IP SEC - Tatiuc.edu.my

IP SEC
Edited by
Akhyari Nasir
IP Security Overview
• IPSec is not a single protocol.
• Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.
• Applications of IPSec
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing extranet and intranet connectivity with partners
– Enhancing electronic commerce security
http://sce.uhcl.edu/yang/teaching/.
...../IPsecurity.ppt
IP Security Scenario
IP Security Overview
• Benefits of IPSec
– Transparent to applications (it sits below the transport layer: TCP, UDP)
– Provides security for individual users
• IPSec can assure that:
– A router or neighbor advertisement comes from an authorized router
– A redirect message comes from the router to which the initial packet was sent
– A routing update is not forged
Goal/Services of IPsec
• Provides security services at the IP layer
– Access control
– Connectionless integrity
– Data origin authentication
– Rejection of replayed packets
– Confidentiality (encryption)
– Limited traffic flow confidentiality
IPsec Architecture
• Components
– Security Protocols
– Security Associations
– Key Management
– Algorithms for authentication and encryption
Security Protocols
• Authentication Header (AH)
– Data Origin Authentication
– Anti-replay service
– Data Integrity
• Encapsulating Security Payload (ESP)
– Confidentiality
– Data Origin Authentication
– Anti-replay service
– Connectionless Integrity
AH
• AH provides authentication for as much of the IP header as possible, as well as for the upper-level protocol data
• Two modes: transport mode/tunnel mode
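As an added example that is not part of the original slides, the Python below builds an IPv4 packet carrying an AH header with an HMAC-SHA1-96 ICV and verifies it, zeroing the mutable IPv4 fields (TOS, flags/fragment offset, TTL, checksum) the way RFC 4302 requires, which is what "as much of the IP header as possible" means in practice; the key, addresses and payload are constructed sample values.

```python
import hmac, hashlib, struct
AH_PROTO = 51   # IP protocol number of the Authentication Header
ICV_LEN = 12    # HMAC-SHA1-96: the 20-byte SHA-1 tag truncated to 96 bits

def ipv4_header(src, dst, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (IHL=5, DF set, checksum left zero), next protocol AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, AH_PROTO, 0, src, dst)

def zero_mutable(ip_hdr):
    """Fields routers legitimately rewrite (TOS, flags/fragment offset, TTL,
    checksum) are zeroed before the ICV is computed; the rest is authenticated."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_fixed(next_hdr, spi, seq):
    """Next Header, Payload Len, Reserved, SPI, Sequence Number (12 bytes).
    Payload Len = AH length in 32-bit words minus 2 = (12 + 12) // 4 - 2 = 4."""
    return struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)

def compute_icv(key, ip_hdr, ah, payload):
    # The ICV field itself counts as zero while the MAC is computed.
    data = zero_mutable(ip_hdr) + ah + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, next_hdr, spi, seq, payload):
    ah = ah_fixed(next_hdr, spi, seq)
    ip_hdr = ipv4_header(src, dst, 20 + len(ah) + ICV_LEN + len(payload))
    return ip_hdr + ah + compute_icv(key, ip_hdr, ah, payload) + payload

def verify_ah_packet(key, pkt):
    """True only if nothing except the mutable IPv4 fields changed in transit."""
    ip_hdr, rest = pkt[:20], pkt[20:]
    if ip_hdr[9] != AH_PROTO:
        return False
    ah_len = (rest[1] + 2) * 4
    ah, icv, payload = rest[:12], rest[12:ah_len], rest[ah_len:]
    return hmac.compare_digest(compute_icv(key, ip_hdr, ah, payload), icv)

def demo(key=b"constructed-demo-key"):
    """Constructed scenario: a TTL decrement by a router still verifies; a flipped
    payload byte or a rewritten destination address does not."""
    pkt = build_ah_packet(key, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 17, 0x1000, 1, b"UDP data")
    hopped, tampered, readdr = bytearray(pkt), bytearray(pkt), bytearray(pkt)
    hopped[8] -= 1          # router decremented TTL (mutable, not covered)
    tampered[-1] ^= 0x01    # payload byte flipped (covered)
    readdr[19] ^= 0x01      # destination address changed (immutable, covered)
    return tuple(verify_ah_packet(key, bytes(p)) for p in (pkt, hopped, tampered, readdr))
```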
IP Security (IPSec)
• Different security tools function at different layers of the Open System Interconnection (OSI) model
• Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP) operate at the Application layer
• Kerberos functions at the Session layer
IP Security (IPSec) (continued)
• IPSec is a set of protocols developed to support the secure exchange of packets
• Considered to be a transparent security protocol
• Transparent to applications, users, and software
• Provides three areas of protection that correspond to three IPSec protocols:
– Authentication
– Confidentiality
IP Security (IPSec) (continued)
• Supports two encryption modes:
– Transport mode encrypts only the data portion (payload) of each packet and leaves the header unencrypted
– Tunnel mode encrypts both the header and the data portion
• IPSec accomplishes transport and tunnel modes by adding new headers to the IP packet
• The entire original packet is then treated as the data portion of the new packet
IP Security (IPSec) (continued)
• Both Authentication Header (AH) and Encapsulating Security Payload (ESP) can be used with Transport or Tunnel mode, creating four possible transport mechanisms:
– AH in transport mode
– AH in tunnel mode
– ESP in transport mode
– ESP in tunnel mode
Figure 32.2 TCP/IP protocol suite and IPSec
Figure 32.3 Transport mode and tunnel modes of IPSec protocol
Note: IPSec in transport mode does not protect the IP header; it only protects the information coming from the transport layer.
Figure 32.4 Transport mode in action
Figure 32.5 Tunnel mode in action
Note: IPSec in tunnel mode protects the original IP header.
Figure 32.6 Authentication Header (AH) Protocol in transport mode
Note: The AH Protocol provides source authentication and data integrity, but not privacy.
Figure 32.7 Encapsulating Security Payload (ESP) Protocol in transport mode
Note: ESP provides source authentication, data integrity, and privacy.
Table 32.1 IPSec services
Figure 32.8 Simple inbound and outbound security associations
Note: IKE creates SAs for IPSec.
Security Associations (SA)
• A one-way relationship between a sender and a receiver.
• Identified by three parameters:
– Security Parameter Index (SPI)
– IP Destination address
– Security Protocol Identifier
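As an added example that is not part of the original slides, the Python below models an inbound SA database keyed by the three parameters listed above (SPI, destination address, security protocol) together with the sliding-window anti-replay check that gives each SA its "rejection of replayed packets" service; the 64-entry window, the SPI, the addresses and the sequence numbers are constructed sample values.

```python
from dataclasses import dataclass
WINDOW = 64   # RFC 4302/4303 require a receiver window of at least 32; 64 is a common choice

@dataclass
class InboundSA:
    """Per-SA receiver state for anti-replay: the highest sequence number accepted so
    far, plus a bitmap of which of the WINDOW numbers at or below it were already seen."""
    top: int = 0
    bitmap: int = 0
    def check_and_update(self, seq):
        """Return True and mark seq as seen, or False if replayed or too old.
        A real implementation calls this only after the packet's ICV has verified."""
        if seq == 0:                       # sequence numbers start at 1
            return False
        if seq > self.top:                 # new high-water mark: slide the window right
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        diff = self.top - seq              # bit k of the bitmap stands for top - k
        if diff >= WINDOW:                 # fell off the left edge: too old to check
            return False
        if self.bitmap & (1 << diff):      # bit already set: this number was accepted once
            return False
        self.bitmap |= 1 << diff
        return True

class SADB:
    """Inbound SA database keyed by the SA triple from the slides: SPI, destination
    address, security protocol (51 = AH, 50 = ESP)."""
    def __init__(self):
        self.sas = {}
    def add(self, spi, dst, proto):
        self.sas[(spi, dst, proto)] = InboundSA()
    def inbound(self, spi, dst, proto, seq):
        sa = self.sas.get((spi, dst, proto))
        if sa is None:
            return "reject: no SA"         # unknown triple: discard and log it
        return "accept" if sa.check_and_update(seq) else "reject: replay or too old"

def demo():
    """Constructed traffic on one ESP SA (reordering, a duplicate, a jump past the
    window), then a packet whose triple matches no SA."""
    db = SADB()
    db.add(0x1000, "10.0.0.2", 50)
    seqs = [1, 2, 5, 3, 3, 4, 70, 6, 7, 200, 136, 137]
    results = [db.inbound(0x1000, "10.0.0.2", 50, s) for s in seqs]
    results.append(db.inbound(0x1000, "10.0.0.2", 51, 1))   # right SPI, wrong protocol
    return results
```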
Transport Mode SA vs. Tunnel Mode SA
AH
  Transport mode SA: Authenticates IP payload and selected portions of IP header and IPv6 extension headers
  Tunnel mode SA: Authenticates entire inner IP packet plus selected portions of outer IP header
ESP
  Transport mode SA: Encrypts IP payload and any IPv6 extension header
  Tunnel mode SA: Encrypts inner IP packet
ESP with authentication
  Transport mode SA: Encrypts IP payload and any IPv6 extension header. Authenticates IP payload but no IP header
  Tunnel mode SA: Encrypts inner IP packet. Authenticates inner IP packet.
Key Management
• Two types:
– Manual
– Automated
• Oakley Key Determination Protocol
• Internet Security Association and Key Management Protocol (ISAKMP)
Oakley
• Three authentication methods:
– Digital signatures
– Public-key encryption
– Symmetric-key encryption (a.k.a. pre-shared key)
ISAKMP
Recommended Reading
• Comer, D. Internetworking with TCP/IP, Volume I: Principles, Protocols and Architecture. Prentice Hall, 1995
• Stevens, W. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley, 1994