Voice over IPSec. Emilia Rosti Dip. Informatica e Comunicazione Univ. Degli Studi di Milano


Slide 2: Outline
- IP refresher
- IPSec
- VoIP and QoS - basics
- VoIPSec
- Experiments
- Results

Slide 3: IP refresher - network layers (figure)

Slide 4: IP refresher - TCP/IP communication (figure: END SYSTEM X, ROUTER A, ROUTER B, END SYSTEM Y)

Slide 5: IPv4 header (figure)

Slides 6-7: IPv4 fields
- Version: 4b, value 0100 = 4
- Internet Header Length (IHL): 4b, header length in 32-bit words; minimum value 5 (20 bytes, no options)
- Type of Service: 8b (today the DSCP/ECN byte used by DiffServ)
- Total Length: 16b, total IP packet length in bytes, header included
- Identification: 16b, shared by all fragments of one datagram (it is not a per-packet sequence number)
- Flags: 3b: reserved, Don't Fragment (DF), More Fragments (MF)
- Fragment offset: 13b, where this fragment belongs in the original datagram, in 64-bit (8-byte) units
- Time to Live (TTL): 8b, nominally the number of seconds the packet may live; in practice every router decrements it by one and discards the packet at 0
- Protocol: 8b, the upper-layer protocol carried (e.g. 6 = TCP, 17 = UDP, 50 = ESP, 51 = AH)
- Header checksum: 16b, one's-complement checksum over the header only; it must be recomputed at every hop because the TTL changes
- Source / Destination Addresses: 32b each
- Options: variable length, present when IHL > 5
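The field layout above, as a parser (an added example, not part of the slides): it decodes the fixed header and options, splits the flags/fragment-offset word, and verifies the header checksum the way a router does before trusting the TTL and addresses. The two sample packets are constructed, not captured traffic, and their checksums were computed by hand.

```python
import struct
from dataclasses import dataclass


@dataclass
class IPv4Header:
    version: int
    ihl: int              # header length in 32-bit words (5 = no options)
    tos: int              # Type of Service byte: DSCP in the top 6 bits, ECN in the low 2
    total_length: int     # header + payload, in bytes
    identification: int   # shared by all fragments of one datagram
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int  # in 8-byte units, exactly as carried on the wire
    ttl: int
    protocol: int         # 6 = TCP, 17 = UDP, 50 = ESP, 51 = AH
    checksum: int
    src: str
    dst: str
    options: bytes
    checksum_ok: bool


def ones_complement_sum(data: bytes) -> int:
    """Sum of 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_ipv4(packet: bytes) -> IPv4Header:
    """Decode the 20-byte fixed header plus options, validating what a router validates."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4: version field is {version}")
    if ihl < 5:
        raise ValueError(f"bad IHL {ihl}: the minimum is 5 words (20 bytes)")
    hlen = ihl * 4
    if len(packet) < hlen:
        raise ValueError("truncated: IHL claims more header than the packet carries")
    if total_length < hlen:
        raise ValueError("total length is smaller than the header length")
    header = packet[:hlen]
    # An intact header sums to 0xFFFF when the checksum field itself is included.
    checksum_ok = ones_complement_sum(header) == 0xFFFF
    return IPv4Header(
        version=version, ihl=ihl, tos=tos, total_length=total_length,
        identification=ident,
        dont_fragment=bool(flags_frag & 0x4000),
        more_fragments=bool(flags_frag & 0x2000),
        fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl, protocol=proto, checksum=csum,
        src=".".join(map(str, src)), dst=".".join(map(str, dst)),
        options=header[20:], checksum_ok=checksum_ok,
    )


def dscp(h: IPv4Header) -> int:
    """The DiffServ code point occupies the top six bits of the old ToS byte."""
    return h.tos >> 2


# Constructed sample packets (not captured traffic); checksums computed by hand.
# A voice packet: ToS 0xB8 (DSCP 46, Expedited Forwarding), DF set, UDP, 40-byte payload.
SAMPLE_VOICE = bytes.fromhex("45b8003c12344000401113c30a0000010a000002") + bytes(40)
# A non-initial ICMP fragment: MF set, fragment offset 185 (185 * 8 = 1480 bytes).
SAMPLE_FRAGMENT = bytes.fromhex("45000034beef20b9400119cdc0a80001c0a80002") + bytes(32)
```

A router that decrements the TTL without recomputing the checksum produces a header that fails `checksum_ok`; the last assertion in the test models exactly that.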

Slide 8: IPv6 header (figure)

Slide 9: IPv6 fields
- Version: 4b, value 0110 = 6
- Traffic class: 8b, priority of this packet for routers (same DSCP/ECN semantics as the IPv4 ToS byte)
- Flow Label: 20b, labels packets for special processing by routers
- Payload Length: 16b, length of what follows the 40-byte base header
- Next Header: 8b, TCP or UDP or an IPv6 extension header (AH and ESP appear here as extension headers)
- Hop limit: 8b, the IPv4 TTL under its real name
- Source/Destination Address: 128b (16 bytes = four 32-bit words) each

Slides 10-11: Network security: where?
- application-specific security mechanisms, e.g. S/MIME, PGP, Kerberos, SSL/HTTPS
  - can be tuned to the payload requirements
  - must be reworked for every application
- transport (TCP) level mechanisms
  - end-to-end
  - applications can control when to use them
  - applications must be modified (unless proxied)
- network (IP) level
  - covers all traffic, end-to-end
  - transparent to applications
  - little application control
  - somewhat unnatural: IP packets are stateless, but a secure channel is stateful
- link level
  - covers all traffic on that link, e.g. RF
  - only one hop

Slide 12: Network security
- security concerns cut across all protocol layers
- we would like security implemented once, by the network, for all applications
- the goal is a secure channel providing origin authentication, integrity and confidentiality

Slide 13: IPSec
- IP Security Overview
- IP Security Architecture
- Authentication Header
- Encapsulating Security Payload
- Security Associations
- Key Management

Slide 14: IPSec
- general IP security mechanisms providing authentication, confidentiality and key management
- applicable over LANs, across public and private WANs, and on the Internet
- specified by the Internet Engineering Task Force (IETF), which develops the protocol standards for the Internet

Slide 15: IPSec - specs
- RFC 2401: security architecture overview
- RFC 2402: packet authentication extension (AH)
- RFC 2406: packet encryption (ESP)
- RFC 2408: key management framework (ISAKMP; IKE itself is RFC 2409)
- many others, grouped by category
(These are the RFCs current at the time of the talk; they have since been superseded by RFC 4301, 4302, 4303 and, for key management, IKEv2 in RFC 7296. The mechanisms described below are unchanged.)

Slide 16: IPSec - overview
- IPSec provides a set of security algorithms and a general framework that allow a pair of communicating entities to use whichever algorithms provide security appropriate for their communication
- not bound to any specific crypto-algorithm
- applications:
  - secure branch office connectivity over the Internet
  - secure remote access over the Internet
  - establishing extranet and intranet connectivity with partners
  - enhancing electronic commerce security
  - Virtual Private Networks

Slide 17: IPSec - overview
- two protocols:
  1. Authentication Header (AH): authentication protocol
  2. Encapsulating Security Payload (ESP): combined encryption/authentication protocol
- support was mandatory in IPv6 and optional in IPv4 (RFC 6434 later relaxed the IPv6 requirement to "should")
- two deployment modes:
  1. transport: for IPSec-aware hosts as endpoints
  2. tunnel: for IPSec-unaware hosts, established by intermediate gateways or by the host OS

Slide 18: IPSec - scenario (figure)

Slide 19: IPSec - advantages
- in a firewall/router it provides strong security to all traffic crossing the perimeter
- resistant to bypass: traffic cannot get around it as long as it must traverse the firewall
- below the transport layer, hence transparent to applications
- can be transparent to end users
- can provide security for individual users if desired

Slide 20: IPSec - advantages
- vital role in the routing architecture:
  - a router advertisement is valid
  - a neighbor advertisement is valid
  - a redirect message can be verified to come from the router to which the initial packet was sent
  - routing update messages can be validated
- routing protocols such as OSPF can run over IPSec

Slide 21: IPSec - services
- access control
- connectionless integrity
- data origin authentication
- rejection of replayed packets (a form of partial sequence integrity)
- confidentiality (encryption)

Slide 22: IPSec - AH
- data integrity and authentication of IP packets (most of the header and the payload; fields that change in transit, such as TTL and checksum, are zeroed for the MAC)
- an end system or router can authenticate the sending user or application
- prevents address-spoofing attacks, since the source address is covered by the MAC
- guards against replay attacks by tracking sequence numbers with a sliding-window mechanism
- based on the use of a MAC: HMAC-MD5-96 or HMAC-SHA-1-96
- the parties must share a secret key
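The sliding-window replay check used by both AH and ESP, as an added example (RFC 2401 Appendix C, not code from the slides): the receiver keeps the highest sequence number seen and a bitmap of the window below it. The one ordering rule that matters for security is that the window is only advanced after the packet's ICV has verified, so a spoofed packet with a huge sequence number cannot push legitimate traffic out of the window; the `icv_valid` boolean stands in for that HMAC check.

```python
class AntiReplayWindow:
    """Receiver-side sliding window as in RFC 2401 Appendix C.

    `top` is the highest sequence number accepted so far.  Bit i of `bitmap`
    records whether sequence number (top - i) has been received, so the window
    covers top-size+1 .. top.  Sequence numbers are 32-bit and never reused on
    one SA: the sender must rekey before the counter wraps.
    """
    MAX_SEQ = 2**32 - 1

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 2401 requires a window of at least 32 packets")
        self.size = size
        self.top = 0       # nothing received yet; sequence number 0 is never valid
        self.bitmap = 0

    def check(self, seq: int):
        """Non-mutating window check, done before the (expensive) ICV verification."""
        if seq == 0 or seq > self.MAX_SEQ:
            return False, "sequence number out of range"
        if seq > self.top:
            return True, "new high-water mark"
        diff = self.top - seq
        if diff >= self.size:
            return False, "too old: falls below the window"
        if (self.bitmap >> diff) & 1:
            return False, "replay: already received"
        return True, "inside window, not yet seen"

    def mark(self, seq: int) -> None:
        """Record seq as received.  Only call after the ICV verified: an attacker
        must not be able to advance the window with forged packets."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def process(self, seq: int, icv_valid: bool) -> bool:
        """The RFC order: window check, then ICV check, then window update."""
        ok, _reason = self.check(seq)
        if not ok or not icv_valid:
            return False
        self.mark(seq)
        return True
```

With a 64-packet window, a packet is rejected once it lags the newest accepted packet by 64 or more; on a lossy or reordering path (the VoIP case later in these slides) implementations raise the window size rather than disable the check.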

Slides 23-27: IPSec - AH (figures)
- AH format
- a packet before AH
- with AH, in transport mode
- with AH, in tunnel mode
- end-to-end vs end-to-intermediate authentication

Slide 28: IPSec - Encapsulating Security Payload
- provides confidentiality and (optionally) authentication of the payload only: unlike AH, the IP header that carries ESP is not covered by the integrity check
- ESP format (figure)

Slide 29: IPSec - ESP encryption and ESP authentication, transport mode (figure)

Slide 30: IPSec - ESP encryption and ESP authentication, tunnel mode (figure)

Slide 31: IPSec - crypto algorithms
- authentication: HMAC-MD5-96, HMAC-SHA-1-96
- encryption: three-key triple DES, RC5, IDEA, three-key triple IDEA, CAST, Blowfish
(This is the RFC 2451-era list used in the experiments that follow. Current guidance, RFC 8221, forbids DES and HMAC-MD5-96, discourages 3DES, and makes AES-GCM the required cipher; the size and delay results below should be read with that in mind.)
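The ESP tunnel-mode packet construction of slides 28-31, as an added example (not code from the slides or from the paper's test bed): ESP with the NULL cipher (RFC 2410) plus HMAC-SHA-1-96, which is the "NULL + SHA" configuration measured later in the deck. Padding is done to 8-byte alignment, as a DES/3DES block cipher would require, so the packet growth is representative; with a real block cipher an 8-byte IV would additionally sit between the ESP header and the inner packet. The gateway addresses, SPI, key and the inner G.711 packet are all constructed for the example. Note that the outer header copies the inner ToS/DSCP byte, as RFC 2401 tunnel-mode processing prescribes, which is what keeps DiffServ queueing working after encryption.

```python
import hmac
import hashlib
import struct

ESP_PROTO = 50          # IP protocol number of ESP
NEXT_HDR_IPV4 = 4       # ESP trailer Next Header: an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 12            # HMAC-SHA-1-96: 160-bit HMAC truncated to 96 bits
ALIGN = 8               # pad as a 64-bit block cipher (DES/3DES) requires; NULL alone needs 4


def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int,
               tos: int = 0, ttl: int = 64, ident: int = 0) -> bytes:
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident,
                      0x4000, ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def sample_voice_packet() -> bytes:
    """Constructed G.711 packet: 20 B IP + 8 B UDP + 12 B RTP + 40 B payload = 80 bytes."""
    payload = bytes(40)
    rtp = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x12345678)  # V=2, PT=0 (PCMU), seq, ts, SSRC
    udp = struct.pack("!HHHH", 16384, 16384, 8 + len(rtp) + len(payload), 0)
    ip = build_ipv4("10.1.1.10", "10.2.2.20", 17, len(udp) + len(rtp) + len(payload), tos=0xB8)
    return ip + udp + rtp + payload


def esp_tunnel_encapsulate(inner: bytes, spi: int, seq: int, auth_key: bytes,
                           gw_src: str, gw_dst: str) -> bytes:
    """[outer IP][SPI|seq][inner IP packet][padding][pad len|next hdr][ICV]"""
    if seq == 0 or seq > 0xFFFFFFFF:
        raise ValueError("sequence number must be 1..2^32-1; rekey before it wraps")
    pad_len = (-(len(inner) + 2)) % ALIGN
    padding = bytes(range(1, pad_len + 1))          # RFC 2406 default padding: 1, 2, 3, ...
    trailer = bytes([pad_len, NEXT_HDR_IPV4])
    authenticated = struct.pack("!II", spi, seq) + inner + padding + trailer  # NULL cipher: as-is
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    esp = authenticated + icv
    outer = build_ipv4(gw_src, gw_dst, ESP_PROTO, len(esp), tos=inner[1])  # copy inner DSCP
    return outer + esp


def esp_tunnel_decapsulate(packet: bytes, sad: dict):
    """sad maps SPI -> authentication key.  Returns (spi, seq, inner packet);
    raises ValueError on any integrity failure, before anything else is processed."""
    hlen = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO:
        raise ValueError("outer protocol is not ESP")
    esp = packet[hlen:]
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    spi, seq = struct.unpack("!II", esp[:8])
    key = sad.get(spi)
    if key is None:
        raise ValueError(f"no inbound SA for SPI {spi:#x}")
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):      # verify before decrypting/parsing
        raise ValueError("ICV mismatch: packet modified or wrong key")
    pad_len, next_hdr = authenticated[-2], authenticated[-1]
    if next_hdr != NEXT_HDR_IPV4:
        raise ValueError(f"unexpected Next Header {next_hdr}")
    body = authenticated[8:-2]
    inner, padding = body[:len(body) - pad_len], body[len(body) - pad_len:]
    if padding != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq, inner
```

For the 80-byte voice packet the tunnel adds 20 (outer IP) + 8 (SPI, sequence) + 6 (padding) + 2 (trailer) + 12 (ICV) = 48 bytes, a 60% increase before any IV; this is the per-packet cost that the size and call-count measurements later in the deck quantify on a 128 Kbps link.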

Slide 32: IPSec - security associations
- a one-way relationship between sender and receiver that affords security for a traffic flow
- inbound SAs and outbound SAs
- set up manually or by IKE (Internet Key Exchange)
- hosts keep a database of Security Associations
- an SA is uniquely defined by 3 parameters:
  - Security Parameters Index (SPI), carried in the AH and ESP headers
  - IP destination address
  - security protocol identifier (AH or ESP)
- an SA has other parameters: sequence number, AH and ESP info, lifetime, etc.

Slide 33: IPSec - SA parameters
- sequence number counter
- sequence counter overflow flag
- anti-replay window
- AH info: authentication algorithm, keys, key lifetimes
- ESP info: encryption and authentication algorithm, keys, key lifetimes
- lifetime of the SA
- IPSec protocol mode
- path MTU

Slide 34: IPSec - Security Policy Database
- SPD entries define a subset of the IP traffic and the SA that should be applied to it
- anything from "all traffic shall use this key" to individual combinations of source and destination addresses and ports
- even user-based keying is supported, but binding a user to an IP address is very problematic

Slide 35: IPSec - outbound traffic
- look up the policy for this datagram: drop, pass through, or process
- create a new SA if none exists
- apply the keys from the SA for the MAC and for enciphering
- add an explicit IV for each datagram, because datagrams can be lost and arrive out of order
- pass the assembled datagram down to the link layer, or to the next instance of IPSec processing
- we ignore fragmentation, PMTU discovery, ...

Slide 36: IPSec - inbound traffic
- look up the policy for this datagram: drop, pass through, or process
- the SA should already exist: we are the responder
- apply the keys from the SA for the MAC check and for deciphering, using the datagram's IV too
- raise a security error if needed; otherwise pass the assembled datagram up to the rest of normal IP processing, or to the next instance of IPSec processing
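The SPD lookup and SA selection of slides 34-36 as an added model (not code from the slides): an ordered policy list whose first matching selector decides drop / bypass / protect, an SA database keyed by the (SPI, destination, protocol) triple of slide 32, and the "create a new SA if none exists" step, here a stand-in for IKE that just allocates an SPI and a random key. The addresses, port range and byte lifetime are constructed for the example; the MAC, encryption and anti-replay steps are left to the other examples on this page.

```python
import os
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional


class Action(Enum):
    DISCARD = "discard"
    BYPASS = "bypass"
    PROTECT = "protect"


@dataclass(frozen=True)
class Packet:                 # only the selector fields that IPsec policy looks at
    src: str
    dst: str
    proto: int
    dport: int = 0


@dataclass
class Selector:
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None       # None = any protocol
    dports: Optional[range] = None    # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dports is None or p.dport in self.dports))


@dataclass
class SpdEntry:
    selector: Selector
    action: Action
    protocol: str = "ESP"          # ESP or AH
    mode: str = "tunnel"
    peer: Optional[str] = None     # tunnel endpoint (remote gateway) for PROTECT entries
    lifetime_bytes: int = 1_000_000


@dataclass
class SA:
    spi: int
    dst: str
    protocol: str
    key: bytes
    mode: str
    lifetime_bytes: int
    bytes_used: int = 0
    seq: int = 0

    def expired(self) -> bool:
        return self.bytes_used >= self.lifetime_bytes


class IPsecHost:
    def __init__(self, spd: list):
        self.spd = spd          # ordered: first match wins, like an access list
        self.sad = {}           # (spi, dst, protocol) -> SA
        self.negotiated = []    # SPIs created by the hypothetical IKE stand-in

    def _negotiate(self, e: SpdEntry) -> SA:
        """Stand-in for IKE quick mode: allocate an SPI (1..255 are reserved) and a key."""
        spi = int.from_bytes(os.urandom(4), "big") | 0x100
        sa = SA(spi, e.peer, e.protocol, os.urandom(20), e.mode, e.lifetime_bytes)
        self.sad[(spi, e.peer, e.protocol)] = sa
        self.negotiated.append(spi)
        return sa

    def outbound(self, p: Packet, size: int = 0):
        """Slide 35: returns (action, SA or None); raises when policy discards the packet."""
        for e in self.spd:
            if not e.selector.matches(p):
                continue
            if e.action is Action.DISCARD:
                raise PermissionError(f"policy discards {p}")
            if e.action is Action.BYPASS:
                return Action.BYPASS, None
            sa = next((s for s in self.sad.values()
                       if s.dst == e.peer and s.protocol == e.protocol and not s.expired()), None)
            if sa is None:                 # none exists, or its lifetime is exhausted
                sa = self._negotiate(e)
            sa.bytes_used += size
            sa.seq += 1                    # the sequence number that goes into the ESP/AH header
            return Action.PROTECT, sa
        raise PermissionError(f"no SPD entry matches {p}: default is discard")

    def inbound(self, spi: int, dst: str, protocol: str):
        """Slide 36: we are the responder, so the SA must already exist; None means drop and log."""
        return self.sad.get((spi, dst, protocol))
```

Ordering matters: the telnet discard sits above the site-to-site protect entry in the test below, and the catch-all bypass sits last; swapping them silently changes what leaves the gateway in the clear.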

Slides 37-40: IPSec - security associations (figures)

Slide 41: IPSec - IKE
- a specific adaptation of more general protocols (Oakley and ISAKMP)
- two levels of SA are negotiated:
  - an initial context (bidirectional, with heavy-duty authentication and negotiation)
  - then several client SAs, negotiated quickly using the initial SA as a secure channel; one for each direction and each of AH and ESP
- the initial SA is also used for error traffic and similar management traffic

Slide 42: IPSec - IKE security
- authentication of the parties: digital signature, proof of knowledge of a private key, or a shared key
- establishment of a fresh shared secret; the shared secret is used to derive the keys for channel confidentiality and authentication
- Perfect Forward Secrecy, at the cost of using up shared material
- (partial) anti-clogging, against denial-of-service attacks
- secure negotiation of algorithms: asymmetric (e.g. RSA, elliptic curve), symmetric (e.g. 3DES, Blowfish, AES), and hash (e.g. MD5, SHA-1)

Slide 43: IPSec - IKE
- phase 1: exchange to establish a secure key-management channel
  - Main mode: slower, more cautious, hides the details of the credentials used, and allows forward secrecy (independence of short-term keys)
  - Aggressive mode: less negotiation, fewer round trips, more information disclosed
- phase 2: quick mode establishes the SAs for IPSec itself, using the phase 1 channel
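How the phase 1 shared secret turns into the phase 2 keys, as an added example that follows RFC 2409 section 5 (IKEv1, which is what the slides describe; IKEv2 changed the derivation): SKEYID from the pre-shared key and nonces, then SKEYID_d/a/e chained through the prf, and quick-mode KEYMAT per protocol and SPI, with the optional quick-mode Diffie-Hellman secret that gives Perfect Forward Secrecy. The anti-clogging cookie of slide 42 is also shown. The Diffie-Hellman results `g_xy` and `g_qm_xy` are taken as constructed byte strings, since running a real MODP group is not the point here; nothing below is code from the slides.

```python
import hmac
import hashlib

PROTO_IPSEC_AH = 2     # ISAKMP IPsec DOI protocol identifiers (RFC 2407)
PROTO_IPSEC_ESP = 3


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 negotiates the prf; the default is the HMAC of the negotiated hash, here SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def make_cookie(secret: bytes, peer_ip: str, peer_port: int, epoch_minute: int) -> bytes:
    """Anti-clogging cookie (RFC 2408 sec. 2.5.3 construction): 8 bytes the responder can
    regenerate from a local secret and the peer's address, so it stores no state and does
    no Diffie-Hellman work until the initiator echoes the cookie from a reachable address."""
    msg = f"{peer_ip}:{peer_port}:{epoch_minute}".encode()
    return prf(secret, msg)[:8]


def cookie_valid(secret: bytes, peer_ip: str, peer_port: int, cookie: bytes, now_minute: int) -> bool:
    # accept the current minute and the previous one, so a clock tick mid-exchange is harmless
    return any(hmac.compare_digest(cookie, make_cookie(secret, peer_ip, peer_port, m))
               for m in (now_minute, now_minute - 1))


def phase1_keys(psk: bytes, ni: bytes, nr: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 sec. 5 with pre-shared-key authentication.  ni/nr are the nonces,
    g_xy the phase 1 Diffie-Hellman secret, cky_i/cky_r the initiator/responder cookies."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")              # seeds IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")   # authenticates ISAKMP msgs
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")   # encrypts ISAKMP msgs
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def quick_mode_keymat(skeyid_d: bytes, protocol: int, spi: bytes, ni: bytes, nr: bytes,
                      needed: int, g_qm_xy: bytes = b"") -> bytes: 
    """Phase 2 keying material for one SA (one direction, one SPI).
    g_qm_xy is the fresh quick-mode DH secret: present = PFS, absent = every IPsec
    key is a function of the phase 1 secret alone, so compromising SKEYID_d later
    exposes all past traffic."""
    if len(spi) != 4:
        raise ValueError("SPI is 4 octets")
    keymat, k = b"", b""
    while len(keymat) < needed:      # K1 = prf(SKEYID_d, ...), Kn = prf(SKEYID_d, Kn-1 | ...)
        k = prf(skeyid_d, k + g_qm_xy + bytes([protocol]) + spi + ni + nr)
        keymat += k
    return keymat[:needed]
```

For a 3DES + HMAC-SHA-1 ESP SA, `needed` is 24 + 20 = 44 bytes; the inbound and outbound SAs differ only in SPI and therefore get unrelated keys, which is what the test checks.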

Slide 44: IPSec - key management
- manual
- automated:
  - Oakley Key Determination Protocol
  - Internet Security Association and Key Management Protocol (ISAKMP)

Slide 45: IPSec - Oakley
- three authentication methods: digital signatures, public-key encryption, symmetric-key encryption

Slide 46: IPSec - ISAKMP (figure)

Slide 47: VoIP - basics
- H.323: recommendations for voice, video and data traffic over IP LANs
  - call control (on TCP): H.225, Q.931, H.245
  - data (on TCP): T.120
  - audio and video (on UDP): G.7xx, H.26x, RTP
  - A/V control (on UDP): RTCP, RAS

Slide 48: VoIP - basics
- CODEC: analog signal digitization, 8 kHz sampling with 8 bits per sample -> 64 Kbps (G.711); with compression -> 32 Kbps
- creation of the voice datagram: add the headers (RTP, UDP, IP, ...)
- TCP-UDP/IP packet generation:
  - TCP to set up and tear down calls and to negotiate parameters
  - RTP over UDP to carry the media, with no quality guarantee
- packet transmission

Slide 49: VoIP - basics
- packet reception:
  - process the headers
  - re-sequence and buffer (the de-jitter delay)
  - CODEC: digital-to-analog signal reconstruction

Slide 50: VoIP - basics
- network delay
- packet loss and its compensation
- variable inter-packet timing (jitter)
- voice compression
- transducers
- echo cancellation
- voice activity detection

Slide 51: VoIP - basics
- acceptable total delay:
  - on wire: 150-200 ms
  - on satellite: up to 300 ms
- budget: digitization up to 30 ms, queueing up to 30 ms, buffering up to 70 ms
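The receiver side of slides 49-51 made concrete, as an added example (not code from the slides): the RFC 3550 interarrival-jitter estimator, the re-sequencing step, and a fixed de-jitter buffer whose depth is chosen against the 70 ms buffering budget above. The two traces are constructed, not measured: G.711 at 20 ms packetisation with a 50 ms base network delay, and a second copy where two packets are held back so that packet 4 arrives after packet 5.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RtpArrival:
    seq: int         # RTP sequence number
    sent_ms: float   # RTP timestamp converted to ms (timestamp / clock rate)
    recv_ms: float   # local arrival time in ms


def interarrival_jitter(trace: list) -> float:
    """RFC 3550 sec. 6.4.1, run over packets in arrival order:
    D(i,j) = (Rj - Ri) - (Sj - Si);  J = J + (|D| - J) / 16."""
    j = 0.0
    for prev, cur in zip(trace, trace[1:]):
        d = (cur.recv_ms - prev.recv_ms) - (cur.sent_ms - prev.sent_ms)
        j += (abs(d) - j) / 16
    return j


def resequence(trace: list) -> list:
    """Play in RTP sequence order, whatever the arrival order."""
    return [p.seq for p in sorted(trace, key=lambda p: p.seq)]


def late_packets(trace: list, playout_delay_ms: float, ptime_ms: float) -> list:
    """Sequence numbers that miss their playout slot with a fixed buffer of playout_delay_ms.
    Playout starts that long after the first packet arrives; slot k follows k * ptime later.
    A late packet is discarded (or concealed), which the listener hears as a dropout."""
    first = min(trace, key=lambda p: p.recv_ms)
    start = first.recv_ms + playout_delay_ms
    return sorted(p.seq for p in trace
                  if p.recv_ms > start + (p.seq - first.seq) * ptime_ms)


def min_playout_delay(trace: list, ptime_ms: float, budget_ms: float = 70.0):
    """Smallest buffer depth (1 ms steps) that loses nothing, capped at the buffering budget.
    None means the jitter cannot be absorbed within the budget: packets will be dropped."""
    for depth in range(0, int(budget_ms) + 1):
        if not late_packets(trace, depth, ptime_ms):
            return depth
    return None


PTIME = 20.0   # G.711 at 20 ms packetisation: 160 samples at 8 kHz per packet

# Constructed traces (not measurements): 8 packets, 50 ms base delay.
STEADY = [RtpArrival(k, 20.0 * (k - 1), 20.0 * (k - 1) + 50.0) for k in range(1, 9)]
EXTRA = [0, 5, 0, 30, 0, 0, 12, 0]      # packet 4 is held 30 ms and arrives after packet 5
JITTERY = sorted((RtpArrival(k, 20.0 * (k - 1), 20.0 * (k - 1) + 50.0 + EXTRA[k - 1])
                  for k in range(1, 9)), key=lambda p: p.recv_ms)   # arrival order, as seen
```

The jitter estimator is what an RTCP receiver report carries, so it is also the number to watch when comparing a clear call with a VoIPSec call on the same link: crypto-engine queueing shows up here before it shows up as loss.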

Slide 52: VoIP - basics
Table: number of telephone calls and average delay (ms) as a function of link bandwidth (Kbps), for payload sizes of 10, 20 and 40 bytes. Only the delay brackets (<100 ms, ~100 ms) and a few call counts (2, 5, 9) survived the transcription; the bandwidth column is missing.

Slide 53: QoS - basics
- TCP/IP is a best-effort protocol suite: no inherent service guarantee on delay or bandwidth
- ad hoc protocols for QoS; the TOS bits in the IP header
- RFC 2211: Specification of the Controlled-Load Network Element Service
- RFC 2212: Specification of Guaranteed Quality of Service

Slide 54: QoS - basics
- providing guarantees on service quality (firm bounds on end-to-end datagram queueing delay) by means of:
  - endpoint specification of traffic characteristics
  - admission control policies
  - packet classification
  - packet queueing/scheduling policies
  - traffic shaping
  - resource reservation
  - header compression (not always possible in the presence of IPSec, since the headers to compress are encrypted)

Slide 55: QoS - basics
- QoS protocols:
  - RSVP (RFC 2205): resource reservation
  - Diff-Serv: differentiated services

Slide 56: VoIPSec
- voice transmission over IPSec-secured networks: combine the VoIP protocols with IPSec. Is it possible?
- issues:
  - additional delays (encryption)
  - packet size increase (ESP and the additional tunnel header)

Slide 57: VoIPSec - QoS configuration
- Diff-Serv environment with TOS/DSCP to manage congestion and packet discard
- it is necessary to copy the DSCP field into the external IP header for proper handling of the tunnelled packets
- LLQ (Low Latency Queueing): queue management to handle RTP packets properly
- LFI (Link Fragmentation and Interleaving): fragments large packets and interleaves the fragments with voice packets

Slide 58: VoIPSec - experimental setting (figure)

Slide 59: VoIPSec - experimental setting (figure: Phone1, Phone2, routers R1, R2, R3, IPSec tunnels, TG)

Slide 60: VoIPSec - experimental setting
- ESP in tunnel mode
- Ethernet 100 Mbps links
- the dial peers set the TOS bits for the signaling and the media flows (IOS ver. 12.2)
- LLQ configured with a reserved bandwidth of 64 Kbps on both the serial and the Ethernet link
- the serial link is a PPP multilink with LFI enabled and maximum latency set to 10 ms
- RTP addresses are forced to match the access lists

Slide 61: VoIPSec - packet format (figure)

Slide 62: VoIPSec - figures of merit
For the various protocols:
- packet size
- packet delay
- crypto-engine throughput
- packet interarrival time

Slide 63: VoIPSec - phone calls (128 Kbps link, 50 pps, 40-byte payload)

Packet type     | Hdr [Byte] | Pkt len. [Byte] | Ratio Hd/Pk | Size incr. | Perf. reduc. | #calls
crtp            |            |                 |             | 0%         | 0%           | 7
IP              |            |                 |             | 78%        | 44%          | 4
IPsec DES       |            |                 |             | 271%       | 63%          | 2
IPsec 3DES+SHA  |            |                 |             | 298%       | 66%          | 2

Size increase is w.r.t. the crtp packet length; performance reduction is w.r.t. the crtp number of calls. The header size, packet length and Hd/Pk ratio columns did not survive the transcription.

Slide 64: VoIPSec - packet size (figure: packet size increase [%], 0-100%, vs original size [Bytes], for DES & 3DES, NULL + SHA, 3DES + SHA)

Slide 65: VoIPSec - packet delay
- transmission delay increases proportionally with packet size and is the same at every router (whether an IPSec peer or not)
- internal router delays (e.g. checksum calculation) are folded into a generic IPsec delay
- multiple traffic streams were injected into the test network, starting at random times, to create a realistic scenario
- individual flows are distinguished by their IP source address

Slide 66: VoIPSec - packet delay
- measured/modeled traffic delay is reported as a function of traffic intensity (pps) on a 128 Kbps link with 90-byte packets
- for encrypted traffic (leftmost set of curves) the delay grows much earlier, i.e. at smaller traffic rates, than for clear traffic
- the time a packet waits before it gets access to the crypto-engine cannot be estimated a priori, so the model is more precise for clear traffic

Slide 67: VoIPSec - packet delay (figure: 128 Kbps link, 90 B payload)

Slide 68: VoIPSec - crypto-engine throughput
- packet encryption and construction of the new headers (ESP + IP tunnel)
- various crypto-algorithms and packet sizes, 100 Mbps link
- traffic is increased until the crypto-engine saturates
- the crypto-engine is a serious bottleneck for real-time traffic over IPSec: it is impossible to control packet access to the crypto-engine

Slide 69: VoIPSec - crypto-engine throughput (figure: throughput [pps] vs traffic rate [pps], for Plain, DES, 3DES, NULL + SHA, 3DES + SHA)

Slide 70: VoIPSec - packet interarrival time
- experiments with real voice traffic
- 3DES-encrypted phone call on an empty link and on a busy link (extra traffic of 1200-byte packets)

Slide 71: VoIPSec - packet interarrival time, empty link (figure: relative delay [sec], 0-0.03, vs packets)

Slide 72: VoIPSec - packet interarrival time, busy link (figure: relative delay [sec], 0-0.03, vs packets)

Slide 73: VoIPSec - QoS analysis
- three traffic streams, all 3DES-encrypted:
  - T1: phone call with the TOS bits set (priority), 70-byte packets at 50 pps
  - T2: phone call without priority, otherwise with equal parameters
  - T3: extra stream of jumbo datagrams, 1500-byte packets at 1 pps, to simulate ordinary traffic

Slide 74: VoIPSec - QoS analysis
- traffic delay is measured as the difference in arrival time of consecutive packets
- the call performed without QoS control (T2) suffers a great variability in the measured interarrival times, hence the largest standard deviation
- the most stable stream is the one of jumbo datagrams (T3)
- the phone call with priority (T1) experiences some variability, less than T2

Slide 75: VoIPSec - QoS analysis, packet interarrival time (figure)

Slide 76: VoIPSec - cIPsec
- packet size is critical for performance
- new header compression scheme, based on cRTP: the second-order difference is zero in parts of the IP-UDP-RTP headers
- session context and shared information:
  - IP src and dst, UDP ports, RTP SSRC fields
  - full IP, UDP, RTP headers of the last packet
  - last value of the 4-bit sequence number

Slide 77: VoIPSec - cIPsec
- the headers reduce to:
  - session Context ID: 16 bit
  - link sequence: 8 bit
  - sequence bit, checksum bit, retransmission bit
  - UDP checksum: 32 bit, optional
  - RTP sequence: 32 bit, optional

Slide 78: VoIPSec - cIPsec bandwidth analysis (figure: bandwidth used by plain VoIP, VoIPsec and cIPsec packets for various error rates)

Slide 79: VoIPSec - cIPsec advantages
- with voice traffic, less expensive to compute than cRTP
- effective bandwidth reduction up to 50%
- with IPSec, an average 2% packet length increase w.r.t. plain IP
- reduction of transmission delay: the expected reduction is similar to the bandwidth usage optimization
- better usage of the CPU and of the crypto-engine: faster encryption phase, 2%-6.5% depending on the algorithm
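The second-order-difference idea behind cRTP and cIPsec, as an added example with its own toy frame format (this is not the cIPsec format of the paper, only an illustration of the principle): the compressor keeps, per flow, the last headers and their first-order deltas; when a packet's deltas match the stored ones it sends only the 16-bit context ID and an 8-bit link sequence number, otherwise it resends the full headers and updates the deltas. The decompressor mirrors the context and uses the link sequence to detect a lost packet, the case where it must ask for a full header rather than silently reconstruct the wrong one. The header fields and the flow are constructed for the example.

```python
import struct
from dataclasses import dataclass

FULL, COMPRESSED = 0, 1


@dataclass(frozen=True)
class VoiceHeaders:
    """The IP/UDP/RTP fields that matter for compression; the payload is carried unchanged."""
    src: str
    dst: str
    sport: int
    dport: int
    ssrc: int
    ip_id: int
    rtp_seq: int
    rtp_ts: int

    def flow(self):          # session context: constant for the whole call
        return (self.src, self.dst, self.sport, self.dport, self.ssrc)

    def changing(self):      # fields that advance by a constant per packet
        return (self.ip_id, self.rtp_seq, self.rtp_ts)


def _addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def _pack_full(cid: int, link_seq: int, h: VoiceHeaders) -> bytes:
    return struct.pack("!BHB4s4sHHIHHI", FULL, cid, link_seq, _addr(h.src), _addr(h.dst),
                       h.sport, h.dport, h.ssrc, h.ip_id, h.rtp_seq, h.rtp_ts)


@dataclass
class Context:
    cid: int
    last: VoiceHeaders
    deltas: tuple = None     # first-order differences of the changing fields, once known
    link_seq: int = 0


class Compressor:
    def __init__(self):
        self.by_flow = {}
        self.next_cid = 0

    def compress(self, h: VoiceHeaders) -> bytes:
        ctx = self.by_flow.get(h.flow())
        if ctx is None:                        # new session: allocate a context, send everything
            ctx = self.by_flow[h.flow()] = Context(self.next_cid, h)
            self.next_cid = (self.next_cid + 1) & 0xFFFF
            return _pack_full(ctx.cid, ctx.link_seq, h)
        deltas = tuple(a - b for a, b in zip(h.changing(), ctx.last.changing()))
        ctx.link_seq = (ctx.link_seq + 1) & 0xFF
        ctx.last = h
        if deltas == ctx.deltas:               # second-order difference is zero: 4 bytes suffice
            return struct.pack("!BHB", COMPRESSED, ctx.cid, ctx.link_seq)
        ctx.deltas = deltas                    # deltas changed (or not yet known): full headers
        return _pack_full(ctx.cid, ctx.link_seq, h)


class Decompressor:
    def __init__(self):
        self.by_cid = {}

    def decompress(self, frame: bytes) -> VoiceHeaders:
        kind, cid, link_seq = struct.unpack("!BHB", frame[:4])
        ctx = self.by_cid.get(cid)
        if kind == FULL:
            f = struct.unpack("!4s4sHHIHHI", frame[4:])
            h = VoiceHeaders(".".join(map(str, f[0])), ".".join(map(str, f[1])), *f[2:])
            if ctx is None:
                self.by_cid[cid] = Context(cid, h, None, link_seq)
            else:                              # learn the new deltas exactly as the compressor did
                ctx.deltas = tuple(a - b for a, b in zip(h.changing(), ctx.last.changing()))
                ctx.last, ctx.link_seq = h, link_seq
            return h
        if ctx is None or ctx.deltas is None:
            raise ValueError(f"no usable context {cid}: a full header is needed")
        if link_seq != (ctx.link_seq + 1) & 0xFF:
            raise ValueError(f"context {cid} out of sync (lost packet): request a full header")
        ip_id, seq, ts = (a + d for a, d in zip(ctx.last.changing(), ctx.deltas))
        h = VoiceHeaders(*ctx.last.flow(), ip_id & 0xFFFF, seq & 0xFFFF, ts & 0xFFFFFFFF)
        ctx.last, ctx.link_seq = h, link_seq
        return h


def sample_stream(n: int, base_id: int = 100, base_seq: int = 1, base_ts: int = 0) -> list:
    """Constructed G.711 headers: IP ID and RTP seq advance by 1, timestamp by 160 per packet."""
    return [VoiceHeaders("10.1.1.10", "10.2.2.20", 16384, 16384, 0x12345678,
                         base_id + k, base_seq + k, base_ts + 160 * k) for k in range(n)]
```

Two full frames are needed before compression starts (the first establishes the context, the second the deltas); a timestamp jump after a silence period forces the same two-frame resynchronisation.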

Slide 80: VoIPSec - the meat
- can VoIPSec replace VoIP seamlessly?
- quantitative experimental analysis
- the bottleneck is in the crypto-engine, NOT in the computation
- new header compression scheme for VoIPSec

Slide 81: References
R. Barbieri, D. Bruschi, E. Rosti, "Voice over IPSec: analysis and solutions", Proc. Annual Computer Security Applications Conference (ACSAC).


More information

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August The requirements for a future all-digital-data distributed network which provides common user service for a wide range of users having different requirements is considered. The use of a standard format

More information

Virtual Private Networks (VPN)

Virtual Private Networks (VPN) CYBR 230 Jeff Shafer University of the Pacific Virtual Private Networks (VPN) 2 Schedule This Week Mon September 4 Labor Day No class! Wed September 6 VPN Project 1 Work Fri September 8 IPv6? Project 1

More information

Lecture 12 Page 1. Lecture 12 Page 3

Lecture 12 Page 1. Lecture 12 Page 3 IPsec Network Security: IPsec CS 239 Computer Software February 26, 2003 Until recently, the IP protocol had no standards for how to apply security Encryption and authentication layered on top Or provided

More information

Mobile Communications Chapter 9: Network Protocols/Mobile IP

Mobile Communications Chapter 9: Network Protocols/Mobile IP Mobile Communications Chapter 9: Network Protocols/Mobile IP Motivation Data transfer Encapsulation Security IPv6 Problems DHCP Ad-hoc s Routing protocols 9.0.1 Motivation for Mobile IP Routing based on

More information

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Chapter 16: Communications Security Chapter 16: 2 Agenda Threat model Secure tunnels Protocol design principles IPsec

More information

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho Internet Security - IPSec, SSL/TLS, SRTP - 29th. Oct. 2007 Lee, Choongho chlee@mmlab.snu.ac.kr Contents Introduction IPSec SSL / TLS SRTP Conclusion 2/27 Introduction (1/2) Security Goals Confidentiality

More information

ETSF10 Internet Protocols Transport Layer Protocols

ETSF10 Internet Protocols Transport Layer Protocols ETSF10 Internet Protocols Transport Layer Protocols 2012, Part 2, Lecture 2.2 Kaan Bür, Jens Andersson Transport Layer Protocols Special Topic: Quality of Service (QoS) [ed.4 ch.24.1+5-6] [ed.5 ch.30.1-2]

More information

VPN Ports and LAN-to-LAN Tunnels

VPN Ports and LAN-to-LAN Tunnels CHAPTER 6 A VPN port is a virtual port which handles tunneled traffic. Tunnels are virtual point-to-point connections through a public network such as the Internet. All packets sent through a VPN tunnel

More information

CS 356 Internet Security Protocols. Fall 2013

CS 356 Internet Security Protocols. Fall 2013 CS 356 Internet Security Protocols Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5

More information

IPsec NAT Transparency

IPsec NAT Transparency sec NAT Transparency First Published: November 25, 2002 Last Updated: March 1, 2011 The sec NAT Transparency feature introduces support for Security (sec) traffic to travel through Network Address Translation

More information

Introduction to IPv6. IPv6 addresses

Introduction to IPv6. IPv6 addresses Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 IPv6 addresses 128 bits long Written as eight 16-bit integers separated with colons E.g. 1080:0000:0000:0000:0000:0008:200C:417A = 1080::8:800:200C:417A

More information

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN Issue 1.1 Date 2014-03-14 HUAWEI TECHNOLOGIES CO., LTD. 2014. All rights reserved. No part of this document may be reproduced or

More information

Table of Contents 1 IKE 1-1

Table of Contents 1 IKE 1-1 Table of Contents 1 IKE 1-1 IKE Overview 1-1 Security Mechanism of IKE 1-1 Operation of IKE 1-1 Functions of IKE in IPsec 1-2 Relationship Between IKE and IPsec 1-3 Protocols 1-3 Configuring IKE 1-3 Configuration

More information

IPSec implementation for SCTP

IPSec implementation for SCTP SCTP and Proposed Modifications to Aditya Kelkar Alok Sontakke Srivatsa R. Dept. of CSE. IIT Bombay October 31, 2004 SCTP and Proposed Modifications to 1 2 3 SCTP and 4 Proposed Modifications to 5 SCTP

More information

Internet security and privacy

Internet security and privacy Internet security and privacy IPsec 1 Layer 3 App. TCP/UDP IP L2 L1 2 Operating system layers App. TCP/UDP IP L2 L1 User process Kernel process Interface specific Socket API Device driver 3 IPsec Create

More information

Position of IP and other network-layer protocols in TCP/IP protocol suite

Position of IP and other network-layer protocols in TCP/IP protocol suite Position of IP and other network-layer protocols in TCP/IP protocol suite IPv4 is an unreliable datagram protocol a best-effort delivery service. The term best-effort means that IPv4 packets can be corrupted,

More information

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land IPv6 1 IPv4 & IPv6 Header Comparison IPv4 Header IPv6 Header Ver IHL Type of Service Total Length Ver Traffic Class Flow Label Identification Flags Fragment Offset Payload Length Next Header Hop Limit

More information

CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management CIS 6930/4930 Computer and Network Security Topic 8.2 Internet Key Management 1 Key Management Why do we need Internet key management AH and ESP require encryption and authentication keys Process to negotiate

More information

Internet Services & Protocols. Quality of Service Architecture

Internet Services & Protocols. Quality of Service Architecture Department of Computer Science Institute for System Architecture, Chair for Computer Networks Internet Services & Protocols Quality of Service Architecture Dr.-Ing. Stephan Groß Room: INF 3099 E-Mail:

More information

Network Security: IPsec. Tuomas Aura

Network Security: IPsec. Tuomas Aura Network Security: IPsec Tuomas Aura 3 IPsec architecture and protocols Internet protocol security (IPsec) Network-layer security protocol Protects IP packets between two hosts or gateways Transparent to

More information

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Int ernet w orking Internet Security Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Internet Security Internet security is difficult Internet protocols were not originally designed for security The

More information

Module 28 Mobile IP: Discovery, Registration and Tunneling

Module 28 Mobile IP: Discovery, Registration and Tunneling Module 28 Mobile IP: Discovery, and Tunneling Learning Objectives Introduction to different phases of Mobile IP Understanding how a mobile node search the agents using Discovery process Understand how

More information

COSC4377. Chapter 8 roadmap

COSC4377. Chapter 8 roadmap Lecture 28 Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7

More information

Da t e: August 2 0 th a t 9: :00 SOLUTIONS

Da t e: August 2 0 th a t 9: :00 SOLUTIONS Interne t working, Examina tion 2G1 3 0 5 Da t e: August 2 0 th 2 0 0 3 a t 9: 0 0 1 3:00 SOLUTIONS 1. General (5p) a) Place each of the following protocols in the correct TCP/IP layer (Application, Transport,

More information

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München ilab Lab 8 SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one specific port SSL

More information

Service Managed Gateway TM. Configuring IPSec VPN

Service Managed Gateway TM. Configuring IPSec VPN Service Managed Gateway TM Configuring IPSec VPN Issue 1.2 Date 12 November 2010 1: Introduction 1 Introduction... 3 1.1 What is a VPN?... 3 1.2 The benefits of an Internet-based VPN... 3 1.3 Tunnelling

More information

II. Principles of Computer Communications Network and Transport Layer

II. Principles of Computer Communications Network and Transport Layer II. Principles of Computer Communications Network and Transport Layer A. Internet Protocol (IP) IPv4 Header An IP datagram consists of a header part and a text part. The header has a 20-byte fixed part

More information

internet technologies and standards

internet technologies and standards Institute of Telecommunications Warsaw University of Technology 2017 internet technologies and standards Piotr Gajowniczek Andrzej Bąk Michał Jarociński Network Layer The majority of slides presented in

More information

A common issue that affects the QoS of packetized audio is jitter. Voice data requires a constant packet interarrival rate at receivers to convert

A common issue that affects the QoS of packetized audio is jitter. Voice data requires a constant packet interarrival rate at receivers to convert A common issue that affects the QoS of packetized audio is jitter. Voice data requires a constant packet interarrival rate at receivers to convert data into a proper analog signal for playback. The variations

More information

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS Topology Note: ISR G1 devices use FastEthernet interfaces instead of GigabitEthernet interfaces. 2017 Cisco and/or its affiliates. All rights

More information

Configuring Internet Key Exchange Security Protocol

Configuring Internet Key Exchange Security Protocol Configuring Internet Key Exchange Security Protocol This chapter describes how to configure the Internet Key Exchange (IKE) protocol. IKE is a key management protocol standard that is used in conjunction

More information

IPv6: An Introduction

IPv6: An Introduction Outline IPv6: An Introduction Dheeraj Sanghi Department of Computer Science and Engineering Indian Institute of Technology Kanpur dheeraj@iitk.ac.in http://www.cse.iitk.ac.in/users/dheeraj Problems with

More information

Internet. 1) Internet basic technology (overview) 3) Quality of Service (QoS) aspects

Internet. 1) Internet basic technology (overview) 3) Quality of Service (QoS) aspects Internet 1) Internet basic technology (overview) 2) Mobility aspects 3) Quality of Service (QoS) aspects Relevant information: these slides (overview) course textbook (Part H) www.ietf.org (details) IP

More information

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link. Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:

More information

Introduction to computer networking

Introduction to computer networking edge core Introduction to computer networking Comp Sci 3600 Security Outline edge core 1 2 edge 3 core 4 5 6 The edge core Outline edge core 1 2 edge 3 core 4 5 6 edge core Billions of connected computing

More information

Configuring Security for VPNs with IPsec

Configuring Security for VPNs with IPsec This module describes how to configure basic IPsec VPNs. IPsec is a framework of open standards developed by the IETF. It provides security for the transmission of sensitive information over unprotected

More information

Data & Computer Communication

Data & Computer Communication Basic Networking Concepts A network is a system of computers and other devices (such as printers and modems) that are connected in such a way that they can exchange data. A bridge is a device that connects

More information

Mohammad Hossein Manshaei 1393

Mohammad Hossein Manshaei 1393 Mohammad Hossein Manshaei manshaei@gmail.com 1393 Voice and Video over IP Slides derived from those available on the Web site of the book Computer Networking, by Kurose and Ross, PEARSON 2 Multimedia networking:

More information

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1 Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 16: 1 Chapter 16: Communications Security Chapter 16: 2 Agenda Threat model Secure tunnels Protocol design principles IPsec

More information

IBM i Version 7.2. Security Virtual Private Networking IBM

IBM i Version 7.2. Security Virtual Private Networking IBM IBM i Version 7.2 Security Virtual Private Networking IBM IBM i Version 7.2 Security Virtual Private Networking IBM Note Before using this information and the product it supports, read the information

More information

IPv6. IPv4 & IPv6 Header Comparison. Types of IPv6 Addresses. IPv6 Address Scope. IPv6 Header. IPv4 Header. Link-Local

IPv6. IPv4 & IPv6 Header Comparison. Types of IPv6 Addresses. IPv6 Address Scope. IPv6 Header. IPv4 Header. Link-Local 1 v4 & v6 Header Comparison v6 Ver Time to Live v4 Header IHL Type of Service Identification Protocol Flags Source Address Destination Address Total Length Fragment Offset Header Checksum Ver Traffic Class

More information

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting both networks

More information

Application Note 11. Main mode IPSec between a Windows 2000 / XP (responder) and a Digi Transport Router (initiator)

Application Note 11. Main mode IPSec between a Windows 2000 / XP (responder) and a Digi Transport Router (initiator) Application Note 11 Main mode IPSec between a Windows 2000 / XP (responder) and a Digi Transport Router (initiator) November 2015 Contents 1 Introduction... 5 1.1 Outline... 5 2 Assumptions... 6 2.1 Corrections...

More information

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia

IP - The Internet Protocol. Based on the slides of Dr. Jorg Liebeherr, University of Virginia IP - The Internet Protocol Based on the slides of Dr. Jorg Liebeherr, University of Virginia Orientation IP (Internet Protocol) is a Network Layer Protocol. IP: The waist of the hourglass IP is the waist

More information

Network Encryption 3 4/20/17

Network Encryption 3 4/20/17 The Network Layer Network Encryption 3 CSC362, Information Security most of the security mechanisms we have surveyed were developed for application- specific needs electronic mail: PGP, S/MIME client/server

More information

How to Configure IPSec Tunneling in Windows 2000

How to Configure IPSec Tunneling in Windows 2000 Home Self Support Assisted Support Custom Support Worldwide Support How to Configure IPSec Tunneling in Windows 2000 The information in this article applies to: Article ID: Q252735 Last Reviewed: February

More information

Lecture 3. The Network Layer (cont d) Network Layer 1-1

Lecture 3. The Network Layer (cont d) Network Layer 1-1 Lecture 3 The Network Layer (cont d) Network Layer 1-1 Agenda The Network Layer (cont d) What is inside a router? Internet Protocol (IP) IPv4 fragmentation and addressing IP Address Classes and Subnets

More information

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP About Tunneling, IPsec, and ISAKMP, on page 1 Licensing for IPsec VPNs, on page 3 Guidelines for IPsec VPNs, on page 4 Configure ISAKMP, on page 5 Configure IPsec, on page 18 Managing IPsec VPNs, on page

More information