UND CSCI 389 - Chapter 18 Security at the Network Layer - I


Chapter 18
Security at the Network Layer: IPSec
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Objectives
❏ To define the architecture of IPSec
❏ To discuss the application of IPSec in transport and tunnel modes
❏ To discuss how IPSec can be used to provide only authentication
❏ To discuss how IPSec can be used to provide both confidentiality and authentication
❏ To define Security Association and explain how it is implemented for IPSec
❏ To define Internet Key Exchange and explain how it is used by IPSec

Figure 18.1 TCP/IP Protocol Suite and IPSec

18-1 TWO MODES
IPSec operates in one of two different modes: transport mode or tunnel mode.
Topics discussed in this section:
18.1.1 Transport Mode
18.1.2 Tunnel Mode
18.1.3 Comparison

18.1.1 Transport Mode
In transport mode, IPSec protects what is delivered from the transport layer to the network layer.
Note: IPSec in transport mode does not protect the IP header; it only protects the information coming from the transport layer.
Figure 18.2 IPSec in transport mode
Figure 18.3 Transport mode in action

18.1.2 Tunnel Mode
In tunnel mode, IPSec protects the entire IP packet. It takes an IP packet, including the header, applies IPSec security methods to the entire packet, and then adds a new IP header.
Note: IPSec in tunnel mode protects the original IP header.
Figure 18.4 IPSec in tunnel mode
Figure 18.5 Tunnel mode in action

18.1.3 Comparison
Figure 18.6 Transport mode versus tunnel mode

18-2 TWO SECURITY PROTOCOLS
IPSec defines two protocols—the Authentication Header (AH) Protocol and the Encapsulating Security Payload (ESP) Protocol—to provide authentication and/or encryption for packets at the IP level.
Topics discussed in this section:
18.2.1 Authentication Header (AH)
18.2.2 Encapsulating Security Payload (ESP)
18.2.3 IPv4 and IPv6
18.2.4 AH versus ESP
18.2.5 Services Provided by IPSec

18.2.1 Authentication Header (AH)
Note: The AH protocol provides source authentication and data integrity, but not privacy.
Figure 18.7 Authentication Header (AH) protocol

18.2.2 Encapsulating Security Payload (ESP)
Note: ESP provides source authentication, data integrity, and privacy.
Figure 18.8 ESP

18.2.3 IPv4 and IPv6
IPSec supports both IPv4 and IPv6. In IPv6, however, AH and ESP are part of the extension header.

18.2.4 AH versus ESP
The ESP protocol was designed after the AH protocol was already in use. ESP does whatever AH does with additional functionality (privacy).

18.2.5 Services Provided by IPSec
Table 18.1 IPSec services
Figure 18.9 Replay window

18-3 SECURITY ASSOCIATION
Security Association is a very important aspect of IPSec. IPSec requires a logical relationship, called a Security Association (SA), between two hosts. This section first discusses the idea and then shows how it is used in IPSec.
Topics discussed in this section:
18.3.1 Idea of Security Association
18.3.2 Security Association Database (SAD)

18.3.1 Idea of Security Association
Figure 18.10 Simple SA

18.3.2 Security Association Database (SAD)
Figure 18.11 SAD
Table 18.2 Typical SA Parameters (columns: Parameters, Description)

18-4 SECURITY POLICY
Another important aspect of IPSec is the Security Policy (SP), which defines the type of security applied to a packet when it is to be sent or when it has arrived. Before using the SAD, discussed in the previous section, a host must determine the predefined policy for the packet.
Topics discussed in this section:
18.4.1 Security Policy Database

18.4.1 Security Policy Database
Figure 18.12 Connection identifiers
Figure 18.13 Outbound processing
Figure 18.14 Inbound processing

18-5 INTERNET KEY EXCHANGE (IKE)
The Internet Key Exchange (IKE) is a protocol designed to create both inbound and outbound Security Associations.
Topics discussed in this section:
18.5.1 Improved Diffie-Hellman Key Exchange
18.5.2 IKE Phases
18.5.3 Phases and Modes
18.5.4 Phase I: Main Mode
18.5.5 Phase I: Aggressive Mode
18.5.6 Phase II: Quick Mode
18.5.7 SA Algorithms
Note: IKE creates SAs for IPSec.
Figure 18.15 IKE components

18.5.1 Improved Diffie-Hellman
Figure 18.16 Diffie-Hellman key exchange
Figure 18.17 Diffie-Hellman with cookies
To protect against a clogging
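The anti-replay service listed in section 18.2.5 (Figure 18.9, Replay window) is easiest to understand in code. The following is an added example, not code from the textbook or the slides: a sliding window of the kind IPsec receivers keep per SA, with the integrity check (a constructed HMAC standing in for the AH/ESP ICV) performed before the window is updated, so that a packet with a forged sequence number cannot move the window and knock out legitimate traffic. The window size of 8, the key, the packet format and the function names are all assumptions chosen for readability.

```python
import hashlib
import hmac


class ReplayWindow:
    """Sliding anti-replay window (Figure 18.9 style). The window covers the
    `size` most recent sequence numbers, anchored at the highest one accepted."""

    def __init__(self, size=8):
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.top = 0      # highest sequence number accepted so far; 0 means none yet
        self.bitmap = 0   # bit i set means sequence number (top - i) has been accepted

    def check(self, seq):
        """Classify seq without touching the window: 'new', 'replay' or 'old'."""
        if seq <= 0:
            return "old"   # IPsec sequence numbers start at 1; 0 is never valid
        if seq > self.top:
            return "new"   # right of the window: fresh, will shift the window
        offset = self.top - seq
        if offset >= self.size:
            return "old"   # left of the window: too old to track, drop
        return "replay" if self.bitmap & (1 << offset) else "new"

    def update(self, seq):
        """Record seq as accepted. Call only after check() returned 'new' AND the
        packet's integrity check passed; otherwise forged packets move the window."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def make_packet(key, seq, payload):
    """Constructed stand-in for an AH/ESP packet: (seq, payload, tag). The tag is an
    HMAC over sequence number and payload, as the real ICV covers both."""
    tag = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return (seq, payload, tag)


def receive(key, packets, window_size=8):
    """Process packets in arrival order as an IPsec receiver does: window check,
    then integrity check, then window update. Returns one verdict per packet."""
    win = ReplayWindow(window_size)
    verdicts = []
    for seq, payload, tag in packets:
        verdict = win.check(seq)
        if verdict != "new":
            verdicts.append(verdict)
            continue
        expected = hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            verdicts.append("bad-icv")   # dropped, and the window is NOT updated
            continue
        win.update(seq)
        verdicts.append("accepted")
    return verdicts


def demo():
    """Constructed stream: reordering, one replay, one packet with a bad ICV and a
    forged high sequence number, then a jump that slides the window."""
    key = b"constructed-demo-key"            # a real SA key is negotiated by IKE
    good = {n: make_packet(key, n, b"data%d" % n) for n in (1, 3, 2, 12, 5, 4)}
    forged = (20, b"forged", b"\x00" * 32)   # bad ICV, sequence number far to the right
    stream = [good[1], good[3], good[2], good[2], forged, good[12], good[4], good[5]]
    return receive(key, stream)
```

Running `demo()` gives `accepted, accepted, accepted, replay, bad-icv, accepted, old, accepted`. The order of the checks matters: had the forged packet with sequence number 20 been allowed to slide the window before its ICV failed, the legitimate packets 12 and 5 that arrive afterwards would have fallen left of the window and been dropped as "old".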


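Figure 18.17 (Diffie-Hellman with cookies) shows the improvement section 18.5.1 introduces against clogging: the responder hands out a cookie first and performs the expensive modular exponentiation only for an initiator that echoes it back. The code below is an added example, not the textbook's or the slides' own; it uses a toy modulus (2**127 - 1, which is prime but is not an IKE group), a four-message exchange, and constructed documentation addresses, all of which are assumptions. The responder keeps no state between messages 1 and 3; the cookie is an HMAC over the initiator's address and cookie under a secret only the responder knows.

```python
import hashlib
import hmac
import secrets

# Toy group for a runnable demo: 2**127 - 1 is prime, but it is NOT an IKE group.
# Real IKE uses the standardised MODP groups; the cookie logic is what matters here.
P = (1 << 127) - 1
G = 2


def derive_key(shared_secret):
    """Hash the DH shared secret down to a symmetric key (IKE runs a PRF here)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


class Responder:
    """Responder side of Diffie-Hellman with cookies (Figure 18.17). No per-initiator
    state and no exponentiation until a cookie that was sent to the claimed source
    address comes back."""

    def __init__(self):
        self.cookie_secret = secrets.token_bytes(32)  # rotated periodically in practice
        self.modexps = 0                               # expensive operations performed
        self.established = {}                          # (addr, initiator_cookie) -> key

    def _cookie(self, initiator_addr, initiator_cookie):
        msg = initiator_addr.encode() + initiator_cookie
        return hmac.new(self.cookie_secret, msg, hashlib.sha256).digest()[:16]

    def handle_request(self, initiator_addr, initiator_cookie):
        """Message 1 -> 2: return a cookie. Stateless and cheap (one HMAC)."""
        return self._cookie(initiator_addr, initiator_cookie)

    def handle_key_exchange(self, initiator_addr, initiator_cookie, responder_cookie, peer_public):
        """Message 3 -> 4: only a valid cookie buys the expensive DH computation."""
        if not hmac.compare_digest(responder_cookie, self._cookie(initiator_addr, initiator_cookie)):
            return None                      # dropped without any modexp
        if not 1 < peer_public < P - 1:
            return None                      # reject degenerate public values
        b = secrets.randbelow(P - 2) + 2
        self.modexps += 2
        my_public = pow(G, b, P)
        self.established[(initiator_addr, initiator_cookie)] = derive_key(pow(peer_public, b, P))
        return my_public


class Initiator:
    def __init__(self, addr):
        self.addr = addr
        self.cookie = secrets.token_bytes(8)
        self.a = secrets.randbelow(P - 2) + 2
        self.public = pow(G, self.a, P)

    def run(self, responder):
        """Full four-message exchange with a responder; returns the derived key."""
        responder_cookie = responder.handle_request(self.addr, self.cookie)
        peer_public = responder.handle_key_exchange(self.addr, self.cookie, responder_cookie, self.public)
        if peer_public is None:
            return None
        return derive_key(pow(peer_public, self.a, P))


def demo():
    """One honest exchange, then 1000 first messages from addresses whose cookie
    reply the sender never sees and 1000 third messages with guessed cookies;
    count what each costs the responder."""
    responder = Responder()
    alice = Initiator("198.51.100.7")      # constructed documentation address
    alice_key = alice.run(responder)
    honest_cost = responder.modexps
    for i in range(1000):
        addr = "203.0.113.%d" % (i % 256)  # constructed documentation addresses
        responder.handle_request(addr, secrets.token_bytes(8))
        responder.handle_key_exchange(addr, secrets.token_bytes(8), secrets.token_bytes(16), 12345)
    return {
        "keys_match": alice_key == responder.established[(alice.addr, alice.cookie)],
        "honest_modexps": honest_cost,
        "unverified_modexps": responder.modexps - honest_cost,
    }
```

`demo()` reports that the honest exchange cost the responder exactly two exponentiations and that the 2000 unverified messages cost none: without the cookie, each message 1 would have forced the responder to pick an exponent, compute g^b and store state for a peer that may not exist, which is the clogging the figure is defending against.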