Presentation is loading. Please wait.

Presentation is loading. Please wait.

6/21/01Team 2 DCS 835 Rev 6/22/011 IP Security (IPSec)  Background –The internet has no centralized technical support. What makes it work is an agreed.

Published byAlbert Cannon Modified over 8 years ago

Similar presentations

Presentation on theme: "6/21/01Team 2 DCS 835 Rev 6/22/011 IP Security (IPSec)  Background –The internet has no centralized technical support. What makes it work is an agreed."— Presentation transcript:

1 6/21/01Team 2 DCS 835 Rev 6/22/011 IP Security (IPSec)  Background –The internet has no centralized technical support. What makes it work is an agreed upon common set of protocols that allow different networks to communicate with one another. TCP/IP protocols developed de facto, although today TCP/IP is formally specified as a de jure standard by the Internet Engineering Task Force (IETF).

2 6/21/01Team 2 DCS 835 Rev 6/22/012 IP Security (IPSec)  Background (cont’d) –The IETF is open to anyone. The membership requirement is participation in one of the more than 100 working groups. Each group has a working theme. IPSec protocols were developed by the Security working group.

3 6/21/01Team 2 DCS 835 Rev 6/22/013 IP Security (IPSec)  Background (cont’d) IPSec began as two security protocol proposals: Photuris and SKIP. When the proponents couldn’t reach agreement, ISAKMP, a general-purpose syntax was agreed to. At the same time, a third more complex protocol called Oakley, was proposed. Finally, a document originally titled ISAKMP/Oakley Resolution Document evolved into what is now known as Internet Key Exchange (IKE), the key portion of IPSec.

4 6/21/01Team 2 DCS 835 Rev 6/22/014 IP Security (IPSec)  Technical Overview –IPSec is a set of protocols devised by the IETF –IPSec offers authentication and privacy services at the IP layer –IPSec can be used with IPv4 and IPv6 –IPSec provides a flexible framework –It is not a single protocol, but provides a set of security algorithms that work within the framework

5 6/21/01Team 2 DCS 835 Rev 6/22/015 IP Security (IPSec)  Technical Overview (cont’d) The two main pieces of IPSEC are the data packet encodngs (AH and ESP), and the key exchange portion (IKE) IPSec operates “on top of” layer 3 (IP), but “below” layer 4 (TCP or UDP), in that it encrypts each data packet independent of all others. If packets are lost or delayed, layer 4 (the layer that requests retransmission) sees only authenticated data.

6 6/21/01Team 2 DCS 835 Rev 6/22/016 IP Security (IPSec)  Required Security Algorithms –IPSec defines a minimal set of algorithms that are mandatory.

7 6/21/01Team 2 DCS 835 Rev 6/22/017 IP Security (IPSec) - Authentication  IPSec Authentication Header IPv4 HEADER AUTHENTICATION HEADER TCP HEADER TCP DATA IPv4 datagram with IPSec authentication header added IPSec uses a separate authentication header The Protocol field in the IP header is set to 51 The receiver gets the information type carried in the datagram from the NEXT HEADER field in the authentication header

8 6/21/01Team 2 DCS 835 Rev 6/22/018 IP Security (IPSec) - Authentication  IPSec Authentication Header (cont’d) NEXT HEADERPAYLOAD LENRESERVED IPSec authentication header format SECURITY PARAMETERS INDEX SEQUENCE NUMBER AUTHENTICATION DATA (VARIABLE..... 0 8 16 31

9 6/21/01Team 2 DCS 835 Rev 6/22/019 IP Security (IPSec) - Authentication  IPSec Authentication Header (cont’d) –PAYLOAD LEN specifies the length of the authentication header –SEQUENCE NUMBER contains a unique sequence number for each packet sent. –SECURITY PARAMETERS INDEX specifies the security scheme used –AUTHENTICATION DATA contains data for the selected security scheme

10 6/21/01Team 2 DCS 835 Rev 6/22/0110 IP Security (IPSec) - Authentication  IPSec security schemes can include: –Authentication algorithm –A key (or keys) used by the algorithm –A lifetime for the key –A lifetime for the algorithm –A list of source addresses authorized to use the scheme.

11 6/21/01Team 2 DCS 835 Rev 6/22/0111 IP Security (IPSec) - Authentication  IPSec Security Association –To save header space, IPSec arranges to have each receiver collect all the details about a security scheme in an abstraction called a Security Association (SA). –Each SA is given a security parameters index (a number that identifies it) –The sender must know the SA of the receiver, and places the value in the security parameters index of each datagram.

