Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

IP Security - Babu Ram Dawadi

advertisement 
IPv6 Security & QoS
Babu Ram Dawadi
1
Outline
•
•
•
•
•
•
•
IP Security Overview
IP Security Architecture
Authentication Header
Encapsulating Security Payload
Combinations of Security Associations
Key Management
QoS Overview
2
The need...
• the most serious involving:
– IP spoofing
• intruders creating packets with false address then
taking advantages of OS exploits
– eavesdropping and sniffing
• attackers listen for userids and passwords and then
just walk into target systems
– as a result the IAB included authentication and
encryption in the next generation IP (IPv6)
3
IP Security
• We’ve considered some application
specific security mechanisms
– eg. S/MIME, PGP, Kerberos, SSL/HTTPS
• however there are security concerns
that cut across protocol layers
• would like security implemented by the
network for all applications
4
IP Security Overview
• IPSec is not a single protocol.
• Instead, IPSec provides a set of security
algorithms plus a general framework that allows a
pair of communicating entities to use whichever
algorithms to provide security appropriate for the
communication.
• Applications of IPSec
– Secure branch office connectivity over the
Internet
– Secure remote access over the Internet
– Establisihing extranet and intranet connectivity
with partners
– Enhancing electronic commerce security
5
IP Security Scenario
6
IPSec
• general IP Security mechanisms
provides
–
–
–
–
–
authentication
Confidentiality
Integrity
Obligation
key management
• applicable to use over LANs, across
public & private WANs, & for the
Internet
7
Benefits of IPSec
• in a firewall/router provides strong security to all
traffic crossing the perimeter
• is resistant to bypass
• is below transport layer, hence transparent to
applications
• can be transparent to end users
• can provide security for individual users if desired
• additionally in routing applications:
– assure that router advertisments come from authorized
routers
– neighbor advertisments come from authorized Neighbors
– insure redirect messages come from the router to which initial
packet was sent
– insure no forgoing of router update
8
IPSec Services
• Two protocols are used to provide security:
– Authentication Header Protocol (AH)
– Encapsulation Security Payload (ESP)
• Services provided are:
– Access control
• integrity
– Data origin authentication
– Rejection of replayed packets
• a form of partial sequence integrity
– Confidentiality (encryption)
– Limited traffic flow confidentiality
9
Security Associations
• a one-way relationship between sender &
receiver that affords security for traffic
flow
• defined by 3 parameters:
– Security Parameters Index (SPI)
• a bit string (which algorithm to use?)
– IP Destination Address
• only unicast allowed
• could be end user, firewall, router
– Security Protocol Identifier
• indicates if SA is AH or ESP
• has a number of other parameters
– seq no, AH & EH info, lifetime etc
• have a database of Security Associations
10
Authentication Header (AH)
• RFC 2402
• provides support for data integrity & authentication of
IP packets
– end system/router can authenticate user/app
– prevents address spoofing attacks by tracking sequence
numbers
• based on use of a MAC (message authentication code)
– HMAC-MD5-96 or HMAC-SHA-1-96
– MAC is calculated:
• immutable IP header fields
• AH header (except for Authentication Data field)
• the entire upper-level protocol data (immutable)
• parties must share a secret key
11
Authentication Header
12
Transport and Tunnel Modes
• Both AH and ESP have two modes
– transport mode is used to encrypt &
optionally authenticate IP data
• data protected but header left in clear
• can do traffic analysis but is efficient
• good for ESP host to host traffic
– tunnel mode encrypts entire IP packet
• add new header for next hop
• good for VPNs, gateway to gateway security
13
Transport & Tunnel Modes
14
Encapsulating Security Payload
(ESP)
• RFC 2406
• provides message content confidentiality &
limited traffic flow confidentiality
• can optionally provide the same
authentication services as AH
• supports range of ciphers, modes, padding
– incl. DES, Triple-DES, RC5, IDEA, CAST etc
– CBC most common
