IPSec – IP Security Protocol

By Archis Raje

What is IPSec?
• IP Security – a set of extensions developed by the IETF to provide privacy and authentication to IP.
• To protect the contents of an IP datagram, the data is transformed using cryptography.

Why do we need IPSec?
Because IP is insecure – you can
• Forge the IP address
• Modify packet contents
• Replay old content
• Inspect packet content during transit

How does it work?
A combination of:
• Cryptographic protocols
• Security mechanisms

What Does IPSec Provide?
• Access control to network elements.
• Data origin authentication.
• Connectionless integrity for protocols such as UDP.
• Detection and rejection of replayed packets.
• Use of encryption to provide data confidentiality.
• Limited traffic flow confidentiality.

• Since the IPSec services are offered at the network layer of the TCP/IP protocol stack, these services can be used by any of the upper-layer protocols such as TCP, UDP, ICMP and IGMP, or by any application layer protocol.
• IPSec provides cryptography-based security for IPv4 and IPv6 datagrams.

How?
Using two traffic security protocols:
• Authentication header (AH).
• Encapsulating security payload (ESP).
And through the use of cryptographic-key management procedures and protocols such as:
• Internet key exchange (IKE) protocol.
Together, the security protocols provide:
• Data confidentiality
• Limited traffic flow confidentiality
• Connectionless integrity
• Data origin authentication
• Anti-replay service

Modes of Operation of AH and ESP
• Transport mode
• Tunnel mode

Transport Mode
AH transformation:
Before: [IP Header] [TCP/UDP Header] [Upper layer payload]
After:  [IP Header] [AH Header] [TCP/UDP Header] [Upper layer payload]
(Figure; bracket label in the original: Authenticated)

Transport Mode
ESP transformation:
Before: [IP Header] [TCP/UDP Header] [Upper layer payload]
After:  [IP Header] [ESP Header] [TCP/UDP Header] [Upper layer payload] [ESP Trailer] [ESP auth]
(Figure; bracket labels in the original: Encrypted, Authenticated)

Tunnel Mode
AH transformation:
Before: [IP Header] [TCP/UDP Header] [Upper layer payload]
After:  [IP Header] [AH Header] [IP Header] [TCP/UDP Header] [Upper layer payload]
(Figure; bracket label in the original: Authenticated)

Tunnel Mode
ESP transformation:
Before: [IP Header] [TCP/UDP Header] [Upper layer payload]
After:  [IP Header] [ESP Header] [IP Header] [TCP/UDP Header] [Upper layer payload] [ESP Trailer] [ESP auth]
(Figure; bracket labels in the original: Encrypted, Authenticated)

Communication
• The IKE protocol is used to negotiate the cryptographic algorithm choices to be utilized by AH and ESP, and to put in place the necessary cryptographic keys that the algorithms require.
• IPSec can implement a different security policy/encryption algorithm for different subnets, nodes, etc.
• It does this by the use of a Security Association (SA).

Security Association
An agreement between communicating peers on factors such as:
• IPSec protocol
• Mode of operation of the protocols (transport mode or tunnel mode)
• Cryptographic algorithms
• Cryptographic keys
• Lifetime of the keys
SAs are simplex (unidirectional).

SAD – Security Association Database
• Stores SA parameters communicated by IKE.
• Contents are –
  • Sequence number counter
  • Sequence counter overflow flag
  • Anti-replay window
  • IPSec protocol mode
  • Path maximum transfer unit (PMTU)
  • Lifetime of the SA

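The sequence number and anti-replay window kept in the SAD are what let a receiver detect and reject replayed packets. The following is an added example, not part of the original slides: a receiver-side sliding-window check in the style described in RFC 4303, assuming 32-bit sequence numbers and a 64-packet window. The class, method and function names are hypothetical, and the arrival list is constructed.

```python
# Added illustration: receiver-side anti-replay check for one inbound SA.
# Names are hypothetical; 32-bit sequence numbers, no extended sequence numbers.

class InboundSA:
    def __init__(self, window_size=64):
        self.window_size = window_size
        self.highest = 0      # highest authenticated sequence number seen
        self.bitmap = 0       # bit i set => (highest - i) already received

    def check(self, seq):
        """Cheap pre-check done before the integrity check (ICV)."""
        if seq == 0:
            return False                      # first valid packet carries 1
        if seq > self.highest:
            return True                       # right of the window: new
        offset = self.highest - seq
        if offset >= self.window_size:
            return False                      # too old, left of the window
        return not (self.bitmap >> offset) & 1   # False if already seen

    def update(self, seq):
        """Advance the window; call only after the ICV has verified."""
        mask = (1 << self.window_size) - 1
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq, icv_ok):
        """Return 'accept', 'drop' (duplicate or stale) or 'bad-icv'."""
        if not self.check(seq):
            return "drop"
        if not icv_ok:
            return "bad-icv"                  # forged packet must not move the window
        self.update(seq)
        return "accept"


def run_demo():
    sa = InboundSA(window_size=64)
    # Constructed arrivals: (sequence number, did the ICV verify?)
    arrivals = [(1, True), (3, True), (2, True), (3, True),
                (500, False), (100, True), (36, True), (37, True), (4, True)]
    return [sa.receive(seq, ok) for seq, ok in arrivals]
```

Updating the window only after the integrity check passes matters: otherwise a forged packet with a large sequence number (500 in the sample) would slide the window forward and cause legitimate traffic to be dropped.
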
SPD – Security Policy Database
• Contains policies that are to be applied to the traffic destined to or originated from a given host or network.
• Contents are –
  • Destination IP address
  • Source IP address
  • Transport layer protocol
  • System name: FQDN or email ID
  • User ID

Drawbacks
• Complex – has too many options.
• Prone to Initialization Vector attacks.