IPSec and VPN


Presented by: Abdullaziz Tagawy
Course: Computer Security 1
March 2016

Resources

Materials:
IPSec Tutorial by Scott Cleven-Mulcahy (paper taken from the GIAC directory of certified professionals)
IPSec: An Overview; presented by Somesh Jha, University of Wisconsin.
The Cryptography of the IPSec and IKE Protocols; presented by Hugo Krawczyk, Technion & IBM Research.
Internet Key Exchange Protocol; presented by Prateek Singh Bapna.
IP Security (IPSec); presented by Thomas Lee, Chief Technologist, QA.
Technical Development Program - VPN basics; presented by Martin Bratina, 2014 AT&T Intellectual Property.

Book(s):
Cryptography and Network Security: Principles and Practice, 6th Ed. (William Stallings)
Cryptography and Network Security by Forouzan (2007)
Google search



IPSec Contents

IP Security Overview
  Applications of IPsec
  Benefits of IPsec
  IPsec Documents
  IPsec Services
  Transport and Tunnel Modes
IP Security Policy
  Security Associations
  Security Association Database
  Security Policy Database
  IP Traffic Processing
Encapsulating Security Payload
  ESP Format
  Encryption and Authentication Algorithms
  Padding
  Anti-Replay Service
  Transport and Tunnel Modes
Combining Security Associations
  Authentication Plus Confidentiality
  Basic Combinations of Security Associations
Internet Key Exchange
  Key Determination Protocol
  Header and Payload Formats
All Together
VPN
  What is a VPN?
  Types of VPNs
  Commonly used VPNs
  IPSec VPN Benefits


IP Security Overview
Applications of IPsec:-
IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include:
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security

IP Security Overview
Benefits of IPsec:-
Some of the benefits of IPsec:
When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter.
IPsec in a firewall is resistant to bypass.
IPsec is below the transport layer (TCP, UDP) and so is transparent to applications.
IPsec can be transparent to end users.
IPsec can provide security for individual users if needed.

IP Security Overview
IPsec Documents:-
IPsec encompasses three functional areas: authentication, confidentiality, and key management.
The latest version of the IPsec document roadmap, as of this writing, is RFC 6071. The documents can be categorized into the following groups:
Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology. RFC 4301 [Security Architecture for the Internet Protocol].
Authentication Header (AH): RFC 4302 [IP Authentication Header]. Note that the use of AH is deprecated. It is included in IPsecv3 for backward compatibility but should not be used in new applications.
Encapsulating Security Payload (ESP): The current specification is RFC 4303 [IP Encapsulating Security Payload (ESP)].
Internet Key Exchange (IKE): RFC 5996 [Internet Key Exchange (IKEv2) Protocol], but there are a number of related RFCs.
Cryptographic algorithms: This category encompasses a large set of documents that define and describe cryptographic algorithms for encryption, message authentication, pseudorandom functions (PRFs), and cryptographic key exchange.
Other: There are a variety of other IPsec-related RFCs, including those dealing with security policy and management information base (MIB) content.

IP Security Overview
IPsec Services:-
IPsec provides security services at the IP layer (AH, ESP) by enabling a system to select the required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. The services are:
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets (a form of partial sequence integrity)
Confidentiality (encryption)
Limited traffic flow confidentiality

IP Security Overview
IPsec Services:-
Access Control: IPSec provides access control indirectly, using a Security Association Database (SAD). When a packet arrives at a destination and there is no Security Association already established for this packet, the packet is discarded.
Message Integrity: A digest of the data is created and sent by the sender to be checked by the receiver.
Entity Authentication: The Security Association and the keyed-hash digest of the data sent by the sender authenticate the sender of the data.


IP Security Overview
Transport and Tunnel Modes:-
Both AH and ESP support two modes of use: transport mode and tunnel mode.
IPSec in transport mode does not protect the IP header; it only protects the payload coming from the transport layer.
IPSec in tunnel mode protects the original IP header.
(Figure: Transport Mode; Tunnel Mode)
Transport mode is normally used when we need host-to-host (end-to-end) protection of data. The sending host uses IPSec to authenticate and/or encrypt the payload delivered from the transport layer. The receiving host uses IPSec to check the authentication and/or decrypt the IP packet and deliver it to the transport layer.
Tunnel mode is normally used between two routers, between a host and a router, or between a router and a host. The new IP header has different information than the original IP header. The entire original packet is protected from intrusion between the sender and the receiver, as if the whole packet goes through an imaginary tunnel.
(Figure: Transport Mode; Tunnel Mode)
The IPSec layer comes between the transport layer and the network layer. The flow is from the network layer to the IPSec layer and then back to the network layer again.
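As an added illustration (not part of the slides), the Python below builds the cleartext layout of an ESP packet in each mode from a constructed TCP-over-IPv4 packet, so the difference in what each mode covers can be checked byte by byte: in transport mode the original header stays visible and only the segment sits under ESP; in tunnel mode the whole original packet, header included, sits behind a new outer header carrying only the gateway addresses. Padding and the Pad Length / Next Header trailer follow the RFC 4303 layout, but no encryption or ICV is applied, and every address and the segment are constructed sample values.

```python
import socket
import struct

ESP_PROTO = 50    # IP protocol number of ESP
TCP_PROTO = 6
IPIP_PROTO = 4    # ESP Next Header value for an encapsulated IPv4 packet (tunnel mode)

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header with no options; checksum left zero for clarity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def esp_wrap(spi, seq, protected, next_header, block=4):
    """ESP header, the protected data, padding, then the Pad Length / Next Header trailer.
    Cleartext only: a real SA encrypts from 'protected' through the trailer and appends an ICV."""
    pad_len = (-(len(protected) + 2)) % block
    padding = bytes(range(1, pad_len + 1))          # default ESP padding bytes 1, 2, 3, ...
    return struct.pack("!II", spi, seq) + protected + padding + bytes([pad_len, next_header])

def transport_mode(pkt, spi, seq):
    """Transport mode: keep the original IP header, protect only the transport-layer payload."""
    hdr, payload = bytearray(pkt[:20]), pkt[20:]
    esp = esp_wrap(spi, seq, payload, hdr[9])        # original protocol moves into the trailer
    hdr[9] = ESP_PROTO                               # header now announces ESP as next protocol
    struct.pack_into("!H", hdr, 2, 20 + len(esp))    # update Total Length
    return bytes(hdr) + esp

def tunnel_mode(pkt, spi, seq, gw_src, gw_dst):
    """Tunnel mode: protect the entire original packet, header included, behind a new outer header."""
    esp = esp_wrap(spi, seq, pkt, IPIP_PROTO)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(esp)) + esp

def outer_header(pkt):
    """What an observer on the path sees: source, destination and protocol of the outer header."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9]

def esp_protected(pkt):
    """Receiver's view: the data between the ESP header and the trailer, padding removed."""
    pad_len = pkt[-2]
    return pkt[28:len(pkt) - 2 - pad_len]

# Constructed sample (not from the slides): a TCP segment from 10.0.0.5 to 10.0.1.7.
SEGMENT = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n"
ORIGINAL = ipv4_header("10.0.0.5", "10.0.1.7", TCP_PROTO, 20 + len(SEGMENT)) + SEGMENT

if __name__ == "__main__":
    t = transport_mode(ORIGINAL, 0x100, 1)
    u = tunnel_mode(ORIGINAL, 0x200, 1, "192.0.2.1", "198.51.100.1")
    print("transport outer:", outer_header(t), "protects", len(esp_protected(t)), "bytes")
    print("tunnel    outer:", outer_header(u), "protects", len(esp_protected(u)), "bytes")
```

The tunnel-mode outer header is the reason the slides list "limited traffic flow confidentiality" among the services: an observer between the gateways sees only gateway addresses and protocol 50.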


IP Security Policy
Security Policy (SP): This is an important aspect of IPSec which defines the type of security applied to a packet when it is to be sent or when it has arrived.
IPsec policy is determined primarily by the interaction of two databases, the security association database (SAD) and the security policy database (SPD).


IP Security Policy
Security Associations:-
Idea of Security Association
It is a key concept that appears in both the authentication and confidentiality mechanisms for IP.
It is a contract between two parties; it creates a secure channel between them.
Alice needs to unidirectionally communicate with Bob. If they are interested only in the confidentiality aspect of security, they can get a shared secret key between themselves. That means there are two SAs between Alice and Bob: one outbound SA and one inbound SA.
The Security Association can be more involved if the two parties need message integrity and authentication. It needs other data such as the algorithm for message integrity, the key, and other parameters.
It can be much more complex if the parties need to use specific algorithms and specific parameters for different protocols, such as IPSec AH or IPSec ESP.
Each of them stores the value of the key in one variable and the name of the encryption/decryption algorithm in another. Alice uses the algorithm and the key to encrypt a message to Bob; Bob uses the algorithm and the key when he needs to decrypt the message received from Alice.


IP Security Policy
Security Associations:-
A security association is uniquely identified by three parameters:
Security Parameters Index (SPI): A 32-bit unsigned integer assigned to this SA and having local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.
IP Destination Address: This is the address of the destination endpoint of the SA, which may be an end-user system or a network system such as a firewall or router.
Security Protocol Identifier: This field from the outer IP header indicates whether the association is an AH or ESP security association.

IP Security Policy
Security Association Database:-
We need a set of SAs that can be collected into a database. The database can be thought of as a two-dimensional table with each row defining a single SA.
There are two SADs, one inbound and one outbound.

IP Security Policy
Security Association Database:-
Security Parameter Index: A 32-bit value selected by the receiving end of an SA to uniquely identify the SA. In an SAD entry for an outbound SA, the SPI is used to construct the packet's AH or ESP header. In an SAD entry for an inbound SA, the SPI is used to map traffic to the appropriate SA.
Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP headers (required for all implementations).
Sequence Counter Overflow: A fl
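The following Python (added here; not the presenter's code) models the SAD as the slides describe it: rows keyed by the (SPI, destination address, security protocol) triple, the access-control rule that a packet with no established SA is discarded, an inbound anti-replay window driven by the Sequence Number field, and the outbound Sequence Number Counter, whose overflow flag is given RFC 4301 semantics here (stop sending and rekey when set). The SA fields, key and algorithm label are constructed placeholders; no cryptography is performed.

```python
from dataclasses import dataclass, field

ESP, AH = 50, 51            # protocol identifiers of the two IPsec security protocols
SEQ_MAX = 0xFFFFFFFF        # the 32-bit Sequence Number Counter cannot exceed this

@dataclass
class SA:
    spi: int
    dst: str
    proto: int              # ESP or AH
    algorithm: str          # constructed label only; no cryptography is performed here
    key: bytes
    seq_counter: int = 0    # outbound side: last Sequence Number placed in a header
    overflow_is_fatal: bool = True   # Sequence Counter Overflow flag (RFC 4301 semantics)
    highest_seq: int = 0    # inbound side: highest Sequence Number accepted so far
    window: int = 64        # inbound anti-replay window (RFC 4303 requires at least 32)
    seen: set = field(default_factory=set)

class SAD:
    """One table per direction; each row is one SA, selected by its identifying triple."""
    def __init__(self):
        self.rows = {}
    def add(self, sa):
        self.rows[(sa.spi, sa.dst, sa.proto)] = sa
    def lookup(self, spi, dst, proto):
        return self.rows.get((spi, dst, proto))

def next_seq(sa):
    """Outbound: allocate the next Sequence Number; a fatal overflow means the SA must be rekeyed."""
    if sa.seq_counter >= SEQ_MAX:
        if sa.overflow_is_fatal:
            raise OverflowError("sequence counter overflow: stop sending and rekey the SA")
        sa.seq_counter = 0                           # wrap allowed only when the flag is clear
    sa.seq_counter += 1
    return sa.seq_counter

def process_inbound(sad, dst, proto, spi, seq):
    """Inbound: select the SA by (SPI, destination, protocol); no SA means discard (access control)."""
    sa = sad.lookup(spi, dst, proto)
    if sa is None:
        return "discard", "no SA"
    if seq in sa.seen or seq + sa.window <= sa.highest_seq:
        return "discard", "replay"                   # duplicate, or older than the window
    # The integrity check with sa.key / sa.algorithm would run here, before any state changes.
    sa.seen.add(seq)
    if seq > sa.highest_seq:
        sa.highest_seq = seq
        sa.seen = {s for s in sa.seen if s + sa.window > seq}   # slide the window forward
    return "accept", sa
```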
