Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCE 815 Network Security Lecture 13

Published byΕυφροσύνη Έρις Παπανδρέου Modified over 5 years ago

Similar presentations

Presentation on theme: "CSCE 815 Network Security Lecture 13"— Presentation transcript:

1 CSCE 815 Network Security Lecture 13
IP Security (IPSec) March 4, 2003

2 PGP Homework 5.4 page 159 Find PGP on SUNs (whereis, which, whatis, man-k) Construct a RSA based signing key Construct an encryption key Pick a partner from the class. Send a signed but cleartext message to your partner. Validate the signature of the received message. Send the key and an encrypted message to the partner. Decrypt the message.

3 Chapter 6 – IP Security If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death, together with the man to whom the secret was told. —The Art of War, Sun Tzu

4 Outline Internetworking and Internet Protocols (Appendix 6A)
IP Security Overview IP Security Architecture Authentication Header Encapsulating Security Payload Combinations of Security Associations Key Management

5 TCP/IP Example (fig 6.13)

6 IP Security have considered some application specific security mechanisms eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that cut across protocol layers would like security implemented by the network for all applications

7 IPSec general IP Security mechanisms provides
authentication confidentiality key management applicable to use over LANs, across public & private WANs, & for the Internet Internet Engineering Task Force (IETF) develops protocol standards for the internet

8 IPv4 Header

9 IP version 4 Fields Version (4 bits) the value is 0100 = 4
Internet Hedaer Length (IHL)(4) length of header in 32bit words. The minimum value is 5. Type of Service(8) Total Length (16) Total IP packet length in octets Identification (16) sequence number Flags(3) “more”, and “don’t fragment” Fragment offset (13) where is belongs in 64bit units Time to Live (TTL) (8) number of “seconds” for packet to live Checksum Addresses 32 bit source and destination addresses Options

10 IPv6 Header

11 IP version 6 Fields Version (4 bits) the value is 0110 (6)
Traffic class (8) priority of this packet for routers Flow Label(20) label packets for special processing by routers Payload Length(16) Next Header(8) – usually TCP or UDP or an IPv6 extension Hop limit (8) Source Address(128=16 octets=4 words) Destination address (128=16octets=4 words)

12 IP Security Overview IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.

13 IP Security Overview Applications of IPSec Virtual Private Networks
Secure branch office connectivity over the Internet Secure remote access over the Internet Establshing extranet and intranet connectivity with partners Enhancing electronic commerce security Virtual Private Networks Two protocols Authentication Header (AH) authentication protocol Encapsulating Security Protocol (ESP) combined encryption/authentication protocol

14 IP Security Scenario

15 IP Security Architecture
specification is quite complex defined in numerous RFC’s RFC 2401 – overview of security architecture RFC 2402 – packet authentication extension RFC 2406 – packet encryption RFC 2408 – key management many others, grouped by category mandatory in IPv6, optional in IPv4 Figure 6.2 summarizes additional documents

16 IPSec Document Overview

17 Benefits of IPSec in a firewall/router provides strong security to all traffic crossing the perimeter is resistant to bypass is below transport layer, hence transparent to applications can be transparent to end users can provide security for individual users if desired

18 Routing Applications support
IPsec can play a vital role in routing architecture Routing protocols such as OSPF run on top of IPSec Benefits provided by IPSec for routing application Router advertisement is valid Neighbor advertisement is avlid Verify redirect message come from the same router the initial packet was sent from Validate routing update messages

19 IPSec Services Access control Connectionless integrity
Data origin authentication Rejection of replayed packets a form of partial sequence integrity Confidentiality (encryption) Limited traffic flow confidentiality Table 6.1 summarizes the services provided by AH and ESP

20 Security Associations
a one-way relationship between sender & receiver that affords security for traffic flow For two-way it requires two separate SAs Uniquely defined by 3 parameters: Security Parameters Index (SPI) this is carried in AH and ESP headers IP Destination Address Security Protocol Identifier has a number of other parameters Sequence number, AH & EH info, lifetime etc have a database of Security Associations

21 SA Parameters Sequence number counter Sequence counter overflow flag
Anti-replay window AH info: authentication algorithm, keys, key lifetimes ESP info: encryption and authentication algorithm, keys, key lifetimes Lifetime of this Security Association (SA) IPSec protocol mode: tunnel or transport Path MTU maximum transmission unit

22 SA Selectors IPSec offers flexibility in selecting and applying SAs to IP traffic Security Policy database (SPD) SPD entries define a subset of the IP traffic and the SA that should be applied to this traffic

23 Authentication Header (AH)
provides support for data integrity & authentication of IP packets end system/router can authenticate user/app prevents address spoofing attacks by tracking sequence numbers based on use of a MAC HMAC-MD5-96 or HMAC-SHA-1-96 parties must share a secret key

24 IPSec Services Access Control Connectionless integrity
Data origin authentication Rejection of replayed packets Confidentiality (encryption) Limited traffic flow confidentiallity

25 ESP with authentication
Transport Mode SA Tunnel Mode SA AH Authenticates IP payload and selected portions of IP header and IPv6 extension headers Authenticates entire inner IP packet plus selected portions of outer IP header ESP Encrypts IP payload and any IPv6 extesion header Encrypts inner IP packet ESP with authentication Encrypts IP payload and any IPv6 extesion header. Authenticates IP payload but no IP header Encrypts inner IP packet. Authenticates inner IP packet.

26 Before applying AH

27 Transport Mode (AH Authentication)

28 Tunnel Mode (AH Authentication)

29 Authentication Header
Provides support for data integrity and authentication (MAC code) of IP packets. Guards against replay attacks.

30 End-to-end versus End-to-Intermediate Authentication

31 Encapsulating Security Payload
ESP provides confidentiality services

32 Encryption and Authentication Algorithms
Three-key triple DES RC5 IDEA Three-key triple IDEA CAST Blowfish Authentication: HMAC-MD5-96 HMAC-SHA-1-96

33 ESP Encryption and Authentication

34 ESP Encryption and Authentication

35 Combinations of Security Associations

36 Combinations of Security Associations

37 Combinations of Security Associations

38 Combinations of Security Associations

39 Key Management Two types: Manual Automated
Oakley Key Determination Protocol Internet Security Association and Key Management Protocol (ISAKMP)

40 Oakley Three authentication methods: Digital signatures
Public-key encryption Symmetric-key encryption

41 ISAKMP

42 Recommended Reading Comer, D. Internetworking with TCP/IP, Volume I: Principles, Protocols and Architecture. Prentic Hall, 1995 Stevens, W. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley, 1994

Download ppt "CSCE 815 Network Security Lecture 13"

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
NS-H0503-02/11041 IP Security. NS-H0503-02/11042 TCP/IP Example.

NS-H /11041 IP Security. NS-H /11042 TCP/IP Example.
Cryptography and Network Security

Cryptography and Network Security
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
Henric Johnson1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden
Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.

Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Cryptography and Network Security

Cryptography and Network Security
1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden Revised by Andrew.

1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden Revised by Andrew.
IP Security: Security Across the Protocol Stack

IP Security: Security Across the Protocol Stack

Similar presentations

Ads by Google