IP Security: Outline of the session (IP Security Overview, IP Security Architecture, Key Management)
Posted: 19-Dec-2015
1 IP Security
Outline of the session
– IP Security Overview
– IP Security Architecture
– Key Management
Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College, UNSW
2 What Does IPSec Do?
• Provides security services at the IP layer for the TCP/IP protocols and applications above it to use.
• Provides the tools that devices on a TCP/IP network need in order to communicate securely.
• Allows two devices to set up a secure path that may traverse many insecure intermediate systems.
• Performs (at least) the following tasks:
– Defines the set of security protocols to use, so that each device sends data in a format the other can understand.
– Defines the specific encryption and integrity algorithms to apply to the data.
– Exchanges the keys the two devices will use to encrypt, decrypt and authenticate that data.
• Once this background work is completed, each device must use the protocols, methods and keys previously agreed upon to protect data and send it across the network.
3 How Does It Do This?
• IPSec Authentication Header (AH):
– Provides authentication services for IPSec, all of:
• Originator (data origin) verification
• Data integrity
• Protection against replay attacks
• Encapsulating Security Payload (ESP):
– Encrypts the payload of the IP datagram.
– Can be used with or without authentication (integrity protection).
4 Functions Supported by..
• Encryption/Hashing Algorithms:
– AH and ESP are generic: they do not fix the exact mechanism used for encryption or integrity.
– The peers negotiate which algorithms are used for each SA.
– Historically the integrity algorithms were HMAC-MD5-96 and HMAC-SHA-1-96; current guidance (RFC 8221) forbids HMAC-MD5 and moves deployments to HMAC-SHA-256 or to AEAD modes such as AES-GCM.
• Security Policies and Associations, and Management Methods:
– Security Associations (SA) record the algorithms, keys and other parameters for a one-way exchange between 2 principals.
– Security Policies define the way the SAs are applied at the packet level (which traffic is protected, bypassed or discarded).
– SAs can be bundled, i.e. applied in sequence to the same traffic (for example AH plus ESP, or a transport-mode SA inside a tunnel-mode SA), when a single SA cannot provide all the services the policy requires.
• Key Exchange Framework and Mechanism:
– Uses Internet Key Exchange (IKE).
5 Implementation choices
• End-to-end (in the hosts) or in the network infrastructure (security gateways)?
– Fully integrated with the IP stack, or inserted beneath an existing stack (RFC 2401 calls the latter "bump-in-the-stack")?
– Implemented in software?
– Implemented in hardware, for example as an outboard crypto processor (RFC 2401: "bump-in-the-wire")?
• And applied in tunnel or transport mode (see later).
6 IP Security Overview
• Applications of IPSec:
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing extranet and intranet connectivity with partners
– Enhancing electronic commerce security
7 IP Security Scenario
(diagram only; not captured in this transcript)
8 IP Security Overview
• Benefits of IPSec:
– Transparent to applications, because it sits below the transport layer (TCP, UDP)
– Can provide security for individual users (per-user SAs, not only per-host)
• IPSec can assure that:
– A router or neighbor advertisement comes from an authorized router
– A redirect message comes from the router to which the initial packet was sent
– A routing update is not forged
9 IP Security Architecture
• IPSec documents (the original 1998 set):
– RFC 2401: An overview of the security architecture
– RFC 2402: Description of a packet authentication extension (AH) to IPv4 and IPv6
– RFC 2406: Description of a packet encryption extension (ESP) to IPv4 and IPv6
– RFC 2408: Specification of key management capabilities (ISAKMP)
• These have since been obsoleted by RFC 4301 (architecture), RFC 4302 (AH), RFC 4303 (ESP) and IKEv2 (RFC 7296); the concepts in these slides are unchanged, but new deployments should follow the current documents.
10 IPSec Document Overview
(diagram of the IPsec document roadmap; not captured in this transcript. DOI = Domain of Interpretation)
11 IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets (a form of partial sequence integrity)
• Confidentiality (encryption)
• Limited traffic-flow confidentiality
12 Security Associations (SA)
• A one-way relationship between a sender and a receiver; a two-way exchange therefore needs a pair of SAs, one in each direction.
• Identified by three parameters:
– Security Parameter Index (SPI): a 32-bit value carried in the AH or ESP header
– IP destination address
– Security protocol identifier (AH or ESP)
13 Authentication Header
• Provides data integrity and data origin authentication of IP packets, using a MAC (the Integrity Check Value, ICV) computed over the packet with a key shared by the two ends.
• Guards against replay attacks: each packet carries a sequence number, and the receiver keeps a sliding window of sequence numbers already accepted on the SA.
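A worked example of slides 12 and 13 together, added here and not part of the original slides: an inbound SA database keyed by the (SPI, destination address, protocol) triple, and the receiver's anti-replay sliding window as described in RFC 2401 Appendix C. The SPIs, addresses and key are constructed for the example; the 64-packet window size is the RFC's default. ICV verification, which belongs between the SA lookup and the window update, is left out of this block.

```python
"""Inbound SA lookup by (SPI, destination, protocol) and the anti-replay window.

Added example, not code from the original slides. The window follows the
64-packet sliding window of RFC 2401 Appendix C; all SPIs, addresses and keys
below are constructed values for the example.
"""
import ipaddress

PROTO_ESP = 50   # IP protocol numbers of the two IPsec protocols
PROTO_AH = 51


class ReplayWindow:
    """Receiver-side sliding window over 32-bit AH/ESP sequence numbers."""

    def __init__(self, size=64):
        self.size = size
        self.last = 0      # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  <=>  sequence number (last - i) was accepted

    def check_and_update(self, seq):
        """True if seq is new and inside the window; False if it must be dropped.
        Call this only after the packet's ICV has verified, otherwise forged
        sequence numbers could advance the window and shut out genuine traffic."""
        if seq == 0:
            return False                       # the first packet on an SA is number 1
        if seq > self.last:                    # ahead of the window: slide it forward
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.last = seq
            return True
        behind = self.last - seq
        if behind >= self.size:                # older than the window: drop
            return False
        if self.bitmap & (1 << behind):        # already accepted: replay
            return False
        self.bitmap |= 1 << behind
        return True


class OutboundCounter:
    """Sender side: the counter must never wrap on one SA; rekey instead."""

    def __init__(self):
        self.seq = 0

    def next_seq(self):
        if self.seq == 0xFFFFFFFF:
            raise RuntimeError("sequence number would wrap: negotiate a new SA")
        self.seq += 1
        return self.seq


class SecurityAssociation:
    def __init__(self, spi, dst, proto, auth_key, auth_alg="HMAC-SHA-1-96"):
        self.spi = spi
        self.dst = ipaddress.ip_address(dst)
        self.proto = proto
        self.auth_key = auth_key
        self.auth_alg = auth_alg
        self.replay = ReplayWindow()

    @property
    def selector(self):
        return (self.spi, self.dst, self.proto)


class SecurityAssociationDatabase:
    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[sa.selector] = sa

    def lookup(self, spi, dst, proto):
        return self._sas.get((spi, ipaddress.ip_address(dst), proto))


def process_inbound(sad, spi, dst, proto, seq):
    """Classify an inbound AH/ESP header as 'no-sa', 'replay' or 'accept'."""
    sa = sad.lookup(spi, dst, proto)
    if sa is None:
        return "no-sa"
    if not sa.replay.check_and_update(seq):
        return "replay"
    return "accept"


def demo():
    sad = SecurityAssociationDatabase()
    sad.add(SecurityAssociation(0x1000, "192.0.2.1", PROTO_ESP, b"constructed-key"))
    # Same SPI, but a different destination or protocol selects no SA at all.
    wrong_dst = process_inbound(sad, 0x1000, "192.0.2.2", PROTO_ESP, 1)
    wrong_proto = process_inbound(sad, 0x1000, "192.0.2.1", PROTO_AH, 1)
    # Reordering inside the window is fine; duplicates and stale packets are not.
    stream = [process_inbound(sad, 0x1000, "192.0.2.1", PROTO_ESP, s)
              for s in (1, 2, 5, 3, 3, 70, 5, 6)]
    return wrong_dst, wrong_proto, stream
```

In the stream above, packet 3 arriving after 5 is accepted because it is still inside the window, the second copy of 3 is a replay, and after packet 70 slides the window forward, 5 and 6 are too old to be accepted at all.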
14 Transport Mode (AH Authentication)
(diagram: the packet before AH and after AH is inserted between the IP header and the payload; not captured in this transcript)
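As an added example (not from the original slides) of the transport-mode layout that slide 14 illustrates: building and verifying an AH-protected IPv4 packet with HMAC-SHA-1-96 (RFC 2404). The addresses, key and payload are constructed. The point a practitioner needs is which header fields the ICV covers: a router decrementing the TTL does not break the ICV, but anything that rewrites the addresses, such as a NAT, does, and so does any change to the payload.

```python
"""AH in transport mode: computing and verifying the Integrity Check Value.

Added example, not code from the original slides. ICV = HMAC-SHA-1-96 (RFC 2404)
over: the IPv4 header with its mutable fields zeroed, the AH header with the ICV
field zeroed, and the payload (RFC 2402). Addresses, key and payload are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

PROTO_AH = 51          # protocol number the outer IPv4 header carries for AH
PROTO_TCP = 6
ICV_LEN = 12           # 96-bit truncated HMAC
AH_LEN = 12 + ICV_LEN  # fixed AH fields + ICV


def ip_checksum(header):
    """Ones'-complement checksum over an IPv4 header (checksum field must be zero)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header without options."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def zero_mutable_fields(ip_header):
    """RFC 2402: TOS, flags/fragment offset, TTL and header checksum may legitimately
    change in transit, so the ICV treats them as zero. Addresses are immutable."""
    h = bytearray(ip_header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_header, ah_fixed, payload):
    covered = zero_mutable_fields(ip_header) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_transport_packet(key, src, dst, spi, seq, payload, next_header=PROTO_TCP):
    ip_header = ipv4_header(src, dst, PROTO_AH, 20 + AH_LEN + len(payload))
    # next header, payload length (AH length in 32-bit words minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_header + ah_fixed + ah_icv(key, ip_header, ah_fixed, payload) + payload


def verify_ah_transport_packet(key, packet):
    if len(packet) < 20 + AH_LEN or packet[9] != PROTO_AH:
        return False
    ip_header, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    expected = ah_icv(key, ip_header, ah[:12], payload)
    return hmac.compare_digest(expected, ah[12:])


def rewrite_header(packet, ttl=None, src=None):
    """Simulate an intermediate router (TTL) or NAT (source address) that
    edits the outer header and recomputes the header checksum."""
    p = bytearray(packet)
    if ttl is not None:
        p[8] = ttl
    if src is not None:
        p[12:16] = ipaddress.IPv4Address(src).packed
    p[10:12] = b"\x00\x00"
    p[10:12] = struct.pack("!H", ip_checksum(bytes(p[:20])))
    return bytes(p)


def demo():
    key = b"constructed-demo-key-do-not-reuse"   # assumption: constructed HMAC key
    pkt = build_ah_transport_packet(key, "192.0.2.10", "198.51.100.20", 0x200, 1,
                                    b"constructed TCP segment")
    as_sent = verify_ah_transport_packet(key, pkt)
    after_router = verify_ah_transport_packet(key, rewrite_header(pkt, ttl=63))
    after_nat = verify_ah_transport_packet(key, rewrite_header(pkt, src="203.0.113.5"))
    tampered = verify_ah_transport_packet(key, pkt[:-1] + bytes([pkt[-1] ^ 0x01]))
    return as_sent, after_router, after_nat, tampered
```

demo() returns (True, True, False, False): the packet verifies as sent and after a hop, and fails after address translation or a one-bit change to the payload.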
15 Tunnel Mode (AH Authentication)
(diagram: the packet before AH and after a new outer IP header and AH are prepended to the whole original packet; not captured in this transcript)
16 End-to-end versus End-to-Intermediate Authentication
(diagram only; not captured in this transcript)
17 Encapsulating Security Payload
• ESP provides confidentiality services: encryption of the payload in transport mode, or of the whole inner packet in tunnel mode.
• ESP can optionally provide the same integrity and origin authentication as AH. Encryption without authentication leaves the traffic open to active attacks, so the two are normally combined.
18 Encryption and Authentication Algorithms
• Encryption (as listed in the original slides):
– Three-key triple DES
– RC5
– IDEA
– Three-key triple IDEA
– CAST
– Blowfish
• Authentication:
– HMAC-MD5-96
– HMAC-SHA-1-96
• Note: this is the RFC 2406-era list, and most of these are 64-bit-block ciphers. Current practice (RFC 8221) is AES, preferably in an AEAD mode such as AES-GCM, with HMAC-SHA-256 where a separate integrity algorithm is needed; HMAC-MD5-96 must no longer be used.
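An added example of ESP framing with the authentication algorithms on slide 18; it is not part of the original slides. The NULL encryption algorithm of RFC 2410 stands in for the cipher so that the padding, trailer and ICV handling of RFC 2406 can be shown with the standard library alone (a real SA would use one of the ciphers listed, or AES today); the integrity algorithm is HMAC-SHA-1-96. The SPI, sequence number, key and payload are constructed. Note the order in decapsulation: the ICV is verified before any field of the body is parsed.

```python
"""ESP framing with NULL encryption (RFC 2410) and HMAC-SHA-1-96 (RFC 2404).

Added example, not code from the original slides. The NULL cipher stands in for
3DES/AES so the padding, trailer and ICV handling of RFC 2406 can be shown with
the standard library alone. SPI, sequence number, key and payload are constructed.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12
PROTO_TCP = 6


def esp_icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def esp_encapsulate(key, spi, seq, payload, next_header=PROTO_TCP):
    """SPI | seq | payload | padding | pad length | next header | ICV."""
    # RFC 2406: the pad length and next header fields must end on a 4-byte boundary.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # default self-describing padding 1,2,3,...
    header = struct.pack("!II", spi, seq)
    body = payload + padding + bytes([pad_len, next_header])   # NULL cipher: ciphertext == plaintext
    return header + body + esp_icv(key, header + body)          # ICV covers header and body, not itself


def esp_decapsulate(key, packet):
    """Returns (spi, seq, next_header, payload) or raises ValueError."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short")
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    # Verify first: nothing in the body is trusted until the ICV matches.
    if not hmac.compare_digest(esp_icv(key, header + body), icv):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", header)
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("bad pad length")
    payload = body[:len(body) - 2 - pad_len]
    if body[len(payload):-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq, next_header, payload


def demo():
    key = b"constructed-demo-key-do-not-reuse"     # assumption: constructed HMAC key
    pkt = esp_encapsulate(key, 0x300, 7, b"constructed payload")   # 19 bytes -> 3 bytes of padding
    spi, seq, next_header, payload = esp_decapsulate(key, pkt)
    flipped = bytearray(pkt)
    flipped[8] ^= 0x01                     # flip one bit of the "ciphertext"
    try:
        esp_decapsulate(key, bytes(flipped))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return spi, seq, next_header, payload, len(pkt), tamper_rejected
```

The 19-byte payload needs 3 bytes of padding so that the two trailer bytes end on a 4-byte boundary, giving a 44-byte ESP packet; the flipped bit is caught by the ICV check before the trailer is ever read.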
19 ESP Encryption and Authentication
(diagram only; not captured in this transcript)
20 ESP Encryption and Authentication
(diagram only; not captured in this transcript)
21 Key Management
• Two types:
– Manual: keys and SA parameters are configured by an administrator on each system
– Automated: SAs and keys are negotiated on demand; the IPSec default, IKE, is built from the two components below
• Oakley Key Determination Protocol: the Diffie-Hellman based key exchange
• Internet Security Association and Key Management Protocol (ISAKMP): the framework of message formats and exchange phases for negotiating SAs
22 Oakley
• Three authentication methods:
– Digital signatures
– Public-key encryption
– Symmetric-key encryption (a pre-shared key)
23 ISAKMP
(diagram only; not captured in this transcript)
24 TCP/IP Example
(diagram only; not captured in this transcript)