Introduction To Ipsec

This document provides an overview of IPSec, including:
- IPSec provides security at the network layer by adding authentication headers and encapsulating security payloads to IP packets.
- It uses Internet Key Exchange to negotiate security associations and exchange encryption keys between peers.
- IPSec can operate in either transport mode to encrypt payloads only, or tunnel mode to encrypt entire packets.

Uploaded by Sarthak Paliwal
Copyright: © All Rights Reserved

Introduction to IPSec

Overview of Presentation
• Introduction
– The Internet Model and Threats
– Solutions Possible
– Security Measures at Various Layers
– IPsec: security at network layer
• How IPsec works
– IPsec model
– Authentication Header
– Encapsulating Security Payload
– Internet Key Exchange
• Limitations of IPsec
• Conclusions
Introduction
• Original Design Model for the Internet
– The Internet was designed for a more benign environment, such as academia
– All data on the Internet was open to everyone, and anyone could share or modify it
– Since the small Internet community observed a shared etiquette, security was hardly an issue
– The Internet has since grown far beyond academia
Introduction (contd.)
• In the present scenario, the Internet enables instant, on-demand business by
– Establishing communication links with suppliers and business partners
– Eliminating the need for costly dedicated wide area network lines
– Enabling remote access to corporate networks through any of the many available Internet service providers
• One of the main stumbling blocks to achieving these benefits is the lack of security (besides reliability, quality of service, and others)
Internet Threats
• The varied nature of Internet users and networks has made security a concern
• Confirming these fears, several threats have surfaced, such as:
– Identity spoofing
– Denial of service
– Loss of privacy
– Loss of data integrity
– Replay attacks
Internet Threats (contd.)
• Identity spoofing
– Executing transactions while masquerading as another party
• Denial of service
– Preventing a service provider from serving legitimate clients by flooding it with fake requests
• Loss of privacy
– Eavesdropping on conversations, database replies, etc.
• Loss of data integrity
– Modifying data in transit to disrupt a valid communication
• Replay attacks
– Re-sending captured legitimate packets to execute new and malicious transactions
Solutions to the Problems
• Confidentiality
– If data is encrypted, intruders cannot observe it
• Integrity
– Modification in transit can be detected
• Authentication
– If devices can verify the source of data, it is difficult to impersonate a friendly device
– Spoofed and replayed packets can be rejected, which also closes the forged-request avenue for denial of service (raw flooding is not prevented by these mechanisms)
• The question is where such a solution should be implemented in the protocol stack
Security Measures at Different Layers

Application Layer   PGP, Kerberos, SSH, S/MIME
Transport Layer     SSL/Transport Layer Security (TLS)
Network Layer       IPsec
Data Link Layer     Hardware encryption
Security Measures at Different Layers
(contd.)
• Application Layer Security
– Implemented as user software
– No need to modify the operating system or the underlying network structure
– Each application and system requires its own security mechanism
• SSL/TLS (transport layer security) is implemented as user-level software, and each application must be written to use it
• Link layer security
– Implemented in hardware
– Requires encryption and decryption on every link, hop by hop
– Difficult to deploy in an Internet-like scenario with many independently operated links
IPsec: Security at IP Layer
• IPsec is a framework of open standards developed by the IETF (www.ietf.org, RFCs 4301 through 4308)
• IPsec sits below the transport layer and is transparent to applications
– IPsec can protect all traffic passing through the IP layer, as selected by policy
• End users need not be trained on security mechanisms, nor individually issued keys or have them revoked
• IPsec nevertheless has the granularity to provide per-user security if needed
IPsec: Security at IP Layer (contd.)

• IPsec has the additional advantage of protecting the routing architecture
– IPsec can assure that a router advertisement comes from an authorized router
– A routing update cannot be forged
– A neighbor advertisement comes from an authorized router
IPsec Services
• Access control
• Connectionless Integrity
• Data origin authentication
• Rejection of replayed packets
• Confidentiality
• Limited traffic flow confidentiality
SA (Security Association) Parameters
• An SA is a one-way relationship between sender and receiver, identified by its Security Parameter Index (SPI), destination address and protocol (AH or ESP); a two-way exchange needs two SAs
• Sequence Number Counter
• Sequence Counter Overflow
• Anti-Replay Window
• AH Information
• ESP Information
• Lifetime of SA
• IPsec Protocol Mode: Tunnel or Transport
• Path MTU
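The three sequence-number parameters above (Sequence Number Counter, Sequence Counter Overflow, Anti-Replay Window) are state that each end keeps per SA. As an added example, not code from the original slides, the following Python models that state: the outbound SA refuses to wrap its 32-bit counter, and the inbound SA keeps the sliding-window bitmap of RFC 4303 Appendix A (AH uses the same scheme). The SPI values, the window size of 64 and the sequence-number traces are constructed for illustration.

```python
SEQ_MAX = 2**32 - 1   # the 32-bit Sequence Number field of AH and ESP


class SequenceCounterOverflow(Exception):
    """The outbound counter would wrap: the SA is exhausted and must be replaced
    (rekeyed through IKE); a sender must never reuse a sequence number."""


class OutboundSA:
    """Sender-side state: the "Sequence Number Counter" SA parameter."""

    def __init__(self, spi, start=0):
        self.spi = spi
        self.counter = start          # value carried by the last packet sent

    def next_seq(self):
        # "Sequence Counter Overflow": stop rather than cycle, since anti-replay
        # at the receiver relies on numbers being unique for the SA's lifetime.
        if self.counter >= SEQ_MAX:
            raise SequenceCounterOverflow(f"SA {self.spi:#x} exhausted, rekey required")
        self.counter += 1
        return self.counter


class InboundSA:
    """Receiver-side state: the "Anti-Replay Window" SA parameter, kept as a
    bitmap whose bit i records whether sequence number (top - i) was seen."""

    def __init__(self, spi, window=64):
        self.spi = spi
        self.window = window          # 64 is the default the RFCs recommend
        self.top = 0                  # highest sequence number accepted so far
        self.bitmap = 0

    def accept(self, seq, icv_ok):
        """Return True if the packet is accepted. The window is advanced only
        for packets whose ICV verified; otherwise forged sequence numbers could
        push legitimate traffic out of the window (a cheap denial of service)."""
        if seq == 0:
            return False              # the first packet on an SA carries seq 1
        if seq > self.top:            # right of the window: new highest
            if not icv_ok:
                return False
            shift = seq - self.top
            if shift >= self.window:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.window:       # left of the window: too old, drop
            return False
        if (self.bitmap >> diff) & 1: # inside the window but already seen: replay
            return False
        if not icv_ok:
            return False
        self.bitmap |= 1 << diff
        return True


def replay_trace(seqs, window=64):
    """Feed a constructed sequence-number trace to one inbound SA (all ICVs valid)."""
    sa = InboundSA(spi=0x1000, window=window)
    return [sa.accept(s, icv_ok=True) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: in order, a replay of 2, a jump past the window, two
    # packets that are now too old, a late-but-valid 7, its replay, then 200.
    print(replay_trace([1, 2, 3, 2, 70, 5, 6, 7, 7, 200]))
    out = OutboundSA(spi=0x2000, start=SEQ_MAX - 1)
    print(out.next_seq())             # last usable number on this SA
    try:
        out.next_seq()
    except SequenceCounterOverflow as exc:
        print("refused:", exc)
```

The order of checks in `accept` matters: the cheap window test runs before the (expensive) ICV check, but the window is updated only after the ICV has verified, which is exactly the ordering the RFCs prescribe.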
IPsec components
• IPsec consists of two important protocol components
– The first defines the information that is added to the IP packet to achieve the required services; this is split into the Authentication Header (AH) and the Encapsulating Security Payload (ESP)
– The second, Internet Key Exchange (IKE), negotiates security associations between two peers and exchanges the keying material they need
IPsec Modes
• IPsec can operate in two modes
– Transport Mode
• Only the IP payload (the transport segment) is protected: ESP encrypts it, AH authenticates it
• The original IP header is left intact and is used for routing
• Adds limited overhead to the IP packet; typically used host to host
– Tunnel Mode
• The entire original IP packet, including its header, is protected
• A new outer IP header is generated, addressed to the tunnel endpoint (typically a security gateway)
• Transparent to the end hosts, which need not run IPsec themselves
IPsec modes (contd.)
Transport Mode: protect the upper layer protocols

  Original datagram:           | IP Header | TCP Header | Data |

  Transport Mode               | IP Header | IPsec Header | TCP Header | Data |
  protected packet:                        |<--------- protected -------->|

Tunnel Mode: protect the entire original IP packet

  Tunnel Mode                  | New IP Header | IPsec Header | Original IP Header | TCP Header | Data |
  protected packet:                            |<------------------- protected ------------------>|

(The "protected" span as drawn is what ESP encrypts; ESP also appends a trailer and ICV after the data. For AH the ICV additionally covers the immutable fields of the outer IP header.)
Authentication Header
• The AH is inserted after the IP header to provide the following services:
– Access control, connectionless integrity, data origin authentication, rejection of replayed packets (no confidentiality)
– Fields carried in the AH (RFC 4302):
• Next Header, Payload Length and Security Parameter Index (SPI, 32-bit)
• Sequence Number (32-bit)
• Integrity Check Value (ICV; variable length, a multiple of 32 bits)
Authentication Header (contd.)
• Anti-replay protection
– Range of sequence numbers for an SA is 1 to 2^32 - 1
– Sequence numbers are never reused; before the counter would wrap, the SA must be rekeyed
• Integrity Check Value (ICV)
– Keyed MAC algorithms: HMAC-SHA1-96 (mandatory), AES-XCBC-MAC-96, HMAC-MD5-96 (MD5 is no longer recommended)
– The MAC is calculated over the IP header fields that are immutable or predictable in transit (version, header length, total length, identification, protocol, source/destination addresses), the AH itself with the ICV field zeroed, and the payload; mutable fields (TTL, header checksum, DSCP/ECN, flags, fragment offset) are zeroed for the computation
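To make the packet layouts from the modes slide and the ICV rules on this slide concrete, the following Python, added here and not part of the original presentation, builds and verifies AH packets in both transport and tunnel mode with HMAC-SHA1-96 (RFC 2404). It assumes 20-byte IPv4 headers without options; the key, addresses, SPIs and the TCP segment are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51       # IP protocol number of the Authentication Header
IPIP_PROTO = 4      # Next Header value for an encapsulated IPv4 packet (tunnel mode)
TCP_PROTO = 6
ICV_LEN = 12        # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)


def ipv4_checksum(hdr):
    """Ones'-complement checksum over a 20-byte header whose checksum field is zero."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header, no options (an assumption of this example)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(hdr):
    """RFC 4302 3.3.3.1: fields that change in transit (DSCP/ECN, flags, fragment
    offset, TTL, header checksum) are zeroed before the ICV is computed; version,
    IHL, total length, ID, protocol and both addresses are covered as sent."""
    return hdr[0:1] + b"\x00" + hdr[2:6] + b"\x00\x00" + b"\x00" + hdr[9:10] + b"\x00\x00" + hdr[12:20]


def ah_header(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    """AH: Next Header, Payload Length (32-bit words minus 2), Reserved, SPI, Seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, ah_zero, payload):
    """ICV = HMAC-SHA1(key, zeroed IP header || AH with zero ICV || payload), truncated."""
    return hmac.new(key, zero_mutable(ip_hdr) + ah_zero + payload, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, spi, seq, src, dst, next_header, payload):
    """Sender: IP header (proto 51) || AH || payload.
    Transport mode: next_header is the upper-layer protocol, payload the TCP segment.
    Tunnel mode: next_header is 4 and payload is the complete original IP packet."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 12 + ICV_LEN + len(payload))
    ah_zero = ah_header(next_header, spi, seq)
    icv = compute_icv(key, ip_hdr, ah_zero, payload)
    return ip_hdr + ah_zero[:12] + icv + payload


def ah_verify(key, packet):
    """Receiver: recompute the ICV and compare in constant time.
    Returns (ok, (spi, seq, next_header)); in practice the SPI selects the SA and its key."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != AH_PROTO:
        return False, None
    ah_len = (packet[21] + 2) * 4
    ah = packet[20:20 + ah_len]
    next_header, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    ah_zero = ah[:12] + b"\x00" * (ah_len - 12)
    expected = compute_icv(key, ip_hdr, ah_zero, packet[20 + ah_len:])
    return hmac.compare_digest(expected, ah[12:]), (spi, seq, next_header)


def ttl_decrement_survives(key, packet):
    """A router decrementing TTL and refreshing the checksum must not break AH."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return ah_verify(key, bytes(hdr) + packet[20:])[0]


def tamper_detected(key, packet, offset):
    """Flip one bit at `offset` (payload or an address byte) and check that AH rejects it."""
    t = bytearray(packet)
    t[offset] ^= 0x01
    return not ah_verify(key, bytes(t))[0]


# Constructed sample data (not real traffic): a demo key and a 20-byte TCP SYN header.
KEY = b"constructed-demo-key-not-for-real-use"
TCP_SEGMENT = bytes.fromhex("c350005000000001000000005002ffff00000000")

# Transport mode, host to host: IP | AH | TCP
TRANSPORT_PACKET = ah_protect(KEY, 0x100, 1, "10.0.0.1", "10.0.0.2", TCP_PROTO, TCP_SEGMENT)

# Tunnel mode, gateway to gateway: New IP | AH | Original IP | TCP
ORIGINAL_PACKET = ipv4_header("192.168.1.10", "192.168.2.20", TCP_PROTO, len(TCP_SEGMENT)) + TCP_SEGMENT
TUNNEL_PACKET = ah_protect(KEY, 0x200, 1, "203.0.113.1", "198.51.100.1", IPIP_PROTO, ORIGINAL_PACKET)

if __name__ == "__main__":
    for name, pkt in (("transport", TRANSPORT_PACKET), ("tunnel", TUNNEL_PACKET)):
        ok, (spi, seq, nh) = ah_verify(KEY, pkt)
        print(f"{name}: {len(pkt)} bytes, spi={spi:#x} seq={seq} next={nh} verified={ok}")
        print("  TTL decrement tolerated:", ttl_decrement_survives(KEY, pkt))
        print("  payload tamper detected:", tamper_detected(KEY, pkt, len(pkt) - 1))
        print("  dst address rewrite detected:", tamper_detected(KEY, pkt, 16))
```

The two tamper checks show why AH, unlike ESP without authentication, binds the packet to its addresses: rewriting the destination is caught even though the payload is untouched, while the TTL change a router makes on every hop is tolerated because TTL is one of the zeroed mutable fields. The same property is also why AH does not survive NAT, which rewrites the covered address fields.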
IKE (Internet Key Exchange) and IPsec Limitations
• The security delivered by AH and ESP ultimately depends on the quality of their implementation
• The operating environment affects how well IPsec security works
• Defects in OS security, poor random number generators (which weaken the keys IKE derives), and misconfiguration of protocols or policies can all degrade the security IPsec provides
Conclusions
• IPsec provides a method for creating secure private networks over public networks
• Applications and operating systems need not be changed
– Implementation can be limited to security gateways
• Several IPsec-based products are commercially deployed
• Users can also enable and use IPsec directly on their own machines