– pad to meet blocksize, for traffic flow
15
Encapsulating Security
Payload
16
Combining Security
Associations
• SA’s can implement either AH or ESP
• to implement both need to combine
SA’s
– form a security bundle
• have 4 cases (see next)
17
Combining Security Associations
a. AH in transport mode
b.ESP in transport mode
c. AH followed by ESP in transport mode(ESP SA inside an AH SA
d. any one a, b, c inside an AH or ESP in tunnel mode
18
Key Management
• Two types:
– Manual
– Automated
• Oakley Key Determination Protocol
• Internet Security Association and Key
Management Protocol (ISAKMP)
19
Key Management
• handles key generation & distribution
• typically need 2 pairs of keys
– 2 per direction for AH & ESP
• manual key management
– sysadmin manually configures every system
• automated key management
– automated system for on demand creation of
keys for SA’s in large systems
– has Oakley & ISAKMP elements
20
ISAKMP
• Internet Security Association and Key
Management Protocol (RFC 2407)
• provides framework for key management
• defines procedures and packet formats to
establish, negotiate, modify and delete
SAs
• independent of key exchange protocol,
encryption algorithm and authentication
21
method
IP Security Architecture
• Internet Key Exchange (IKE)
A method for establishing a security association
(SA) that authenticates users, negotiates the
encryption method and exchanges the secret
key. IKE is used in the IPsec protocol. Derived
from the ISAKMP framework for key exchange
and the Oakley and SKEME key exchange
techniques, IKE uses public key cryptography to
provide the secure transmission of the secret
key to the recipient so that the encrypted data
may be decrypted at the other end. (http://computingdictionary.thefreedictionary.com/IKE)
23
IPSec Document Overview
24
Transport Mode SA Tunnel Mode SA
AH
Authenticates IP payload
and selected portions of IP
header and IPv6 extension
headers
Authenticates entire inner
IP packet plus selected
portions of outer IP header
ESP
Encrypts IP payload and any
IPv6 extesion header
Encrypts inner IP packet
ESP with
authentication
Encrypts IP payload and any
IPv6 extesion header.
Authenticates IP payload
but no IP header
Encrypts inner IP packet.
Authenticates inner IP
packet.
25
Before applying AH
26
Transport Mode
(AH Authentication)
27
Tunnel Mode
(AH Authentication)
28
ESP Encryption and
Authentication
29
ESP Encryption and
Authentication
30
QoS in IPv6 Protocols
• IPv6 protocols carry a small number of
QoS-Specific service elements in the IP
based & Extension Header
• Flows
– Sequence of packets sent from a particular
source to a particular destination(s) for
which the source require special handling in
intermediate routers by control protocols
like RSVP
31
Flows
• Packets that do not belongs to a flow
carry a flow level of all zeros.
• All packets belonging to the same flow
must be sent with same IP source
address and destination address with
non-zero flow label.
• The Flow label field in IPv6 may be used
by source to label packets for which it
request special handling by the IPv6
routers like real time service.
32
IPv6 extension Headers
• Two external headers to signal QoS
requirements
– The Routing extension header can be used to
request a specific route by indicating a
sequence of IP address.
– HOP-by-HOP extension headers can be used
to transport a maximum of one router alert
signaling message per IP packet to every
router on the path of QoS-sensitive traffic,
indicating that each router should
specifically process the packets
33
Related documents
Chapter 6: Internet Protocol Security
Chapter 6: Internet Protocol Security
ch19
ch19
CS 2813 - Loyola College
CS 2813 - Loyola College
NOTICE to potential Bidders: MMIS Access provisions are currently
NOTICE to potential Bidders: MMIS Access provisions are currently
Vocabulary Words for Chapter 4
Vocabulary Words for Chapter 4
CCNA Security - Skill Exam 2012
CCNA Security - Skill Exam 2012
Chapter 11 HW
Chapter 11 HW
CH20 Testbank Crypto6e
CH20 Testbank Crypto6e
Extension 美國推廣教育
Extension 美國推廣教育
Chapter 1:
Chapter 1:
IP Security
IP Security
5th module
5th module
U.S. NAVAL ACADEMY COMPUTER SCIENCE DEPARTMENT TECHNICAL REPORT
U.S. NAVAL ACADEMY COMPUTER SCIENCE DEPARTMENT TECHNICAL REPORT
Download
advertisement