IP Security II. Overview

Similar documents
CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management

Outline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management

Outline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection

Outline. Key Management. CSCI 454/554 Computer and Network Security. Key Management

CSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management

CSCE 715: Network Systems Security

CSC Network Security

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

IP Security IK2218/EP2120

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

CSC Network Security

Table of Contents 1 IKE 1-1

IP Security Discussion Raise with IPv6. Security Architecture for IP (IPsec) Which Layer for Security? Agenda. L97 - IPsec.

VPN Ports and LAN-to-LAN Tunnels

Virtual Tunnel Interface

Virtual Private Network

Configuration of an IPSec VPN Server on RV130 and RV130W

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

AIT 682: Network and Systems Security

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

Chapter 11 The IPSec Security Architecture for the Internet Protocol

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

Virtual Private Networks

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

VPN Overview. VPN Types

Configuring LAN-to-LAN IPsec VPNs

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

The IPSec Security Architecture for the Internet Protocol

Internet security and privacy

BiGuard C01 BiGuard VPN Client Quick Installation Guide (BiGuard series VPN enabled devices) Secure access to Company Network

Network Security: IPsec. Tuomas Aura

Configuration Summary

Advanced IKEv2 Protocol Jay Young, CCIE - Technical Leader, Services. Session: BRKSEC-3001

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

Securizarea Calculatoarelor și a Rețelelor 29. Monitorizarea și depanarea VPN-urilor IPSec Site-to-Site

The EN-4000 in Virtual Private Networks

VPNs and VPN Technologies

Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems

Chapter 5: Network Layer Security

Configuring Security for VPNs with IPsec

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway

Configuring IPSec tunnels on Vocality units

IPsec and Secure VPNs

LAN-to-LAN IPsec VPNs

Network Security CSN11111

Configuring VPNs in the EN-1000

Internet Engineering Task Force Mark Baugher(Cisco) Expires: April, 2003 October, 2002

VPNC Scenario for IPsec Interoperability

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Securizarea Calculatoarelor și a Rețelelor 28. Implementarea VPN-urilor IPSec Site-to-Site

Google Cloud VPN Interop Guide

Cryptography and Network Security. Sixth Edition by William Stallings

Sample excerpt. Virtual Private Networks. Contents

Cisco Live /11/2016

CS 494/594 Computer and Network Security

Advanced IPSec Algorithms and Protocols

IKE and Load Balancing

Chapter 6/8. IP Security

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

Real-time protocol. Chapter 16: Real-Time Communication Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

IPSec Site-to-Site VPN (SVTI)

BCRAN. Section 9. Cable and DSL Technologies

Configuring Internet Key Exchange Security Protocol

Site-to-Site VPN. VPN Basics

Introduction to IPsec. Charlie Kaufman

Configuring IPsec and ISAKMP

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

ECC Based IKE Protocol Design for Internet Applications

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

CLEARPASS CONFIGURING IPsec TUNNELS

CIS 6930/4930 Computer and Network Security. Final exam review

IPSec Transform Set Configuration Mode Commands

8. Network Layer Contents

Abstract. Avaya Solution & Interoperability Test Lab

Quick Note. Configure an IPSec VPN tunnel between a Digi TransPort LR router and a Digi Connect gateway. Digi Technical Support 20 September 2016

Lecture 9: Network Level Security IPSec

Firepower Threat Defense Site-to-site VPNs

A crypto map is applied to an interface. The concept of a crypto map was introduced in classic crypto but

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

VPN Auto Provisioning

YANG Data Model for Internet Protocol Security (IPSec) dra:- tran- ipecme- yang- ipsec- 00 K. Tran, Ericsson

Virtual Tunnel Interface

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Security Association Creation

IPSec Network Applications

Configuring an IPSec Tunnel Between a Cisco VPN 3000 Concentrator and a Checkpoint NG Firewall

Securing Networks with Cisco Routers and Switches

How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Transcription:

IP Security II Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@csc.lsu.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601-04/ Louisiana State University 17- IP Security II - 1 Overview Key Management Concept Manual Exchange Internet Key Exchange IPSec Strengths & Weaknesses Implementation of IPSec Louisiana State University 17- IP Security II - 2

Key Management AH and ESP require encryption and authentication keys Process to negotiate and establish IPSec SA s between two entities Handles key generation & distribution Typically need 2 pairs of keys 2 per direction for AH & ESP Louisiana State University 17- IP Security II - 3 Key Management Manual key management sysadmin manually configures every system Automated key management automated system for on demand creation of keys for SA s in large systems has Oakley & ISAKMP elements Louisiana State University 17- IP Security II - 4

