• 200 likes • 520 Views
IPSec. Zeen Rachidi David Salim Archana Mehta. Agenda. Definition of IPSec IPSec Architecture Encapsulating Security Payload and Authentication Header Encryption and Authentication Algorithms Internet Key Exchange mechanism Scenarios for deploying Implementation Benefits
E N D
IPSec Zeen Rachidi David Salim Archana Mehta
Agenda • Definition of IPSec • IPSec Architecture • Encapsulating Security Payload and Authentication Header • Encryption and Authentication Algorithms • Internet Key Exchange mechanism • Scenarios for deploying • Implementation • Benefits • Limitations • Current areas of research
Definition of IPSec • IPSec is an abbreviation for IP security, which is used to transfer data securely over unprotected networks like “Internet”. • It acts at the networks layer and is part of IPv6. • The protocol/process is as follows : • Sender encrypts packets before sending them on the network. • Receiver authenticates packets. • Anti replay checks to reject duplicate packets preventing DOS attack. • IKE is the key exchange mechanism to securely exchange keys
IPSec Architecture Below are the various RFC defined for IPSec Source: IPSec Architecture Overview
IPSec Architecture • RFC 2401 - Overall security architecture and services offered by IPSec. • Authentication Protocols • RFC 2402 – IP Authentication Header processing (in/out bound packets ) • RFC 2403 – Use of MD-5 with Encapsulating Security Payload and Authentication Header • RFC 2404 - Use of Sha1with Encapsulating Security Payload and Authentication Header • ESP Protocol • RFC 2405 – Use of DES-CBS which is a symmetric secret key block algorithm (block size 64 bits). • RFC 2406 – IP Encapsulating Security Payload processing (in/out bound packets) • RFC 2407 – Determines how to use ISAKMP for IPSec
IPSec Architecture – Key Management • RFC 2408 (Internet Security Association and Key Management Protocol - ISAKMP) • Common frame work for exchanging key securely. • Defines format of Security Association (SA) attributes, and for negotiating, modifying, and deleting SA. • Security Association contains information like keys, source and destination address, algorithms used. • Key exchange mechanism independent. • RFC 2409 – Internet key exchange • Mechanisms for generating and exchanging keys securely.
Encapsulation Security Payload • Designed to provide both confidentiality and integrity protection • Everything after the IP header is encrypted • The ESP header is inserted after the IP header
Authentication Header • Designed for integrity only • Certain fields of the IP header and everything after the IP header is protected • Provides protection to the immutable parts of the IP header
Encryption Algorithms Some of the standard encryption algorithms implemented in IPSec are: • 3DES • AES • NULL
Authentication Algorithms • Used to achieve integrity protection of data • Everything after the IP header is hashed • Hash is attached to the IP header as an integrity checksum • Destination host generates a hash using the same algorithm and compares it to the one attached to the packet
Internet Key Exchange Phase 1 Achieves mutual authentication and establishes and IKE Security Association (SA). Three key options include: • Public Key Encryption • Public Key Signature • Symmetric Key Phase 2 achieves ESP/AH SA
IP Header AH/ESP Data IPSec Transport Mode • AH or ESP header is inserted between the IP header and payload • Encrypts only the data portion of packet • Designed for host-to-host communication where routing information is needed
IP Header Data Original IP Packet IP Header AH/ESP Data IPSec Tunnel Mode • Original IP packet is placed in new IP packet with AH or ESP header • Designed for gateway-to-gateway communication
Tunnel vs Transport Mode • Transport mode is more efficient • Transport mode hides all information of the original packet • Transport mode is not needed
IPSec Implementation • Bump-in-stack • Update OS network stack • Adding software that’s binds to network stack can cause software conflicts • Bump-in-wire • Attach network device that performs IPSec processing • Transparent to hosts
Benefits of IPSec • Operates at the network layer • Application agnostic • An Internet standard • Extensible hash and encryption algorithms
Limitations of IPSec • Complex • Configuration • Lengthy key pairs need to be configured on client and server • Performance / Processing Overhead • NAT incompatibilities • Firewall incompatibilities
Current areas of research • Stronger encryption and authentication algorithms. • Better Public Key Infrastructure to make it simple, less complex and easy to manage and more secure. • Security with non IP protocols like Fiber channel.
References • 1. IP Encapsulating Security Payload, http://www.ietf.org/rfc/rfc2406.txt • 2. IPSec,http://www.mywiseowl.com/articles/IPsec • 3. IP Security (RFC – 2411), http://rfc.net/rfc2411.html • 4. IPSec Product Overview, http://66.102.7.104/search?q=cache:S-6usqPxYnIJ:www.freesoft.org/CIE/Topics/141.htm+Ipsec&hl=en&start=33 • 5. IPsec (IP Security Protocol),http://www.nwfusion.com/details/720.html • 6. Understanding IPsec,http://www.intranetjournal.com/articles/200206/se_06_13_02c.html • 7. Information Security, Principles and Practice, Mark Stamp • 8. www.solaris.com