Contents: Slide 1 (title), IP Security, IPSec, IPSec Uses, VPN, Benefits of IPSec, IP Security Architecture, Slide 8 (diagram), Transport Mode, Tunnel Mode, IPSec Pros, IPSec Cons, Backup Slides, Architecture & Concepts, Security Association - SA, Security Parameters Index - SPI, SA Database - SAD, Security Policy Database - SPD, Slide 19, SPD Entry Actions, SPD Protect Action, Outbound Processing, Inbound Processing, Slide 24, Authentication Header, IPSec Authentication Header, Integrity Check Value - ICV, AH: Tunnel and Transport Mode, Encapsulating Security Payload (ESP), ESP: Tunnel and Transport Mode, Outbound Packet Processing, ESP Transport Example, Inbound Packet Processing..., Slide 34, NATs, NAT types, NAT Example, Will IPSec Work with NAT?, Combining Security Associations, Slide 40, SA Bundle, Outbound Packet Processing..., Inbound Packet Processing, Anti-replay Feature, Anti-replay Sliding Window, ESP Processing - Header Location..., Key Management

IP Security
- Have a range of application-specific security mechanisms
  - e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
- However, there are security concerns that cut across protocol layers
- Would like security implemented by the network for all applications

IPSec
- General IP security mechanisms
- Provides
  - authentication
  - confidentiality
  - key management
- Applicable to use over LANs, across public & private WANs, & for the Internet

IPSec Uses
- Transparency

VPN
- Application-level VPN
  - E.g., tunnel through ssh
  - Analogous to app-level gateways
- IPSec-based VPN
  - Analogous to packet-filtering firewalls

Benefits of IPSec
- In a firewall/router, provides strong security to all traffic crossing the perimeter
- Is below the transport layer, hence transparent to applications
- Can be transparent to end users
- Can provide security for individual, even mobile, users
- Secures the routing architecture

IP Security Architecture
- Specification is quite complex
- Defined in numerous RFCs
  - incl. RFC 2401/2402/2406/2408
  - many others, grouped by category
- Mandatory in IPv6, optional in IPv4
- Have two security header extensions:
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)

Slide 8 (diagram): host A - Gateway 1 == Encrypted Tunnel == Gateway 2 - host B. Tunnel-mode packet layout: New IP Header (unencrypted) | AH or ESP Header (unencrypted) | Orig IP Header | TCP | Data (encrypted).

Transport Mode vs. Tunnel Mode
- Transport mode: host -> host
- Tunnel mode: host -> gateway or gateway -> gateway

Transport Mode
- ESP protects the higher-layer payload only
- AH can protect IP headers as well as the higher-layer payload
(diagram: IP header (real IP destination) | IP options | IPSec header | Higher-layer protocol; ESP covers the higher-layer protocol only, AH also covers the IP header)

Tunnel Mode
- ESP applies only to the tunneled packet
- AH can be applied to portions of the outer header
(diagram: Outer IP header (destination IPSec entity) | Inner IP header (real IP destination) | IPSec header | Higher-layer protocol; ESP covers the inner packet only, AH also covers portions of the outer header)

IPSec Pros
- Hides the identity of your network
- Provides a secure channel: confidentiality, authenticity, and integrity
- Connects sites (e.g., branch offices) with a cost-effective secure network compared with leased lines
- Allows users to work from home and from mobile hosts

IPSec Cons
- A single failure in the path disconnects the entire network. It also causes performance bottlenecks.
- Incompatible with NAT/PAT, depending on the architecture
- Tunneled traffic is undetected by IDS
- VPN gateways might be compromised, which leads to uncovering protected data

Backup Slides

Architecture & Concepts
- Tunnel vs. Transport mode
- Security association (SA)
- Security parameter index (SPI)
- Security policy database (SPD)
- SA database (SAD)
- Authentication header (AH)
- Encapsulating security payload (ESP)
- Practical issues w/ NAT

Security Association - SA
- Have a database of Security Associations
  - Determines IPSec processing for senders
  - Determines IPSec decoding for the destination
- SAs are not fixed! Generated and customized per traffic flow

Security Parameters Index - SPI
- Can be up to 32 bits large
- The SPI allows the destination to select the correct SA under which the received packet will be processed
  - According to the agreement with the sender
- The SPI is sent with the packet by the sender
- SPI + Dest IP address + IPSec protocol (AH or ESP) uniquely identifies an SA

SA Database - SAD
- Holds parameters for each SA
  - Lifetime of this SA
  - AH and ESP information
  - Tunnel or transport mode
- Every host or gateway participating in IPSec has its own SA database

Security Policy Database - SPD
- What traffic to protect?
- Policy entries define which SA or SA bundles to use on IP traffic
- Each host or
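The SA, SPI, SAD and SPD slides above describe a lookup structure without showing it in operation. The following is an added example, not code from the slide deck: a toy model in which each node keeps a SAD keyed on (SPI, destination address, protocol), an ordered SPD that chooses protect/bypass/discard for outbound traffic (the three actions RFC 4301 defines), and an ESP encapsulation that shows the on-wire difference between transport mode (original IP header kept, ESP around the payload) and tunnel mode (new outer header, whole original packet inside). Header layouts follow RFC 4301/4303; the cipher, ICV, alignment padding and IPv4 checksum are omitted so the structure stays visible. All addresses, SPIs, lifetimes and the class/function names are constructed for this illustration.

```python
"""Toy IPsec SPD/SAD model (added example, not from the slides).  Shows why
(SPI, dst, proto) identifies an SA, how the SPD picks an SA for outbound
traffic, and how ESP transport and tunnel mode differ on the wire."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ESP, AH = 50, 51                             # IANA protocol numbers
IPIP = 4                                     # ESP Next Header value for a tunnelled IPv4 packet
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")    # 20-byte IPv4 header, no options
ESP_HDR = struct.Struct("!II")               # ESP header: SPI, sequence number


@dataclass
class SA:
    spi: int
    dst: str              # destination of the SA (tunnel endpoint in tunnel mode)
    proto: int            # ESP or AH
    mode: str             # "transport" or "tunnel"
    src: str              # sending endpoint (outer source address in tunnel mode)
    lifetime_bytes: int   # constructed SAD lifetime, consumed by protected traffic
    seq: int = 0          # last sequence number sent


@dataclass
class SPDEntry:
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    action: str                      # RFC 4301: "protect", "bypass" or "discard"
    sa_key: Optional[tuple] = None   # (spi, dst, proto) of the SA to apply


def net(cidr):
    return ipaddress.IPv4Network(cidr)


def ipv4_header(src, dst, proto, payload_len):
    return IPV4_HDR.pack(0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of a packet built by ipv4_header()."""
    _, _, total, _, _, _, proto, _, src, dst = IPV4_HDR.unpack(pkt[:20])
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, pkt[20:total])


class IPsecNode:
    """A host or gateway with its own SAD and SPD."""

    def __init__(self, spd):
        self.sad = {}    # (spi, dst, proto) -> SA: the unique SA identifier
        self.spd = spd   # ordered list of SPDEntry; first match wins

    def add_sa(self, sa):
        self.sad[(sa.spi, sa.dst, sa.proto)] = sa

    def spd_lookup(self, src, dst):
        for e in self.spd:
            if ipaddress.IPv4Address(src) in e.src_net and ipaddress.IPv4Address(dst) in e.dst_net:
                return e
        return SPDEntry(net("0.0.0.0/0"), net("0.0.0.0/0"), "discard")  # no policy: drop

    def outbound(self, pkt):
        """Apply the SPD to an outgoing packet; return the on-wire packet or None."""
        src, dst, proto, payload = parse_ipv4(pkt)
        entry = self.spd_lookup(src, dst)
        if entry.action == "discard":
            return None
        if entry.action == "bypass":
            return pkt
        sa = self.sad.get(entry.sa_key)
        if sa is None or sa.lifetime_bytes <= 0:
            return None          # no usable SA; key management would have to negotiate one
        sa.seq += 1
        sa.lifetime_bytes -= len(pkt)
        esp = ESP_HDR.pack(sa.spi, sa.seq)
        if sa.mode == "transport":
            # Original IP header stays; ESP wraps only the higher-layer payload.
            body = esp + payload + bytes([0, proto])   # trailer: pad length, next header
            return ipv4_header(src, dst, ESP, len(body)) + body
        # Tunnel mode: the whole original packet is the ESP payload and a new
        # outer header addressed to the tunnel endpoints is prepended.
        body = esp + pkt + bytes([0, IPIP])
        return ipv4_header(sa.src, sa.dst, ESP, len(body)) + body

    def inbound(self, pkt):
        """Select the SA by (SPI, dst, proto) and decapsulate; return (verdict, packet)."""
        src, dst, proto, payload = parse_ipv4(pkt)
        if proto != ESP:
            return "bypass", pkt
        spi, _seq = ESP_HDR.unpack(payload[:ESP_HDR.size])
        sa = self.sad.get((spi, dst, ESP))
        if sa is None:
            return "discard", None   # unknown SA: nothing to verify or decrypt with
        pad_len, next_hdr = payload[-2], payload[-1]
        inner = payload[ESP_HDR.size:len(payload) - 2 - pad_len]
        if sa.mode == "tunnel":
            return ("deliver", inner) if next_hdr == IPIP else ("discard", None)
        return "deliver", ipv4_header(src, dst, next_hdr, len(inner)) + inner


def demo():
    """Gateway-to-gateway tunnel SA and host-to-host transport SA (constructed values)."""
    tunnel = dict(spi=0x1000, dst="198.51.100.1", proto=ESP, mode="tunnel",
                  src="203.0.113.1", lifetime_bytes=4096)
    transport = dict(spi=0x2000, dst="10.2.0.9", proto=ESP, mode="transport",
                     src="10.1.0.5", lifetime_bytes=4096)
    gw1 = IPsecNode([SPDEntry(net("10.1.0.0/16"), net("10.2.0.0/16"), "protect",
                              (0x1000, "198.51.100.1", ESP))])
    h1 = IPsecNode([SPDEntry(net("10.1.0.5/32"), net("10.2.0.9/32"), "protect",
                             (0x2000, "10.2.0.9", ESP))])
    gw2, h2 = IPsecNode([]), IPsecNode([])
    for node in (gw1, gw2):
        node.add_sa(SA(**tunnel))       # both ends hold the matching SAD entry
    for node in (h1, h2):
        node.add_sa(SA(**transport))
    orig = ipv4_header("10.1.0.5", "10.2.0.9", 6, 5) + b"hello"
    tun_wire, tr_wire = gw1.outbound(orig), h1.outbound(orig)
    return {"orig": orig,
            "tunnel_wire": tun_wire, "tunnel_in": gw2.inbound(tun_wire),
            "transport_wire": tr_wire, "transport_in": h2.inbound(tr_wire),
            "no_sa": gw2.inbound(tr_wire),                      # SPI unknown at gw2
            "no_policy": gw1.outbound(ipv4_header("10.9.0.1", "10.2.0.9", 6, 0))}
```

Running demo() shows the tunnel-mode packet leaving gateway 1 with outer addresses 203.0.113.1 -> 198.51.100.1 and protocol 50, while the transport-mode packet keeps the hosts' own addresses; in both cases the receiver recovers the original packet only because its SAD has an entry under exactly the (SPI, destination, protocol) triple carried by the packet, and a packet whose triple is unknown is discarded rather than guessed at.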