IP Security
By Chetan Dhakan
What is IP Security?
- IP security refers to security mechanisms implemented at the IP (Internet
Protocol) layer to provide integrity, authentication and confidentiality for
data in transit across the open Internet.
- The standard set of such mechanisms is IPSec, developed by the IETF (Internet
Engineering Task Force), the main standards organization for the Internet.
What is TCP/IP?
TCP/IP (Transmission Control Protocol/Internet Protocol) is the set of
protocols that enables communication between computers.
It is the most widely used suite of communication protocols and is
required for communication on the Internet.
Features of TCP/IP
Support from vendors
- TCP/IP is supported by all major software and hardware vendors.
Interoperability
- A reason for its popularity is that the suite can be installed and used on
virtually every platform, eliminating cross-platform boundaries. Eg. a Unix host
can communicate and transfer data with a Windows host.
Flexibility
- It is a very flexible protocol suite, giving users flexibility in a number of
aspects. Eg. an administrator can assign an IP address to a host manually or
automatically (DHCP), and name resolution (DNS) maps a human-readable name to
that address.
Routability
- TCP/IP allows data to be routed from one segment of the network to another, or
from a host on one network to a host on a network in a different part of the world.
The origins of the Internet: ARPAnet
The Internet was originally conceived by the Advanced Research
Projects Agency (ARPA) of the U.S. government in 1969 and was known
as ARPAnet.
It was designed to enable U.S. military leaders to stay in contact in
case of a nuclear war. The protocol used in ARPAnet was called
Network Control Protocol (NCP).
NCP had too many limitations and was not robust enough for the
larger network that was then in development.
After much testing and development, on Jan 1, 1983 ARPAnet
switched to TCP/IP.
What are Protocols?
A protocol is a rule, or set of rules and standards, for
communicating that computers use when they send data back
and forth.
When two computers want to communicate they need to agree on
what the data will look like (the placement of 1s and 0s) and on
which protocols to use.
A combination of protocols is called a protocol suite or a
protocol stack. Examples include IPX/SPX, AppleTalk and TCP/IP.
The OSI Reference Model
The Open Systems Interconnection (OSI) Model is made up of
seven layers and is used to break down the many tasks involved in
moving data from one host to another.
The OSI model acts as a baseline for creating and comparing
networking protocols.
The Seven Layers of the OSI Model
Application Layer
-The purpose is to manage communication between applications.
- The layer where applications receive and request data.
Presentation Layer
- Adds structure to packets of data being exchanged.
- Makes sure message transmitted is understood by the receiving computer.
Session Layer
- Controls the dialogue during communications.
- Allows machines to establish sessions between them.
Transport Layer
- Provides end-to-end delivery between hosts; it can guarantee that packets
are received (as TCP does) or leave that to the application (as UDP does).
- Determines the type of service to provide to the Session layer.
The Seven Layers of the OSI Model
Network Layer
- Is responsible for routing the packets based on its logical address.
Data-Link Layer
- Is where data is prepared for final delivery to the network. The packet is
encapsulated into a frame.
- Made up of two sub layers: Logical Link Control sub layer (LLC) and the
Media Access Control sub layer (MAC).
Physical Layer
- This is concerned with transmitting raw bits over a communication channel.
IP Security Overview
IPSec is not a single protocol.
Instead, IPSec provides a set of security algorithms plus a
general framework that allows a pair of communicating entities to
use whichever algorithms provide security appropriate for the
communication.
IP Security Overview
Applications of IPSec
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
IP Security functional areas
Authentication
- Assures the received packet was transmitted by the party
identified as the source.
Confidentiality
- Protection of data content during transmission from third parties.
Key Management
- Is concerned with the secure exchange of keys.
How can IP Security be achieved?
There are two security headers that can be attached to an IP packet to
achieve security. They are the IP Authentication Header (AH) and
the IP Encapsulating Security Payload (ESP) header.
The IP Authentication Header (AH) provides connectionless integrity
and data origin authentication for IP datagrams and, optionally,
protection against replays.
The IP Encapsulating Security Payload (ESP) header provides
confidentiality for IP datagrams and, optionally, integrity and data
origin authentication (with anti-replay); unlike AH it does not cover
the outer IP header.
IP Security Scenario
IP Security Overview
Benefits of IPSec
Transparent to applications (it sits below the transport layer, TCP and UDP)
Provides security for individual users
IPSec can assure that:
A router or neighbor advertisement comes from an authorized
router
A redirect message comes from the router to which the initial
packet was sent
A routing update is not forged
IP Security Architecture
IPSec documents:
RFC 2401: An overview of the security architecture
RFC 2402: Description of the packet authentication extension (AH) to IPv4
and IPv6
RFC 2406: Description of the packet encryption extension (ESP) to IPv4
and IPv6
RFC 2408: Specification of key management capabilities (ISAKMP)
These are the original IPSec RFCs; they have since been obsoleted by
RFC 4301 (architecture), RFC 4302 (AH), RFC 4303 (ESP) and RFC 7296
(IKEv2, which replaces ISAKMP/IKEv1 for key management).
IPSec Document Overview
IPSec Services
Access Control
Connectionless integrity
Data origin authentication
Rejection of replayed packets
Confidentiality (encryption)
Limited traffic flow confidentiality
Security Associations (SA)
A one-way relationship between a sender and a receiver that defines
the security services applied to the traffic it carries; a two-way
exchange therefore needs two SAs, one in each direction.
Identified by three parameters:
Security Parameter Index (SPI)
IP Destination address
Security Protocol Identifier (AH or ESP)
                 Transport Mode SA                         Tunnel Mode SA
AH               Authenticates IP payload and selected     Authenticates entire inner IP packet
                 portions of IP header and IPv6            (inner header plus IP payload) plus
                 extension headers.                        selected portions of outer IP header.
ESP              Encrypts IP payload and any IPv6          Encrypts inner IP packet.
                 extension headers following the ESP
                 header.
ESP with         Encrypts IP payload and any IPv6          Encrypts inner IP packet.
authentication   extension headers following the ESP       Authenticates inner IP packet.
                 header. Authenticates IP payload
                 but not IP header.
Before applying AH
Transport Mode (AH Authentication)
Tunnel Mode (AH Authentication)
Authentication Header
Provides data integrity and authentication of IP packets using a
message authentication code (MAC) computed over the payload and the
immutable parts of the IP header.
Guards against replay attacks using a sequence number checked against
a sliding window at the receiver.
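The following is an added example, not code from the slides or from Stallings: transport-mode AH over a constructed IPv4 header, with the mutable header fields zeroed before the ICV is computed, followed by the sliding anti-replay window of RFC 2401 Appendix C. HMAC-SHA-1-96 as the MAC, the 64-entry window size, the key and the packet contents are assumptions of this demo.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51        # IP protocol number of the Authentication Header
ICV_LEN = 12         # HMAC-SHA-1-96 (RFC 2404): 160-bit tag truncated to 96 bits
IPV4_FMT = "!BBHHHBBH4s4s"

def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options) whose next protocol is AH."""
    fields = [0x45, 0, total_len, 0x1234, 0x4000, ttl, AH_PROTO, 0, src, dst]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields)

def zero_mutable_ipv4_fields(hdr: bytes) -> bytes:
    """RFC 2402: TOS, flags/fragment offset, TTL and header checksum may change in
    transit, so they are zeroed before the ICV is computed; the rest of a 20-byte
    header (addresses, length, protocol, ...) is covered by the MAC."""
    h = bytearray(hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH: Next Header | Payload Len (32-bit words minus 2) | Reserved | SPI | Seq | ICV."""
    return struct.pack("!BBHII", next_header, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def ah_protect(key, ip_hdr, payload, spi, seq, next_header=17):
    """Outbound: ICV over immutable IP header || AH with zeroed ICV || payload."""
    covered = (zero_mutable_ipv4_fields(ip_hdr)
               + build_ah(next_header, spi, seq, bytes(ICV_LEN)) + payload)
    return ip_hdr + build_ah(next_header, spi, seq, hmac_sha1_96(key, covered)) + payload

def ah_verify(key, packet):
    """Inbound: returns (icv_ok, spi, seq, payload)."""
    ip_hdr, rest = packet[:20], packet[20:]
    next_header, ah_words, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (ah_words + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    covered = (zero_mutable_ipv4_fields(ip_hdr)
               + build_ah(next_header, spi, seq, bytes(len(icv))) + payload)
    return hmac.compare_digest(icv, hmac_sha1_96(key, covered)), spi, seq, payload

class ReplayWindow:
    """Sliding anti-replay window (RFC 2401 Appendix C), kept per inbound SA.
    Bit i of the bitmap records whether sequence number (last - i) was seen."""
    def __init__(self, size: int = 64):
        self.size, self.last, self.bitmap = size, 0, 0
    def accept(self, seq: int) -> bool:
        if seq == 0:                       # sequence numbers start at 1
            return False
        if seq > self.last:                # right of window: slide it forward
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        offset = self.last - seq
        if offset >= self.size:            # left of window: too old, drop
            return False
        if self.bitmap & (1 << offset):    # inside window and already seen: replay
            return False
        self.bitmap |= 1 << offset         # inside window and new: mark and accept
        return True

def demo() -> dict:
    key = bytes(range(20))                              # constructed 160-bit HMAC key
    payload = b"constructed UDP payload!"               # constructed, 24 bytes
    hdr = ipv4_header(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 20 + 24 + len(payload))
    pkt = ah_protect(key, hdr, payload, spi=0x1000, seq=1)
    ok, spi, seq, out = ah_verify(key, pkt)
    hop = bytearray(pkt); hop[8] -= 1                   # a router decrements TTL (mutable)
    tampered = bytearray(pkt); tampered[-1] ^= 0x01     # an attacker flips a payload bit
    window = ReplayWindow()
    return {
        "verified": ok and out == payload,
        "survives_ttl_decrement": ah_verify(key, bytes(hop))[0],
        "detects_tamper": not ah_verify(key, bytes(tampered))[0],
        "first_seq_accepted": window.accept(seq),
        "replay_rejected": not window.accept(seq),
    }

if __name__ == "__main__":
    print(demo())
```

The TTL change survives because that field is excluded from the MAC; the flipped payload bit does not, and the second delivery of the same sequence number is dropped by the window even though its ICV is valid. Real packets would also have the checksum recomputed on each hop, which is why it is zeroed along with the TTL.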
End-to-end versus End-to-Intermediate Authentication
Encapsulating Security Payload
ESP provides confidentiality services and, optionally, the same integrity and
authentication services as AH (minus coverage of the outer IP header).
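An added example (not from the slides or from Stallings) serving both the Security Associations slide and this one: a Security Association Database keyed by the triple (SPI, destination, protocol), and transport-mode ESP framing with the trailer (padding, pad length, next header) and an HMAC-SHA-1-96 ICV. The cipher is ESP_NULL (RFC 2410) so that the framing and the verify-before-decrypt order are visible; the keys, addresses and payload are constructed, and a real SA would hold an AES key and IV handling where the identity functions sit.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Callable

ESP_PROTO = 50      # IP protocol number for ESP
ICV_LEN = 12        # HMAC-SHA-1-96 (RFC 2404) truncates the tag to 96 bits

@dataclass
class SecurityAssociation:
    """One direction of protection: a bidirectional flow needs two SAs."""
    spi: int
    dst: bytes
    protocol: int               # 50 = ESP, 51 = AH
    auth_key: bytes
    # ESP_NULL (RFC 2410): the 'cipher' is the identity (demo assumption).
    encrypt: Callable[[bytes], bytes] = lambda data: data
    decrypt: Callable[[bytes], bytes] = lambda data: data

class SADatabase:
    """Inbound SAs are found by (SPI, destination address, protocol)."""
    def __init__(self):
        self._sas = {}
    def add(self, sa: SecurityAssociation) -> None:
        self._sas[(sa.spi, sa.dst, sa.protocol)] = sa
    def lookup(self, spi: int, dst: bytes, protocol: int):
        return self._sas.get((spi, dst, protocol))

def esp_icv(sa: SecurityAssociation, data: bytes) -> bytes:
    return hmac.new(sa.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]

def esp_encapsulate(sa, seq, payload, next_header, block_size=4):
    """Outbound: SPI | Seq | ciphertext(payload | pad | pad len | next header) | ICV."""
    pad_len = (-(len(payload) + 2)) % block_size     # trailer ends on a block boundary
    padding = bytes(range(1, pad_len + 1))           # RFC 2406 default padding 1, 2, 3, ...
    plaintext = payload + padding + bytes([pad_len, next_header])
    body = struct.pack("!II", sa.spi, seq) + sa.encrypt(plaintext)
    return body + esp_icv(sa, body)                  # ICV covers everything but itself

def esp_decapsulate(sadb: SADatabase, dst: bytes, packet: bytes):
    """Inbound: find the SA by (SPI, dst, ESP), verify the ICV, only then decrypt."""
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sadb.lookup(spi, dst, ESP_PROTO)
    if sa is None:
        raise ValueError("no SA for (SPI, dst, ESP): drop")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, esp_icv(sa, body)):
        raise ValueError("ICV mismatch: drop before decrypting")
    plaintext = sa.decrypt(body[8:])
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return seq, next_header, plaintext[:len(plaintext) - 2 - pad_len]

def is_dropped(sadb, dst, packet) -> bool:
    try:
        esp_decapsulate(sadb, dst, packet)
        return False
    except ValueError:
        return True

def demo() -> dict:
    host_a, host_b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    sadb = SADatabase()
    # Two one-way SAs with independent (constructed) keys: A->B and B->A.
    sadb.add(SecurityAssociation(0x100, host_b, ESP_PROTO, b"A" * 20))
    sadb.add(SecurityAssociation(0x200, host_a, ESP_PROTO, b"B" * 20))
    sa_out = sadb.lookup(0x100, host_b, ESP_PROTO)
    pkt = esp_encapsulate(sa_out, 1, b"constructed UDP datagram", next_header=17)
    tampered = bytearray(pkt); tampered[10] ^= 0x01   # one flipped ciphertext byte
    return {
        "roundtrip": esp_decapsulate(sadb, host_b, pkt) == (1, 17, b"constructed UDP datagram"),
        "wrong_dst_dropped": is_dropped(sadb, host_a, pkt),   # triple does not match any SA
        "tamper_dropped": is_dropped(sadb, host_b, bytes(tampered)),
    }

if __name__ == "__main__":
    print(demo())
```

The same packet delivered to the other host is dropped because the SA lookup uses the destination address as well as the SPI, and the tampered packet is rejected on the ICV check before any decryption or padding parsing is attempted, which is the order that keeps padding oracles out of the receive path.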
Encryption and Authentication Algorithms
Encryption:
Three-key triple DES
RC5
IDEA
Three-key triple IDEA
CAST
Blowfish
Authentication:
HMAC-MD5-96
HMAC-SHA-1-96
These are the algorithms of the original ESP/AH RFCs. Current guidance
(RFC 8221) makes AES-GCM and AES-CBC the mandatory ciphers, rates
HMAC-MD5-96 as MUST NOT and triple DES as SHOULD NOT, and no longer
lists the other legacy ciphers.
ESP Encryption and Authentication
Combinations of Security Associations
Key Management
Two types:
Manual: an administrator configures the keys and SAs on each system by hand.
Automated: keys and SAs are created on demand; IPSec's automated key
management (IKE) is built from
Oakley Key Determination Protocol (a Diffie-Hellman based key exchange)
Internet Security Association and Key Management Protocol
(ISAKMP), which supplies the framework and message formats
Oakley
A refinement of Diffie-Hellman key exchange that adds cookies to thwart
clogging (denial-of-service) attacks, nonces to thwart replay, and
authentication of the exchanged public values.
Three authentication methods:
Digital signatures
Public-key encryption
Symmetric-key encryption
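An added example, not from the slides or from Stallings, of an exchange in the spirit of Oakley's symmetric-key authentication method: a stateless responder cookie that is checked before any expensive work, nonces from both sides, a Diffie-Hellman exchange, and a pre-shared key that authenticates the public values through a keyed PRF. The message layout, the HMAC-SHA-256 PRF, the identities and the tiny 255-bit group are assumptions of this demo and not a standard Oakley or IKE group; a deployment would use an RFC 3526 MODP group or ECDH.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (assumption): far too small for real use, kept for brevity.
P = 2**255 - 19
G = 2

def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed pseudo-random function; HMAC-SHA-256 assumed here."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def i2b(n: int) -> bytes:
    return n.to_bytes(32, "big")

def make_cookie(secret: bytes, src: bytes, dst: bytes) -> bytes:
    """Anti-clogging cookie: a keyed hash of the peer addresses that the responder
    can recompute, so no per-peer state or DH exponentiation is spent until the
    initiator proves it can receive traffic at its claimed address."""
    return prf(secret, src, dst)[:8]

def run_exchange(psk_i: bytes, psk_r: bytes, forge_cookie: bool = False) -> dict:
    addr_i, addr_r = b"10.0.0.1", b"10.0.0.2"          # constructed addresses
    id_i, id_r = b"initiator", b"responder"            # constructed identities
    resp_secret = secrets.token_bytes(16)              # responder's private cookie secret

    # Msg 1 (I->R): initiator cookie.  Msg 2 (R->I): responder cookie, stateless.
    cky_i = secrets.token_bytes(8)
    cky_r = make_cookie(resp_secret, addr_i, addr_r)
    if forge_cookie:                                   # a spoofer never saw msg 2
        cky_r = secrets.token_bytes(8)

    # Msg 3 (I->R): both cookies, g^x, nonce Ni, identity.
    x = secrets.randbelow(P - 2) + 1
    gx, n_i = pow(G, x, P), secrets.token_bytes(16)
    # The responder checks the cookie BEFORE doing its own exponentiation.
    if not hmac.compare_digest(cky_r, make_cookie(resp_secret, addr_i, addr_r)):
        return {"accepted": False, "reason": "bad cookie"}

    # Msg 4 (R->I): g^y, nonce Nr, identity, and the responder's proof of PSK knowledge.
    y = secrets.randbelow(P - 2) + 1
    gy, n_r = pow(G, y, P), secrets.token_bytes(16)
    skeyid_r = prf(psk_r, n_i, n_r)                    # nonces from both sides bind freshness
    auth_r = prf(skeyid_r, i2b(gy), i2b(gx), cky_r, cky_i, id_r)

    # The initiator verifies that proof with its own PSK, then proves itself.
    skeyid_i = prf(psk_i, n_i, n_r)
    if not hmac.compare_digest(auth_r, prf(skeyid_i, i2b(gy), i2b(gx), cky_r, cky_i, id_r)):
        return {"accepted": False, "reason": "responder authentication failed"}
    auth_i = prf(skeyid_i, i2b(gx), i2b(gy), cky_i, cky_r, id_i)
    # Msg 5 (I->R): initiator's proof; the responder verifies it.
    if not hmac.compare_digest(auth_i, prf(skeyid_r, i2b(gx), i2b(gy), cky_i, cky_r, id_i)):
        return {"accepted": False, "reason": "initiator authentication failed"}

    # Both sides derive SA key material from the DH secret, bound to the cookies.
    key_i = prf(skeyid_i, i2b(pow(gy, x, P)), cky_i, cky_r)
    key_r = prf(skeyid_r, i2b(pow(gx, y, P)), cky_i, cky_r)
    return {"accepted": True, "key_i": key_i, "key_r": key_r}

if __name__ == "__main__":
    print(run_exchange(b"constructed psk", b"constructed psk")["accepted"])
```

With matching pre-shared keys both sides end with the same key material; a mismatched key fails at the responder's proof before the initiator reveals anything, and a forged cookie is refused before the responder spends a modular exponentiation, which is the clogging defence the cookie exists for.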
ISAKMP
Defines the procedures and packet formats used to establish, negotiate,
modify and delete Security Associations; it is independent of the key
exchange algorithm itself.
References
Network Security Essentials by William Stallings
http://www.ietf.org/html.charters/ipsec-charter.html
http://www.networkmagazine.com/article/NMG20000711S0001
Good Bye and Have a Nice Day.