IPSec IP Security IPSec 126 Groep T Leuven
- Slides: 26
IPSec IP Security (IPSec) 1/26 Groep T Leuven – Information department 2003 -2004 - Information management 1
IP Security (IPSec) • • IPSec overview Authentication Header (AH) Encapsulating Security Payload (ESP) Internet Key Exchange (IKE) Main Mode negotiation Quick Mode negotiation Retransmit behavior 2/26 Groep T Leuven – Information department 2003 -2004 - Information management 2
Overall Architecture (RFC 1825) • Framework for security protocols to provide: – Data integrity – Data authentication – Data confidentiality – Security association management – Key management 3/26 Groep T Leuven – Information department 2003 -2004 - Information management 3
Authentication Header (RFC 1826) IP Header plus Data Authentication Data (00 ABCDEF) Router • • IP HDR AH Data Router Data integrity—no twiddling of bits Origin authentication—definitely came from router Uses keyed-hash mechanism Does not provide confidentiality 4/26 Groep T Leuven – Information department 2003 -2004 - Information management 4
Encapsulating Security Payload (RFC 1827) Router • • All Data-Encrypted Router Confidentiality Data origin authentication Data integrity Replay protection (optional) 5/26 Groep T Leuven – Information department 2003 -2004 - Information management 5
Security Association (SA) Firewall Router Insecure Channel • Agreement between two entities on method to communicate securely • Unidirectional—two way communication consists of two SAs 6/26 Groep T Leuven – Information department 2003 -2004 - Information management 6
IKE Policy Negotiation Encryption Algorithm, Hash Algorithm, and Method of Authentication 3 DES, MD 5, and RSA Signatures, or IDEA, SHA, and DSS Signatures, or Blowfish, SHA, and RSA Encryption IDEA, SHA, and DSS Signatures ISAKMP Policy Tunnel 7/26 Groep T Leuven – Information department 2003 -2004 - Information management 7
IPSec Model • Device authentication – Crypto devices obtain digital certificates from CAs • Authorization – Packet selection via ACLs – Security Association (SA) established via ISAKMP/OAKLAY • Privacy and integrity Internal Network Certificate Authority Digital Certificate E IK Digital Certificate on i ss SA e S – IPSec-based encryption and digital signature Authenticated Encrypted Tunnel Internal Network 8/26 Groep T Leuven – Information department 2003 -2004 - Information management Clear Text Encrypted 8
IPsec Protocols and Formats Headers Authentication • Integrity, authentication Header Encapsulating • Adds confidentiality Security Payload ISAKMP/Oakley • Negotiates security parameters • Uses digital certificates Diffie-Hellman • Generates shared secret keys Transport • IP payload only, Layer 4 is obscured • Both end systems need IPsec Tunnel • Entire datagram • No changes to intermediate systems Key Exchange Modes Encryption • DES, 3 DES, RC 4, IDEA, AES. . . Hashing • HMAC MD 5, HMAC SHA 1 9/26 Groep T Leuven – Information department 2003 -2004 - Information management 9
IPSec Modes IP HDR DATA Tunnel Mode New IP HDR IPSec HDR IP HDR DATA Encrypted DATA Transport Mode IP HDR IPSec HDR DATA Encrypted 10/26 Groep T Leuven – Information department 2003 -2004 - Information management 10
Tunnel and Transport Modes • Transport mode for end-to-end session • Tunnel mode for everything else Transport Mode Tunnel Mode Joe’s PC 11/26 Groep T Leuven – Information department HR Server 2003 -2004 - Information management 11
Ipsec—Standards Based Internet IPsec Dial IPsec VLANs IPsec Firewall Campus 12/26 Groep T Leuven – Information department 2003 -2004 - Information management 12
IPSec Overview • Proposed Internet standard for IPlayer cryptography with IPv 4 and IPv 6 Router to Firewall Router to Router PC to Server 13/26 Groep T Leuven – Information department 2003 -2004 - Information management 13
IPSec Process • Initiating the IPSec session – Phase one—exchanging keys – Phase two—setting up security associations • Encrypting/decrypting packets • Rebuilding security associations • Timing out security associations 14/26 Groep T Leuven – Information department 2003 -2004 - Information management 14
