Security Overview
• Applications of IPSec
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing extranet and intranet connectivity with partners
– Enhancing electronic commerce security


IP Security Scenario


IP Security Overview
• Benefits of IPSec
– Transparent to applications (sits below the transport layer: TCP, UDP)
– Provides security for individual users
• IPSec can assure that:
– A router or neighbor advertisement comes from an authorized router
– A redirect message comes from the router to which the initial packet was sent
– A routing update is not forged


IP Security Architecture
• IPSec documents:
– RFC 2401: An overview of the security architecture
– RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
– RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
– RFC 2408: Specification of key management capabilities
IPSec Document Overview


IPSec Services
• Access Control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
• Confidentiality (encryption)
• Limited traffic flow confidentiality


Security Associations (SA)
• A one-way relationship between a sender and a receiver.
• Identified by three parameters:
– Security Parameter Index (SPI)
– IP Destination Address
– Security Protocol Identifier


Security Parameters
• An SA is defined by the following parameters:
– Sequence Number Counter
– Sequence Counter Overflow
– Anti-replay Window
– AH Information
– ESP Information
– Lifetime of this SA
– IPSec protocol mode (Tunnel or Transport?)
– Path MTU
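As an added example (not from the slides), the Python below models the SA identification triple and two of the parameters listed above, the Sequence Number Counter on the sender and the Anti-replay Window on the receiver, using the 64-packet sliding-window scheme described in RFC 2401 Appendix C. The SA entry, addresses and inbound sequence numbers are constructed sample values.

```python
"""SA lookup and anti-replay window (added example, not from the slides).

The SA is identified by (SPI, IP destination address, security protocol).
Per RFC 2401 Appendix C the receiver keeps the highest sequence number
validated so far plus a bitmap of the 64 numbers below it; a packet is
accepted once if it is new and not older than the window. The SA entry
and the inbound traffic in demo() are constructed sample values.
"""
from dataclasses import dataclass

WINDOW_SIZE = 64          # RFC 2401 requires at least 32; 64 is the common default
SEQ_MAX = 0xFFFFFFFF      # 32-bit sequence number field shared by AH and ESP


@dataclass
class SecurityAssociation:
    spi: int
    dest: str
    protocol: str         # "AH" or "ESP"
    mode: str             # "transport" or "tunnel"
    send_seq: int = 0     # sender: Sequence Number Counter
    highest_seq: int = 0  # receiver: right edge of the anti-replay window
    bitmap: int = 0       # receiver: bit i set => seq (highest_seq - i) was received

    def next_send_seq(self) -> int:
        """Sender: increment the counter and refuse to wrap (Sequence Counter Overflow)."""
        if self.send_seq >= SEQ_MAX:
            raise OverflowError("sequence counter exhausted; the SA must be re-keyed")
        self.send_seq += 1
        return self.send_seq

    def check_replay(self, seq: int) -> bool:
        """Receiver: accept seq once; reject replays and packets left of the window."""
        if seq == 0:
            return False                       # the first packet on an SA carries seq 1
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            mask = (1 << WINDOW_SIZE) - 1
            # slide the window right; bits pushed past the left edge are forgotten
            self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW_SIZE:
            return False                       # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay
        self.bitmap |= 1 << offset             # late but new: accept and record
        return True


class SecurityAssociationDatabase:
    """Inbound SAD keyed by the (SPI, destination, protocol) triple."""

    def __init__(self):
        self._entries = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._entries[(sa.spi, sa.dest, sa.protocol)] = sa

    def lookup(self, spi: int, dest: str, protocol: str):
        return self._entries.get((spi, dest, protocol))


def process_inbound(sad, packets):
    """Classify each (spi, dest, protocol, seq) tuple as accept, drop or no-sa."""
    decisions = []
    for spi, dest, protocol, seq in packets:
        sa = sad.lookup(spi, dest, protocol)
        if sa is None:
            decisions.append("no-sa")          # no matching SA: discard and audit
        elif sa.check_replay(seq):
            decisions.append("accept")
        else:
            decisions.append("drop")
    return decisions


def demo():
    sad = SecurityAssociationDatabase()
    sad.add(SecurityAssociation(spi=0x1000, dest="192.0.2.10", protocol="ESP", mode="tunnel"))
    # constructed inbound traffic: in order, reordered, replayed, then a large jump
    inbound = [
        (0x1000, "192.0.2.10", "ESP", 1),
        (0x1000, "192.0.2.10", "ESP", 3),
        (0x1000, "192.0.2.10", "ESP", 2),    # late but inside the window: accept
        (0x1000, "192.0.2.10", "ESP", 3),    # duplicate: replay
        (0x1000, "192.0.2.10", "ESP", 200),  # window slides to [137, 200]
        (0x1000, "192.0.2.10", "ESP", 100),  # left of the window: drop
        (0x1000, "192.0.2.10", "ESP", 137),  # oldest seq still inside the window
        (0x1000, "192.0.2.10", "ESP", 136),  # one past the left edge: drop
        (0x2000, "192.0.2.10", "ESP", 1),    # unknown SPI: no matching SA
    ]
    return process_inbound(sad, inbound)


if __name__ == "__main__":
    print(demo())
```

Note that the window only guards against replay when the ICV check on the packet has already passed; a forged packet with a fresh sequence number must be rejected by AH or ESP authentication before it is allowed to move the window.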


Transport Mode SA versus Tunnel Mode SA

AH
– Transport mode SA: authenticates the IP payload and selected portions of the IP header and IPv6 extension headers.
– Tunnel mode SA: authenticates the entire inner IP packet plus selected portions of the outer IP header.

ESP
– Transport mode SA: encrypts the IP payload and any IPv6 extension headers.
– Tunnel mode SA: encrypts the inner IP packet.

ESP with authentication
– Transport mode SA: encrypts the IP payload and any IPv6 extension headers; authenticates the IP payload but not the IP header.
– Tunnel mode SA: encrypts the inner IP packet; authenticates the inner IP packet.


Before applying AH


Transport Mode (AH Authentication)


Tunnel Mode (AH Authentication)


Authentication Header
• Provides data integrity and authentication (via a MAC) for IP packets.
• Guards against replay attacks.
• HMAC-MD5-96 or HMAC-SHA-1-96
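The mode table above says what AH covers in transport and tunnel mode, and this slide names the truncated HMACs it uses. The Python below is an added example (not from the slides): it builds a transport-mode and a tunnel-mode packet, computes the HMAC-SHA-1-96 ICV with the mutable IPv4 fields zeroed as RFC 2402 specifies, and shows which modifications each mode tolerates and which it rejects. The key, addresses and payload are constructed sample values, and the IPv4 header checksum is left at zero for brevity.

```python
"""AH integrity check (HMAC-SHA-1-96) in transport and tunnel mode (added example).

Mutable IPv4 fields (TOS, flags/fragment offset, TTL, header checksum) are
zeroed before hashing as RFC 2402 requires, so the ICV survives forwarding
while the remaining header fields, the AH itself and everything after it
stay covered. Key, addresses and payload below are constructed values.
"""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51                 # IP protocol number of the Authentication Header
IPIP_PROTO = 4                # next header value for an encapsulated IPv4 packet
UDP_PROTO = 17
ICV_LEN = 12                  # HMAC-SHA-1-96: 160-bit tag truncated to 96 bits
IP_HDR_LEN = 20
AH_FIXED_LEN = 12             # next header, payload length, reserved, SPI, sequence number
AH_LEN = AH_FIXED_LEN + ICV_LEN
KEY = b"constructed-demo-key-do-not-reuse"   # constructed sample key


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options; checksum left at zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, ident, 0,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable(ip_hdr):
    """Copy of the header with the RFC 2402 mutable fields set to zero."""
    b = bytearray(ip_hdr)
    b[1] = 0                   # TOS (DSCP/ECN)
    b[6:8] = b"\x00\x00"       # flags and fragment offset
    b[8] = 0                   # TTL, decremented by every router
    b[10:12] = b"\x00\x00"     # header checksum, recomputed by every router
    return bytes(b)


def ah_header(next_hdr, spi, seq, icv=b"\x00" * ICV_LEN):
    """AH with the given ICV; the length field counts 32-bit words minus 2."""
    return struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, ah, rest):
    """HMAC-SHA-1-96 over (header, mutable fields zeroed) + (AH, ICV zeroed) + rest."""
    ah_zeroed = ah[:AH_FIXED_LEN] + b"\x00" * ICV_LEN
    tag = hmac.new(key, zero_mutable(ip_hdr) + ah_zeroed + rest, hashlib.sha1).digest()
    return tag[:ICV_LEN]


def build_transport(key, src, dst, payload, spi=0x100, seq=1, next_hdr=UDP_PROTO):
    """Transport mode: AH is inserted between the original IP header and its payload."""
    ip = ipv4_header(src, dst, AH_PROTO, AH_LEN + len(payload))
    ah = ah_header(next_hdr, spi, seq)
    return ip + ah[:AH_FIXED_LEN] + compute_icv(key, ip, ah, payload) + payload


def build_tunnel(key, gw_src, gw_dst, inner_packet, spi=0x200, seq=1):
    """Tunnel mode: a new outer header and AH wrap the entire inner IP packet."""
    ip = ipv4_header(gw_src, gw_dst, AH_PROTO, AH_LEN + len(inner_packet))
    ah = ah_header(IPIP_PROTO, spi, seq)
    return ip + ah[:AH_FIXED_LEN] + compute_icv(key, ip, ah, inner_packet) + inner_packet


def verify(key, packet):
    """Receiver side: recompute the ICV and compare it in constant time."""
    ip = packet[:IP_HDR_LEN]
    ah = packet[IP_HDR_LEN:IP_HDR_LEN + AH_LEN]
    rest = packet[IP_HDR_LEN + AH_LEN:]
    if len(ah) != AH_LEN or ip[9] != AH_PROTO:
        return False
    return hmac.compare_digest(compute_icv(key, ip, ah, rest), ah[AH_FIXED_LEN:])


def _set_byte(pkt, offset, value):
    b = bytearray(pkt)
    b[offset] = value
    return bytes(b)


def demo():
    """Which changes each mode tolerates (mutable fields) and which it rejects (covered fields)."""
    payload = b"constructed UDP payload"
    transport = build_transport(KEY, "10.0.0.1", "10.0.0.2", payload)
    inner = ipv4_header("10.0.0.1", "10.0.0.2", UDP_PROTO, len(payload)) + payload
    tunnel = build_tunnel(KEY, "198.51.100.1", "203.0.113.1", inner)
    inner_ttl = IP_HDR_LEN + AH_LEN + 8            # offset of the inner header's TTL
    return {
        "transport_valid": verify(KEY, transport),
        "transport_ttl_decremented": verify(KEY, _set_byte(transport, 8, 63)),   # mutable: still valid
        "transport_src_changed": verify(KEY, _set_byte(transport, 12, 99)),      # covered: rejected
        "transport_payload_changed": verify(KEY, _set_byte(transport, len(transport) - 1, 0)),
        "tunnel_valid": verify(KEY, tunnel),
        "tunnel_outer_ttl_decremented": verify(KEY, _set_byte(tunnel, 8, 1)),    # outer TTL mutable
        "tunnel_inner_ttl_changed": verify(KEY, _set_byte(tunnel, inner_ttl, 1)),  # inner packet fully covered
    }
```

The contrast in demo() is the point of the table: in transport mode the outer TTL may change in flight but the source address and payload may not, while in tunnel mode the inner packet, including its own TTL, is covered in full and only the outer header's mutable fields are exempt.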


End-to-end versus End-to-Intermediate Authentication


Encapsulating Security Payload
• ESP provides confidentiality services


Encryption and Authentication Algorithms
• Encryption:
– Three-key triple DES
– RC5
– IDEA
– Three-key triple IDEA
– CAST
– Blowfish
• Authentication:
– HMAC-MD5-96
– HMAC-SHA-1-96
ESP Encryption and Authentication
(two figure slides)


Combinations of Security Associations
(four figure slides)


Key Management
• Two types:
– Manual
– Automated
• Oakley Key Determination Protocol
• Internet Security Association and Key Management Protocol (ISAKMP)


Oakley
• Three authentication methods:
– Digital signatures
– Public-key encryption
– Symmetric-key encryption


ISAKMP
– Defines procedures and packet formats to negotiate, establish, modify, and delete SAs
– UDP or TCP port 500


ISAKMP
