SlideShare a Scribd company logo

Ip sec

Download as PPT, PDF
S
shifanabasheer

The document discusses IP security (IPSec) and its components. It summarizes that IPSec provides authentication, confidentiality, and key management for network traffic. It describes the two main protocols used in IPSec - Authentication Header (AH) for data integrity and authentication, and Encapsulating Security Payload (ESP) for confidentiality and optional authentication. It also discusses transport and tunnel modes, security associations, and key management standards like Oakley and ISAKMP.

1 of 22
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown
The need... • In CERTs 2001 annual report it listed 52,000 security incidents • the most serious involving: • IP spoofing • intruders creating packets with false address then taking advantages of OS exploits • eavesdropping and sniffing • attackers listen for userids and passwords and then just walk into target systems • as a result the IAB included authentication and encryption in the next generation IP (IPv6)
IP Security • We’ve considered some application specific security mechanisms • eg. S/MIME, PGP, Kerberos, SSL/HTTPS • however there are security concerns that cut across protocol layers • would like security implemented by the network for all applications
IPSec • general IP Security mechanisms • provides • authentication • confidentiality • key management • applicable to use over LANs, across public & private WANs, & for the Internet
IPSec Uses
Benefits of IPSec • in a firewall/router provides strong security to all traffic crossing the perimeter • is resistant to bypass • is below transport layer, hence transparent to applications • can be transparent to end users • can provide security for individual users if desired • additionally in routing applications: • assure that router advertisments come from authorized routers • neighbor advertisments come from authorized routers • insure redirect messages come from the router to which initial packet was sent • insure no forging of router updates
IP Security Architecture • RFC 2401 (Primary RFC) • specification is quite complex • defined in numerous RFC’s • incl. RFC 2401/2402/2406/2408 • many others, grouped by category • mandatory in IPv6, optional in IPv4
IPSec Services • Two protocols are used to provide security: • Authentication Header Protocol (AH) • Encapsulation Security Payload (ESP) • Services provided are: • Access control • Connectionless integrity • Data origin authentication • Rejection of replayed packets • a form of partial sequence integrity • Confidentiality (encryption) • Limited traffic flow confidentiality
Security Associations • a one-way relationship between sender & receiver that affords security for traffic flow • defined by 3 parameters: • Security Parameters Index (SPI) • a bit string • IP Destination Address • only unicast allowed • could be end user, firewall, router • Security Protocol Identifier • indicates if SA is AH or ESP • has a number of other parameters • seq no, AH & EH info, lifetime etc • have a database of Security Associations
Authentication Header (AH) • RFC 2402 • provides support for data integrity & authentication of IP packets • end system/router can authenticate user/app • prevents address spoofing attacks by tracking sequence numbers • based on use of a MAC (message authentication code) • HMAC-MD5-96 or HMAC-SHA-1-96 • MAC is calculated: • immutable IP header fields • AH header (except for Authentication Data field) • the entire upper-level protocol data (immutable) • parties must share a secret key
Authentication Header
Transport and Tunnel Modes • Both AH and ESP have two modes • transport mode is used to encrypt & optionally authenticate IP data • data protected but header left in clear • can do traffic analysis but is efficient • good for ESP host to host traffic • tunnel mode encrypts entire IP packet • add new header for next hop • good for VPNs, gateway to gateway security
Transport & Tunnel Modes
Encapsulating Security Payload (ESP) • RFC 2406 • provides message content confidentiality & limited traffic flow confidentiality • can optionally provide the same authentication services as AH • supports range of ciphers, modes, padding • incl. DES, Triple-DES, RC5, IDEA, CAST etc • CBC most common • pad to meet blocksize, for traffic flow
Encapsulating Security Payload
Combining Security Associations • SA’s can implement either AH or ESP • to implement both need to combine SA’s • form a security bundle • have 4 cases (see next)
Combining Security Associations a. AH in transport mode b.ESP in transport mode c. AH followed by ESP in transport mode(ESP SA inside an AH SA d. any one a, b, c inside an AH or ESP in tunnel mode
Key Management • handles key generation & distribution • typically need 2 pairs of keys • 2 per direction for AH & ESP • manual key management • sysadmin manually configures every system • automated key management • automated system for on demand creation of keys for SA’s in large systems • has Oakley & ISAKMP elements
Oakley • RFC 2412 • a key exchange protocol • based on Diffie-Hellman key exchange • adds features to address weaknesses • cookies, groups (global params), nonces, DH key exchange with authentication • can use arithmetic in prime fields or elliptic curve fields
ISAKMP • Internet Security Association and Key Management Protocol (RFC 2407) • provides framework for key management • defines procedures and packet formats to establish, negotiate, modify and delete SAs • independent of key exchange protocol, encryption algorithm and authentication method
ISAKMP
Summary • have considered: • IPSec security framework • AH Protocol • ESP Protocol • key management & Oakley/ISAKMP

