DESCRIPTION
IPsec protocol. Overview of IKE in IPsec. A look at the ESP packet. AH is excluded from this presentation.
Internet Protocol Security (IPSec)
Group name: grouppage
What to expect
• What is the difference between SSL/TLS and IPsec, and when should each be used?
• Go through the basics of IPsec
• Explain IPsec's key exchange
• Look further into ESP, the main protocol of IPsec
Internet Protocol (TCP/IP)
Has no inherent security.
A man in the middle can read and write:
• The TCP/IP headers
• The payload data
SSL/TLS and IPsec can encrypt the data (and protect its integrity); only IPsec also covers the IP layer.
IPsec compared to SSL/TLS
IPsec:
• Application independent: applied in the IP stack, so every application benefits without changes
• Authenticates IP headers (with AH, or the inner header when ESP runs in tunnel mode; ESP alone does not protect the outer IP header)
• Encrypts the TCP header and the application layer data
SSL/TLS:
• Must be compiled (linked) into each application
• Leaves the IP headers unprotected
• Encrypts only the application layer data
• Normal IP: Mallory (on the path) can:
  – Create packets that have A's IP as source address
  – Read A's packets
  – Change A's packets
• IPsec: Mallory can do none of these. She can still drop or delay packets and see which hosts are talking; IPsec protects confidentiality, integrity and origin, not availability or traffic patterns.
When to use?
Reasons not to use:
• NAT support (ESP has no port numbers for a NAT to rewrite; traversal needs UDP encapsulation on port 4500)
• User authentication (IPsec authenticates hosts or gateways, not the user behind them)
Reasons to use:
• VPN
• Application doesn't support TLS
• Don't want to use PKI (IKE can authenticate peers with pre-shared keys)
• Host authentication
IPsec basics for this presentation
Main protocol in IPsec:
– Encapsulating Security Payload (ESP)
Constructs that guide the operation of IPsec:
– Security Policy (SP)
– Security Association (SA)
Security Policies
A security policy governs how an IPsec device processes each datagram it sends or receives: discard it, let it bypass IPsec, or protect it (and with which SA).
An SA describes a particular kind of secure connection between one device and another: the protocol (ESP), the mode, the algorithms and keys, and the SPI that identifies it. SAs are unidirectional, so a two-way connection needs a pair of them.
Security Associations
Security Associations are key to IPsec's authentication and confidentiality mechanisms.
SAs are established by negotiation between the two peers, and part of that negotiation is agreeing on the "shared secret" from which the SA's keys are derived.
Sharing the shared secret
IPsec, like many secure networking protocol suites, is based on the concept of a "shared secret".
Before ESP (the IPsec protocol) can be used, the two devices must agree on the secret keys that ESP itself will use.
So how does this happen?
Exchanging the secret
Internet Key Exchange (IKE)
IKE lets IPsec-capable devices authenticate each other, negotiate security associations (SAs) and populate their security association databases (SADs).
These established SAs are then used for the actual exchange of secured datagrams with the ESP protocol.
(Figure: sharing the shared secret with IKE; image not reproduced. Source: http://technet.microsoft.com)
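The relationship between the two constructs described above (the SPD deciding what to do with a datagram, the SAD holding the SAs that IKE installs) is easiest to see in code. The following is an added example written for this page, not code from the presentation or from any IPsec implementation; it is a simplified model of the RFC 4301 databases with a constructed policy set (host 10.0.0.5, gateway 203.0.113.1, remote network 192.168.1.0/24) and uses only the Python standard library. Real SAs also carry replay windows, soft lifetimes and more selectors than shown here.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Policy actions from RFC 4301: drop, let through unprotected, or apply IPsec.
DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"


@dataclass
class Selector:
    """Traffic selectors of an SPD entry: address ranges plus optional protocol and destination port."""
    src: str
    dst: str
    proto: Optional[int] = None      # None matches any IP protocol
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))


@dataclass
class Policy:
    selector: Selector
    action: str
    mode: str = "tunnel"             # only meaningful for PROTECT
    peer: Optional[str] = None       # tunnel endpoint (gateway) for PROTECT in tunnel mode


@dataclass
class SecurityAssociation:
    """One direction of ESP protection. IKE negotiates these values and installs them in the SAD."""
    spi: int
    dst: str
    mode: str
    enc_alg: str
    auth_alg: str
    key: bytes
    hard_lifetime_bytes: int
    bytes_used: int = 0

    @property
    def expired(self) -> bool:
        return self.bytes_used >= self.hard_lifetime_bytes


class IPsecDevice:
    def __init__(self, spd: List[Policy]):
        self.spd = spd                                               # ordered: first match wins
        self.sad: Dict[Tuple[int, str], SecurityAssociation] = {}    # keyed by (SPI, destination)

    def install_sa(self, sa: SecurityAssociation) -> None:
        """What IKE does once a negotiation completes."""
        self.sad[(sa.spi, sa.dst)] = sa

    def lookup_policy(self, pkt: dict) -> Policy:
        for policy in self.spd:
            if policy.selector.matches(pkt):
                return policy
        return Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), DISCARD)  # unmatched traffic is dropped

    def outbound(self, pkt: dict):
        """Returns (action, SA). (PROTECT, None) means IKE must negotiate an SA before this can be sent."""
        policy = self.lookup_policy(pkt)
        if policy.action != PROTECT:
            return policy.action, None
        endpoint = policy.peer if policy.mode == "tunnel" else pkt["dst"]
        for sa in self.sad.values():
            if sa.dst == endpoint and sa.mode == policy.mode and not sa.expired:
                sa.bytes_used += pkt.get("length", 0)                # lifetime accounting drives rekeying
                return PROTECT, sa
        return PROTECT, None

    def inbound(self, spi: int, dst: str) -> Optional[SecurityAssociation]:
        """Inbound ESP is matched to its SA by the SPI in the ESP header plus the destination address."""
        sa = self.sad.get((spi, dst))
        return None if sa is None or sa.expired else sa


def example_device() -> IPsecDevice:
    """Constructed policy set: host 10.0.0.5 tunnels to gateway 203.0.113.1 for network 192.168.1.0/24."""
    return IPsecDevice([
        # IKE itself (UDP/500, and UDP/4500 for NAT traversal) must bypass IPsec, or no SA could ever be set up.
        Policy(Selector("10.0.0.5/32", "203.0.113.1/32", proto=17, dport=500), BYPASS),
        Policy(Selector("10.0.0.5/32", "203.0.113.1/32", proto=17, dport=4500), BYPASS),
        # Traffic to the remote network is protected in tunnel mode via the gateway.
        Policy(Selector("10.0.0.5/32", "192.168.1.0/24"), PROTECT, mode="tunnel", peer="203.0.113.1"),
        # Anything else falls through to the implicit DISCARD.
    ])


if __name__ == "__main__":
    dev = example_device()
    print(dev.outbound({"src": "10.0.0.5", "dst": "192.168.1.10", "proto": 6, "dport": 443}))  # no SA yet
    dev.install_sa(SecurityAssociation(0x1000, "203.0.113.1", "tunnel", "AES-CBC", "HMAC-SHA256", b"k" * 16, 10**9))
    print(dev.outbound({"src": "10.0.0.5", "dst": "192.168.1.10", "proto": 6, "dport": 443}))  # SA 0x1000
```

Two details are worth noticing: the SPD is ordered and the first match wins, which is why the IKE bypass entries must come before the broad PROTECT entry, and a PROTECT policy with no live SA does not fall back to sending in the clear; the packet waits until IKE has installed an SA.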
IPsec Protocols
Encapsulating Security Payload (ESP)
Main function: provide privacy for IP datagrams by encrypting them. ESP also provides integrity and origin authentication through an ICV, and anti-replay protection through a sequence number (RFC 4303); encryption without integrity protection should not be used.
ESP packet in transport mode:
IP header | ESP header (SPI, sequence number) | TCP header + data (encrypted) | ESP trailer (padding, pad length, next header; encrypted) | ICV
The original IP header is kept in the clear; only the transport-layer payload is protected.
ESP packet in tunnel mode:
New IP header | ESP header | original IP header + TCP header + data (encrypted) | ESP trailer (encrypted) | ICV
The whole original packet is encrypted, and the new outer IP header carries the tunnel endpoints (for example two gateways).
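The ESP framing above, together with the integrity and anti-replay checks a receiver must run before handing the payload up, as an added example written for this page (not code from the presentation or from any IPsec stack). To stay runnable with only the standard library it uses ESP-NULL encryption (RFC 2410) with an HMAC-SHA-256-128 ICV (RFC 4868), so the payload is visible on the wire; a real SA would use an encryption algorithm such as AES-GCM with keys that IKE derived. The key, the "TCP segment" and the "inner IPv4 packet" are constructed test bytes, not real headers.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in a real SA this is derived by IKE and never hard-coded.
INTEGRITY_KEY = bytes(range(32))
ICV_LEN = 16            # HMAC-SHA-256-128 (RFC 4868): 256-bit tag truncated to 128 bits
NEXT_HEADER_TCP = 6     # transport mode: the ESP payload is a TCP segment
NEXT_HEADER_IPIP = 4    # tunnel mode: the ESP payload is a complete inner IPv4 packet


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, key: bytes = INTEGRITY_KEY) -> bytes:
    """Encapsulate payload as an ESP packet (RFC 4303) with ESP-NULL encryption and an HMAC ICV.

    Wire layout: SPI(4) | Seq(4) | Payload | Padding | Pad Length(1) | Next Header(1) | ICV(16)
    """
    pad_len = (-(len(payload) + 2)) % 4             # payload + padding + 2 trailer bytes must be 32-bit aligned
    padding = bytes(range(1, pad_len + 1))          # default padding pattern 1,2,3,... (RFC 4303 section 2.4)
    authenticated = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def parse_esp(packet: bytes, key: bytes = INTEGRITY_KEY):
    """Verify the ICV, then strip the trailer. Returns (spi, seq, payload, next_header).

    Raises ValueError on any integrity failure; the receiver must not touch the payload before this check.
    """
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # constant-time comparison
        raise ValueError("ESP ICV mismatch (tampered packet or wrong key)")
    spi, seq = struct.unpack("!II", authenticated[:8])
    pad_len, next_header = authenticated[-2], authenticated[-1]
    if pad_len > len(authenticated) - 10:
        raise ValueError("bad pad length")
    if authenticated[len(authenticated) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq, authenticated[8:len(authenticated) - 2 - pad_len], next_header


class ReplayWindow:
    """Anti-replay sliding window (RFC 4303 section 3.4.3). Sequence numbers must not wrap: rekey before 2^32."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0   # bit i of bitmap: sequence number top-i already seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                                # 0 is never sent; the first packet of an SA is 1
        if seq > self.top:                              # new high-water mark: slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                                # too old, or already received: replay
        self.bitmap |= 1 << offset
        return True


def receive(packet: bytes, window: ReplayWindow, key: bytes = INTEGRITY_KEY):
    """Inbound ESP processing: verify the ICV, then update the replay window, then hand the payload up."""
    spi, seq, payload, next_header = parse_esp(packet, key)
    if not window.accept(seq):                          # only ICV-valid packets may move the window
        raise ValueError(f"replayed or stale sequence number {seq}")
    return spi, seq, payload, next_header


def demo() -> dict:
    """Transport mode carries a TCP segment; tunnel mode carries a whole inner IP packet (next header 4)."""
    tcp_segment = b"\x01\xbb\xc3\x50" + b"constructed TCP segment"     # constructed bytes, not a real header
    inner_ip_packet = b"\x45\x00" + b"constructed inner IPv4 packet"   # constructed bytes, not a real header
    transport = build_esp(0x1000, 1, tcp_segment, NEXT_HEADER_TCP)
    tunnel = build_esp(0x1000, 2, inner_ip_packet, NEXT_HEADER_IPIP)
    window = ReplayWindow()
    results = {"transport": receive(transport, window), "tunnel": receive(tunnel, window)}
    try:                                                # Mallory replays a captured packet: ICV valid, window rejects
        receive(transport, window)
        results["replay"] = "accepted"
    except ValueError:
        results["replay"] = "rejected"
    tampered = bytearray(tunnel)                        # Mallory flips one payload byte: ICV no longer verifies
    tampered[12] ^= 0x01
    try:
        parse_esp(bytes(tampered))
        results["tamper"] = "accepted"
    except ValueError:
        results["tamper"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The order inside receive is deliberate: the ICV is checked before the replay window is updated, so an attacker who injects forged packets with high sequence numbers cannot slide the window forward and make the legitimate sender's packets look stale.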
Thank You!
The end; we hope you now understand IPsec.
References
• Understanding IPSEC - Server 2003, http://www.youtube.com/watch?v=DH1zI8QYi4A
• TCP/IP Guide, IP Security (IPSec) Protocols, http://www.tcpipguide.com/free/t_IPSecurityIPSecProtocols.htm