IPSEC with narration

Transcript IPSEC with narration

IPsec
IPsec (IP security)
Security for transmission over IP networks

• The Internet
• Internal corporate IP networks
• IP packets sent over public switched data networks (PSDN)
Diagram: Local Network, Internet, Local Network

Why do we need IPsec?
• IP has no security
• Add security to create a virtual
private network (VPN) to give
secure communication over the
Internet or another IP network
Diagram: two local networks joined through the Internet by IPsec to form a VPN

Genesis
• Being created by the Internet
Engineering Task Force
• For both IP version 4 and IP version 6
Two Modes of operation
Tunnel Mode

• IPsec server at each site
• Secures messages going through the Internet
Diagram: Local Network, IPsec Server, Internet (secure communication), IPsec Server, Local Network

Tunnel Mode
• Hosts operate in their usual way
Tunnel mode IPsec is transparent to the hosts
• No security within the site networks
Diagram: Local Network, IPsec Server, Internet (secure communication), IPsec Server, Local Network

Two Modes of operation

Transport Mode
• End-to-end security between the
hosts
• Security within site networks as well
• Requires hosts to implement IPsec
Diagram: Local Network, Internet, Local Network, with secure communication end-to-end between the hosts

Transport Mode
• Adds a security header to IP packet
• After the main IP header
• Source and destination addresses of
hosts can be learned by interceptor
• Only the original data field is protected
Packet layout: Original IP Header | Transport Security Header | Protected Original Data Field

Tunnel Mode
• Adds a security header before the
original IP header
• Has IP addresses of the source and
destination IPsec servers only, not
those of the source and destination
hosts
• Protects the main IP header
Packet layout: Tunnel Security Header | Protected Original IP Header | Protected Original Data Field

Can combine the two modes
• Transport mode for end-to-end
security
• Plus tunnel mode to hide the IP
addresses of the source and
destination hosts during passage
through the Internet
Diagram: transport mode end-to-end between the hosts; tunnel mode between the IPsec servers across the Internet

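The following is an added Python model of the transport-mode and tunnel-mode layouts and of their combination; it is not part of the original slides. The XOR keystream and HMAC tag are stand-ins for the negotiated ESP cipher and integrity algorithm, and the packet addresses and keys are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class IPPacket:
    src: str        # source address in the outer (visible) IP header
    dst: str        # destination address in the outer (visible) IP header
    payload: bytes  # everything after the IP header

def esp_protect(plaintext: bytes, key: bytes) -> bytes:
    """Toy ESP stand-in: XOR with a hash-derived keystream, then append an HMAC tag."""
    blocks = len(plaintext) // 32 + 1
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(blocks))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def esp_unprotect(blob: bytes, key: bytes) -> bytes:
    """Verify the tag first, then decrypt (XOR is its own inverse)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("ESP integrity check failed")
    return esp_protect(ct, key)[:-32]

def transport_mode(pkt: IPPacket, key: bytes) -> IPPacket:
    # Security header after the original IP header: host addresses stay
    # readable; only the original data field is protected.
    return IPPacket(pkt.src, pkt.dst, esp_protect(pkt.payload, key))

def tunnel_mode(pkt: IPPacket, key: bytes, gw_src: str, gw_dst: str) -> IPPacket:
    # Security header before the original IP header: the whole original packet,
    # addresses included, is protected; only the IPsec servers' addresses show.
    inner = f"{pkt.src}->{pkt.dst}\n".encode() + pkt.payload
    return IPPacket(gw_src, gw_dst, esp_protect(inner, key))

def tunnel_decapsulate(pkt: IPPacket, key: bytes) -> IPPacket:
    header, _, data = esp_unprotect(pkt.payload, key).partition(b"\n")
    src, dst = header.decode().split("->")
    return IPPacket(src, dst, data)

def interceptor_view(pkt: IPPacket) -> tuple:
    # An observer on the Internet reads only the outer header's addresses.
    return pkt.src, pkt.dst

# Constructed sample: hosts on two site networks, IPsec servers at the site edges.
HOST_PKT = IPPacket("10.1.1.5", "10.2.2.9", b"GET /report HTTP/1.1")
HOST_KEY, GW_KEY = b"host-sa-key", b"gateway-sa-key"
GW_A, GW_B = "203.0.113.1", "198.51.100.1"
```

Applying transport mode at the hosts and then tunnel mode at the IPsec servers reproduces the combined layout: the Internet sees only the server addresses, and the inner packet stays protected end to end.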
Two forms of protection
Encapsulating Security Protocol (ESP) security provides confidentiality as well as authentication
Authentication Header (AH) security provides authentication but not confidentiality
• Useful where encryption is forbidden by law
• Provides slightly better authentication by providing authentication over a slightly larger part of the message, but this is rarely decisive

Modes and protection methods can be applied in any combination

        Tunnel Mode    Transport Mode
ESP     Supported      Supported
AH      Supported      Supported


Security Associations (SAs) are agreements between two hosts or two IPsec servers, depending on the mode
• “Contracts” for how security will be performed
• Negotiated
• Governs subsequent transmissions
Diagram: Host A and Host B negotiate a Security Association

Security Associations (SAs) can be
asymmetrical
• Different strengths in the two
directions
• For instance, clients and servers may
have different security needs
Diagram: one SA for messages from A to B, a separate SA for messages from B to A

Policies may limit what SAs can be
negotiated
• To ensure that SAs are adequately strong for the organization’s threats
• Gives uniformity to negotiation decisions
Diagram: Security Association negotiations between Host A and Host B, limited by policies

First, two parties negotiate IKE
(Internet Key Exchange) Security
Associations
• IKE is not IPsec-specific
• Can be used in other security
protocols
Diagram: communication between Host A and Host B governed by the IKE SA

Under the protection of
communication governed by this IKE
SA, negotiate IPsec-specific security
associations
Diagram: under the IKE SA, Host A and Host B carry out the IPsec SA negotiation

Process of Creating IKE SAs (and
other SAs)
• Negotiate security parameters within
policy limitations
• Authenticate the parties using SA-agreed
methods
• Exchange a symmetric session key using
SA-agreed method
• Communicate securely with
confidentiality, message-by-message
authentication, and message integrity
using SA-agreed method

IPsec has mandatory security
algorithms
• Uses them as defaults if no other
algorithm is negotiated
• Other algorithms may be negotiated
• But these mandatory algorithms MUST
be supported

Diffie-Hellman Key Agreement
• To agree upon a symmetric session key
to be used for confidentiality during this
session
• Also does authentication

Diffie-Hellman Key Agreement
• Each party sends the other a nonce
(random number)
• The nonces will almost certainly be
different
• Nonces are not sent confidentially
Diagram: Party A sends Nonce A to Party B; Party B sends Nonce B to Party A

Diffie-Hellman Key Agreement
• From the different nonces, each party
will be able to compute the same
symmetric session key for
subsequent use
• No exchange of the key; instead,
agreement on the key
Diagram: from the nonces, Party A and Party B independently compute the same symmetric session key