Upload
roy-little
View
216
Download
0
Embed Size (px)
DESCRIPTION
Why do we need IPSec? Because IP is insecure – you can Forge IP address modify packet contents replay old content inspect packet content during transit
Citation preview
IPSec – IP Security Protocol
ByArchis Raje
What is IPSec IP Security – set of extensions
developed by IETF to provide privacy and authentication to IP.
To protect the contents of an IP datagram, the data is transformed using cryptography.
Why do we need IPSec?Because IP is insecure – you can• Forge IP address• modify packet contents• replay old content• inspect packet content during transit
How does it work?combination of - Cryptographic protocols Security mechanisms
What Does IPSec Provide? Access control to network elements. Data origin authentication. Connectionless integrity for protocols
such as UDP. Detection and rejection of replayed
packets. Use of encryption to provide data
confidentiality. Limited traffic flow confidentiality.
Since the IPSec services are offered at the
network layer of the TCP/IP protocol stack, these services can be used by any of the upper-layer protocols such as TCP, UDP, ICMP and IGMP or any application layer protocol.
IPSec provides cryptographic based security for ipv4 and ipv6 datagrams.
How?Using two traffic security protocols: Authentication header (AH). Encapsulating security payload (ESP).
And through the use of cryptographic-key management procedures and protocols such as -
Internet key exchange (IKE) protocol.
Together, the security protocols
provide - Data confidentiality Limited traffic flow confidentiality Connectionless integrity Data origin authentication Anti-replay service
Modes of Operation of AH and ESP Transport mode Tunnel mode
Transport Mode
Authenticated
IP Header
AH transformation:
IP Header
TCP/UDP Header
TCP/UDPHeaderAH Header
Upper layerpayload
Upper layerpayload
Transport ModeESP transformation:
Encrypted
Authenticated
IP Header
IP Header
TCP/UDP Header
TCP/UDP Header
Upper layerpayload
Upper layerpayload
ESP Header
ESPTrailer
ESPauth
Tunnel ModeAH transformation:
IP HeaderUpper layerpayload
Upper layerpayloadIP Header
TCP/UDP Header
TCP/UDP HeaderIP Header AH Header
Authenticated
Tunnel ModeESP transformation:
Encrypted
Authenticated
IP Header
IP Header IP Header
TCP/UDP Header
TCP/UDP Header
Upper layerpayload
Upper layerpayload
ESP Header
ESPTrailer
ESPauth
Communication The IKE protocol is used to negotiate the
cryptographic algorithm choices, to be utilized by AH and ESP, and put in place the necessary cryptographic keys that the algorithms require.
IPSec can implement different security policy/encryption algorithm for different subnets, nodes, etc.
It does this by the use of Security Association (SA).
Security AssociationAn agreement between communicating peers
on factors such as - IPSec protocol Mode of operation of the protocols (transport
mode or tunnel mode) Cryptographic algorithms Cryptographic keys Lifetime of the keys
SAs are simplex (unidirectional)
SAD – Security Association Database Stores SA parameters communicated by
IKE. Contents are –
Sequence number counter. Sequence counter overflow flag Anti-replay window IPSec protocol mode Path maximum transfer unit (PMTU) Lifetime of the SA
SPD - Security Policy Database Contains policies that are to be applied to
the traffic destined to or originated from a given host or network.
Contents are – Destination IP address Source IP address Transport layer protocol System name: FQDN or email id User ID
Drawbacks Complex - has too many options. Prone to Initialization Vector attacks.