NCSU CSC (ECE) 574 - Topic 8.1 - IPsec

This preview shows page 1-2 out of 6 pages.
Computer Science CSC/ECE 574 Computer and Network Security
Topic 8.1: IPsec
Dr. Peng Ning

Slide 2: Outline
• IPsec objectives
• IPsec architecture & concepts
• IPsec Authentication Header
• IPsec Encapsulating Security Payload

Slide 3: IPsec Objectives
• Why do we need IPsec?
  – IPv4 has no authentication
    • IP spoofing
    • Payload could be changed without detection
  – IPv4 has no confidentiality mechanism
    • Eavesdropping
  – Denial of service (DoS) attacks
    • Cannot hold the attacker accountable due to the lack of authentication

Slide 4: IPsec Objectives (Cont'd)
• IP-layer security mechanism for IPv4 and IPv6
  – Not all applications need to be security aware
  – Can be transparent to users
  – Provides authentication and confidentiality mechanisms

Slide 5: IPsec Architecture
[Diagram: two IPsec modules, each containing an SPD, IKE, a SAD and IPsec processing; an SA connects the two modules]
SPD: Security Policy Database; IKE: Internet Key Exchange; SA: Security Association; SAD: Security Association Database.

Slide 6: IPsec Architecture (Cont'd)
• Two protocols (mechanisms)
  – Authentication Header (AH)
  – Encapsulating Security Payload (ESP)
• IKE protocol
  – Internet key management

Slide 7: IPsec Architecture (Cont'd)
• Can be implemented in
  – Host or gateway
• Can work in two modes
  – Tunnel mode
  – Transport mode

Slide 8: Hosts & Gateways
• Hosts can implement IPsec to connect to:
  – Other hosts in transport or tunnel mode
  – Or gateways in tunnel mode
• Gateways to gateways
  – Tunnel mode

Slide 9: Tunnel Mode
[Diagram: host A – gateway === encrypted tunnel === gateway – host B; the A–gateway and gateway–B legs are unencrypted]
Packet layout: New IP Header | AH or ESP Header | Orig IP Header | TCP | Data (the original IP header and payload are encrypted)

Slide 10: Tunnel Mode (Cont'd)
Packet layout: Outer IP header | IPsec header (AH or ESP) | Inner IP header | Higher layer protocol. The outer header carries the destination IPsec entity; the inner header carries the real IP destination.
• ESP applies only to the tunneled packet
• AH can be applied to portions of the outer header

Slide 11: Transport Mode
[Diagram: host A ↔ host B, end to end]
Packet layout: IP Header | AH or ESP Header | TCP | Data (TCP and Data are encrypted/authenticated)

Slide 12: Transport Mode (Cont'd)
Packet layout: IP header | IP options | IPsec header (AH or ESP) | Higher layer protocol. The IP header carries the real IP destination.
• ESP protects higher layer payload only
• AH can protect IP headers as well as higher layer payload

Slide 13: Security Association (SA)
• An association between a sender and a receiver
  – Consists of a set of security related parameters
  – E.g., sequence number, encryption key
• One-way relationship
• Determines IPsec processing for senders
• Determines IPsec decoding for destination
• SAs are not fixed! Generated and customized per traffic flow

Slide 14: Security Parameters Index (SPI)
• A bit string assigned to an SA
• Carried in AH and ESP headers to enable the receiving system to select the SA under which the packet will be processed
• 32 bits
• SPI + Dest IP address + IPsec protocol
  – Uniquely identifies each SA in the SA Database (SAD)

Slide 15: SA Database (SAD)
• Holds parameters for each SA
  – Sequence number counter
  – Lifetime of this SA
  – AH and ESP information
  – Tunnel or transport mode
• Every host or gateway participating in IPsec has its own SA database

Slide 16: SA Bundle
• More than one SA can apply to a packet
• Example: ESP does not authenticate the new IP header. How to authenticate it?
  – Use one SA to apply ESP without authentication to the original packet
  – Use a second SA to apply AH

Slide 17: Security Policy Database (SPD)
• Decides
  – What traffic to protect?
  – Has incoming traffic been properly secured?
• Policy entries define which SA or SA bundles to use on IP traffic
• Each host or gateway has its own SPD
• Index into the SPD by selector fields
  – Selectors: IP and upper-layer protocol field values
  – Examples: Dest IP, Source IP, Transport Protocol, IPsec Protocol, Source & Dest Ports, …

Slide 18: SPD Entry Actions
• Discard
  – Do not let in or out
• Bypass
  – Outbound: do not apply IPsec
  – Inbound: do not expect IPsec
• Protect – will point to an SA or SA bundle
  – Outbound: apply security
  – Inbound: security must have been applied

Slide 19: SPD Protect Action
• If the SA does not exist…
  – Outbound processing
    • Trigger key management protocols to generate the SA dynamically, or
    • Request manual specification, or
    • Other methods
  – Inbound processing
    • Drop packet

Slide 20: Outbound Processing
[Diagram: outbound packet on A, destined for B: IP packet → SPD (policy): is it for IPsec? If so, which policy entry to select? → SA Database: determine the SA and its SPI → IPsec processing → SPI & IPsec packet sent to B]

Slide 21: Inbound Processing
[Diagram: inbound packet on B, from A: SPI & packet → use the SPI to index the SAD → "un-process" → original IP packet → SPD (policy): was the packet properly secured?]

Slide 22: Authentication Header (AH)
• Data integrity
  – Entire packet has not been tampered with
• Authentication
  – Can "trust" IP address source
  – Use MAC to authenticate
• Anti-replay feature
• Integrity check value

Slide 23: Integrity Check Value (ICV)
• Message authentication code (MAC) calculated over
  – IP header fields that do not change or are predictable
  – IP header fields that are unpredictable are set to zero
  – IPsec AH header with the ICV field set to zero
  – Upper-level data
• Code may be truncated to first 96 bits
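As an added worked example (not part of the slides), the Python below builds and verifies a transport-mode AH packet the way slide 23 describes: mutable IPv4 header fields are zeroed, the ICV field in the AH header is zeroed, and the MAC (HMAC-SHA1 assumed here) is truncated to 96 bits, so a TTL change by a router in transit still verifies while a one-bit payload change does not. The key, addresses, SPI and payload are constructed, and the receiver's SA lookup by SPI is reduced to a single key.

```python
import hashlib, hmac, struct
from ipaddress import IPv4Address

AH_PROTO, ICV_LEN = 51, 12  # IP protocol number for AH; ICV truncated to 96 bits

def ip_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, payload_len, ttl=64, tos=0):
    # 20-byte header, no options, DF flag set; identification value is constructed
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234,
                                0x4000, ttl, AH_PROTO, 0, IPv4Address(src).packed,
                                IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)

def set_ttl(pkt, ttl):
    # What a router does in transit: change TTL and recompute the header checksum
    hdr = bytearray(pkt[:20])
    hdr[8], hdr[10:12] = ttl, b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]

def zero_mutable(ip_hdr):
    # Fields that change in transit (mutable per RFC 4302) are zeroed before the MAC
    h = bytearray(ip_hdr)
    h[1], h[8] = 0, 0                # ToS (DSCP/ECN), TTL
    h[6:8] = h[10:12] = b"\x00\x00"  # flags + fragment offset, header checksum
    return bytes(h)

def compute_icv(key, ip_hdr, ah_fixed, payload):
    # MAC over: immutable IP header | AH with ICV field zeroed | upper-level data
    data = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, spi, seq, payload, next_hdr=6):
    ip = ipv4_header(src, dst, 12 + ICV_LEN + len(payload))
    # AH fixed part: Next Header, Payload Len ((24 bytes / 4) - 2 = 4), Reserved, SPI, Seq
    ah_fixed = struct.pack("!BBHII", next_hdr, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    return ip + ah_fixed + compute_icv(key, ip, ah_fixed, payload) + payload

def verify_ah_packet(key, pkt):
    # Receiver: SPI + dest IP + protocol select the SA; here the SA is just `key`
    ip, ah_fixed = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip, ah_fixed, payload))
```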