12 6/21/01Team 2 DCS 835 Rev 6/22/0112 IP Security (IPSec) - Authentication  IPSec Security Association (cont’d) –Index values are not global –Each destination creates as many SAs as it needs and assigns an index to each –The destination can assign a lifetime for each SA, and reuse the index after the SA expires

13 6/21/01Team 2 DCS 835 Rev 6/22/0113 IP Security (IPSec) - Authentication  IPSec Mutable Header Fields –IPSec is designed to ensure that the datagram that is sent is unchanged when it arrives. If the entire datagram were authenticated, this would be impossible, because each intermediate router decrements the time-to-live field and recomputes the checksum –IPSec calls header fields that are changed in transit mutable fields –Therefore IPSec only authenticates immutable fields

14 6/21/01Team 2 DCS 835 Rev 6/22/0114 IP Security (IPSec) - Privacy  IPSec Encapsulating Security Payload (ESP) IPv4 HEADER ESP HEADER TCP HEADER TCP DATA IPv4 datagram with IPSec ESP added The Protocol field in the IP header is set to 50 ESP uses many of the same features used in the authentication header, but rearranges the order ESP TRAILER ESP AUTH Encrypted Authenticated

15 6/21/01Team 2 DCS 835 Rev 6/22/0115 IP Security (IPSec) - Privacy  IPSec Encapsulating Security Payload (ESP) 0 – 255 OCTETS OF PADDINGPAD LENGTHNEXT HEADER SECURITY PARAMETERS INDEX SEQUENCE NUMBER ESP AUTHENTICATION DATA (VARIABLE)..... 0 16 31 0 16 24 31 ESP Header ESP Trailer

16 6/21/01Team 2 DCS 835 Rev 6/22/0116 IP Security (IPSec) - Privacy  IPSec Encapsulating Security Payload (ESP) –Padding may be required because the NEXT HEADER field is right justified within a 4-octet field. IPSec requires that the AUTH DATA be aligned to the start of a 4-octet boundary

17 6/21/01Team 2 DCS 835 Rev 6/22/0117 IP Security (IPSec) Tunneling OUTER IP HEADER ESP HEADER INNER IP DATAGRAM (INCLUDING IP HEADER) IPSec tunneling mode with ESP added VPN uses encryption along with IP-in-IP tunneling to keep inter-site data transfers private. The IPSec standard explicitly defines the tunneled versions of the datagrams. ESP TRAILER ESP AUTH Encrypted Authenticated OUTER IP HEADER IPSSec tunneling mode for authentication AUTHENTICATION HEADER INNER IP DATAGRAM (INCLUDING IP HEADER)

18 6/21/01Team 2 DCS 835 Rev 6/22/0118 References 1.Comer, Douglas E. Internetworking with TCP/IP Vol 1: Principles, Protocols, and Architecture, 4 th ed. Upper Saddle River, N.J.: Prentice Hall, 2000. 2.Cisco Systems, IP Security—IPSec Overview, 1998. http://www.cisco.com/warp/public/cc/techno/protocol/ipsecur/prodlit/ipsec _ov.pdf http://www.cisco.com/warp/public/cc/techno/protocol/ipsecur/prodlit/ipsec _ov.pdf 3.Cisco Systems, IPSec Network Security, Release 11.3(3)T. http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/1 13t_3/ipsec.pdf http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113t/1 13t_3/ipsec.pdf 4.Zao, Kent, Gahm, Troxel, Condell, Helinck, Yuan, Castineyra. “A Public Key Based Secure Mobile IP”, Wireless Networks Vol. 5, J.C Baltzer AG, 1999, pp. 373-390. 5.Treese, Win. “Putting it Together: Engineering the Net: The IETF”, networker Vol 3 No.1, March, 1999, pp. 13-19. 6.Perlman, Kaufman. “Key Exchange in IPSec: Analysis of IKE”, IEEE Internet Computing, Nov-Dec 2000, http://computer.org/internet/http://computer.org/internet/

Download ppt "6/21/01Team 2 DCS 835 Rev 6/22/011 IP Security (IPSec)  Background –The internet has no centralized technical support. What makes it work is an agreed."

Similar presentations

IPSec.

IPSec.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Henric Johnson1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 6 IP Security Henric Johnson Blekinge Institute of Technology, Sweden
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Network Layer Security: IPSec

Network Layer Security: IPSec
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.

Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.

IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.

Similar presentations

Ads by Google