IP Security
- 1. NETWORK SECURITY
Name of the Staff : M.FLORENCE DAYANA M.C.A.,M.Phil.,(Ph.D).,
Head, Dept. of CA
Bon Secours College For Women
Thanjavur.
Class : II MSc., CS
Semester : III
Unit : IV
Topic : IP Security
2/15/2019 1
- 2. IP Security Overview
• Internet Protocol Security (IPsec) is a set of protocols that provides security for the Internet Protocol.
• It can use cryptography to provide that security.
• IPsec can be used to set up virtual private networks (VPNs) in a secure manner.
• IPsec is a protocol suite for secure Internet Protocol (IP) communications that works by authenticating and encrypting each IP packet of a communication session.
- 3. Applications of IPsec
• IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet.
• An extranet is a private network that uses Internet technology and the public telecommunication system to securely share part of a business's information or operations with suppliers, vendors, partners, customers, or other businesses.
• An intranet is a private network accessible only to an organization's staff.
Examples include:
• Secure branch office connectivity over the Internet
• Secure remote access over the Internet
• Establishing extranet and intranet connectivity with partners
• Enhancing electronic commerce security
- 4. An IP Security Architecture
Ethernet is a system for connecting a number of computer systems to form a local area network, with protocols to control the passing of information and to avoid simultaneous transmission by two or more systems.
- 5. Benefits of IP Security
• When IPsec is implemented in a firewall or router, it provides strong security that applies to all traffic crossing this perimeter.
• Traffic within a company or workgroup does not incur the overhead of security-related processing.
• IPsec is below the transport layer (TCP, UDP), and is thus transparent to applications.
- 6. Benefits of IP Security (continued)
• There is no need to change software on a user or server system when IPsec is implemented in the firewall or router.
• Even if IPsec is implemented in end systems, upper-layer software, including applications, is not affected.
• IPsec can be transparent to end users.
• IPsec can provide security for individual users if needed.
- 7. Routing Applications
• IPsec can play a vital role in the routing architecture required for internetworking.
IPsec can assure that:
• A router advertisement comes from an authorized router
• A router seeking to establish or maintain a neighbor relationship with a router in another routing domain is an authorized router
• A redirect message comes from the router to which the initial IP packet was sent
• A routing update is not forged
A router is a networking device that forwards data packets between computer networks.
- 8. IPsec Documents
1. Architecture
• Covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology
• The current specification is RFC 4301, Security Architecture for the Internet Protocol
2. Authentication Header (AH)
• An extension header to provide message authentication
• The current specification is RFC 4302, IP Authentication Header
3. Encapsulating Security Payload (ESP)
• Consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication
• The current specification is RFC 4303, IP Encapsulating Security Payload (ESP)
4. Internet Key Exchange (IKE)
• A collection of documents describing the key management schemes for use with IPsec
• The main specification is RFC 5996, Internet Key Exchange (IKEv2) Protocol, but there are a number of related RFCs
5. Cryptographic algorithms
• This category encompasses a large set of documents that define and describe cryptographic algorithms for encryption, message authentication, pseudorandom functions (PRFs), and cryptographic key exchange
6. Other
• There are a variety of other IPsec-related RFCs, including those dealing with security policy and management information base (MIB) content
- 9. IPsec Services
• IPsec provides security services at the IP layer by enabling a system to:
• Select required security protocols
• Determine the algorithm(s) to use for the service(s)
• Put in place any cryptographic keys required to provide the requested
services
• The architecture document (RFC 4301) lists the following services:
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets (a form of partial sequence integrity)
• Confidentiality (encryption)
• Limited traffic flow confidentiality
- 10. Transport and Tunnel Modes
Transport Mode
• Provides protection primarily for upper-layer protocols
• Examples include a TCP or UDP segment or an ICMP packet
• ICMP (Internet Control Message Protocol) is an error-reporting protocol
• Typically used for end-to-end communication between two hosts
• ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header
• AH in transport mode authenticates the IP payload and selected portions of the IP header
Tunnel Mode
• Provides protection to the entire IP packet
• Used when one or both ends of a security association (SA) are a security gateway
• A number of hosts on networks behind firewalls may engage in secure communications without implementing IPsec
• ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header
• AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header
- 12. Security Association (SA)
• A Security Association (SA) is the establishment of shared security attributes between two network entities to support secure communication.
• A security association (SA) is a logical connection involving two devices that transfer data with the help of the defined IPsec protocols.
• An SA may include attributes such as: cryptographic algorithm and mode; traffic encryption key; and parameters for the network data to be passed over the connection.
An SA is uniquely identified by three parameters:
• Security Parameters Index (SPI): a 32-bit unsigned integer assigned to this SA and having local significance only
• IP Destination Address: the address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router
• Security Protocol Identifier: indicates whether the association is an AH or an ESP security association
- 13. Security Association Database (SAD)
A SAD entry holds the following parameters:
• Security parameter index (a 32-bit value that identifies the SA and is carried in the packet's AH or ESP header)
• Sequence number counter (a 32-bit value used to generate the Sequence Number field)
• Sequence counter overflow (a flag indicating how overflow of the Sequence Number counter is to be handled)
• Anti-replay window (used to detect and reject replayed packets; the main goal of anti-replay is to prevent an attacker from re-injecting or altering packets that travel from a source to a destination)
• AH information
• ESP information (Encapsulating Security Payload)
• Lifetime of this security association
• IPsec protocol mode (Tunnel, Transport, or wildcard (mask))
• Path MTU (maximum size of a packet that can be transmitted without fragmentation)
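The anti-replay window entry above is the receiver-side state that makes the "rejection of replayed packets" service work. The following Python is an added example (not from the slides) of the sliding-window check in the style of RFC 4303; the window size of 64 and the arriving sequence numbers in the test are assumed, and a real implementation updates the window only after the packet's integrity check has passed.

```python
class AntiReplayWindow:
    """Sliding window over 32-bit sequence numbers for one inbound SA (window size assumed 64)."""

    def __init__(self, window_size=64):
        self.w = window_size
        self.mask = (1 << window_size) - 1
        self.top = 0        # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0     # bit i set means sequence number (top - i) has already been received

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window; False means drop it."""
        if seq <= 0 or seq > 0xFFFFFFFF:     # the first packet on an SA carries seq 1, never 0
            return False
        if seq > self.top:                   # right of the window: advance it, marking seq as seen
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & self.mask if shift < self.w else 0
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.w:                 # left of the window: too old, drop
            return False
        if self.bitmap & (1 << offset):      # inside the window but already seen: a replay
            return False
        self.bitmap |= 1 << offset           # inside the window and new: accept and mark
        return True


def accepted(seqs, window_size=64):
    """Run a constructed list of arriving sequence numbers through one window; return those accepted."""
    win = AntiReplayWindow(window_size)
    return [s for s in seqs if win.check_and_update(s)]
```

Out-of-order packets inside the window (3 then 2) are still accepted, while a duplicate, sequence number 0, and anything that has fallen off the left edge are dropped.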
- 14. Security Policy Database (SPD)
The following selectors determine an SPD entry:
• Remote IP address: this may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address. The latter two are required to support more than one destination system sharing the same SA.
• Local IP address: this may be a single IP address, an enumerated list or range of addresses, or a wildcard (mask) address. The latter two are required to support more than one source system sharing the same SA.
• Next layer protocol: the IP protocol header includes a field that designates the protocol operating over IP.
• Name: a user identifier from the operating system. Not a field in the IP or upper-layer headers, but available if IPsec is running on the same operating system as the user.
• Local and remote ports: these may be individual TCP or UDP port values, an enumerated list of ports, or a wildcard port.
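To show how these selectors are used, here is an added Python example (not part of the slides) of an ordered SPD lookup: each selector may be a single value, a range or list, or a wildcard, and the first matching entry decides whether traffic is protected, bypassed or discarded. The policy entries, addresses and protocol numbers are constructed for the demo; the Name selector is left out.

```python
import ipaddress
from dataclasses import dataclass

ANY = None   # wildcard selector value


@dataclass
class SPDEntry:
    remote: object       # network in mask form ("203.0.113.0/24"), (low, high) address range, or ANY
    local: object
    protocol: object     # next-layer protocol number (1 = ICMP, 6 = TCP, 17 = UDP) or ANY
    remote_port: object  # single port, list of ports, or ANY
    local_port: object
    action: str          # "PROTECT", "BYPASS" or "DISCARD", the three RFC 4301 policy actions


def _addr_match(selector, addr):
    if selector is ANY:
        return True
    ip = ipaddress.ip_address(addr)
    if isinstance(selector, tuple):   # enumerated range low..high, inclusive
        return ipaddress.ip_address(selector[0]) <= ip <= ipaddress.ip_address(selector[1])
    return ip in ipaddress.ip_network(selector)   # wildcard (mask) form


def _port_match(selector, port):
    if selector is ANY:
        return True
    if isinstance(selector, list):
        return port in selector
    return port == selector


def lookup(spd, pkt):
    """Return the action of the first matching entry; SPD entries are ordered, so order matters."""
    for e in spd:
        if (_addr_match(e.remote, pkt["remote"]) and _addr_match(e.local, pkt["local"])
                and (e.protocol is ANY or e.protocol == pkt["protocol"])
                and _port_match(e.remote_port, pkt.get("remote_port"))
                and _port_match(e.local_port, pkt.get("local_port"))):
            return e.action
    return "DISCARD"   # RFC 4301: traffic that matches no SPD entry is discarded


# Constructed policy: tunnel everything to a branch office, let a partner range reach the web
# ports in the clear, let ICMP through, and discard whatever is left.
SPD = [
    SPDEntry("203.0.113.0/24", "10.0.0.0/8", ANY, ANY, ANY, "PROTECT"),
    SPDEntry(("198.51.100.10", "198.51.100.20"), ANY, 6, ANY, [80, 443], "BYPASS"),
    SPDEntry(ANY, ANY, 1, ANY, ANY, "BYPASS"),
]
```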
- 15. ESP with Authentication Option
• An Encapsulating Security Payload (ESP) is a protocol within IPsec for providing authentication, integrity and confidentiality of network packet data/payload in IPv4 and IPv6 networks.
• In this approach, the user first applies ESP to the data to be protected and then appends the authentication data field.
• In both of the following cases, authentication applies to the ciphertext rather than the plaintext.
Transport mode ESP
• Authentication and encryption apply to the IP payload delivered to the host, but the IP header is not protected.
Tunnel mode ESP
• Authentication applies to the entire IP packet delivered to the outer IP destination address, and authentication is performed at that destination.
• The entire inner IP packet is protected by the privacy mechanism for delivery to the inner IP destination.
- 16. Internet Key Exchange
• The key management portion of IPsec involves the determination and distribution of secret keys.
• A typical requirement is four keys for communication between two applications: transmit and receive pairs for both integrity and confidentiality.
• The IPsec Architecture document mandates support for two types of key management:
Manual
• A system administrator manually configures each system with its own keys and with the keys of other communicating systems.
• This is practical for small, relatively static environments.
Automated
• Enables the on-demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration.
- 17. ISAKMP/Oakley
The default automated key management protocol of IPsec
Oakley Key Determination Protocol
• The Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated parties to exchange keying material across an insecure connection using the Diffie–Hellman key exchange algorithm.
Internet Security Association and Key Management Protocol (ISAKMP)
• Provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes
• Consists of a set of message types that enable the use of a variety of key exchange algorithms
- 18. Features of IKE Key Determination
The five important features are:
1. It employs a mechanism known as cookies to thwart clogging attacks
2. It enables the two parties to negotiate a group; this, in essence, specifies the global parameters of the Diffie-Hellman key exchange
3. It uses nonces to ensure against replay attacks
4. It enables the exchange of Diffie-Hellman public key values
5. It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks
The Internet Key Exchange (IKE) is an IPsec (Internet Protocol Security) standard protocol used to ensure security for virtual private network (VPN) negotiation and remote host or network access.
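The five features above can be seen together in one simplified exchange. The Python below is an added example (not IKE itself and not from the slides): the responder hands out a stateless cookie before doing any Diffie-Hellman work, the group is negotiated, both sides contribute nonces and DH public values, and a pre-shared-key MAC over those values authenticates the exchange. The tiny group, the pre-shared key and the addresses are assumed for the demo.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the demo (assumed; real IKE negotiates standardised MODP/ECP groups)
GROUPS = {"toy-127": (2**127 - 1, 3)}
PSK = b"demo-pre-shared-key"   # constructed; the credential both parties use to authenticate the exchange


def make_cookie(responder_secret, initiator_addr):
    """Feature 1: stateless anti-clogging cookie; the responder keeps no state until it is echoed back."""
    return hmac.new(responder_secret, initiator_addr.encode(), hashlib.sha256).digest()[:8]


def cookie_valid(responder_secret, initiator_addr, cookie):
    return hmac.compare_digest(make_cookie(responder_secret, initiator_addr), cookie)


def choose_group(offered, supported):
    """Feature 2: negotiate the group, i.e. the global DH parameters p and g."""
    return next((name for name in offered if name in supported), None)


def dh_exchange(group_name):
    """Feature 4: both sides pick a private exponent and exchange public values g^x, g^y mod p."""
    p, g = GROUPS[group_name]
    x, y = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
    gx, gy = pow(g, x, p), pow(g, y, p)
    return gx, gy, pow(gy, x, p), pow(gx, y, p)   # the two shared secrets must agree


def auth_tag(role, gx, gy, ni, nr):
    """Feature 5: PSK-keyed MAC over both public values and both nonces (feature 3 binds freshness)."""
    return hmac.new(PSK, b"|".join([role, gx, gy, ni, nr]), hashlib.sha256).digest()


def run_ike(initiator_addr="192.0.2.10"):
    """One simplified IKE-style run; returns what the two sides concluded."""
    responder_secret = secrets.token_bytes(32)
    cookie = make_cookie(responder_secret, initiator_addr)          # round 1: reply with cookie only
    if not cookie_valid(responder_secret, initiator_addr, cookie):  # round 2: cookie must come back
        return {"ok": False, "keys_agree": False, "mitm_detected": False}
    group = choose_group(["toy-127"], GROUPS.keys())
    gx, gy, k_i, k_r = dh_exchange(group)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)       # feature 3: fresh nonces
    gx_b, gy_b = gx.to_bytes(16, "big"), gy.to_bytes(16, "big")
    tag_i, tag_r = auth_tag(b"I", gx_b, gy_b, ni, nr), auth_tag(b"R", gx_b, gy_b, ni, nr)
    # Each side verifies the peer's tag by recomputing it over the values it actually received
    auth_ok = (hmac.compare_digest(tag_i, auth_tag(b"I", gx_b, gy_b, ni, nr))
               and hmac.compare_digest(tag_r, auth_tag(b"R", gx_b, gy_b, ni, nr)))
    # A man in the middle who swapped g^x for its own value cannot produce a matching tag without PSK
    fake_gx = pow(3, 7, GROUPS[group][0]).to_bytes(16, "big")
    forged_ok = hmac.compare_digest(tag_i, auth_tag(b"I", fake_gx, gy_b, ni, nr))
    return {"ok": auth_ok and k_i == k_r, "keys_agree": k_i == k_r, "mitm_detected": not forged_ok}
```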