More Related Content

PPT
Unit08
Nurul Nadirah
 
PDF
CNIT 141 13. TLS
Sam Bowne
 
PPTX
IPSec | Computer Network
shubham ghimire
 
PDF
20 palo alto site to site
Mostafa El Lathy
 
PPT
The Security layer
Swetha S
 
PDF
IP security and VPN presentation
KishoreTs3
 
PDF
CNIT 141: 13. TLS
Sam Bowne
 
PDF
IP Security
Dr.Florence Dayana
 
Unit08
Nurul Nadirah
 
CNIT 141 13. TLS
Sam Bowne
 
IPSec | Computer Network
shubham ghimire
 
20 palo alto site to site
Mostafa El Lathy
 
The Security layer
Swetha S
 
IP security and VPN presentation
KishoreTs3
 
CNIT 141: 13. TLS
Sam Bowne
 
IP Security
Dr.Florence Dayana
 

What's hot (20)

PDF
CNIT 141: 13. TLS
Sam Bowne
 
PDF
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
PPTX
Encryption
Zeeshan Butt
 
PDF
3 palo alto ngfw architecture overview
Mostafa El Lathy
 
PDF
CNIT 123 8: Desktop and Server OS Vulnerabilities
Sam Bowne
 
PDF
Palo alto outline course | Mostafa El Lathy
Mostafa El Lathy
 
PDF
BAIT1103 Chapter 4
limsh
 
PDF
APIdays Barcelona 2019 - Introduction to Onion Services to secure APIs with P...
apidays
 
PPSX
Secure socket layer
Nishant Pahad
 
PDF
CNIT 123: 6: Enumeration
Sam Bowne
 
PPT
Wi fi protected-access
bhanu4ugood1
 
PDF
13 palo alto url web filtering concept
Mostafa El Lathy
 
PDF
15 intro to ssl certificate & pki concept
Mostafa El Lathy
 
PPTX
Wireless Security null seminar
Nilesh Sapariya
 
PPTX
Wpa vs Wpa2
Nzava Luwawa
 
PPSX
authentication and access control(http://4knet.ir)
Azad Kaki
 
PPSX
BSET_Lecture_Crypto and SSL_Overview_FINAL
Glenn Haley
 
PPTX
Wireless Network Security
SAHEEL FAL DESAI
 
PDF
Wireless Cracking using Kali
n|u - The Open Security Community
 
PPT
Secure socket later
Muhammad Ahmad Nazar
 
CNIT 141: 13. TLS
Sam Bowne
 
18CS2005 Cryptography and Network Security
Kathirvel Ayyaswamy
 
Encryption
Zeeshan Butt
 
3 palo alto ngfw architecture overview
Mostafa El Lathy
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
Sam Bowne
 
Palo alto outline course | Mostafa El Lathy
Mostafa El Lathy
 
BAIT1103 Chapter 4
limsh
 
APIdays Barcelona 2019 - Introduction to Onion Services to secure APIs with P...
apidays
 
Secure socket layer
Nishant Pahad
 
CNIT 123: 6: Enumeration
Sam Bowne
 
Wi fi protected-access
bhanu4ugood1
 
13 palo alto url web filtering concept
Mostafa El Lathy
 
15 intro to ssl certificate & pki concept
Mostafa El Lathy
 
Wireless Security null seminar
Nilesh Sapariya
 
Wpa vs Wpa2
Nzava Luwawa
 
authentication and access control(http://4knet.ir)
Azad Kaki
 
BSET_Lecture_Crypto and SSL_Overview_FINAL
Glenn Haley
 
Wireless Network Security
SAHEEL FAL DESAI
 
Wireless Cracking using Kali
n|u - The Open Security Community
 
Secure socket later
Muhammad Ahmad Nazar
 
Ad

Viewers also liked (20)

PPTX
IP Security
Keshab Nath
 
PPT
Ch20
Joe Christensen
 
PPTX
Turing machine-TOC
Maulik Togadiya
 
PPTX
Java history, versions, types of errors and exception, quiz
SAurabh PRajapati
 
PPTX
Data mining
Maulik Togadiya
 
PPTX
remote sensor
SAurabh PRajapati
 
PDF
12. dfs
Dr Sandeep Kumar Poonia
 
PDF
6. The grid-COMPUTING OGSA and WSRF
Dr Sandeep Kumar Poonia
 
PPTX
Distributed file system
Anamika Singh
 
PDF
Distributed Operating System_2
Dr Sandeep Kumar Poonia
 
PDF
Lecture28 tsp
Dr Sandeep Kumar Poonia
 
PPT
Multiple Access in wireless communication
Maulik Togadiya
 
PPTX
Ccleaner presentation
SAurabh PRajapati
 
PPTX
optimization of DFA
Maulik Togadiya
 
PPTX
Distributed shred memory architecture
Maulik Togadiya
 
PDF
Distributed computing
Deepak John
 
PDF
Soft computing
Dr Sandeep Kumar Poonia
 
PPTX
IDS n IPS
SAurabh PRajapati
 
PPTX
Synchronization - Election Algorithms
OsaMa Hasan
 
PDF
5. Distributed Operating Systems
Dr Sandeep Kumar Poonia
 
IP Security
Keshab Nath
 
Ch20
Joe Christensen
 
Turing machine-TOC
Maulik Togadiya
 
Java history, versions, types of errors and exception, quiz
SAurabh PRajapati
 
Data mining
Maulik Togadiya
 
remote sensor
SAurabh PRajapati
 
12. dfs
Dr Sandeep Kumar Poonia
 
6. The grid-COMPUTING OGSA and WSRF
Dr Sandeep Kumar Poonia
 
Distributed file system
Anamika Singh
 
Distributed Operating System_2
Dr Sandeep Kumar Poonia
 
Lecture28 tsp
Dr Sandeep Kumar Poonia
 
Multiple Access in wireless communication
Maulik Togadiya
 
Ccleaner presentation
SAurabh PRajapati
 
optimization of DFA
Maulik Togadiya
 
Distributed shred memory architecture
Maulik Togadiya
 
Distributed computing
Deepak John
 
Soft computing
Dr Sandeep Kumar Poonia
 
IDS n IPS
SAurabh PRajapati
 
Synchronization - Election Algorithms
OsaMa Hasan
 
5. Distributed Operating Systems
Dr Sandeep Kumar Poonia
 
Ad

Similar to Ip sec (20)

PPTX
IP SEC.ptx
MamoonKhan40
 
PPTX
Cryptography and Network security # Lecture 8
Kabul Education University
 
PPT
Unit 5.ppt
DHANABALSUBRAMANIAN
 
PDF
BAIT1103 Chapter 6
limsh
 
PPTX
ssl-tls-ipsec-vpn.pptx
jithu26327
 
PPT
ICS PPT Unit 4.ppt
DEEPAK948083
 
PPT
Ch16
Joe Christensen
 
PPTX
CryptoStandards and protocols for digital secure communications
bipinbhattarai12
 
PPT
IS Unit-4 .ppt
NamanRockzz
 
PPT
Ip sec and ssl
Mohd Arif
 
PPTX
EOC MODULE 3 IP security - SR.pptx engineering college
komalsingh2444
 
PPTX
chAPTER 19 INTERNET PROTOCOL SECURITY PRESENTATION
PragyanshuParadkar1
 
PDF
CNS ppt.pdf
ChaitanyaK65
 
PPT
ch22.ppt
ImXaib
 
PPT
Ip sec talk
anoean
 
PPT
Chapter_4_InternetSecurity.pptChapter_4_InternetSecurity.pptChapter_4_Interne...
namrataparopate
 
PPT
Chapter_4_InternetSecurity.pptChapter_4_InternetSecurity.pptChapter_4_Interne...
namrataparopate
 
PPT
taub-IPsec network security in network.ppt
ubaidullah75790
 
PPTX
IPsec
abdullah roomi
 
PDF
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
 
IP SEC.ptx
MamoonKhan40
 
Cryptography and Network security # Lecture 8
Kabul Education University
 
Unit 5.ppt
DHANABALSUBRAMANIAN
 
BAIT1103 Chapter 6
limsh
 
ssl-tls-ipsec-vpn.pptx
jithu26327
 
ICS PPT Unit 4.ppt
DEEPAK948083
 
Ch16
Joe Christensen
 
CryptoStandards and protocols for digital secure communications
bipinbhattarai12
 
IS Unit-4 .ppt
NamanRockzz
 
Ip sec and ssl
Mohd Arif
 
EOC MODULE 3 IP security - SR.pptx engineering college
komalsingh2444
 
chAPTER 19 INTERNET PROTOCOL SECURITY PRESENTATION
PragyanshuParadkar1
 
CNS ppt.pdf
ChaitanyaK65
 
ch22.ppt
ImXaib
 
Ip sec talk
anoean
 
Chapter_4_InternetSecurity.pptChapter_4_InternetSecurity.pptChapter_4_Interne...
namrataparopate
 
Chapter_4_InternetSecurity.pptChapter_4_InternetSecurity.pptChapter_4_Interne...
namrataparopate
 
taub-IPsec network security in network.ppt
ubaidullah75790
 
IPsec
abdullah roomi
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
Kathirvel Ayyaswamy
 

