Transcript IPSec

IPSec
Zeen Rachidi
David Salim
Archana Mehta
Agenda
 Definition of IPSec
 IPSec Architecture
 Encapsulating Security Payload and Authentication Header
 Encryption and Authentication Algorithms
 Internet Key Exchange mechanism
 Scenarios for deploying
 Implementation
 Benefits
 Limitations
 Current areas of research
Definition of IPSec
 IPSec is an abbreviation for IP Security. It is used to transfer data securely over unprotected networks such as the Internet.
 It acts at the network layer and is part of IPv6.
 The protocol/process is as follows:
 Sender encrypts packets before sending them on the network.
 Receiver authenticates packets.
 Anti-replay checks reject duplicate packets, preventing DoS attacks.
 IKE is the key exchange mechanism used to exchange keys securely.
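An added example, not part of the original slides: the receiver-side anti-replay check as a sliding window over ESP/AH sequence numbers. The window size of 4 and the arrival sequence are constructed for illustration (a 64-packet window is the usual default); the check runs before integrity verification and the window only advances after it succeeds.

```python
class ReplayWindow:
    """Receiver-side sliding window over ESP/AH sequence numbers."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => (top - i) was already accepted

    def check(self, seq):
        """True if seq has not been seen and is not left of the window."""
        if seq == 0:
            return False                    # sequence numbers start at 1
        if seq > self.top:
            return True                     # new, right of the window
        offset = self.top - seq
        return offset < self.size and not (self.bitmap >> offset) & 1

    def update(self, seq):
        """Record seq; call only after the packet's integrity check passed."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive(window, seq, icv_ok):
    """Order matters: cheap replay check, then integrity, then window update."""
    if not window.check(seq):
        return "drop: replayed or too old"
    if not icv_ok:
        return "drop: bad ICV"              # forged packet must not move the window
    window.update(seq)
    return "accept"


def demo():
    # Constructed arrivals: (sequence number, did the integrity check pass?)
    arrivals = [(1, True), (3, True), (2, True), (3, True), (9, False),
                (8, True), (4, True), (5, True), (5, True)]
    w = ReplayWindow(size=4)
    return [receive(w, seq, ok) for seq, ok in arrivals]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```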
IPSec Architecture
Below are the various RFCs defined for IPSec
Source: IPSec Architecture Overview
IPSec Architecture
 RFC 2401 – Overall security architecture and services offered by IPSec.
 Authentication Protocols
 RFC 2402 – IP Authentication Header processing (inbound/outbound packets)
 RFC 2403 – Use of MD5 with Encapsulating Security Payload and Authentication Header
 RFC 2404 – Use of SHA-1 with Encapsulating Security Payload and Authentication Header
 ESP Protocol
 RFC 2405 – Use of DES-CBC, which is a symmetric secret-key block algorithm (block size 64 bits).
 RFC 2406 – IP Encapsulating Security Payload processing (inbound/outbound packets)
 RFC 2407 – Determines how to use ISAKMP for IPSec
IPSec Architecture – Key Management
 RFC 2408 (Internet Security Association and Key Management Protocol - ISAKMP)
 Common framework for exchanging keys securely.
 Defines the format of Security Association (SA) attributes and how SAs are negotiated, modified, and deleted.
 A Security Association contains information such as keys, source and destination addresses, and the algorithms used.
 Independent of the key exchange mechanism.
 RFC 2409 – Internet Key Exchange
 Mechanisms for generating and exchanging keys securely.
Encapsulating Security Payload
 Designed to provide both confidentiality and integrity protection
 Everything after the IP header is encrypted
 The ESP header is inserted after the IP header
Authentication Header
 Designed for integrity only
 Certain fields of the IP header and everything after the IP header are protected
 Provides protection to the immutable parts of the IP header
Encryption Algorithms
Some of the standard encryption algorithms implemented in IPSec are:
 3DES
 AES
 NULL
Authentication Algorithms
 Used to achieve integrity protection of data
 Everything after the IP header is hashed
 Hash is attached to the IP header as an integrity checksum
 Destination host generates a hash using the same algorithm and compares it to the one attached to the packet
Internet Key Exchange
Phase 1 achieves mutual authentication and establishes an IKE Security Association (SA). Three key options include:
 Public Key Encryption
 Public Key Signature
 Symmetric Key
Phase 2 establishes the ESP/AH SA
IPSec Transport Mode
 AH or ESP header is inserted between the IP header and payload
IP Header | AH/ESP | Data
 Encrypts only the data portion of the packet
 Designed for host-to-host communication where routing information is needed
IPSec Tunnel Mode
 Original IP packet is placed in new IP packet with AH or ESP header
IP Header | Data (Original IP Packet)
IP Header | AH/ESP | Data
 Designed for gateway-to-gateway communication
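An added example, not part of the original slides: the same packet wrapped by ESP in transport mode and in tunnel mode, followed by the receiver's hash comparison described under Authentication Algorithms. It assumes NULL encryption with an HMAC-SHA1-96 integrity value (so only framing and integrity are shown), IPv4 without options, and made-up addresses, SPI and key.

```python
import hmac, hashlib, socket, struct

ESP, TCP, IPIP = 50, 6, 4          # IP protocol numbers
ICV_LEN = 12                       # HMAC-SHA1-96 keeps the first 96 bits

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum(struct.unpack("!10H", hdr))
    csum = (csum & 0xFFFF) + (csum >> 16)
    csum = ~((csum & 0xFFFF) + (csum >> 16)) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def esp(spi, seq, inner, next_hdr, key):
    """ESP, NULL encryption: SPI | seq | payload | pad | pad len | next | ICV."""
    pad = bytes(range(1, (-(len(inner) + 2)) % 4 + 1))   # align to 4 bytes
    body = struct.pack("!II", spi, seq) + inner + pad + bytes([len(pad), next_hdr])
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def transport(pkt, spi, seq, key):
    """Keep the original addresses; ESP sits between IP header and payload."""
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return ipv4(src, dst, ESP, esp(spi, seq, pkt[20:], pkt[9], key))

def tunnel(pkt, gw_src, gw_dst, spi, seq, key):
    """The whole original packet becomes the payload of a new gateway packet."""
    return ipv4(gw_src, gw_dst, ESP, esp(spi, seq, pkt, IPIP, key))

def verify(pkt, key):
    """Receiver: recompute the hash, compare, return (next_hdr, payload)."""
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    good = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, good):
        raise ValueError("ICV mismatch: packet rejected")
    pad_len, next_hdr = body[-2], body[-1]
    return next_hdr, body[8:len(body) - 2 - pad_len]

# Constructed sample data (addresses, SPI and key are made up for this example).
KEY = b"k" * 20
ORIG = ipv4("10.0.1.5", "10.0.2.9", TCP, b"segment-bytes")
T = transport(ORIG, 0x1001, 1, KEY)
U = tunnel(ORIG, "192.0.2.1", "198.51.100.1", 0x1001, 1, KEY)
```

In `T` the outer header still carries the original host addresses, while in `U` the outer header carries the gateway addresses and the original header travels inside the ESP payload.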
Tunnel vs Transport Mode
 Transport mode is more efficient
 Transport mode hides all information of the original packet
 Transport mode is not needed
IPSec Implementation
 Bump-in-stack
 Update OS network stack
 Adding software that binds to the network stack can cause software conflicts
 Bump-in-wire
 Attach a network device that performs IPSec processing
 Transparent to hosts
Benefits of IPSec
 Operates at the network layer
 Application agnostic
 An Internet standard
 Extensible hash and encryption algorithms
Limitations of IPSec
 Complex
 Configuration
 Lengthy key pairs need to be configured on client and server
 Performance / Processing Overhead
 NAT incompatibilities
 Firewall incompatibilities
Current areas of research
 Stronger encryption and authentication algorithms.
 Better Public Key Infrastructure that is simpler, easier to manage and more secure.
 Security with non-IP protocols such as Fibre Channel.