IPSec
IPSec provides the capability to secure
communications across a LAN, across
private and public wide area networks
(WANs) and across the Internet
1
� Usability and Security
Determine
where on this
line your
organization
needs lie
Convenience
/ Usability
0 Security
2
� Services, Mechanisms,
Algorithms
A typical security protocol provides one or
more security services (authentication, secrecy,
integrity, etc.)
Services are built from mechanisms.
Mechanisms are implemented using algorithms.
Services
SSL/IPSec/PPTP, etc (Security Protocols)
Signatures Encryption Hashing Mechanisms
DSA RSA RSA DES SHA1 MD5 Algorithms
3
� Security in the Internet
Architecture
Lack of security in the Internet Architecture
Security was left up to the applications
With the passage of time it was realized that
universal security at the IP level will become a
need and not a luxury
4
�Security Application Email - S/MIME Application
Protocol Presentation Presentation
Layers Session SSL Session
•The further
Transport Transport
down you go, Network IPSec Network
the more
Datalink PPP - ECP Datalink
transparent it is
Physical Physical
•The further up
you go, the
Encrypting Encrypting
easier it is to NIC
PHYSICAL NETWORK
NIC
deploy
5
� Some Pros of Security at
the IP Level
Can be end to end or at least multilink unlike
link layer
Could be hw/sw supported (hw support for
encryption)
Can shield unmodified host apps giving them
crypto/security at the level of nets/hosts/and
possibly users
Can extend secure enclave across insecure areas
6
� What is IPSec?
Extensions to the basis Internet Protocol to
provide security functions at the IP level
Applicable to both IP Version 4 and IP Version
6
IPSec available in Windows 2000, Linux, Cisco
Routers, etc.
7
� How do you know IPSec is
there?
AH/ESP new IP layer protocols
1. an IP datagram encapsulated in them (tunnel mode)
2. TCP/UDP and the rest above them (transport mode)
Every packet may have AH/ESP applied to them:
AH for authentication;
ESP for encryption and authentication, this is bulk/per-
packet encryption/authentication
8
�IP Security Usage Scenario
9
� Applications of IPSec
Secure Branch Office Connectivity Over the
Internet
Secure Remote Access Over the Internet
Establishing Extranet and Intranet Connectivity
with Business partners
Enhancing Electronic Commerce Security
10
� IP Security Architecture
Defined by IPSec Documents (RFCs)
IP Security Protocol Working Group of IETF
IP Security Evolving with the passage of time
IPSec provides security services at the IP layer
by enabling a system to select required security
protocols, determine the algorithms to use for
the services, and put in place any cryptographic
keys required.
11
� IPSec Documents Overview
Relevant RFCs
RFC 1825: An overview of a
security architecture
RFC 1826: Description of a
packet authentication extension
to IP
RFC 1828: A specific
authentication mechanism
RFC 1827: Description of a
packet encryption extension to
IP
RFC 1829: A specific encryption
mechanism
12
� AH and ESP
AH
The Authentication Header provides support for
data integrity and authentication of IP packets
ESP
The Encapsulating Security Payload provides
confidentiality services, including confidentiality of
message contents and limited traffic flow
confidentiality. As an optional feature, ESP can also
provide the same authentication service as AH.
13
�IPSec Services
14
� Security Associations
What is a SA?
An SA is a one way relationship between a sender
and a received that affords security services to the
traffic carried on it.
SA Parameters
Security Association Database stores parameters
associated with each of the SAs
SA Selectors
Each SPD entry is defined by a set of IP and upper
layer protocol field values called selectors.
15
� Transport and Tunnel
Modes
Tunnel Mode means that one outgoing IP
packet is encapsulated in another packet with
typically a different IP destination
Tunnels can be (1) Router to Router (2) Router
to host or host to router (3) host to host
16
�Transport and Tunnel
Modes
17
�Tunnel Mode and Transport
Mode Functionality
18
�Authentication Header
19
� Services Provided by AH
Anti-Replay Service
Integrity Check Value
20
�Anti-Replay Service
21
�Transport and Tunnel
Modes
22
�Scope of Authentication
Header
23
�Scope of Authentication
Header
24
� Encapsulating Security
Payload - ESP
ESP Services
Confidentiality
Authentication Services
ESP Format
SPI
SN
PD
Padding
Pad Length
Next Header
Authentication Data
25
�ESP
26
�ESP Format
27
�Transport-level security
28
�A virtual private network via
Tunnel Mode
29
�Scope of ESP Encryption
and Authentication
30
�Combining Security
Associations
31
�Combining Security
Associations
32
�Combining Security
Associations
33
�Combining Security
Associations
34
� Key Management
Involves the determination and distribution of
secret keys
Typically four keys are used between two
applications
Two types of key management
Manual
Automated
35
� ISAKMP
•The default
automated key
management
protocol from
IPSec is referred to
as
ISAKMP/Oakley
•Oakley is a
refinement of
Diffie Hellman
Key Exchange
Protocol
36
�ISAKMP
Exchange
Types
37
�ISAKMP Payload Types
38
� Conclusion
IPSec provides Universal IP level security for
all applications
Two choices are available AH and ESP
IPSec can be used in a transport mode for end
to end authentication and encryption or in
tunnel mode for router to router authentication
and encryption
IPSec can be implemented IPV4 as options and
is a required part of the implementation of IPV6
39