Concepts PFS: Perfect Forward Secrecy Obtaining one key does not give access to all data, only data protected by that one key Keys not derived from predecessors Nonces: locally generated pseudorandom numbers Louisiana State University 17- IP Security II - 5 Manual Key Management Mandatory Useful when IPSec developers are debugging Keys exchanged offline (phone, email, etc.) Set up SPI and negotiate parameters Louisiana State University 17- IP Security II - 6

Internet Key Exchange - IKE Used when an outbound packet does not have an SA Tow phases: Establish an IKE SA Use that SA to negotiate IPSec SAs IKE SA used to define encryption & authentication of IKE traffic Multiple IPSec SAs can be established with one IKE SA IKE SA bidirectional Louisiana State University 17- IP Security II - 7 IKE Phase I Create IKE SA Negotiate protection suite Use Diffie-Hellman to establish shared secret Authenticate the shared secret, IKE SA Preshared keys (secret) Digital signatures Public-keys Louisiana State University 17- IP Security II - 8

Phase I Mode Exchanges Main Mode flexible, 6 messages Checks cookies before DH work Aggressive mode faster, 3 messages Open to clogging DoS, doesn t check cookie before DH work Phase II - Quick Mode Louisiana State University 17- IP Security II - 9 Requirements Concepts - Cookies Depend on specific parties Only the issuing entity can generate acceptable cookies implies issuer using local secret Cookie generation and verification must be fast Hash over IP Src/Dest; UDP Src/Dest; local secret Louisiana State University 17- IP Security II - 10

I Initiator Responder Crypto Offered, Cookie C I R Crypto Chosen, C R Negotiate IKE Crypto parameters Nonce N I, Y I NR, YR Exchange items to generate secret Generate SKEYID, DH: K K{ID I, Hash I } Send hash digest so peer can authenticate sender Louisiana State University 17- IP Security II - 11 K{ID R, Hash R } Example: Main Mode Preshared I Initiator Responder Crypto Offered, g a mod p I R Negotiate IKE Crypto parameters Proof I Crypto Chosen,g b mod p, proof R Example: Aggresive Mode Louisiana State University 17- IP Security II - 12

Main Mode Preshared PRF, Pseudo-Random Function, for example DES CBC SKEYID root secret =PRF(preshared-key,N I N R ) SKEYID_d for IPSec SA =PRF(SKEYID,K C I C R 0) K is the secret generated by DH SKEYID_a for IKE message data auth & integrity = PRF(SKEYID,SKEYID_d K C I C R 1) SKEYID_e use to encrypt IKE messages = PRF(SKEYID,SKEYID_a K C I C R 2) Louisiana State University 17- IP Security II - 13 Main Mode Preshared: : Hashes To authenticate each other, each entity generates a hash digest that only the peer could know Hash-I=PRF(SKEYID,Y I Y R C I C R Crypto Offer ID I ) Hash-R=PRF(SKEYID,Y R Y I C I C R Crypto Offer ID R ) Louisiana State University 17- IP Security II - 14

Default: no PFS IKE Phase II Keys Keys for IPSec SA derived from IKE shared secret With PFS: use nonces Louisiana State University 17- IP Security II - 15 Phase II What traffic does SA cover? Initiator specifies which entries (selectors) in SPD are for this IPSec SA, sends off to responder Keys and SA attributes communicated with the Phase I - IKE SA Passes encrypted & authenticated Louisiana State University 17- IP Security II - 16

Example: Quick Mode Initiator Responder I HASH1, IPSec SA, Nonce I, [New K] R Negotiate IPSec SA Parameters, [PFS] HASH2, SA, Nonce R, [New K] HASH3 Replay? Liveness proof for Responder Louisiana State University 17- IP Security II - 17 IPSec Key exchange and encryption are separate New encryption algorithms can be added Complex a lot of flexibility & options Best VPN standard we ve got Louisiana State University 17- IP Security II - 18

The ANX: Realworld IPSec Automotive Networking exchange Private network for Big 3 Auto Manufactures and their suppliers Uses IPSec to secure communication Certification for ANX turned standards into reality See http://www.anx.com http://www.infosecuritymag.com/apr99/anx%20s IDEBAR.htm http://www.internetwk.com/indepth/indepth101899.htm Louisiana State University 17- IP Security II - 19 Summary Key Management Concept Manual Exchange Internet Key Exchange IPSec Strengths & