Transcript Internet Protocol Security

Internet Protocol Security
Introduction
• Internet Protocol Security (IPsec) is a protocol suite for securing Internet
Protocol (IP) communications by authenticating and encrypting each IP
packet of a communication session.
• IPsec also includes protocols for establishing mutual authentication
between agents at the beginning of the session and negotiation of
cryptographic keys to be used during the session.
• IPsec is an end-to-end security scheme operating in the Internet Layer of
the Internet Protocol Suite.
•
It can be used in protecting data flows between a pair of hosts (host-tohost), between a pair of security gateways (network-to-network), or
between a security gateway and a host (network-to-host).
Cont..,
• Some other Internet security systems in widespread use, such as
Secure Sockets Layer (SSL), Transport Layer Security (TLS) and
Secure Shell (SSH), operate in the upper layers of the TCP/IP
model.
• In the past, the use of TLS/SSL had to be designed into an
application to protect the application protocols.
•
In contrast, since day one, applications did not need to be
specifically designed to use IPsec. Hence, IPsec protects any
application traffic across an IP network.
History
•
In December 1993, the experimental of IP Security swIPe (protocol) was researched
at Columbia University and AT&T Bell Labs. In July 1994, Wei Xu at Trusted
Information Systems continued this research. After several months, the research was
completed successfully on BSDI system.
•
By hacking the binary kernels, Wei had quickly extended his development on to Sun
OS, HP UX, and other UNIX system. One of the challenges was slow performance of
DES and 3DES. The software encryption can’t even support a T1 speed under the
Intel 80386 architecture. By exploring the Crypto cards from Germany, Wei Xu
further developed an automated device driver, known as plug-and-play today.
•
By achieving the throughput for more than a T1s, this work made the commercial
product practically feasible, that was released as a part of the well-known Gauntlet
firewall. In December 1994, it was the first time in production for securing some
remote sites between east and west coastal states of the United States.
Cont..,
•
Another IP Security Protocol was developed in 1995 at the Naval Research Laboratory as part
of a DARPA-sponsored research project.
•
ESP was originally derived from the SP3D protocol, rather than being derived from the ISO
Network-Layer Security Protocol (NLSP).
•
The SP3D protocol specification was published by NIST, but designed by the Secure Data
Network System project of the National Security Agency (NSA), AH is derived in part from
previous IETF standards work for authentication of the Simple Network Management
Protocol (SNMP).
•
Since 1996, the IP Security workshops were organized for standardizing the protocols. IPsec
is officially specified by the Internet Engineering Task Force (IETF) in a series of Request for
Comments documents addressing various components and extensions. It specifies the spelling
of the protocol name to be IPsec.
Authentication Header
• The authentication header provides support for data
integrity and authentication of IP packets. The data integrity
feature ensures that undetected modification to the content
of a packet in transit is not possible.
• The authentication feature enables an end system or
network device to authenticate the user or application and
filter traffic accordingly; it also prevents the address
spoofing attacks observed in today's Internet.
IPSec Authentication Header
Modes of Operation
•
•
•
•
•
•
•
IPsec can be implemented in a host-to-host transport mode, as well as in a network tunnel
mode.
Transport mode
In transport mode, only the payload of the IP packet is usually encrypted and/or authenticated.
The routing is intact, since the IP header is neither modified nor encrypted; however, when the
authentication header is used, the IP addresses cannot be translated, as this will invalidate the
hash value. The transport and application layers are always secured by hash, so they cannot be
modified in any way (for example by translating the port numbers).
A means to encapsulate IPsec messages for NAT traversal has been defined by RFC
documents describing the NAT-T mechanism.
Tunnel mode
In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated
into a new IP packet with a new IP header. Tunnel mode is used to create virtual private
networks for network-to-network communications (e.g. between routers to link sites), host-tonetwork communications (e.g. remote user access) and host-to-host communications (e.g.
private chat).
Tunnel mode supports NAT traversal.
IPSec ESP Format
An IP Security Scenario
The Scope of IPSec
•
IPSec provides three main facilities: an authentication-only function, referred to as
Authentication Header (AH), a combined authentication/ encryption function called
Encapsulating Security Payload (ESP), and a key exchange function. For virtual
private networks, both authentication and encryption are generally desired, because
it is important both to (1) assure that unauthorized users do not penetrate the virtual
private network and (2) assure that eavesdroppers on the Internet cannot read
messages sent over the virtual private network. Because both features are generally
desirable, most implementations are likely to use ESP rather than AH. The key
exchange function allows for manual exchange of keys as well as an automated
scheme.
•
The IPSec specification is quite complex and covers numerous documents. The
most important of these, issued in November 1998, are RFCs 2401, 2402, 2406, and
2408.
Benefits of IPSec
• When IPSec is implemented in a firewall or router, it provides
strong security that can be applied to all traffic crossing the
perimeter. Traffic within a company or workgroup does not incur the
overhead of security-related processing.
• IPSec is below the transport layer (TCP, UDP), so is transparent to
applications. There is no need to change software on a user or server
system when IPSec is implemented in the firewall or router. Even if
IPSec is implemented in end systems, upper layer software,
including applications, is not affected.
Cont..,
• IPSec can be transparent to end users. There is no need
to train users on security mechanisms, issue keying
material on a per-user basis, or revoke keying material
when users leave the organization.
• IPSec can provide security for individual users if
needed. This feature is useful for offsite workers and
also for setting up a secure virtual subnetwork within
an organization for sensitive applications.
See more
• http://www.cisco.com/web/about/ac123/ac147/
ac174/ac197/about_cisco_ipj_archive_article0
9186a00800c830b.html
• http://en.wikipedia.org/wiki/IPsec
The End
Thank you