18-04-2011, 02:34 PM
Presented by
arun saraswat
The need...
CERT's 2001 annual report listed 52,000 security incidents; the most serious involved:
◦ IP spoofing
– intruders create packets with a false source address and then take advantage of OS exploits
◦ eavesdropping and sniffing
– attackers listen for user IDs and passwords and then simply walk into the target systems
As a result, the IAB included authentication and encryption in the next-generation IP (IPv6).
IP Security Scenario
IP Security Overview
IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.
Applications of IPSec
◦ Secure branch office connectivity over the Internet
◦ Secure remote access over the Internet
◦ Establishing extranet and intranet connectivity with partners
◦ Enhancing electronic commerce security
IP Security Architecture
IPSec documents:
◦ RFC 2401: An overview of the security architecture
◦ RFC 2402: Description of a packet authentication extension to IPv4 and IPv6
◦ RFC 2406: Description of a packet encryption extension to IPv4 and IPv6
◦ RFC 2408: Specification of key management capabilities
IPSec
general IP Security mechanisms
provides
◦ authentication
◦ confidentiality
◦ key management
applicable to use over LANs, across public & private WANs, & for the Internet
IPSec Services
• Two protocols are used to provide security:
– Authentication Header Protocol (AH)
– Encapsulation Security Payload (ESP)
• Services provided are:
– Access control
– Connectionless integrity
– Data origin authentication
– Rejection of replayed packets
• a form of partial sequence integrity
– Confidentiality (encryption)
– Limited traffic flow confidentiality
Security Associations
• a one-way relationship between sender & receiver that affords security for traffic flow
• defined by 3 parameters:
– Security Parameters Index (SPI)
• a bit string
– IP Destination Address
• only unicast allowed
• could be end user, firewall, router
– Security Protocol Identifier
• indicates if SA is AH or ESP
• has a number of other parameters
– sequence number, AH & ESP information, lifetime, etc.
• have a database of Security Associations
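An added example (not from the presentation): a small inbound Security Association Database keyed by the three SA parameters named above, where each SA also keeps the sequence-number window behind the "rejection of replayed packets" service. The class names, the 64-packet window and the sample SA values are constructed for this illustration.

```python
# Added example, not part of the original slides. Models an inbound SAD whose
# entries are looked up by (SPI, destination address, AH or ESP), with the
# anti-replay sliding window described in RFC 2401 Appendix C.

WINDOW_SIZE = 64  # RFC 2401 minimum window; the bitmap below is this wide


class SecurityAssociation:
    """One-way SA identified by (SPI, destination, security protocol)."""

    def __init__(self, spi, dst, proto):
        self.spi, self.dst, self.proto = spi, dst, proto
        self.highest_seq = 0  # right edge of the window (largest seq accepted)
        self.bitmap = 0       # bit i set => seq (highest_seq - i) was received

    def check_replay(self, seq):
        """Return True (and record seq) if the packet is fresh, else False."""
        if seq == 0:                       # sequence numbers start at 1
            return False
        if seq > self.highest_seq:         # new right edge: slide the window
            shift = seq - self.highest_seq
            self.bitmap = (self.bitmap << shift) & ((1 << WINDOW_SIZE) - 1)
            self.bitmap |= 1               # bit 0 is highest_seq itself
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW_SIZE:          # older than the window: drop
            return False
        if self.bitmap & (1 << offset):    # already seen: replayed packet
            return False
        self.bitmap |= 1 << offset         # late but inside window: accept once
        return True


class SADatabase:
    """Inbound SAD: entries found by the SA's three defining parameters."""

    def __init__(self):
        self.sas = {}

    def add(self, sa):
        self.sas[(sa.spi, sa.dst, sa.proto)] = sa

    def process(self, spi, dst, proto, seq):
        """Return 'accept', 'drop' (replay/too old) or 'no-sa' for a packet."""
        sa = self.sas.get((spi, dst, proto))
        if sa is None:
            return "no-sa"                 # unknown SA: discard and audit
        return "accept" if sa.check_replay(seq) else "drop"
```

Note that an in-window packet is accepted at most once: a second copy with the same sequence number is dropped, which is the "partial sequence integrity" the slide refers to.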
Transport and Tunnel Modes
Both AH and ESP have two modes:
◦ transport mode encrypts & optionally authenticates the IP payload
– data is protected but the IP header is left in the clear
– traffic analysis is still possible, but the mode is efficient
– good for ESP host-to-host traffic
◦ tunnel mode encrypts the entire IP packet
– a new outer header is added for the next hop
– good for VPNs and gateway-to-gateway security
Encryption and Authentication Algorithms
Encryption:
◦ Three-key triple DES
◦ RC5
◦ IDEA
◦ Three-key triple IDEA
◦ CAST
◦ Blowfish
Authentication:
◦ HMAC-MD5-96
◦ HMAC-SHA-1-96
Key Management
Two types:
◦ Manual
◦ Automated
Oakley Key Determination Protocol
Internet Security Association and Key Management Protocol (ISAKMP)
Oakley
Three authentication methods:
◦ Digital signatures
◦ Public-key encryption
◦ Symmetric-key encryption
Summary
have considered:
◦ IPSec security framework
◦ AH Protocol
◦ ESP Protocol
◦ key management & Oakley/ISAKMP