2. Outline:
What Security Problem? - Kamran ahmed
Understanding TCP/IP. - Kamran ahmed
Security at What Level? -
IP Security.
IPSec Security Services.
Modes of operation.
IPSec Security Protocols.
Outbound/Inbound IPSec Processing.
Real World Deployment Examples.
dept. of ECE
3. What Security Problem?
Today's Internet is primarily made up of:
- Public
- Untrusted
- Unreliable IP networks
Because of this inherent lack of security, the Internet is subject to various types of threats.
4. Internet Threats
Data integrity
The contents of a packet can be accidentally or deliberately modified.
Identity spoofing
The origin of an IP packet can be forged.
Replay attacks
Unauthorized data can be retransmitted.
Loss of privacy
The contents of a packet can be examined in transit.
5. Understanding TCP/IP
[Figure: the OSI reference model (Application, Presentation, Session, Transport, Network, Logical Link, Physical) beside the TCP/IP stack: application protocols HTTP, SMTP, FTP, SNMP, NFS, DNS; TCP and UDP at the transport layer; IP at the network layer; network adapter and device driver below.]
dept. of ECE 2024-25
7-12. Understanding TCP/IP
Encapsulation of Data for Network Delivery
[Figure, built up over slides 7-12: the original message is Data 3 at the application layer; the transport layer (TCP, UDP) prepends Header 3, giving Data 2; the network layer (IP) prepends Header 2, giving Data 1; the data link layer prepends Header 1.]
24. Security at What Level?
Application Layer: PGP, Kerberos, SSH, etc.
Transport Layer: Transport Layer Security (TLS)
Network Layer: IP Security
Data Link Layer: Hardware encryption
25. Security at Application Layer
(PGP, Kerberos, SSH, etc.)
Implemented in end-hosts
Advantages
- Extend application without involving operating system.
- Application can understand the data and can provide the appropriate
security.
Disadvantages
- Security mechanisms have to be designed independently of each
application.
26. Security at Transport Layer
Transport Layer Security (TLS)
Implemented in end-hosts
Advantages
- Existing applications get security seamlessly
Disadvantages
- Protocol specific
27. Security at Network Layer
IP Security (IPSec)
Advantages
- Provides seamless security to application and transport layers (ULPs).
- Allows per flow or per connection security and thus allows for very
fine-grained security control.
Disadvantages
- More difficult to exercise on a per-user basis on a multi-user machine.
28. Security at Data Link Layer
(Hardware encryption)
Need a dedicated link between host/routers.
Advantages
- Speed.
Disadvantages
- Not scalable.
- Need dedicated links.
29. IP Security (IPSec)
IPSec is a framework of open standards
developed by the Internet Engineering Task
Force (IETF).
Creates secure, authenticated, reliable
communications over IP networks
30. IPSec Security Services
Connectionless integrity
Assurance that received traffic has not been modified. Integrity includes anti-replay defenses.
Data origin authentication
Assurance that traffic is sent by legitimate party or parties.
Confidentiality (encryption)
Assurance that the user's traffic is not examined by non-authorized parties.
Access control
Prevention of unauthorized use of a resource.
31. IPSec Modes of Operation
Transport Mode: protect the upper layer protocols
[Figure: original IP datagram = IP Header | TCP Header | Data. Transport mode protected packet = IP Header | IPSec Header | TCP Header | Data; the TCP header and data are protected.]
Tunnel Mode: protect the entire IP payload
[Figure: tunnel mode protected packet = New IP Header | IPSec Header | Original IP Header | TCP Header | Data; everything after the IPSec header, including the original IP header, is protected.]
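The two packet layouts above, together with the header-prepending encapsulation of slides 7-12, as an added worked example that is not part of the lecture: the code builds real IPv4 and TCP headers (with the IPv4 checksum), then produces a transport-mode and a tunnel-mode packet and parses the outer header back. The addresses are constructed documentation values, the "IPSec header" is a bare ESP header (SPI and sequence number) with encryption and the trailing ICV left out since the point is header placement, and the TCP checksum is left zero for the same reason.

```python
import struct
from socket import inet_aton, inet_ntoa

# Added example (not from the lecture slides). Builds IPv4 and TCP headers by
# hand to show the header-prepending encapsulation of slides 7-12, then the two
# IPSec packet layouts of slide 31. Addresses are constructed documentation
# values (RFC 5737). The "IPSec header" is a bare ESP header (SPI + sequence
# number); encryption and the trailing ICV are omitted because the point here
# is where the headers sit, not the cryptography.

IPPROTO_TCP = 6
IPPROTO_ESP = 50


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    ver_ihl = (4 << 4) | 5          # IPv4, 5 x 32-bit words, no options
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len,
                      0, 0, 64, proto, 0, inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def tcp_header(sport: int, dport: int, seq: int = 0) -> bytes:
    """Minimal 20-byte TCP SYN header; checksum left zero (irrelevant to the layout)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)


def esp_header(spi: int, seq: int) -> bytes:
    """SPI and sequence number: the cleartext front of an ESP header."""
    return struct.pack("!II", spi, seq)


def transport_mode(src, dst, spi, seq, segment):
    """IP | IPSec | TCP | Data: the IPSec header is inserted after the original IP
    header, so only the upper-layer protocol (TCP header and data) is protected."""
    body = esp_header(spi, seq) + segment
    return ipv4_header(src, dst, IPPROTO_ESP, len(body)) + body


def tunnel_mode(gw_src, gw_dst, spi, seq, datagram):
    """New IP | IPSec | Original IP | TCP | Data: the whole original datagram, IP
    header included, becomes the protected payload behind a new outer IP header."""
    body = esp_header(spi, seq) + datagram
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(body)) + body


def parse_ipv4(packet: bytes):
    """Return (src, dst, protocol, total_length, checksum_ok) for the leading IPv4 header."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return (inet_ntoa(fields[8]), inet_ntoa(fields[9]), fields[6], fields[2],
            ipv4_checksum(packet[:20]) == 0)


def build_layouts():
    """Encapsulate one constructed message and return all three layouts."""
    data = b"GET / HTTP/1.1\r\n\r\n"                      # Data 3: application message
    segment = tcp_header(40000, 80) + data                # Header 3 + Data 3 = Data 2
    original = ipv4_header("192.0.2.10", "198.51.100.20",
                           IPPROTO_TCP, len(segment)) + segment   # Header 2 + Data 2
    return {
        "original": original,
        "transport": transport_mode("192.0.2.10", "198.51.100.20", 0x1001, 1, segment),
        # tunnel mode between two security gateways, as in the slides' SG-to-SG case
        "tunnel": tunnel_mode("203.0.113.1", "203.0.113.2", 0x2002, 1, original),
    }


if __name__ == "__main__":
    for name, pkt in build_layouts().items():
        print(name, len(pkt), "bytes, outer header:", parse_ipv4(pkt))
```

Running it shows why tunnel mode is the natural fit for gateway-to-gateway deployment: the outer header carries only the two gateway addresses, and the original end-host addresses sit inside the protected payload, whereas in transport mode the end-host addresses stay visible in the single IP header.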
32. Tunnel Mode
Host-to-Network, Network-to-Network
[Figure: Host A and Host B each have application, transport and IP layers. A security gateway (SG) in front of each host runs IPSec at its IP layer, and the protected data crosses the Internet between the two SGs.]
SG = Security Gateway
33. Transport Mode
Host-to-Host
[Figure: Host A and Host B each have application, transport, IP and data link layers, with IPSec at the IP layer of both hosts; protection is applied end to end between the two hosts.]
35. IPSec Security Protocols
Authentication Header (AH) provides:
- Connectionless integrity
- Data origin authentication
- Protection against replay attacks
Encapsulating Security Payload (ESP) provides:
- Confidentiality (encryption)
- Connectionless integrity
- Data origin authentication
- Protection against replay attacks
Both protocols may be used alone or applied in
combination with each other.
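The three services the slide attributes to AH (connectionless integrity, data origin authentication, replay protection), as an added example that is not from the lecture: a miniature receiver that verifies a keyed integrity check value and keeps the sliding anti-replay window of RFC 4303. The key, SPI and packets are constructed, and the framing (SPI, sequence number, 96-bit ICV, payload) is a hypothetical simplification rather than the on-the-wire AH format.

```python
import hashlib
import hmac
import struct

# Added example, not from the slides. A cut-down AH-style receiver: every packet
# carries SPI, sequence number, a 96-bit keyed ICV and the payload. The ICV gives
# connectionless integrity and (because only the SA peers hold the key) data
# origin authentication; the sliding window gives replay protection. Framing is a
# hypothetical simplification; key, SPI and payloads are constructed.

WINDOW = 64          # window size in packets; RFC 4303 requires at least 32


def compute_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over SPI, sequence number and payload, truncated to 96 bits."""
    msg = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:12]


def make_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI | seq | ICV | payload."""
    return struct.pack("!II", spi, seq) + compute_icv(key, spi, seq, payload) + payload


class InboundSA:
    """Receiver state for one inbound SA: its key plus the anti-replay window."""

    def __init__(self, spi: int, key: bytes):
        self.spi = spi
        self.key = key
        self.top = 0       # highest sequence number accepted so far (right edge of window)
        self.seen = 0      # bit i set means sequence number (top - i) was already accepted

    def receive(self, packet: bytes) -> str:
        spi, seq = struct.unpack("!II", packet[:8])
        icv, payload = packet[8:20], packet[20:]
        if spi != self.spi:
            return "drop: unknown SPI"
        if seq == 0:
            return "drop: sequence number 0 is never sent"
        # Cheap window checks first, so replays are discarded before any MAC work.
        if seq <= self.top - WINDOW:
            return "drop: replay (left of window)"
        if seq <= self.top and (self.seen >> (self.top - seq)) & 1:
            return "drop: replay (already seen)"
        if not hmac.compare_digest(icv, compute_icv(self.key, spi, seq, payload)):
            return "drop: bad ICV"
        # Only a verified packet may move the window; otherwise forged sequence
        # numbers could push legitimate packets out of it.
        if seq > self.top:
            shift = seq - self.top
            self.seen = 1 if shift >= WINDOW else ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.seen |= 1 << (self.top - seq)
        return "accept"


if __name__ == "__main__":
    key = b"constructed-sa-key"                  # constructed, shared by both SA peers
    sa = InboundSA(0x100, key)
    pkt = make_packet(key, 0x100, 1, b"hello")
    print(sa.receive(pkt))                       # accept
    print(sa.receive(pkt))                       # drop: replay (already seen)
```

The order of the checks matters for a receiver under load: the window test costs a shift and a compare, the ICV costs a MAC computation, so replayed packets are rejected cheaply, while the window is only advanced after the ICV verifies, so a forged packet with a large sequence number cannot push genuine traffic out of the window.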
37. Outbound IPSec Processing
[Figure: the outgoing packet's selector is matched against the IPSec policies in the SPD; the SAD supplies the outbound SA (SAout) when IPSec is to be applied.]
The policy lookup yields one of three outcomes:
1. Drop the packet.
2. Bypass IPSec.
3. Apply IPSec.
SPD = Security Policy Database
SAD = Security Association Database
SA = Security Association
38. Inbound IPSec Processing
[Figure: the incoming packet is checked against the IPSec policies in the SPD and the SAD.]
Case 1: If IPSec headers exist
1. Headers are processed.
2. SPD is consulted to determine if the packet can be admitted based on the SAin.
39. Inbound IPSec Processing
Case 2: If IPSec headers are absent
1. SPD is consulted to determine the type of service to afford this packet.
2. If certain traffic is required to be IPSec protected and it is not, it must be dropped.
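The outbound procedure of slide 37 and both inbound cases of slides 38 and 39, as an added example that is not the lecture's own material: a small model in which the SPD is an ordered list of selector-plus-policy entries (first match wins), the SAD maps an SPI to the SA it identifies, and the node decides drop, bypass or protect outbound and admit or drop inbound. All addresses, SPIs, SA names and policies are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example, not code from the slides: a small model of the outbound and
# inbound decision procedures on slides 37-39. The SPD is an ordered list of
# (selector, policy) entries, first match wins; the SAD maps an SPI to the SA it
# identifies. Every address, SPI, SA name and policy here is constructed.


@dataclass(frozen=True)
class Selector:
    src: str                        # CIDR prefix
    dst: str
    proto: Optional[int] = None     # None means any
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt.get("proto"))
                and self.dport in (None, pkt.get("dport")))


@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str                     # "DISCARD" (drop), "BYPASS" (send in clear) or "PROTECT" (apply IPSec)
    sa_id: Optional[str] = None     # the SA that PROTECT traffic must use


NO_POLICY = SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), "DISCARD")   # RFC 4301: no match means discard


class IPsecNode:
    def __init__(self, spd: list, sad: dict):
        self.spd = spd              # ordered SPDEntry list
        self.sad = sad              # {spi: sa_id}

    def lookup(self, pkt: dict) -> SPDEntry:
        return next((e for e in self.spd if e.selector.matches(pkt)), NO_POLICY)

    def outbound(self, pkt: dict):
        """Slide 37: the packet's selector picks a policy; drop, bypass, or apply IPSec with SAout."""
        entry = self.lookup(pkt)
        if entry.action == "DISCARD":
            return ("drop", "policy DISCARD")
        if entry.action == "BYPASS":
            return ("bypass", pkt)
        spi = next((spi for spi, sa in self.sad.items() if sa == entry.sa_id), None)
        if spi is None:
            return ("drop", "no SAout for %s yet (IKE would negotiate one)" % entry.sa_id)
        return ("protect", {**pkt, "ipsec_spi": spi})    # SAout selected from the SAD

    def inbound(self, pkt: dict) -> str:
        if "ipsec_spi" in pkt:                              # Case 1: IPSec header present
            sa_in = self.sad.get(pkt["ipsec_spi"])
            if sa_in is None:
                return "drop: no SA for this SPI"
            inner = {k: v for k, v in pkt.items() if k != "ipsec_spi"}   # header processed and removed
            entry = self.lookup(inner)
            if entry.action == "PROTECT" and entry.sa_id == sa_in:
                return "accept"
            return "drop: policy does not admit this traffic on SAin %s" % sa_in
        entry = self.lookup(pkt)                            # Case 2: no IPSec header
        if entry.action == "BYPASS":
            return "accept"
        if entry.action == "PROTECT":
            return "drop: policy requires IPSec protection but packet is in the clear"
        return "drop: policy DISCARD"


def example_node() -> IPsecNode:
    """Constructed policy: branch-to-HQ traffic must be protected, HTTPS may bypass, the rest is dropped."""
    spd = [
        SPDEntry(Selector("10.1.0.0/16", "10.2.0.0/16"), "PROTECT", sa_id="sa-branch-hq"),
        SPDEntry(Selector("10.2.0.0/16", "10.1.0.0/16"), "PROTECT", sa_id="sa-branch-hq"),
        SPDEntry(Selector("10.1.0.0/16", "0.0.0.0/0", proto=6, dport=443), "BYPASS"),
        SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), "DISCARD"),
    ]
    return IPsecNode(spd, sad={0x1001: "sa-branch-hq"})


if __name__ == "__main__":
    node = example_node()
    print(node.outbound({"src": "10.1.0.5", "dst": "10.2.0.9", "proto": 6, "dport": 22}))
    print(node.inbound({"src": "10.2.0.9", "dst": "10.1.0.5", "proto": 6, "dport": 22}))
```

The inbound check in Case 1 is the one that is easy to get wrong: it is not enough that the packet decrypted or authenticated under some SA; the policy that matches the inner packet must name that very SA, otherwise a peer with a valid SA for one flow could inject traffic for another. Case 2 is the "required but absent" rule from the slide: a cleartext packet that a PROTECT policy covers is dropped rather than accepted.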
41. Conclusion
The Internet was not created with security in mind.
Communications can be altered, examined and exploited.
There is a growing need to protect private information
crossing the public networks that make up the Internet
infrastructure.
IPSec is a set of protocols and methodologies to create
secure IP connections.