
IPSec


frisco




Presentation Transcript


  1. IPSec IP Security (IPSec)

  2. IP Security (IPSec) • IPSec overview • Authentication Header (AH) • Encapsulating Security Payload (ESP) • Internet Key Exchange (IKE) • Main Mode negotiation • Quick Mode negotiation • Retransmit behavior

  3. Overall Architecture (RFC 1825; since obsoleted by RFC 2401 and then RFC 4301) • Framework for security protocols to provide: • Data integrity • Data authentication • Data confidentiality • Security association management • Key management

  4. Authentication Header (RFC 1826; since obsoleted by RFC 2402 and then RFC 4302) • Data integrity—no twiddling of bits • Origin authentication—definitely came from the peer router • Uses a keyed-hash mechanism (an HMAC over the packet, keyed with the SA's key) • Does not provide confidentiality
  (Diagram: Router to Router. Each "IP Header plus Data" carries Authentication Data (00ABCDEF); on the wire the packet is IPHDR | AH | Data.)

  5. Encapsulating Security Payload (RFC 1827; since obsoleted by RFC 2406 and then RFC 4303) • Confidentiality • Data origin authentication • Data integrity • Replay protection (optional)
  (Diagram: Router to Router, all data encrypted.)

  6. Security Association (SA) • Agreement between two entities on the method used to communicate securely • Unidirectional—two-way communication consists of two SAs
  (Diagram: Firewall and Router across an insecure channel.)

  7. IKE Policy Negotiation (Encryption Algorithm, Hash Algorithm, and Method of Authentication)
  Initiator offers, in order of preference:
  • 3DES, MD5, and RSA Signatures, or
  • IDEA, SHA, and DSS Signatures, or
  • Blowfish, SHA, and RSA Encryption
  Responder selects: IDEA, SHA, and DSS Signatures
  (Diagram: the agreed ISAKMP policy forms the tunnel between the two peers.)
  Note: 3DES, MD5, IDEA and Blowfish are legacy choices; current deployments negotiate AES (see slide 9) with a SHA-based HMAC, and a responder policy should refuse MD5 outright rather than accept it because the initiator listed it first.

  8. IPSec Model • Device authentication • Crypto devices obtain digital certificates from CAs • Authorization • Packet selection via ACLs • Security Association (SA) established via ISAKMP/Oakley • Privacy and integrity • IPSec-based encryption and digital signature
  (Diagram: two internal networks, each gateway holding a digital certificate from the Certificate Authority; the IKE session establishes the SA, and traffic that is clear text on the internal networks crosses the authenticated, encrypted tunnel between the gateways.)

  9. IPsec Protocols and Formats
  Headers:
  • Authentication Header: integrity, authentication
  • Encapsulating Security Payload: adds confidentiality
  Key Exchange:
  • ISAKMP/Oakley: negotiates security parameters; uses digital certificates
  • Diffie-Hellman: generates shared secret keys
  Modes:
  • Transport: IP payload only; Layer 4 is obscured (with ESP); both end systems need IPsec
  • Tunnel: entire datagram; no changes to intermediate systems
  Encryption: DES, 3DES, RC4, IDEA, AES ...
  Hashing: HMAC MD5, HMAC SHA1

  10. IPSec Modes
  Original datagram: [IP HDR] [DATA]
  Tunnel mode:    [New IP HDR] [IPSec HDR] [IP HDR] [DATA]   (original IP HDR and DATA encrypted)
  Transport mode: [IP HDR] [IPSec HDR] [DATA]                (DATA encrypted)

  11. Tunnel and Transport Modes • Transport mode for end-to-end session • Tunnel mode for everything else
  (Diagram: Joe's PC and HR Server, showing the transport-mode and tunnel-mode paths between them.)

  12. IPsec—Standards Based
  (Diagram: IPsec deployed between the Internet, dial-in users, VLANs, the firewall and the campus network.)

  13. IPSec Overview • Proposed Internet standard for IP-layer cryptography with IPv4 and IPv6
  (Diagram: Router to Router, PC to Router, Router to Firewall, PC to Server.)

  14. IPSec Process • Initiating the IPSec session • Phase one—exchanging keys • Phase two—setting up security associations • Encrypting/decrypting packets • Rebuilding security associations • Timing out security associations

  15. Initiating the IPSec Session Phase One — ISAKMP • Internet Security Association and Key Management Protocol (ISAKMP) • Both sides need to agree on the ISAKMP security parameters (ISAKMP SADB) • ISAKMP parameters • Encryption algorithm • Hash algorithm • Authentication method • Diffie-Hellman group (modulus size) • ISAKMP SA lifetime
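The selection step behind slides 7 and 15, written as a responder would implement it. This is an added example for this page, not code from the presentation: the Proposal fields, the FORBIDDEN sets, the responder policy, the DH group numbers and the lifetimes are assumptions (the slides show only the algorithm triples). The responder walks the initiator's list in the order it was sent, refuses transforms its own policy does not allow, and clamps the lifetime to the shorter of the two sides' values.

```python
# Added example: ISAKMP Phase 1 proposal selection as a responder would do it.
# Illustration code written for this page, not a vendor's IKE daemon. Proposal
# field names, the FORBIDDEN sets and the sample policies are assumptions.
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class Proposal:
    """One Phase 1 transform: the parameters slide 15 lists."""
    encryption: str   # e.g. "3DES", "IDEA", "Blowfish", "AES-128"
    hash: str         # e.g. "MD5", "SHA"
    auth: str         # e.g. "RSA-SIG", "DSS-SIG", "RSA-ENC", "PSK"
    dh_group: int     # Diffie-Hellman group number (fixes the modulus size)
    lifetime: int     # ISAKMP SA lifetime in seconds


# Transforms this (hypothetical) responder refuses even if offered and configured:
# MD5 and DES are broken, DH group 1 is a 768-bit modulus.
FORBIDDEN_ALGS = {"MD5", "DES"}
FORBIDDEN_DH_GROUPS = {1}


def acceptable(p: Proposal, policy: Iterable[Proposal]) -> bool:
    """True if local policy contains a transform matching p. Lifetime is not
    part of the match; it is negotiated separately (see select_proposal)."""
    if p.encryption in FORBIDDEN_ALGS or p.hash in FORBIDDEN_ALGS:
        return False
    if p.dh_group in FORBIDDEN_DH_GROUPS:
        return False
    return any(
        (p.encryption, p.hash, p.auth, p.dh_group)
        == (q.encryption, q.hash, q.auth, q.dh_group)
        for q in policy
    )


def select_proposal(offered: list, policy: list, max_lifetime: int) -> Optional[Proposal]:
    """Walk the initiator's proposals in the order sent (its preference order)
    and return the first one local policy allows, with the lifetime clamped to
    the shorter of the two sides' values. None means Phase 1 cannot proceed."""
    for p in offered:
        if acceptable(p, policy):
            return replace(p, lifetime=min(p.lifetime, max_lifetime))
    return None


# The initiator's offer from slide 7. DH group and lifetime (one day) are assumed;
# the slide does not show them.
SLIDE7_OFFER = [
    Proposal("3DES", "MD5", "RSA-SIG", 2, 86400),
    Proposal("IDEA", "SHA", "DSS-SIG", 2, 86400),
    Proposal("Blowfish", "SHA", "RSA-ENC", 2, 86400),
]

# Hypothetical responder policy: takes IDEA/SHA/DSS or AES/SHA/RSA signatures,
# and will not keep an ISAKMP SA longer than eight hours.
RESPONDER_POLICY = [
    Proposal("IDEA", "SHA", "DSS-SIG", 2, 28800),
    Proposal("AES-128", "SHA", "RSA-SIG", 14, 28800),
]
RESPONDER_MAX_LIFETIME = 28800


def negotiate_slide7() -> Optional[Proposal]:
    """Run the slide 7 exchange: the responder skips the 3DES/MD5 proposal and
    settles on IDEA, SHA, DSS Signatures with the shorter lifetime."""
    return select_proposal(SLIDE7_OFFER, RESPONDER_POLICY, RESPONDER_MAX_LIFETIME)


if __name__ == "__main__":
    print(negotiate_slide7())
```

The order of the checks is the point: the initiator's preference decides among acceptable proposals, but what counts as acceptable is entirely the responder's decision, so a weak transform at the top of the offer never wins by default.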

  16. Initiating the IPSec Session Phase Two • Both sides need to agree on the IPSec security parameters (IPSec SADB) • IPSec parameters • IPSec peer • Endpoint of IPSec tunnel • IPSec proxy • Traffic to be encrypted/decrypted • IPSec transform • Encryption and hashing • IPSec lifetime • Phase two SA regeneration time

  17. Encrypting and Decrypting Packets • Phase one and phase two completes • Security Associations (SA) are created at both IPSec endpoints • Using the negotiated SADB information • Outbound packets are encrypted • Inbound packets are decrypted

  18. Rebuilding Security Associations • To limit how much traffic any one key protects, keys are periodically refreshed • Security associations will be rebuilt when: • The lifetime expires, or • Data volume has been exceeded, or • Another SA is attempted with identical parameters

  19. Security Associations • Combination of mutually agreed security services, protection mechanisms, and cryptographic keys • ISAKMP SA • IPSec SAs • One for inbound traffic • One for outbound traffic • Security Parameters Index (SPI) • Helps identify an SA • Creating SAs • Main Mode for ISAKMP SA • Quick Mode for IPSec SAs
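An inbound SADB entry with the pieces slides 5, 18 and 19 describe: lookup by SPI and protocol, the optional anti-replay window, and the time and volume lifetimes whose expiry triggers rebuilding the SA. This is an added example written for this page, not code from the presentation; the window size, lifetimes, return strings and the sample packet stream are constructed assumptions, and the ICV check itself is represented by a flag passed in by the caller rather than computed here.

```python
# Added example: inbound SA state with anti-replay window and lifetime checks.
# Written for this page, not from the presentation. Window size, lifetimes and
# the sample stream are assumptions; icv_ok stands in for the real AH/ESP check.
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class InboundSA:
    spi: int
    protocol: str            # "ESP" or "AH"
    key: bytes
    lifetime_seconds: int    # slide 18: "the lifetime expires"
    lifetime_bytes: int      # slide 18: "data volume has been exceeded"
    created: float = field(default_factory=time.time)
    bytes_processed: int = 0
    window_size: int = 64    # RFC 4303 requires at least 32; 64 is a common default
    highest_seq: int = 0     # highest sequence number accepted so far
    window: int = 0          # bit i set => sequence (highest_seq - i) already received

    def expired(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return (now - self.created >= self.lifetime_seconds
                or self.bytes_processed >= self.lifetime_bytes)

    def seq_is_fresh(self, seq: int) -> bool:
        """Check only; the window is updated after the ICV verifies."""
        if seq == 0:                      # the counter starts at 1 on a new SA
            return False
        if seq > self.highest_seq:
            return True                   # to the right of the window
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return False                  # to the left of the window: too old
        return not (self.window & (1 << offset))   # inside: seen before?

    def seq_mark(self, seq: int) -> None:
        """Record an authenticated packet, sliding the window right if needed."""
        mask = (1 << self.window_size) - 1
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & mask if shift < self.window_size else 1
            self.highest_seq = seq
        else:
            self.window |= 1 << (self.highest_seq - seq)


class SADB:
    """Inbound SAs are selected by (SPI, protocol); together with the
    destination address that is the lookup key RFC 4301 specifies."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, str], InboundSA] = {}

    def add(self, sa: InboundSA) -> None:
        self._sas[(sa.spi, sa.protocol)] = sa

    def process_inbound(self, spi: int, protocol: str, seq: int, length: int,
                        icv_ok: bool, now: Optional[float] = None) -> str:
        """Order matters: SA lookup, lifetime, replay check, ICV, then window update.
        "expired" is the signal to rebuild the SA (slide 18)."""
        sa = self._sas.get((spi, protocol))
        if sa is None:
            return "no-sa"          # unknown SPI: drop and audit
        if sa.expired(now):
            return "expired"
        if not sa.seq_is_fresh(seq):
            return "replay"
        if not icv_ok:              # a forged packet must not move the window
            return "auth-fail"
        sa.seq_mark(seq)
        sa.bytes_processed += length
        return "accept"


def run_sample() -> list:
    """Constructed stream of (seq, length, icv_ok) records arriving on one SA."""
    sadb = SADB()
    sadb.add(InboundSA(spi=0x1000, protocol="ESP", key=b"k" * 20,
                       lifetime_seconds=3600, lifetime_bytes=4000, created=0.0))
    stream = [(1, 100, True), (2, 100, True), (2, 100, True), (100, 100, True),
              (30, 100, True), (50, 100, True), (50, 100, True),
              (101, 100, False), (101, 100, True)]
    return [sadb.process_inbound(0x1000, "ESP", s, n, ok, now=10.0) for s, n, ok in stream]


if __name__ == "__main__":
    print(run_sample())
```

Two details a real implementation adds: the window must only advance after the ICV verifies (otherwise an attacker can send garbage with a huge sequence number and push legitimate packets out of the window), and the 32-bit sequence counter must never wrap on one SA, so the sender rekeys before that or both sides negotiate 64-bit extended sequence numbers.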

  20. IPSec Headers • Authentication Header (AH) • Provides data origin authentication, data integrity, and replay protection for the entire IP datagram (the IP header's mutable fields, such as TTL and the header checksum, are excluded from the integrity check because routers rewrite them in transit) • Encapsulating Security Payload (ESP) • Provides data origin authentication, data integrity, replay protection, and data confidentiality for the ESP-encapsulated portion of the packet (the outer IP header is not covered)

  21. IPSec Modes • Transport mode • Typically used for IPSec peers doing end-to-end security • Provides protection for upper-layer protocol data units (PDUs) • Tunnel mode • Typically used by network routers to protect IP datagrams • Provides protection for entire IP datagrams

  22. AH Transport Mode
  Before: [IP] [Upper layer PDU]
  After:  [IP] [AH] [Upper layer PDU]
  Authenticated: the whole packet (IP header minus its mutable fields, AH, and the PDU)

  23. AH Tunnel Mode
  Before: [IP] [Upper layer PDU]
  After:  [IP (new)] [AH] [IP] [Upper layer PDU]
  Authenticated: the whole packet (new IP header minus its mutable fields, AH, the inner IP header, and the PDU)
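AH transport mode (slides 4, 20 and 22) worked through in bytes, to show what "authenticates the entire IP datagram" means in practice: the ICV is an HMAC-SHA1-96 over the packet with the fields a router may legitimately rewrite (TOS, flags/fragment offset, TTL, header checksum) and the ICV field itself zeroed, so the packet still verifies after a hop decrements the TTL but fails if any other byte changes. This is an added example written for this page, not the presentation's code; the key, addresses, SPI and payload are constructed sample values, and the code assumes an IPv4 header without options.

```python
# Added example: AH transport mode with HMAC-SHA1-96. Written for this page,
# not taken from the presentation. KEY, SAMPLE, the SPI and the addresses are
# constructed values; the code assumes a 20-byte IPv4 header (no options).
import hmac
import hashlib
import socket
import struct

AH_PROTO = 51          # IP protocol number for AH
AH_FIXED_LEN = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12           # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the 20-byte header, checksum field already zero."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                                0x4000, ttl, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def router_hop(packet: bytes) -> bytes:
    """What every forwarding router does: decrement TTL, recompute the checksum."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = b"\x00\x00"
    struct.pack_into("!H", p, 10, ipv4_checksum(bytes(p)))
    return bytes(p)


def zero_mutable(packet: bytes) -> bytes:
    """Copy of the packet with the fields AH excludes from the ICV set to zero:
    TOS, flags/fragment offset, TTL, header checksum, and the ICV field itself."""
    p = bytearray(packet)
    p[1] = 0
    p[6:8] = b"\x00\x00"
    p[8] = 0
    p[10:12] = b"\x00\x00"
    icv_at = 20 + AH_FIXED_LEN
    p[icv_at:icv_at + ICV_LEN] = bytes(ICV_LEN)
    return bytes(p)


def compute_icv(key: bytes, packet: bytes) -> bytes:
    return hmac.new(key, zero_mutable(packet), hashlib.sha1).digest()[:ICV_LEN]


def ah_encapsulate(key: bytes, ip_packet: bytes, spi: int, seq: int) -> bytes:
    """Insert AH between the IP header and the upper-layer PDU (slide 22)."""
    hdr, pdu = bytearray(ip_packet[:20]), ip_packet[20:]
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    ah = struct.pack("!BBHII", hdr[9], payload_len, 0, spi, seq) + bytes(ICV_LEN)
    hdr[9] = AH_PROTO                                  # AH's Next Header keeps the original protocol
    struct.pack_into("!H", hdr, 2, 20 + len(ah) + len(pdu))
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    packet = bytes(hdr) + ah + pdu
    icv = compute_icv(key, packet)
    return packet[:20 + AH_FIXED_LEN] + icv + packet[20 + AH_FIXED_LEN + ICV_LEN:]


def ah_verify(key: bytes, packet: bytes):
    """Return (True, original IP packet) if the ICV holds, else (False, b"")."""
    if packet[9] != AH_PROTO:
        return False, b""
    next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:20 + AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    received = packet[20 + AH_FIXED_LEN:20 + ah_len]
    if not hmac.compare_digest(received, compute_icv(key, packet)):
        return False, b""
    hdr = bytearray(packet[:20])
    hdr[9] = next_hdr
    struct.pack_into("!H", hdr, 2, len(packet) - ah_len)
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return True, bytes(hdr) + packet[20 + ah_len:]


# Constructed sample: a TCP segment from 10.0.0.1 to 10.0.0.2 under SPI 0x1000.
KEY = bytes(range(20))
SAMPLE = build_ipv4("10.0.0.1", "10.0.0.2", 6, b"hello")

if __name__ == "__main__":
    print(ah_verify(KEY, router_hop(ah_encapsulate(KEY, SAMPLE, 0x1000, 1))))
```

The same property is AH's well-known operational limitation: the source and destination addresses are immutable fields inside the ICV, so a NAT that rewrites the source address breaks verification at the far end, which is why AH does not traverse NAT and ESP is used almost everywhere in practice.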

  24. ESP Transport Mode
  Before: [IP] [Upper layer PDU]
  After:  [IP] [ESP header] [Upper layer PDU] [ESP trailer] [ESP Auth Data]
  Encrypted: Upper layer PDU and ESP trailer
  Authenticated: ESP header through ESP trailer (the IP header is not covered)

  25. ESP with AH Transport Mode
  Before: [IP] [Upper layer PDU]
  After:  [IP] [AH] [ESP header] [Upper layer PDU] [ESP trailer] [ESP Auth]
  Encrypted: Upper layer PDU and ESP trailer
  Authenticated with ESP: ESP header through ESP trailer
  Authenticated with AH: the whole packet (IP header minus its mutable fields, AH, and everything after it)

  26. ESP Tunnel Mode
  Before: [IP] [Upper layer PDU]
  After:  [IP (new)] [ESP header] [IP] [Upper layer PDU] [ESP trailer] [ESP Auth Data]
  Encrypted: inner IP header, Upper layer PDU, and ESP trailer
  Authenticated: ESP header through ESP trailer (the new outer IP header is not covered)
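The two ESP layouts from slides 10, 24 and 26 built and parsed in bytes. This is an added example written for this page, not the presentation's code. It uses the NULL encryption transform (RFC 2410) so the payload stays readable and the header, trailer and ICV positions can be checked, with HMAC-SHA1-96 for the ICV; a real SA encrypts the payload and trailer (and, for CBC ciphers, inserts an IV after the sequence number). The key, addresses, SPIs and payload are constructed sample values, and the code assumes IPv4 headers without options.

```python
# Added example: ESP transport and tunnel mode with ESP_NULL and HMAC-SHA1-96.
# Written for this page, not from the presentation. KEY, PAYLOAD, INNER, the
# SPIs and the gateway addresses are constructed; 20-byte IPv4 headers assumed.
import hmac
import hashlib
import socket
import struct

ESP_PROTO = 50     # IP protocol number for ESP
IPIP_NEXT = 4      # Next Header value for an encapsulated IPv4 datagram (tunnel mode)
ICV_LEN = 12       # HMAC-SHA1-96


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                                ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def esp_wrap(key: bytes, spi: int, seq: int, plaintext: bytes, next_header: int) -> bytes:
    """[SPI][Seq][payload][padding][pad len][next header][ICV] (slides 24 and 26).
    Padding right-aligns pad len / next header on a 4-byte boundary."""
    pad_len = (-(len(plaintext) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + plaintext + padding + bytes([pad_len, next_header])
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]   # ICV covers SPI..next header


def esp_unwrap(key: bytes, esp: bytes):
    """Verify the ICV before trusting the trailer. Returns (spi, seq, next_header, plaintext)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]):
        raise ValueError("ESP ICV verification failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def esp_transport(key: bytes, spi: int, seq: int, ip_packet: bytes) -> bytes:
    """Keep the original IP header; ESP wraps only the upper-layer PDU (slide 24)."""
    hdr, pdu = bytearray(ip_packet[:20]), ip_packet[20:]
    esp = esp_wrap(key, spi, seq, pdu, next_header=hdr[9])   # Next Header = original L4 protocol
    hdr[9] = ESP_PROTO
    struct.pack_into("!H", hdr, 2, 20 + len(esp))
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + esp


def esp_tunnel(key: bytes, spi: int, seq: int, ip_packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """The whole original datagram becomes the ESP payload and a new outer IP
    header carries the gateway addresses (slide 26). Next Header = 4 (IP-in-IP)."""
    esp = esp_wrap(key, spi, seq, ip_packet, next_header=IPIP_NEXT)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def esp_decapsulate(key: bytes, packet: bytes):
    """Works for either mode: returns (next_header, plaintext). Next Header tells the
    receiver whether plaintext is an L4 PDU (transport) or a full IP datagram (tunnel)."""
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    _, _, next_header, plaintext = esp_unwrap(key, packet[20:])
    return next_header, plaintext


# Constructed sample: a TCP segment from 10.1.1.5 to 10.2.2.9, two sites joined by
# gateways 203.0.113.1 and 198.51.100.1 (documentation address ranges).
KEY = bytes(range(20))
PAYLOAD = b"GET / HTTP/1.0\r\n"
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 6, len(PAYLOAD)) + PAYLOAD

if __name__ == "__main__":
    print(esp_decapsulate(KEY, esp_tunnel(KEY, 0x200, 1, INNER, "203.0.113.1", "198.51.100.1")))
```

Comparing the two outputs shows the traffic-analysis difference the mode slides only hint at: in transport mode the outer header still names the two end hosts, while in tunnel mode an observer sees only the gateway pair, with the real source, destination and protocol inside the (normally encrypted) payload.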