Ip sec

  • 1. Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown
  • 2. The need... • In CERTs 2001 annual report it listed 52,000 security incidents • the most serious involving: • IP spoofing • intruders creating packets with false address then taking advantages of OS exploits • eavesdropping and sniffing • attackers listen for userids and passwords and then just walk into target systems • as a result the IAB included authentication and encryption in the next generation IP (IPv6)
  • 3. IP Security • We’ve considered some application specific security mechanisms • eg. S/MIME, PGP, Kerberos, SSL/HTTPS • however there are security concerns that cut across protocol layers • would like security implemented by the network for all applications
  • 4. IPSec • general IP Security mechanisms • provides • authentication • confidentiality • key management • applicable to use over LANs, across public & private WANs, & for the Internet
  • 6. Benefits of IPSec • in a firewall/router provides strong security to all traffic crossing the perimeter • is resistant to bypass • is below transport layer, hence transparent to applications • can be transparent to end users • can provide security for individual users if desired • additionally in routing applications: • assure that router advertisments come from authorized routers • neighbor advertisments come from authorized routers • insure redirect messages come from the router to which initial packet was sent • insure no forging of router updates
  • 7. IP Security Architecture • RFC 2401 (Primary RFC) • specification is quite complex • defined in numerous RFC’s • incl. RFC 2401/2402/2406/2408 • many others, grouped by category • mandatory in IPv6, optional in IPv4
  • 8. IPSec Services • Two protocols are used to provide security: • Authentication Header Protocol (AH) • Encapsulation Security Payload (ESP) • Services provided are: • Access control • Connectionless integrity • Data origin authentication • Rejection of replayed packets • a form of partial sequence integrity • Confidentiality (encryption) • Limited traffic flow confidentiality
  • 9. Security Associations • a one-way relationship between sender & receiver that affords security for traffic flow • defined by 3 parameters: • Security Parameters Index (SPI) • a bit string • IP Destination Address • only unicast allowed • could be end user, firewall, router • Security Protocol Identifier • indicates if SA is AH or ESP • has a number of other parameters • seq no, AH & EH info, lifetime etc • have a database of Security Associations
  • 10. Authentication Header (AH) • RFC 2402 • provides support for data integrity & authentication of IP packets • end system/router can authenticate user/app • prevents address spoofing attacks by tracking sequence numbers • based on use of a MAC (message authentication code) • HMAC-MD5-96 or HMAC-SHA-1-96 • MAC is calculated: • immutable IP header fields • AH header (except for Authentication Data field) • the entire upper-level protocol data (immutable) • parties must share a secret key
  • 12. Transport and Tunnel Modes • Both AH and ESP have two modes • transport mode is used to encrypt & optionally authenticate IP data • data protected but header left in clear • can do traffic analysis but is efficient • good for ESP host to host traffic • tunnel mode encrypts entire IP packet • add new header for next hop • good for VPNs, gateway to gateway security
  • 14. Encapsulating Security Payload (ESP) • RFC 2406 • provides message content confidentiality & limited traffic flow confidentiality • can optionally provide the same authentication services as AH • supports range of ciphers, modes, padding • incl. DES, Triple-DES, RC5, IDEA, CAST etc • CBC most common • pad to meet blocksize, for traffic flow
  • 16. Combining Security Associations • SA’s can implement either AH or ESP • to implement both need to combine SA’s • form a security bundle • have 4 cases (see next)
  • 17. Combining Security Associations a. AH in transport mode b.ESP in transport mode c. AH followed by ESP in transport mode(ESP SA inside an AH SA d. any one a, b, c inside an AH or ESP in tunnel mode
  • 18. Key Management • handles key generation & distribution • typically need 2 pairs of keys • 2 per direction for AH & ESP • manual key management • sysadmin manually configures every system • automated key management • automated system for on demand creation of keys for SA’s in large systems • has Oakley & ISAKMP elements
  • 19. Oakley • RFC 2412 • a key exchange protocol • based on Diffie-Hellman key exchange • adds features to address weaknesses • cookies, groups (global params), nonces, DH key exchange with authentication • can use arithmetic in prime fields or elliptic curve fields
  • 20. ISAKMP • Internet Security Association and Key Management Protocol (RFC 2407) • provides framework for key management • defines procedures and packet formats to establish, negotiate, modify and delete SAs • independent of key exchange protocol, encryption algorithm and authentication method
  • 22. Summary • have considered: • IPSec security framework • AH Protocol • ESP Protocol • key management & Oakley/ISAKMP

Editor's Notes

  • #6: Stallings Fig 16-1.
  • #12: Stallings Fig 16-3.
  • #14: Stallings Fig 16-5.
  • #16: Stallings Fig 16-7.
  • #18: Stallings Fig 16-10.
  • #22: Stallings Fig 16-12.