
IPSec



  1. IPSec
  Zeen Rachidi, David Salim, Archana Mehta

  2. Agenda
  • Definition of IPSec
  • IPSec Architecture
  • Encapsulating Security Payload and Authentication Header
  • Encryption and Authentication Algorithms
  • Internet Key Exchange mechanism
  • Scenarios for deploying
  • Implementation
  • Benefits
  • Limitations
  • Current areas of research

  3. Definition of IPSec
  • IPSec is an abbreviation for IP security, which is used to transfer data securely over unprotected networks such as the Internet.
  • It acts at the network layer and is part of IPv6.
  • The protocol/process is as follows:
    • Sender encrypts packets before sending them on the network.
    • Receiver authenticates packets.
    • Anti-replay checks reject duplicate packets, preventing DoS attacks.
    • IKE is the key exchange mechanism used to exchange keys securely.

  4. IPSec Architecture
  [Figure: the RFCs that define IPSec. Source: IPSec Architecture Overview]

  5. IPSec Architecture
  • RFC 2401 – Overall security architecture and services offered by IPSec.
  • Authentication Protocols
    • RFC 2402 – IP Authentication Header processing (inbound/outbound packets)
    • RFC 2403 – Use of MD5 with Encapsulating Security Payload and Authentication Header
    • RFC 2404 – Use of SHA-1 with Encapsulating Security Payload and Authentication Header
  • ESP Protocol
    • RFC 2405 – Use of DES-CBC, a symmetric secret-key block algorithm (block size 64 bits).
    • RFC 2406 – IP Encapsulating Security Payload processing (inbound/outbound packets)
    • RFC 2407 – Determines how to use ISAKMP for IPSec

  6. IPSec Architecture – Key Management
  • RFC 2408 (Internet Security Association and Key Management Protocol – ISAKMP)
    • Common framework for exchanging keys securely.
    • Defines the format of Security Association (SA) attributes, and how SAs are negotiated, modified and deleted.
    • A Security Association contains information such as keys, source and destination addresses, and the algorithms used.
    • Independent of the key exchange mechanism.
  • RFC 2409 – Internet Key Exchange
    • Mechanisms for generating and exchanging keys securely.

  7. Encapsulation Security Payload
  • Designed to provide both confidentiality and integrity protection
  • Everything after the IP header is encrypted
  • The ESP header is inserted after the IP header

  8. Authentication Header
  • Designed for integrity only
  • Certain fields of the IP header and everything after the IP header are protected
  • Provides protection to the immutable parts of the IP header

  9. Encryption Algorithms
  Some of the standard encryption algorithms implemented in IPSec are:
  • 3DES
  • AES
  • NULL

  10. Authentication Algorithms
  • Used to achieve integrity protection of data
  • Everything after the IP header is hashed
  • Hash is attached to the IP header as an integrity checksum
  • Destination host generates a hash using the same algorithm and compares it to the one attached to the packet
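Slides 8 and 10 describe the integrity check in words; the added example below carries it through at the byte level for the Authentication Header in transport mode. It is illustration code written for this page, not the presentation's or any IPsec stack's code. The AH layout (next header, payload length, reserved, SPI, sequence number, ICV) follows RFC 2402, the ICV is HMAC-SHA1-96 as in RFC 2404, and the fields zeroed before hashing (TOS, flags/fragment offset, TTL, header checksum) are the mutable ones RFC 2402 lists. The `ipv4_header` helper, the key and the addresses are constructed for the demonstration; the IPv4 checksum is left at zero to keep the example short.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51                               # IP protocol number of the Authentication Header
ICV_LEN = 12                                # HMAC-SHA1-96: SHA-1 MAC truncated to 96 bits
IP_HDR = struct.Struct("!BBHHHBBH4s4s")     # minimal IPv4 header, no options
AH_FIXED = struct.Struct("!BBHII")          # next hdr, payload len, reserved, SPI, seq


def ipv4_header(src, dst, proto, total_len, ttl=64, ident=0x1234):
    # Hypothetical helper: 20-byte IPv4 header, checksum left 0 for brevity
    return IP_HDR.pack(0x45, 0, total_len, ident, 0x4000, ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_hdr):
    """TOS, flags/fragment offset, TTL and checksum change in transit (RFC 2402),
    so both ends treat them as zero when computing the ICV."""
    f = list(IP_HDR.unpack(ip_hdr))
    f[1] = 0    # TOS
    f[4] = 0    # flags + fragment offset
    f[5] = 0    # TTL
    f[7] = 0    # header checksum
    return IP_HDR.pack(*f)


def compute_icv(key, ip_hdr, ah_fixed, payload):
    """Hash the immutable header fields plus everything after the IP header,
    with the ICV field itself taken as zero (slide 10's 'integrity checksum')."""
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, src, dst, payload, spi, seq, next_header=17):
    """Sender side: insert AH between the IP header and the payload (transport mode)."""
    ah_len = AH_FIXED.size + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH_PROTO, IP_HDR.size + ah_len + len(payload))
    payload_len = ah_len // 4 - 2           # AH length in 32-bit words, minus 2
    ah_fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    icv = compute_icv(key, ip_hdr, ah_fixed, payload)
    return ip_hdr + ah_fixed + icv + payload


def ah_verify(key, packet):
    """Receiver side: recompute the ICV and compare in constant time.
    Returns (True, payload) on success, (False, None) on any failure."""
    ip_hdr = packet[:IP_HDR.size]
    if IP_HDR.unpack(ip_hdr)[6] != AH_PROTO:
        return False, None
    off = IP_HDR.size
    ah_fixed = packet[off:off + AH_FIXED.size]
    off += AH_FIXED.size
    icv = packet[off:off + ICV_LEN]
    payload = packet[off + ICV_LEN:]
    expected = compute_icv(key, ip_hdr, ah_fixed, payload)
    if not hmac.compare_digest(icv, expected):
        return False, None
    return True, payload


def demo():
    """Constructed sample: one protected packet, then three things that can
    happen to it on the way (a router hop, payload tampering, a wrong key)."""
    key = b"constructed-key!"
    pkt = ah_protect(key, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                     b"hello", spi=0x100, seq=1)
    intact_ok, _ = ah_verify(key, pkt)

    hop = bytearray(pkt)
    hop[8] -= 1                              # router decrements TTL: mutable, still verifies
    after_hop_ok, _ = ah_verify(key, bytes(hop))

    bad = bytearray(pkt)
    bad[-1] ^= 0x01                          # one flipped payload bit must be detected
    tampered_ok, _ = ah_verify(key, bytes(bad))

    wrong_key_ok, _ = ah_verify(b"another-key-0000", pkt)
    return intact_ok, after_hop_ok, tampered_ok, wrong_key_ok
    # returns (True, True, False, False)
```

The TTL case is the reason the mutable fields are zeroed: without that step every router hop would invalidate the ICV. `hmac.compare_digest` is used for the comparison so that verification time does not depend on which byte of the ICV first differs.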

  11. Internet Key Exchange
  • Phase 1 achieves mutual authentication and establishes an IKE Security Association (SA). Three key options include:
    • Public Key Encryption
    • Public Key Signature
    • Symmetric Key
  • Phase 2 establishes the ESP/AH SA

  12. IPSec Transport Mode
  [Diagram: IP Header | AH/ESP | Data]
  • AH or ESP header is inserted between the IP header and payload
  • Encrypts only the data portion of packet
  • Designed for host-to-host communication where routing information is needed

  13. IPSec Tunnel Mode
  [Diagram: Original IP Packet: IP Header | Data. Tunnelled: IP Header | AH/ESP | Data]
  • Original IP packet is placed in new IP packet with AH or ESP header
  • Designed for gateway-to-gateway communication

  14. Tunnel vs Transport Mode
  • Transport mode is more efficient
  • Transport mode hides all information of the original packet
  • Transport mode is not needed
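To make the difference between slides 12, 13 and 14 concrete, the added example below builds the same payload in both modes using ESP with the NULL cipher from slide 9 (so the bytes stay readable) and shows what an on-path router can learn from each. This is illustration code written for this page, not the presentation's or any IPsec stack's code. The ESP framing (SPI, sequence number, data, padding, pad length, next header) follows RFC 2406; the ICV is omitted because the point here is the encapsulation, not the MAC. The `ipv4_header` helper, the addresses and the SPIs are constructed for the demonstration, and the IPv4 checksum is left at zero.

```python
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # minimal IPv4 header, no options
ESP_PROTO = 50                            # IP protocol number of ESP
IPIP_PROTO = 4                            # next-header value: an IPv4 packet follows


def ipv4_header(src, dst, proto, total_len, ttl=64):
    # Hypothetical helper: 20-byte IPv4 header, checksum left 0 for brevity
    return IP_HDR.pack(0x45, 0, total_len, 0, 0x4000, ttl, proto, 0, src, dst)


def esp_wrap(inner, next_header, spi, seq):
    """ESP body with the NULL cipher: SPI, sequence number, the protected data,
    padding so the trailer ends on a 4-byte boundary, pad length, next header."""
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(pad_len) + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + inner + trailer


def transport_mode(src, dst, payload, payload_proto, spi, seq):
    """Slide 12: ESP sits between the host's own IP header and the data."""
    body = esp_wrap(payload, payload_proto, spi, seq)
    return ipv4_header(src, dst, ESP_PROTO, IP_HDR.size + len(body)) + body


def tunnel_mode(gw_src, gw_dst, original_packet, spi, seq):
    """Slide 13: the whole original packet becomes the data of a new packet
    addressed between the two gateways."""
    body = esp_wrap(original_packet, IPIP_PROTO, spi, seq)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, IP_HDR.size + len(body)) + body


def dotted(addr):
    return ".".join(str(b) for b in addr)


def on_path_view(packet):
    """What a router between the endpoints learns from the outer header alone."""
    f = IP_HDR.unpack(packet[:IP_HDR.size])
    return {"src": dotted(f[8]), "dst": dotted(f[9]), "proto": f[6], "len": len(packet)}


def esp_unwrap(packet):
    """Receiver side: strip the outer header and the ESP framing.
    Returns (next_header, data); with next_header 4 the data is a whole IP packet."""
    body = packet[IP_HDR.size:]
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[8:len(body) - 2 - pad_len]


def demo():
    host_a, host_b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])        # constructed
    gw_a, gw_b = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])       # constructed
    payload = b"hello"
    original = ipv4_header(host_a, host_b, 17, IP_HDR.size + len(payload)) + payload

    transport = transport_mode(host_a, host_b, payload, 17, spi=0x100, seq=1)
    tunnel = tunnel_mode(gw_a, gw_b, original, spi=0x200, seq=1)
    return {
        "transport_view": on_path_view(transport),   # host addresses visible
        "tunnel_view": on_path_view(tunnel),         # only gateway addresses visible
        "transport_inner": esp_unwrap(transport),    # (17, b"hello")
        "tunnel_inner": esp_unwrap(tunnel),          # (4, original packet)
        "tunnel_overhead": len(tunnel) - len(transport),   # the extra 20-byte header
    }
```

Running `demo()` shows the trade-off the comparison slide is getting at: the tunnel-mode packet carries a second IP header, so it is 20 bytes larger, but a router on the path sees only the two gateway addresses, while in transport mode the original source and destination hosts remain readable on the wire.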

  15. IPSec Implementation
  • Bump-in-stack
    • Update OS network stack
    • Adding software that binds to the network stack can cause software conflicts
  • Bump-in-wire
    • Attach a network device that performs IPSec processing
    • Transparent to hosts

  16. Benefits of IPSec
  • Operates at the network layer
  • Application agnostic
  • An Internet standard
  • Extensible hash and encryption algorithms

  17. Limitations of IPSec
  • Complex
  • Configuration
    • Lengthy key pairs need to be configured on client and server
  • Performance / Processing Overhead
  • NAT incompatibilities
  • Firewall incompatibilities

  18. Current areas of research
  • Stronger encryption and authentication algorithms.
  • Better Public Key Infrastructure: simpler, easier to manage and more secure.
  • Security for non-IP protocols such as Fibre Channel.

