Outline
- IP Security; IPSec; IPSec Uses; VPN; Benefits of IPSec; IP Security Architecture
- Transport Mode; Tunnel Mode; IPSec Pros; IPSec Cons; Architecture & Concepts
- Authentication Header; IPSec Authentication Header; Integrity Check Value (ICV); AH: Tunnel and Transport Mode
- Encapsulating Security Payload (ESP); ESP: Tunnel and Transport Mode; Outbound Packet Processing; ESP Transport Example; Inbound Packet Processing
- NATs; NAT types; NAT Example; Will IPSec Work with NAT?
- Backup Slides: Security Association (SA); Security Parameters Index (SPI); SA Database (SAD); Security Policy Database (SPD); SPD Entry Actions; SPD Protect Action; Outbound Processing; Inbound Processing; Combining Security Associations; SA Bundle; Outbound Packet Processing; Inbound Packet Processing; Anti-replay Feature; Anti-replay Sliding Window; ESP Processing - Header Location; Key Management

IP Security
- We have a range of application-specific security mechanisms, e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
- However, there are security concerns that cut across protocol layers
- We would like security implemented by the network for all applications

IPSec
- General IP security mechanisms
- Provides: authentication, confidentiality, key management
- Applicable over LANs, across public and private WANs, and for the Internet

IPSec Uses
- Transparency

VPN
- Application-level VPN: e.g., tunnel through ssh; analogous to application-level gateways
- IPSec-based VPN: analogous to packet-filtering firewalls

Benefits of IPSec
- In a firewall/router, provides strong security to all traffic crossing the perimeter
- Is below the transport layer, hence transparent to applications
- Can be transparent to end users
- Can provide security for individual, even mobile, users
- Secures the routing architecture

IP Security Architecture
- Specification is quite complex
- Defined in numerous RFCs, incl. RFC 2401/2402/2406/2408, and many others, grouped by category
- Mandatory in IPv6, optional in IPv4
- Has two security header extensions: Authentication Header (AH) and Encapsulating Security Payload (ESP)

[Figure: hosts A and B connected through an encrypted tunnel between Gateway 1 and Gateway 2. Packet layout: New IP Header | AH or ESP Header | Orig IP Header | TCP | Data; the original IP header, TCP header and data are encrypted, the new IP header and AH/ESP header are unencrypted.]

Transport Mode vs. Tunnel Mode
- Transport mode: host -> host
- Tunnel mode: host -> gateway or gateway -> gateway

Transport Mode
- ESP protects the higher-layer payload only
- AH can protect IP headers as well as the higher-layer payload
[Figure: IP header | IP options | IPSec header | Higher-layer protocol; ESP coverage spans the higher-layer protocol, AH coverage spans the IP header through the higher-layer protocol; the IP header carries the real IP destination.]

Tunnel Mode
- ESP applies only to the tunneled packet
- AH can be applied to portions of the outer header
[Figure: Outer IP header | Inner IP header | IPSec header | Higher-layer protocol; the inner IP header carries the real IP destination, the outer IP header addresses the destination IPSec entity.]

IPSec Pros
- Hides the identity of your network
- Provides a secure channel: confidentiality, authenticity, and integrity
- Connects sites (e.g., branch offices) with a cost-effective secure network compared with leased lines
- Allows users to work from home and from mobile hosts

IPSec Cons
- A single failure in the path disconnects the entire network; it also causes performance bottlenecks
- Incompatible with NAT/PAT, depending on the architecture
- Tunneled traffic is undetected by IDS
- VPN gateways might be compromised, which leads to uncovering protected data

Architecture & Concepts
- Tunnel vs. transport mode
- Security association (SA)
- Security parameter index (SPI)
- Security policy database (SPD)
- SA database (SAD)
- Authentication header (AH)
- Encapsulating security payload (ESP)
- Practical issues with NAT

Authentication Header
- Data integrity: the entire packet has not been tampered with
- Authentication: can "trust" the IP address source
- Anti-replay feature
- Integrity check value
- ...

IPSec Authentication Header
[Figure: AH header fields: Next Header (TCP/UDP) | Payload Length | Reserved | SPI | Sequence Number | ICV; the SPI indexes the SAD.]
- Payload Length: length of the authentication header

Integrity Check Value - ICV
- Keyed message authentication code (MAC) calculated over:
  - IP header fields that do not change or are predictable: source IP address, destination IP, header length, etc. (prevents spoofing); mutable fields are excluded, e.g. time-to-live (TTL), IP header checksum, etc.
  - The IPSec protocol header, except the ICV value field
  - Upper-level data
- The code may be truncated to the first 96 bits

AH: Tunnel and Transport Mode
- Original packet
- Transport mode: covers most of the original packet
- Tunnel mode: covers the entire original packet

Encapsulating Security Payload (ESP)
- Provides message content confidentiality
- Provides limited traffic
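The ICV computation described on the slides (keyed MAC over the immutable IP header fields, the AH header with its ICV zeroed, and the upper-layer data, truncated to 96 bits), worked through for AH transport mode as an added example that is not part of the original slides. It assumes HMAC-SHA1 as the MAC, a constructed key and constructed addresses, and zeroes the mutable IPv4 fields named in RFC 4302 (DSCP/ECN, flags, fragment offset, TTL, header checksum); the slides only name TTL and checksum explicitly.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTOCOL = 51      # IP protocol number that announces an AH header
ICV_LEN = 96 // 8     # slides: MAC may be truncated to the first 96 bits

def ipv4_header(src, dst, ttl, proto, total_len, checksum=0):
    """Minimal 20-byte IPv4 header (no options). Checksum left zero: it is
    mutable and excluded from the ICV anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, checksum,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def zero_mutable_fields(ip_hdr):
    """Fields rewritten in transit are set to zero before the MAC is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def ah_header(next_header, spi, seq, icv):
    """Next Header | Payload Length | Reserved | SPI | Sequence Number | ICV."""
    payload_len = (12 + len(icv)) // 4 - 2   # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv

def compute_icv(key, ip_hdr, next_header, spi, seq, payload):
    """HMAC over immutable IP fields + AH header (ICV zeroed) + upper-level data."""
    ah_zeroed = ah_header(next_header, spi, seq, b"\x00" * ICV_LEN)
    data = zero_mutable_fields(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_transport_packet(key, src, dst, ttl, spi, seq, payload, next_header=6):
    """Sender: IP header (proto=AH) | AH header | original TCP/UDP payload."""
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, ttl, AH_PROTOCOL, total_len)
    icv = compute_icv(key, ip_hdr, next_header, spi, seq, payload)
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload

def verify_ah_transport_packet(key, packet):
    """Receiver: recompute the ICV from the received packet and compare."""
    ip_hdr, ah, payload = packet[:20], packet[20:44], packet[44:]
    next_header, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    expected = compute_icv(key, ip_hdr, next_header, spi, seq, payload)
    return hmac.compare_digest(expected, ah[12:])
```

A router decrementing TTL and rewriting the checksum leaves the ICV valid, while any change to the addresses, the AH header or the payload fails verification.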