IPSec

Zeen Rachidi
David Salim
Archana Mehta

Agenda
- Definition of IPSec
- IPSec Architecture
- Encapsulating Security Payload and Authentication Header
- Encryption and Authentication Algorithms
- Internet Key Exchange mechanism
- Scenarios for deploying
- Implementation
- Benefits
- Limitations
- Current areas of research

Definition of IPSec
- IPSec is an abbreviation for IP security, which is used to transfer data securely over unprotected networks like the Internet.
- It acts at the network layer and is part of IPv6.
- The protocol/process is as follows:
  - Sender encrypts packets before sending them on the network.
  - Receiver authenticates packets.
  - Anti-replay checks reject duplicate packets, preventing DoS attacks.
  - IKE is the key exchange mechanism used to exchange keys securely.

IPSec Architecture
Below are the various RFCs defined for IPSec.
Source: IPSec Architecture Overview

IPSec Architecture
- RFC 2401 - Overall security architecture and services offered by IPSec.

Authentication Protocols
- RFC 2402 - IP Authentication Header processing (inbound/outbound packets)
- RFC 2403 - Use of MD-5 with Encapsulating Security Payload and Authentication Header
- RFC 2404 - Use of SHA-1 with Encapsulating Security Payload and Authentication Header

ESP Protocol
- RFC 2405 - Use of DES-CBC, which is a symmetric secret-key block algorithm (block size 64 bits).
- RFC 2406 - IP Encapsulating Security Payload processing (inbound/outbound packets)
- RFC 2407 - Determines how to use ISAKMP for IPSec

IPSec Architecture - Key Management
- RFC 2408 (Internet Security Association and Key Management Protocol - ISAKMP)
  - Common framework for exchanging keys securely.
  - Defines the format of Security Association (SA) attributes, and procedures for negotiating, modifying, and deleting SAs.
  - A Security Association contains information like keys, source and destination addresses, and algorithms used.
  - Independent of the key exchange mechanism.
- RFC 2409 - Internet Key Exchange
  - Mechanisms for generating and exchanging keys securely.

Encapsulating Security Payload
- Designed to provide both confidentiality and integrity protection
- Everything after the IP header is encrypted
- The ESP header is inserted after the IP header

Authentication Header
- Designed for integrity only
- Certain fields of the IP header and everything after the IP header are protected
- Provides protection to the immutable parts of the IP header

Encryption Algorithms
Some of the standard encryption algorithms implemented in IPSec are:
- 3DES
- AES
- NULL

Authentication Algorithms
- Used to achieve integrity protection of data
- Everything after the IP header is hashed
- The hash is attached to the IP header as an integrity checksum
- The destination host generates a hash using the same algorithm and compares it to the one attached to the packet

Internet Key Exchange
- Phase 1 achieves mutual authentication and establishes an IKE Security Association (SA). Three key options include:
  - Public Key Encryption
  - Public Key Signature
  - Symmetric Key
- Phase 2 achieves ESP/AH SA

IPSec Transport Mode
- AH or ESP header is inserted between the IP header and payload

  [IP Header][AH/ESP][Data]

- Encrypts only the data portion of the packet
- Designed for host-to-host communication where routing information is needed

IPSec Tunnel Mode
- Original IP packet is placed in a new IP packet with an AH or ESP header

  Original IP Packet: [IP Header][Data]
  [IP Header][AH/ESP][Data]

- Designed for gateway-to-gateway communication

Tunnel vs Transport Mode
- Transport mode is more efficient
- Transport mode hides all information of the original packet
- Transport mode is not needed

IPSec Implementation
- Bump-in-stack
  - Update the OS network stack
  - Adding software that binds to the network stack can cause software conflicts
- Bump-in-wire
  - Attach a network device that performs IPSec processing
  - Transparent to hosts

Benefits of IPSec
- Operates at the network layer
- Application agnostic
- An Internet standard
- Extensible hash and encryption algorithms

Limitations of IPSec
- Complex configuration
- Lengthy key pairs need to be configured on client and server
- Performance / processing overhead
- NAT incompatibilities
- Firewall incompatibilities

Current areas of research
- Stronger encryption and authentication algorithms.
- Better Public Key Infrastructure that is simpler, easier to manage and more secure.
- Security with non-IP protocols like Fiber Channel.
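
The receiver-side checks described under "Definition of IPSec" (anti-replay) and "Authentication Algorithms" (recompute and compare the integrity checksum), as an added example that is not part of the original slides. It uses a simplified ESP-like layout (SPI, sequence number, payload, ICV) with the payload left unencrypted, and a keyed HMAC-SHA-1 truncated to 96 bits as specified in RFC 2404 rather than a bare hash. The names `protect` and `InboundSA`, the 64-packet window and the packet layout are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12      # HMAC-SHA-1 output truncated to 96 bits (RFC 2404)
WINDOW = 64       # anti-replay window size in packets (assumed value)


def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender: build SPI | sequence number | payload | ICV (simplified layout)."""
    body = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class InboundSA:
    """Receiver-side state for one security association (hypothetical helper)."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.highest = 0   # highest sequence number authenticated so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def receive(self, packet: bytes) -> str:
        if len(packet) < 8 + ICV_LEN:
            return "drop: too short"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            return "drop: unknown SPI"
        # Cheap replay pre-check before spending CPU on the HMAC.
        if seq == 0 or seq + WINDOW <= self.highest:
            return "drop: outside replay window"
        if seq <= self.highest and (self.bitmap >> (self.highest - seq)) & 1:
            return "drop: replay"
        # Recompute the ICV with the shared key and compare in constant time.
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "drop: bad ICV"
        # Only an authenticated packet may advance the window.
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "accept"
```

Updating the window only after the ICV verifies matters: otherwise a forged packet with a large sequence number could slide the window forward and cause legitimate traffic to be dropped.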