IPSEC with narration
Download
Report
Transcript IPSEC with narration
IPsec
IPsec (IP security)
Security for transmission over IP
networks
• The Internet
• Internal corporate IP networks
• IP packets sent over public switched
data Local
networks (PSDN)
Local
Network
Internet
Network
IPsec
Why do we need IPsec?
• IP has no security
• Add security to create a virtual
private network (VPN) to give
secure communication over the
Internet or another IP network
Local
Network
Internet
Local
Network
IPsec
Genesis
• Being created by the Internet
Engineering Task Force
• For both IP version 4 and IP version 6
IPsec
Two Modes of operation
Tunnel Mode
• IPsec server at each site
• Secures messages going through the
Internet Local
Local
Internet
Network
Secure Communication
Network
IPsec
Server
IPsec
Tunnel Mode
• Hosts operate in their usual way
Tunnel mode IPsec is transparent to the
hosts
• No security within the site networks
Local
Network
Secure Communication
Internet
Local
Network
IPsec
Server
IPsec
Two Modes of operation
Transport Mode
• End-to-end security between the
hosts
• Security within site networks as well
• Requires hosts to implement IPsec
Local
Network
Secure Communication
Internet
Local
Network
IPsec
Transport Mode
• Adds a security header to IP packet
• After the main IP header
• Source and destination addresses of
hosts can be learned by interceptor
• Only the original data field is protected
Original
IP Header
Transport
Security
Header
Protected
Original Data Field
IPsec
Tunnel Mode
• Adds a security header before the
original IP header
• Has IP addresses of the source and
destination IPsec servers only, not
those of the source and destination
hosts
• Protects the main IP header
Tunnel
Security
Header
Protected
Original
IP Header
Protected
Original Data Field
IPsec
Can combine the two modes
• Transport mode for end-to-end
security
• Plus tunnel mode to hide the IP
addresses of the source and
destination hosts during passage
through the Internet
Local
Network
Tunnel Mode
Internet
Local
Network
Transport Mode
IPsec
Two forms of protection
Encapsulating Security Protocol (ESP)
security provides confidentiality as well as
authentication
Authentication Header (AH) security
provides authentication but not
confidentiality
• Useful where encryption is forbidden by law
• Provides slightly better authentication by
providing authentication over a slightly larger
part of the message, but this is rarely decisive
IPsec
Modes and protection methods can
be applied in any combination
Tunnel
Mode
Transport
Mode
ESP Supported Supported
AH
Supported Supported
IPsec
Security Associations (SAs) are
agreements between two hosts or
two IPsec servers, depending on
the mode
“Contracts” for how security will be
performed
Negotiated
Governs subsequent transmissions
Host A
Negotiate
Security Association
Host B
IPsec
Security Associations (SAs) can be
asymmetrical
• Different strengths in the two
directions
• For instance, clients and servers may
have different security needs
SA for messages
From A to B
Host A
Host B
SA for messages
From B to A
IPsec
Policies may limit what SAs can be
negotiated
• To ensure that adequately strong SAs
for the organization’s threats
• Gives uniformity to negotiation
decisions
Host A
Security Association
Negotiations Limited
By Policies
Host B
IPsec
First, two parties negotiate IKE
(Internet Key Exchange) Security
Associations
• IKE is not IPsec-specific
• Can be used in other security
protocols
Host A
Communication
Governed by
IKE SA
Host B
IPsec
Under the protection of
communication governed by this IKE
SA, negotiate IPsec-specific security
associations
Host A
Communication
Governed by
IKE SA
IPsec SA Negotiation
Host B
IPsec
Process of Creating IKE SAs (and
other SAs)
• Negotiate security parameters within
policy limitations
• Authenticate the parties using SA-agreed
methods
• Exchange a symmetric session key using
SA-agreed method
• Communicate securely with
confidentiality, message-by-message
authentication, and message integrity
using SA-agreed method
IPsec
IPsec has mandatory security
algorithms
• Uses them as defaults if no other
algorithm is negotiated
• Other algorithms may be negotiated
• But these mandatory algorithms MUST
be supported
IPsec
Diffie-Hellman Key Agreement
• To agree upon a symmetric session key
to be used for confidentiality during this
session
• Also does authentication
Party A
Party B
IPsec
Diffie-Hellman Key Agreement
• Each party sends the other a nonce
(random number)
• The nonces will almost certainly be
different
• Nonces are not sent confidentially
Nonce B
Party A
Party B
Nonce A
IPsec
Diffie-Hellman Key Agreement
• From the different nonces, each party
will be able to compute the same
symmetric session key for
subsequent use
• No exchange of the key; instead,
agreement on the key
Symmetric Key
Party A
Symmetric Key
From nonces,
independently compute
same symmetric
session key
Party B