IPsec Problems and Solutions


1 IPsec Problems and Solutions
Yasir Jan
Future Internet
29th May, 2008

This presentation is about problems related to the IPsec protocol and their solutions.

2 Contents
- Definition
- Architecture Types
- Modes of Operation
- Key Exchange
- Multiple Options
- IPsec problems and solutions
- Summary
- References

These are the contents of the presentation.

3 IPsec Definition
IP security refers to security mechanisms implemented at the IP (Internet Protocol) layer to ensure integrity, authentication and confidentiality of data during transmission in the open Internet environment.

IP security is basically a secure method of transmission over the Internet.

Fig: Security

4 IPsec Architecture Types
- Authentication Header (AH): Integrity + Authentication
- Encapsulating Security Payload (ESP): Integrity + Authentication + Confidentiality

There are two types of architecture related to IPsec. One is the Authentication Header and the other is the Encapsulating Security Payload. AH provides integrity and authentication of data, while ESP provides confidentiality of the data along with integrity and authentication.

Fig: AH and ESP comparison

5 IPsec Modes of Operation
- Transport Mode: Only the payload of the IP packet is encrypted and/or authenticated.
- Tunnel Mode: The entire IP packet (data plus the message headers) is encrypted and/or authenticated.

There are two modes of operation in IPsec. One is transport mode and the other is tunnel mode. Transport mode does not include the header, while tunnel mode covers the header part as well for authentication and encryption.

Fig: Modes of operation
- AH Transport mode: IP Header | AH Header | Upper Protocol Headers and Packet Data
- AH Tunnel mode: New IP Header | Old IP | AH | Upper Protocol Headers and Packet Data
- ESP Transport mode: IP Header | ESP Header | Upper Protocol Headers and Packet Data
- ESP Tunnel mode: New IP Header | ESP Header | Old IP Header | Upper Protocol Headers and Packet Data

6 IPsec Key Exchange
- The IPsec key exchange protocol is a combination of many protocols.
- ISAKMP is a generic protocol.
- OAKLEY is a specific mechanism using various modes. Most of IKE is done using OAKLEY.
- SKEME provides public key encryption and a fast re-keying feature.
- IKEv2 also addresses protection against denial-of-service attacks using spoofed packets.

Devices are able to use the facilities of IP security because of their shared keys. The key exchange protocol is a combination of many protocols, which include ISAKMP, OAKLEY and SKEME. The new version, IKEv2, provides extra protection.

Fig: Key exchange

7 IPsec Multiple Options
- Use any authentication method: cryptographic hash algorithms such as MD5 or SHA-1, or Hashed Message Authentication Code (HMAC).
- Use any encryption scheme: Data Encryption Standard (DES), triple-DES, Advanced Encryption Standard (AES), and Blowfish are in common use.
- Use any protocols in IKE.

IPsec provides too much flexibility in the selection of authentication methods and encryption schemes. Different levels of authentication may be used for different types of networks.

Fig: Many options

8 IPsec problems and solutions
1) Key Management in Large Networks
- When IPsec is deployed widely, key management becomes very difficult.
2) Difficult Traffic Analysis
- Flags cannot be checked and processed at intermediate devices because of encryption.

IP security becomes a big problem when networks become big. Key management becomes difficult, and setting the policies is also difficult. Traffic analysis becomes difficult because flags cannot be checked and processed during transmission: the packets are encrypted and secured.

Fig: Big Networks

9 IPsec problems and solutions
3) Resource Consumption
- Encryption and decryption processes are computationally intensive.
- Cisco designed a VPN accelerator card to handle the computation separately.
4) Too much flexibility
- Unnecessary multiple options are available for choosing algorithms and modes.
- Solution: Reduced flexibility is sometimes better (remove AH).

3) IPsec is computationally intensive and so consumes a lot of processing resources. Cisco has designed a separate card to do the computation separately.
4) IPsec has too many options available. It should combine the activities of two or more modes into one single mode. For example, authentication is also provided by ESP, so AH should be removed completely. A common set of algorithms should also be used. This is also helpful for compatibility between multiple vendors.

Fig: Consume many resources

10 IPsec problems and solutions
5) Client software
- IPsec is not implemented in the TCP/IP stack, so it needs a client installed.
- There is a danger of a user installing malicious or unreliable software.
- Solution: Install clients from reliable sources.
6) Relayed ICMP messages
- ICMP inner data is revealed to the attacker, so it can be intercepted.
- Using ICMP header information, IPsec packets could be redirected, in some cases, or error messages can be generated [1].
- Solution: Use ESP along with AH.

5) Users may install malicious client software which may monitor all IP-secured data.
6) An attacker can modify sections of the IPsec packet, causing either the clear text inner packet to be redirected or a network host to generate an error message. This can also be avoided by removing the error reporting, either by restricting the generation of ICMP messages or by filtering these messages at a firewall or security gateway. A combination of both AH and ESP should also be used.

Fig: Malicious Software

11 IPsec problems and solutions
7) Scrambled group password recovery
- IPsec passwords were first sniffed from memory when in use, so Cisco VPN clients were designed to scramble the passwords in memory, but they were hacked again.
- Once an attacker has the group password, the attacker can hijack a connection from a user and get other usernames and passwords.
8) No End-to-End Protection
- Applications use their own SSL or other techniques.
- The IETF is working on an API integrated with IPsec to achieve maximum use.

7) When an IPsec password was used for decryption purposes, it was present in memory, from where an attacker could read it. So the design was changed to scramble the password in memory while keeping the original on the hard drive. But now the scrambled passwords have also become vulnerable and are descrambled.
8) Application layer security is useful in some cases, when end-to-end security is required. IPsec does not provide security at all levels. A combination of both SSL and IPsec should be used for better performance.

Fig: Scrambled passwords

12 IPsec problems and solutions
9) Firewalls
- Firewalls monitor the ports and protocols that the traffic originates from and is destined for, to determine the traffic's "acceptability" before allowing the traffic through.
- A firewall is easy to set up with the standard exceptions and any customizations you need.
- With IPsec you have to create rules with filter lists and actions and then add these to a policy, and then distribute them and ….
- But IPsec has many good things compared to firewalls, like encryption, no bottlenecks, etc.

9) Firewalls also provide a certain level of security which IPsec doesn't. Both should be used in parallel for better performance.

Fig: IPsec vs firewalls

13 IPsec problems and solutions
10) VoIP Quality Loss
- Scheduling causes packet loss in real-time applications.
- Latency in VoIP.
11) Denial of Service
- Send too many acknowledge messages to the victim during the wait period of the TCP connection timeout.
- Solution: IKEv2 has the solution.

10) Scheduling causes delay in performance. IPsec packets are numbered and scheduled at the receiver end, which may cause latency, so sometimes the packets are dropped to achieve real-time application quality.
11) An attacker may send too many messages to a victim, causing its buffer to overflow and hence making it deny all further activities. IKEv2 provides the facility of preventing denial of service.

Fig: Voice quality and Denial of service

14 IPsec problems and solutions
12) Multicast Traffic
- Packets have single destination addresses, so it is difficult to manage the SPI.
- Some applications using streaming multimedia assign port numbers dynamically, so the IPsec policy becomes difficult to assign.
- IPsec has a multicast option, but it is not enough for all occasions.
13) Security within algorithms
- IPsec works with other protocols for security. They should be secure enough to stop an attacker; otherwise a secure IPsec alone is useless.

12) It is difficult to assign multicast addresses. We can do group assignments, i.e. a message from a certain sender is sent to a group of receivers, so a group policy is assigned to a specific sender address. A specific destination address may also be assigned to multiple receivers. But in both cases the manual grouping is difficult.
13) The encryption and authentication algorithms should have enough security, otherwise IPsec becomes useless.

Fig: Multicast traffic

15 IPsec problems and solutions
14) Brute Force Attack
- The ESP initiation scheme is a fixed 3 steps of Aggressive mode, so an intruder may try to delay the initiation, during which it will find the key by brute force attack.
- A crack tool was used with Pre-Shared-Key IKE authentication [2] for guessing with brute force.

14) A brute force attack will try to delay the devices temporarily and brute-force the password. There are crack tools available which can do so.

Fig: Trying out ALL options by brute force

16 IPsec problems and solutions
15) Incompatibility with NAT (RFC 3715)
- Network Address Translation (NAT) was developed to answer the impending problem of the limit of IPv4 addresses.
- When NAT changes the IP addresses or ports in the IP header, IPsec cannot re-calculate the hash because it is not knowledgeable about the key, and so IPsec drops the packets.
- In ESP, the NAT device cannot access and change the port information inside the encrypted TCP headers of the packets.
- Solution: NAT-T (encapsulation of the IPsec part of the IP packet in yet another UDP header between the ESP portion of the packet and the original IP header).

15) NAT and IPsec cannot go together because NAT tries to modify the address while IPsec tries to secure the address. NAT-T is used, which can provide compatibility by putting an extra UDP header between the ESP portion and the original IP header.

Fig: IPsec and NAT are incompatible
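
The NAT problem and the NAT-T fix described on this slide, as an added example that is not part of the original presentation: a simplified Python model in which an AH integrity check survives a router hop but fails after NAT, while ESP wrapped in UDP still verifies after NAT rewrites the address and port. The key, addresses, SPI, ports and payload bytes are constructed; the AH header's own fields are left out of the hash and no real encryption is performed.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-sa-key"  # constructed SA auth key; a NAT device never holds it

def ip_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header (length and checksum left 0 in this model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def mac96(data):
    """HMAC-SHA1 truncated to 96 bits, used here as the integrity check value."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(hdr, payload):
    """AH ICV: mutable fields zeroed, source and destination addresses kept."""
    h = bytearray(hdr)
    for i in (1, 6, 7, 8, 10, 11):      # TOS, flags/offset, TTL, checksum
        h[i] = 0
    return mac96(bytes(h) + payload)

def nat(hdr, l4, new_src, new_port=None):
    """NAT rewrites the source address and, if it can see one, the source port."""
    hdr = hdr[:12] + socket.inet_aton(new_src) + hdr[16:]
    if new_port is not None:
        l4 = struct.pack("!H", new_port) + l4[2:]
    return hdr, l4

def nat_t_wrap(esp):
    """NAT-T: UDP header (port 4500, zero checksum) placed in front of ESP."""
    return struct.pack("!HHHH", 4500, 4500, 8 + len(esp), 0) + esp

def demo():
    data = b"constructed upper-layer bytes"
    hdr = ip_header("10.0.0.5", "198.51.100.7", 51)      # AH: IP | AH | data
    icv = ah_icv(hdr, data)
    routed = hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]     # router decrements TTL
    natted, _ = nat(hdr, data, "203.0.113.9")
    # ESP over NAT-T: IP | UDP | SPI, sequence, opaque ciphertext | ICV
    esp = struct.pack("!II", 0x1000, 1) + b"constructed opaque ciphertext"
    esp += mac96(esp)                                    # ICV covers ESP only
    _, udp = nat(ip_header("10.0.0.5", "198.51.100.7", 17),
                 nat_t_wrap(esp), "203.0.113.9", 61001)
    inner = udp[8:]                                      # receiver strips UDP
    return {
        "ah_ok_after_router": hmac.compare_digest(icv, ah_icv(routed, data)),
        "ah_ok_after_nat": hmac.compare_digest(icv, ah_icv(natted, data)),
        "esp_ok_after_nat_t": hmac.compare_digest(inner[-12:], mac96(inner[:-12])),
        "nat_src_port": struct.unpack("!H", udp[:2])[0],
    }
```

Calling `demo()` shows the AH check passing after the TTL change and failing after the address rewrite, because the source address is inside the AH hash but the key is not available to the NAT device.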

17 Summary
- IPsec has multiple components.
- Security and authentication are provided by additional components, so they should also be secure.
- IPsec has some incompatibility issues.
- IPsec is complex overall and needs simplification.

This slide shows the summary of the whole presentation.

Fig: Summary

18 References
Images taken from various sources on internet

These are the references

Fig: References

19 Thank you
Thank you for listening. Any questions, do ask.

Fig: Questions

