Document Sample
IPSec Powered By Docstoc
Shu Zhang
  Definition: (Webopedia)
     Short for IP Security, a set of protocols
      developed by the IETF to support secure
      exchange of packets at the IP layer. IPsec
      has been deployed widely to implement
      Virtual Private Networks (VPNs)
Virtual Private Network (VPN)
  More and more across-country or
  worldwide companies due to global
  there is a problem for all of them
     how to maintain fast, secure and reliable
      communications wherever their offices are
        Leased lines
             very expensive
Virtual Private Network (VPN)
  VPN: using public wires, usually
  Internet to connect company’s private
  network, remote sites and users
  together, instead of using a dedicate,
  real-world connection.
Virtual Private Network (VPN)
  Features of VPN:
     Security
     Reliability
     Scalability
     Network management
     Policy management
VPN Security
  Several Methods:
     Firewall
     Encryption
     IPsec
     AAA server
Goal of IPsec
  Provides security services at IP layer
     Access control
     Integrity
     Data origin Authentication
     Rejection of replayed packets
     Confidentiality
IPsec Architecture
     Security Protocols
     Security Associations
     Key Management
     Algorithms for authentication and
Security Protocols
  Authentication Header (AH)
     Data Origin Authentication
     Anti-replay service
     Data Integrity
  Encapsulating Security Payload (ESP)
     Confidentiality
     Data Origin Authentication
     Anti-replay service
     Connectionless Integrity
 AH provides authentication for as much
 of the IP header as possible, as well as
 for upper level protocol data
 Tow modes: transport mode/tunnel
AH Location
AH Algorithms
  Keyed Message Authentication Codes
  (MAC) based on Symmetric Key
  Encryption( DES)
  One-way hash function (MD5/SHA-1)
 Provides Data Confidentiality to IP
 payload using Encryption
 It can provides Data Integrity and
 connectionless Integrity, but the
 coverage is different from AH
 Two: transport Mode/Tunnel Mode
ESP Format
ESP Algorithms
  Encryption Algorithms
     Symmetric Encryption Algorithms
  Authentication Algorithms
     The same as AH
Security Associations (SA)
  A management Component used to enforce a
  security policy in the IPsec environment
  A simplex “connection” that affords security
  services to the traffic it carries
  The set of security services depends on:
     Protocol selected
     SA mode
     Endpoints of the SA
SA’s Mode
  Transport Mode
     Between 2 hosts
     Transport Mode AH
       The protection is to selected portions of IP
        header and higher layer protocol header
     Transport Mode ESP
       The protection is only for the higher layer
SA’s Mode
  Tunnel Mode
     Applied to an IP tunnel
     Tunnel Mode AH
        Portions of “outer” IP header, as well as all of
        “inner” IP packet
     Tunnel Mode ESP
        Only to the tunneled packet
DataBases in IPsec
  Two databases are maintained in each
  IPsec implementation:
     Security Policy Database (SPD)
     Security Association Database (SAD)
 Contains an ordered list of policy entries
 keyed by selectors
     Destination/Source IP Address
     Transport Layer protocol
     Destination/Source Port
 Each entry includes:
     SA specification
     IPsec protocol
     Modes
     algorithms
 An administrative interface must be
 provided to user or system
 Must be consulted during the all the
 traffic processing, including non-IPsec
 Each entry defines the parameters associated
 with one SA
     Sequence Number Counter
     Anti_replay window
     AH Authentication algorithm, keys
     ESP Encryption algorithm, keys
     ESP Authentication algorithm, keys
     Lifetime of SA
     IPsec Protocol Mode
IPsec Processing
  Differentiate inbound/outbound traffic
     For outbound
       Entries are pointed to by entries in SPD
       If not, create a new SA
     For inbound
       A triple is used to uniquely identify a SA
        <Destination IP address, IPsec Protocol,
        Security Parameters Index>
Security Parameter Index
  32-bit value
  Selected by destination system when a
  new SA is established
SA Management Protocol
  Internet Security Association and Key
  Management Protocol (ISAKMP) is the
  framework for SA management
  It defines:
     Procedure and Packet format to establish,
      negotiate, modify and delete SAs
     Payloads for exchanging key generation
      and authentication data
 ISAKMP has 3 main functions
     Security Associations and Management
        Negotiation:
             authentication mechanism
             cryptographic algorithm
             algorithm mode
             key length
             nitialization Vector (IV)
             ……
        Establishment
     Authentication
        Authenticate the entity at the other end of
        Strong Authentication must be provided
             Digital signature
     Public Key Encryption
        obtain shared secrets and session keys
        Key Establishment: Key generation/Key
        Key Exchange Authentication
ISAKMP Negotiation
  Offer 2-phase negotiation
     Phase 1: establish an ISAKMP SA to protect
      further negotiation
     Phase 2: establish real protocol SAs
  Higher start-up cost
     Multiple Protocol SAs can be established
     Allow to use simpler second phase exchanges
      ISAKMP SA reduces ISAKMP management
ISAKMP Protection
     A anti-clogging token (ACT)
  Man-in-the-middle attack
     Authentication and Encryption
  Not bounded to any specific
  cryptographic algorithm, key generation
  technique, or security mechanism
     Supports the dynamic communications
     Provides a forward migration path to better
      mechanisms and algorithms

Shared By: