Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 18 IP Security  IP Security (IPSec)

Published byMadlyn Letitia Lawrence Modified over 6 years ago

Similar presentations

Presentation on theme: "Chapter 18 IP Security  IP Security (IPSec)"— Presentation transcript:

1 Chapter 18 IP Security  IP Security (IPSec)
 Virtual Private Network (VPN)

2 Security Approaches Security approaches in TCP/IP protocol stack
IPSec: security features at IP layer Transparent to users and applications SSL (or TLS) : security features at transport layer Security features at application layer: PGP, S/MIME, SET, …

3 IP Security Overview IP security (IPSec) Application of IPSec
RFC 1636, 1994 : An implementation of IP-layer security Confidentiality service Authentication service Key management Application of IPSec VPN over Internet Secure remote access over Internet Enhancing e-Commerce security Secure routing info exchange among routers

4 IPSec (IP Security) IPSec protocols IP Authentication Header (AH)
IP Encapsulating Security Payload (ESP) Internet Key Exchange (IKE)

5 IPSec (IP Security) ESP and AH assume the peers using the protocol have a shared key -> needs a protocol for distributing keys called Internet Key Exchange (IKE). IPSec was designed as two protocols to encourage wide deployment, even where there are import, export, and usage restrictions on encryption.

6 Virtual Private Networks (VPN)
What is a VPN? “…a group of two or more computer systems, typically connected to a private network with limited public-network access, that communicates ‘securely’ over a public network.” “A combination of tunneling, encryption, authentication and access control technologies and services used to carry traffic over an IP network”

7 Virtual Private Networks (VPN)
What makes a VPN secure? Encryption Strong authentication of remote users and hosts. Mechanisms for hiding or masking information about the private network topology from potential attackers Three basic types: Hardware-based Firewall-based Standalone/Software-based

8 Security Association One-way relationship b/w sender and receiver that affords security services to the traffic on it Defined by: Security parameter index (SPI): the index used to select SA under which a received packet will be processed IP destination address Security protocol identifier: identifies AH or ESP

9 Security Association SA parameters
Sequence number counter: packet sequence number Anti-replay window AH information: authentication algorithm, key, key lifetime, etc. ESP information: authentication and encryption algorithm, key, IV, key lifetime, etc.

10 Security Association SA parameters
SA lifetime: after this lifetime, SA must be replaced with a new SA IPSec protocol mode: tunnel or transport mode Path MTU

11 Authentication Header (AH)
Designed to provide Integrity Authentication Does not provide confidentiality

12 Authentication Header (AH)
AH header includes: Payload length: length of AH authentication data: signed message digest, calculated over original IP datagram, providing source authentication, data integrity. SPI Sequence number (SN): used to protect against replay attacks Next header field: specifies type of data (TCP, UDP, etc.)

13 Authentication Header (AH)
Anti-replay attacks: Sender initializes SN counter to 0 Each time a packet is sent on this SA, sender increments the SN counter If the SN counter reaches SN overflow value, sender terminates the current SA and negotiate a new SA with a new key

14 Authentication Header (AH)
Anti-replay attacks: IP packet may be delivered out of order Receiver allows packets out of order within a window W (default size of 64) Window size (= 64) N N: the highest SN of the packets received so far

15 Authentication Header (AH)
Anti-replay attacks: Input processing (receiver): When SN of the received packet is within the window: the MAC is checked, if the MAC is correct, mark the window slot When SN of the received packet > N: check the MAC, if the MAC is correct, mark the window slot and advance the window When SN of the received packet is to the left of the window or MAC is incorrect, discard the packet Window size (= 64) N N: the highest SN of the packets received so far

16 Encapsulating Security Payload (ESP)
Designed to provide Integrity Authentication Confidentiality (Data, ESP trailer) encrypted. Next header field is in ESP trailer. ESP authentication field is similar to AH authentication field. Protocol = 50.

17 IKE (Internet Key Exchange)
A hybrid protocol designed to negotiate and provide authenticated keying material for security associations (SA) in a protected manner Based on three previous protocols ISAKMP – A framework for authentication and key exchanges, define message types for key exchanges Oakley – A described series of key exchanges and the services provided by them SKEME – A versatile key exchange technique providing anonymity, non-repudiability, and quick key refreshment

18 IPSec Mode Transport mode Tunnel mode
Provides protection to the payload of IP packet Used for end-to-end secure communication between two hosts Tunnel mode Provides protection to the entire IP packet The original IP packet is encapsulated into new IP packet including AH or ESP header. Used for secure communications between two IPSec gateways

19 IPSec Mode

20 IPSec Mode: ESP

Download ppt "Chapter 18 IP Security  IP Security (IPSec)"

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
IP SECURITY – Chapter 16 IP SECURITY – Chapter 16 Security Mechanisms: email – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network.

IP SECURITY – Chapter 16 IP SECURITY – Chapter 16 Security Mechanisms: – S/MIME, PGP client/server - Kerberos web access - Secure Sockets Layer network.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.

Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
CSCE 715: Network Systems Security

CSCE 715: Network Systems Security
IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.

1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Karlstad University IP security Ge Zhang

Karlstad University IP security Ge Zhang
IPsec. 18.1 Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.

IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
IP Security.  In CERTs 2001 annual report it listed 52,000 security incidents  the most serious involving:  IP spoofing intruders creating packets.

IP Security.  In CERTs 2001 annual report it listed 52,000 security incidents  the most serious involving:  IP spoofing intruders creating packets.

Similar presentations

Ads by Google