Initiating the IPSec Session Phase One — ISAKMP • Internet Security Association Key Management Protocol (ISAKMP) • Both sides need to agree on the ISAKMP security parameters (ISAKMP SADB) – ISAKMP parameters • Encryption algorithm • Hash algorithm • Authentication method • Diffie-Hellman modulus • Group lifetime 15/26 Groep T Leuven – Information department 2003 -2004 - Information management 15
Initiating the IPSec Session Phase Two • Both sides need to agree on the IPSec security parameters (IPSec SADB) • IPSec parameters – IPSec peer • Endpoint of IPSec tunnel – IPSec proxy • Traffic to be encrypted/decrypted – IPSec transform • Encryption and hashing – IPSec lifetime • Phase two SA regeneration time 16/26 Groep T Leuven – Information department 2003 -2004 - Information management 16
Encrypting and Decrypting Packets • Phase one and phase two completes • Security Associations (SA) are created at both IPSec endpoints • Using the negotiated SADB information – Outbound packets are encrypted – Inbound packets are decrypted 17/26 Groep T Leuven – Information department 2003 -2004 - Information management 17
Rebuilding Security Associations • To ensure that keys are not compromised they are periodically refreshed • Security associations will be rebuilt when: – The lifetime expires, or – Data volume has been exceeded, or – Another SA is attempted with identical parameters 18/26 Groep T Leuven – Information department 2003 -2004 - Information management 18
Security Associations • Combination of mutually agreed security services, protection mechanisms, and cryptographic keys • ISAKMP SA • IPSec SAs – One for inbound traffic – One for outbound traffic • Security Parameters Index (SPI) – Helps identify an SA • Creating SAs – Main Mode for ISAKMP SA – Quick Mode for IPSec SAs 19/26 Groep T Leuven – Information department 2003 -2004 - Information management 19
IPSec Headers • Authentication Header (AH) – Provides data origin authentication, data integrity, and replay protection for the entire IP datagram • Encapsulating Security Payload (ESP) – Provides data origin authentication, data integrity, replay protection, and data confidentiality for the ESP-encapsulated portion of the packet 20/26 Groep T Leuven – Information department 2003 -2004 - Information management 20
IPSec Modes • Transport mode – Typically used for IPSec peers doing end-to-end security – Provides protection for upper-layer protocol data units (PDUs) • Tunnel mode – Typically used by network routers to protect IP datagrams – Provides protection for entire IP datagrams 21/26 Groep T Leuven – Information department 2003 -2004 - Information management 21
AH Transport Mode IP IP Upper layer PDU AH Upper layer PDU Authenticated 22/26 Groep T Leuven – Information department 2003 -2004 - Information management 22
AH Tunnel Mode IP (new) AH IP Upper layer PDU Authenticated 23/26 Groep T Leuven – Information department 2003 -2004 - Information management 23
ESP Transport Mode IP IP ESP Upper layer PDU ESP Auth Data Encrypted Authenticated 24/26 Groep T Leuven – Information department 2003 -2004 - Information management 24
ESP with AH Transport Mode IP IP AH ESP Upper layer PDU ESP Auth Encrypted Authenticated with ESP Authenticated with AH 25/26 Groep T Leuven – Information department 2003 -2004 - Information management 25
ESP Tunnel Mode IP (new) ESP IP Upper layer PDU ESP Auth Data Encrypted Authenticated 26/26 Groep T Leuven – Information department 2003 -2004 - Information management 26
- Ip security ipsec
- Privat security
- Vpn and ipsec concepts
- Vpp ipsec
- Spispy
- Ovn ipsec
- Openvpn oracle cloud
- Ipsec key management
- Ipsec protocol suite
- Untangle openvpn setup
- Ipsec
- Ipsec
- Lwip ipsec
- Ipsec
- Ipsec vpn vs ssl vpn
- Ipsec
- Randy marchany
- Febadvisor
- Smec kuleuven
- Toledo ku leuven
- Leo xiii leuven
- Gedocumenteerd kuleuven
- Trofozoiet
- Don bosco peda leuven
- Dorien steegmans
- Maya design principle
- Ku leuven exam results