SJSU CS 265 - Internet Protocol Security (IPSec)

This preview shows page 1-2 out of 6 pages.
A view point of Internet Protocol Security (IPSec)
Sheng-Liang Song
CS265, Mark Stamp

IPSec is about Internet Protocol Security. As we enter the information age, the network shrinks the world into a distance measured in seconds. Information is fully shared within the network, and data move from one point to another every second. As the network becomes part of our daily life, the demand for network security is increasing. We need a security system to protect our private data as they move across the public network. Hence, IPSec was born. In the following paper, I give a short introduction to IPSec and discuss some limitations of IPSec.

The OSI (Open System Interconnection) model classifies the network into seven fundamental layers: physical, data link, network, transport, session, presentation, and application. Different levels of security are implemented at different layers of the network. The majority of today's networks are built on top of the Internet Protocol (IP) infrastructure. IP plays the key role at the network layer. Data are segmented into packets. In order to send a packet from one machine to another, a header is added in front of the packet, namely the IP header. The IP header contains a source address and a destination address. The following graphs are two versions of IP headers. For more detailed information about IP headers, please refer to IPv4 (RFC 791) and IPv6 (RFC 2460).

It is time for IPSec to jump in. We have just seen these IP headers; where do we add a security lock? Designers have come up with two different encryption modes: Transport and Tunnel. A packet is defined as an IP header and a payload. Transport mode encrypts the data only, and then inserts the encryption header between the IP header and the payload. Tunnel mode encrypts the whole packet as a new payload behind an encryption header, and then adds a new IP header in front of it.

What is the encryption header? The encryption header is mainly implemented with the Encapsulating Security Payload (ESP, RFC 2406) protocol, which encrypts and/or authenticates data. How do we encrypt these data? First of all, we choose a key or keys for the chosen encryption algorithm. The Internet Key Exchange (IKE, RFC 2409) is one of the underlying systems that helps set up these communication keys. With these joined efforts, IPSec provides "access control, connectionless integrity, data origin authentication, rejection of replayed packets, confidentiality (RFC 2401)". IPSec provides one or more security paths between two IP addresses (two points). Each point can be a host or a security gateway (a router).

How does everything work together? First, IKE sets up a keying channel (the ISAKMP SA) between the two points. Second, IKE sets up data channels (the IPSec SAs). Third, the two points exchange IPSec packets. Please note that IKE requires a periodic re-keying process running in the background. For example, Cisco routers send keepalive IKE packets to each other. The Cisco IOS command is "crypto isakmp keepalive <sec> <retry interval>", default: 600 seconds and 2 seconds. With this mechanism in place, we detect a broken security path (channel), and then recover through a redundant security path (channel).

What are the advantages and limitations of IPSec? FreeS/WAN [17] says, "IPSec is the most general way to provide [security] services for the Internet." FreeS/WAN also mentions several limitations of IPSec. First, IPSec relies on the system security gateways (routers). Second, IPSec does not provide an end-to-end security service. Third, IPSec authenticates machines, not users. Fourth, IPSec does not stop denial of service attacks. Fifth, IPSec does not stop traffic analysis.

Here is my point of view on FreeS/WAN's limitations of IPSec.
First, the network is a nest of connected points, and one of its key elements is the security gateway. Of course IPSec relies on the system security gateways. This is not a limitation; this is a fact.

Second, IPSec does provide an end-to-end security service within a security path between two points. Here is FreeS/WAN's common setup example: "IPSec encrypts packets at a security gateway as they leave the sender's site and decrypts them on arrival at the gateway to the recipient's site. This only encrypted data is passed over the Internet -- but it does not even come close to providing an end-to-end service. In particular, anyone with appropriate privileges on either site's LAN can intercept the message in unencrypted form." This common setup is not complete. It is an example of partially using IPSec that ends with a security hole. If one knows that the LAN is not secure at all, one needs to extend the IPSec path within the LAN as well.

Third, IPSec can help authenticate users as well. IPSec does not provide security by itself alone; IPSec security is a product of three nuclei: IPSec, ESP, and IKE. For simplicity, IPSec is a function of IP and keys. IPSec authenticates machines only because it looks at the IP attribute only. Yes, each machine is assigned one IP. Keys, however, are not tied to a machine at all. Keys are generated by two agents: host software (the OS kernel, or the database server) and the IKE service software. Kernel software has the concept of the current user(s). If these two agents are managed correctly and properly, the task of authenticating users can be done.

Fourth, IPSec does not stop denial of service attacks (DoSA). ("Denial of service attacks aim at causing a system to crash, overload, or become confused so that legitimate users cannot get whatever services the system is supposed to provide.") Yes, I totally agree here. Even worse, from the encryption point of view, ESP makes it harder for a security gateway to defend against DoSA. At today's gateways, several security techniques are implemented: higher-layer analysis (L2, L3, L4 parsing), header (IP, TCP, UDP) checking, packet action classifying, and probabilistic content matching. For IPSec packets, today's gateways need to revisit these security techniques, since the packets are encrypted: the same virus packets look different at the IPSec packet level. Then, is there any solution for this problem? Yes, there is one. IKE can help detect DoSA at earlier stages while setting up the keying channel or data channels. Fifth, IPSec does not stop
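As an added example (not part of the paper), the two encapsulation modes described above built in Python: ESP with the NULL cipher (RFC 2410) plus an HMAC-SHA256 integrity check value, so the layout (IP | ESP | payload in Transport mode versus new IP | ESP | original IP | payload in Tunnel mode) is visible byte by byte. Addresses, SPI values and the key are constructed; the NULL cipher and truncated HMAC are chosen so the example runs with the standard library alone, not to model a real SA.

```python
# Added example: IPv4 + ESP packet layout for Transport and Tunnel mode.
# ESP uses the NULL cipher (RFC 2410) and a 16-byte HMAC-SHA256 ICV; stdlib only.
import hashlib, hmac, ipaddress, struct

ESP_PROTO = 50        # IP protocol number of ESP
TCP_PROTO = 6
IPIP_PROTO = 4        # ESP "next header" value meaning an inner IPv4 packet
ICV_LEN = 16          # truncated HMAC-SHA256 output length

def ip_checksum(header: bytes) -> int:
    # Standard one's-complement sum over 16-bit words; 0 when a header verifies.
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header: ver/IHL, TOS, total len, id, flags/frag, TTL, proto, cksum, addrs.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    # ESP header (SPI, sequence) | payload | padding to a 4-byte boundary |
    # pad length | next header | ICV.  NULL cipher: the payload is not encrypted.
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", spi, seq) + payload + trailer
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]

def esp_decapsulate(esp: bytes, key: bytes):
    # Verify the ICV first (constant-time), then strip the trailer; returns (spi, seq, next_header, payload).
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ESP ICV check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:-(2 + pad_len)]

def transport_mode(src, dst, tcp_segment, spi, seq, key):
    # Original IP header kept (protocol field becomes ESP); ESP sits between IP header and TCP payload.
    esp = esp_encapsulate(spi, seq, tcp_segment, TCP_PROTO, key)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def tunnel_mode(gw_src, gw_dst, src, dst, tcp_segment, spi, seq, key):
    # The whole original packet (inner IP header + TCP) becomes the ESP payload; a new outer IP header is prepended.
    inner = ipv4_header(src, dst, TCP_PROTO, len(tcp_segment)) + tcp_segment
    esp = esp_encapsulate(spi, seq, inner, IPIP_PROTO, key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp
```

Decapsulating a Tunnel-mode packet yields next header 4 and the untouched inner IP header, which is why only the gateways' addresses are visible on the public network in that mode.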