IP Security (IPSec) Matt Hermanson

What is IPSec?
• It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation between two hosts.
• This is the most popular method for encrypting data.

How does it work?
• IPSec works by establishing an association between two communicating devices.
• An association is formed by two devices authenticating their identities via a preshared key, Kerberos authentication, or digital certificates.

A preshared key
• is a series of letters, numbers, and special characters, much like a password, that both communicating devices use to authenticate each other's identity.
• A network administrator must enter the same preshared key in the IPSec configuration settings on both devices.

Kerberos authentication
• is used in a Windows domain environment or on a Linux system to authenticate users and computers.
• Kerberos authentication also uses keys, but the OS generates the keys, which makes this method more secure than having an administrator enter keys.

Digital certificates
• involve a third party called a certification authority (CA).
• Someone wanting to send encrypted data must apply for a digital certificate from a CA, which is responsible for verifying the applicant's authenticity.
• When an IPSec communication session begins, the communicating parties exchange certificates, and each party sends the certificate to the CA electronically to verify its authenticity.

Three standard IPSec policies
• Three standard IPSec policies
  – Client (Respond Only)
  – Server (Request Security)
  – Secure Server (Require Security)
• These policies are intended as models for administrators to create their own policies suitable for their networks, but they can be used as is or edited.

The Client (Respond Only)
• The Client (Respond Only) policy is intended primarily for client computers that need to access secure resources.
• With this policy, the computer uses encrypted communications only if the device it's communicating with requests secure communications.

Server (Request Security)
• If the Server (Request Security) policy is set, the computer requests IPSec-encrypted communication but allows unencrypted communication if the other device doesn't support IPSec.

Secure Server (Require Security)
• The Secure Server (Require Security) policy should be used when all communication of the type specified in the policy must be secure. A computer with this policy set rejects attempts to communicate if encryption is not used.
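
How the three policies combine when two hosts talk, as an added example that is not part of the original slides. It is a simplified model built only from the policy descriptions above; the NONE entry (a host without IPSec) and the function names are assumptions added for comparison.

```python
from enum import Enum

class Policy(Enum):
    NONE = "no IPSec support"            # assumption: host without IPSec, for comparison
    CLIENT = "Client (Respond Only)"
    SERVER = "Server (Request Security)"
    SECURE_SERVER = "Secure Server (Require Security)"

REQUESTS = {Policy.SERVER, Policy.SECURE_SERVER}  # policies that ask the peer for IPSec
REQUIRES = {Policy.SECURE_SERVER}                 # policies that refuse unencrypted traffic

def outcome(a, b):
    """Result of a conversation between two hosts holding policies a and b."""
    both_capable = Policy.NONE not in (a, b)
    someone_requests = a in REQUESTS or b in REQUESTS
    if both_capable and someone_requests:
        return "encrypted"
    if a in REQUIRES or b in REQUIRES:
        return "rejected"
    return "unencrypted"

def cleartext_pairs():
    """Policy pairs that end up unencrypted: the ones to review for sensitive traffic."""
    policies = list(Policy)
    return [(a.name, b.name)
            for i, a in enumerate(policies)
            for b in policies[i:]
            if outcome(a, b) == "unencrypted"]

if __name__ == "__main__":
    for a in Policy:
        for b in Policy:
            print(f"{a.value:34} <-> {b.value:34} {outcome(a, b)}")
```

Two Respond Only clients never encrypt with each other, and Request Security falls back to cleartext with a peer that lacks IPSec; only Require Security turns that fallback into a rejection.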

OSI Model
• In the OSI Model, IPSec protocols operate at the network layer.
• Other Internet security protocols in widespread use, such as SSL, TLS and SSH, operate from the transport layer in the OSI model.
• This makes IPSec more flexible, as it can be used for protecting layer 4 protocols, including both TCP and UDP, which are the most commonly used transport layer protocols.
• IPSec has an advantage over SSL and other methods that operate at higher layers.

OSI Model cont.
• For an application to use IPSec, no code change in the application is required, whereas to use SSL and other higher-level protocols, applications must undergo code changes.

Security architecture
• IPSec is implemented by a set of cryptographic protocols for
  – (1) securing packet flows
  – (2) mutual authentication
  – (3) establishing cryptographic parameters

Security architecture
• The IP security architecture uses the concept of a security association as the basis for building security functions into IP. A security association is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt and authenticate a particular flow in one direction. Therefore, in normal bi-directional traffic, the flows are secured by a pair of security associations. The actual choice of encryption and authentication algorithms (from a defined list) is left to the IPSec administrator.

Security architecture
• In order to decide what protection is to be provided for an outgoing packet, IPSec uses the security parameter index (SPI), an index to the security association database (SADB), along with the destination address in a packet header, which together uniquely identify a security association for that packet. A similar procedure is performed for an incoming packet, where IPSec gathers decryption and verification keys from the security association database.
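
The inbound lookup described above, as an added example that is not part of the original slides: the receiver reads the SPI from the packet and combines it with the destination address to find the security association. The ESP header layout (32-bit SPI, then 32-bit sequence number) comes from RFC 4303, not from the slides; the class names, addresses, algorithm labels and keys are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class SecurityAssociation:
    spi: int      # security parameter index carried in each protected packet
    dst: str      # destination address: an SA covers one direction only
    cipher: str   # algorithm labels picked by the administrator (sample values)
    auth: str
    key: bytes    # constructed sample key material

class SADB:
    """Security association database keyed by (SPI, destination address)."""
    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.spi, ip_address(sa.dst))] = sa

    def lookup(self, spi, dst):
        return self._sas.get((spi, ip_address(dst)))

def parse_esp_header(payload):
    """An ESP payload begins with a 32-bit SPI and a 32-bit sequence number."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", payload[:8])

def inbound_sa(sadb, dst, esp_payload):
    """Select the SA holding the keys for an incoming packet, or refuse it."""
    spi, seq = parse_esp_header(esp_payload)
    sa = sadb.lookup(spi, dst)
    if sa is None:
        raise LookupError(f"no SA for SPI {spi:#x} to {dst}; packet must be dropped")
    return sa, seq

# Constructed sample: traffic in both directions needs a pair of SAs.
SAMPLE_DB = SADB()
SAMPLE_DB.add(SecurityAssociation(0x1001, "192.0.2.2", "aes-cbc", "hmac-sha256", b"k" * 32))
SAMPLE_DB.add(SecurityAssociation(0x2002, "192.0.2.1", "aes-cbc", "hmac-sha256", b"r" * 32))
# SPI 0x1001, sequence number 7, then 16 bytes standing in for ciphertext.
SAMPLE_PACKET = struct.pack("!II", 0x1001, 7) + b"\x00" * 16

if __name__ == "__main__":
    sa, seq = inbound_sa(SAMPLE_DB, "192.0.2.2", SAMPLE_PACKET)
    print(f"SPI {sa.spi:#x} seq {seq}: decrypt with {sa.cipher}, verify with {sa.auth}")
```

The same SPI presented with the other host's address finds nothing, which is the "one direction" property of a security association in practice.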

Security architecture
• For multicast, a security association is provided for the group, and is duplicated across all authorized receivers of the group. There may be more than one security association for a group, using different SPIs, thereby allowing multiple levels and sets of security within a group. Indeed, each sender can have multiple security associations, allowing authentication, since a receiver can only know that someone knowing the keys sent the data. Note that the relevant standard does not describe how the association is chosen and duplicated across the group; it is assumed that a responsible party will have made the choice.

Design intent
• IPSec was intended to provide either transport mode (end-to-end) security of packet traffic in which the end-point computers do the security processing, or tunnel mode (portal-to-portal) communications security in which security of packet traffic is provided to several machines (even to whole LANs) by a single node.

Design intent
• IPSec can be used to create Virtual Private Networks (VPN) in either mode, and this is the dominant use.
• Note, however, that the security implications are quite different between the two operational modes.

Design intent
• Since the IP does not inherently provide any security capabilities, IPSec was introduced to provide security services such as the following:
  1. Encrypting traffic (so it cannot be read by parties other than those for whom it is intended)
  2. Integrity validation (ensuring traffic has not been modified along its path)
  3. Authenticating the peers (ensuring that traffic is from a trusted party)
  4. Anti-replay (protecting against replay of the secure session)

Modes
• IPSec supports two encryption modes: Transport and Tunnel.
• Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched.
• The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.
