Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

Published byHarriet Shepherd Modified over 8 years ago

Similar presentations

Presentation on theme: "IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol."— Presentation transcript:

1 IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol used for communication across theThe IP, which is the standard protocol used for communication across the Internet Internet IPSec is in 3 rd layer (network) in OSI model. Optional security in V4 & obligatory in V6 IPSec provides a range of : Connectionless integrity, data authentication, security services, protection against replays, confidentiality (encryption), and limited traffic flow confidentiality.

2 Transport mode Tunnel mode

3 Architecture AH Protocol ESP Protocol Encryption alg. Authentication alg. DOI Key management Covers security requirements,Covers security requirements, definitions, & mechanisms of IPsec Access protocol,protectionAccess protocol,protection against anti-replay, data origin authentication Data Confidentiality & limits traffic flow Choose suitable Algorithm for ESP Domain of Interpretation, include identifiers for approved authentication & Encrypted for approved authentication & Encryptedalgorithm Documents that describe key management

4 security services IPSec comprises two protocols that provide security services & key management key management mechanism. 1.Authentication Header (AH) Access controldata origin authentication Access control, connectionless integrity, data origin authentication and anti-replay protection against anti-replay are provided by the protocol. 2.Encapsulating Security Payload (ESP) Confidentiality provides Confidentiality of the data and limited traffic flow confidentiality

5 1.Transport mode 1.Transport mode : is designed for host-to-host communication and does not afford total protection for the IP packets transmitted between the two hosts. The security protocol header is inserted between the IP header & the upper layer protocol header, protecting only the upper layer payload of the packet. 2.Tunnel mode 2.Tunnel mode : is used To protect the entire IP packet, the packet is ‘wrapped' in a new IP packet, and both the header and the payload of the original packet are afforded IPSec protection.

6 Next Header: identifies the type of next header Payload length: identifies size of data in the packet SPI: Identifies security association Sequence counter: designed to thwart replay attacks By initializing the sender a counter by zero, each time the packet is sent on SA, the sender increments the counter, finally it will return to zero Authentication data: contains integrity check value

7 SPI: Identifies security association Sequence counter: designed to thwart replay attacks By initializing the sender a counter by zero, each time the packet is sent on SA, the sender increments the counter, finally it will return to zero Payload data: identifies size of IP data in the packet Padding: Expand the plain text size Next Header: identifies the type of data in next header Authentication data: contains integrity check value

8 For two IPSec endpoints to be able to securely communicate, each host needs to be aware of the parameters to be used in the communication. such as: 1.Security Associations (SAs) and 2.Security Policies. defined as a one-way contract between two communicating hosts. An SA is used to define the communication parameters between the two IPSec secured peers. The parameters defined in the SA are: Which protocol to be used - AH or ESP What transforms to be used - Encryption keys Lifetime of the keys Sequence Number Anti-replay window Mode Tunnel destination

9 Cont… It is possible to use more than one protocol to communicate between the 2 hosts at the same time – for example SQL database traffic using ESP and LDAP Synchronisation could be using AH.

10 SAs can be setup by : 1.Setting up an SA manually is called Manual Keying. The two parties that need to communicate agree upon the initial key. The key is exchanged out of band, e.g. by using email or over the phone. This key is then manually keyed in using the user interface to the IPSec kernel & set up the other parameters such as Security Parameter Index and key expiry date. 2. Dynamically using a key management protocol such as Internet Key Exchange (IKE) protocol. If there is no SA available, the IPSec kernel invokes IKE. IKE negotiates the SA with the destination host based on the IPSec policy associated with that host. During thesenegotiations, a pair of SAs for the communication between these two hosts are generated and added to the Security Association Database. This is known as auto mated key exchange.

11 A combination of three fields in the SAD is used to uniquely identify each SA. 1- Destination IP address 2- The IPSec protocol to be used for that session. 3-Security Parameter Index (SPI) is a unique 32-bit parameter that identifies the SA used for the session Every IPSec packet that is communicated contains an SPI. When there are multiple security associations between two hosts, the SPI is used to identify the correct SA for a particular communication session.

12 We have four examples of combinations of SAs that must be supported by Compliant IPSec hosts (workstation,server) or security gateways(firewall,router) Each SA can be either AH or ESP for host tohost SAs the mode may be transport or tunnel,otherwise it must be tunnel mode

13 Case 2 : security is provided only between gateways Case 3: security is provided between gateways and host to host Cont...

14 Case4 : only tunnel mode between remot host and the firewall One or two SAs between remot host and local host Cont...

15 The security policy defines the security services to be applied at the IPSec endpoint, and every IP packet processed has to be evaluated against the policy regardless of whether it is protected by IPSec or not. Security policies are maintained in a Security Policy Database (SPD). IPSec architecture specifies that a separate SPD be maintained for every IPSec enabled interface.Two tables are defined in the SPD for inbound & outbound policy. Each entry has to indicate how the traffic that matches that entry is processed, need to be (bypass, reject or proceed with IPSec processing). Each policy entry also has a number of selectors that are used to identify the policy application process. These selectors include source address, destination address, user ID or system name, transport layer protocol and source and destination ports.

16 This mutual authentication is achieved through a pre-shared secret key, digital certificatea digital signature digital certificate, or a digital signature. Once the two communicating systems have authenticated themselves to each other, they generate session keys for data integrity and confidentiality. Phase 1 is used for mutual authentication of the IPSec peers. the IPSec peers authenticate each other, and setup a communication channel. exchange happens once per communication session, and pre-shared secrets or public key pairs are used for identification and authentication. The secure, authenticated communication channel established is called an ISAKMP Phase 2 session keys for other security services are established using the ISAKMP. can result in multiple connections. IPSec security associations are generated during this phase.

17

18 IPSec is implemented at the IP layer, thus providing security services to the upper layer protocols. IPSec can be implemented between, two hosts, two gateways or between a host and a gateway. Some examples of these of implementations are: a) Two servers synchronising a database, either internally or across the Internet

19 b) Two gateways, providing secure communication between the two networks connected by the two gateways c) A gateway and host/s as in remote access solutions. Cont...

Download ppt "IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.2: IPsec.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 4.2: IPsec.
Cryptography and Network Security

Cryptography and Network Security
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.

IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Network Layer Security: IPSec

Network Layer Security: IPSec
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

Similar presentations

Ads by Google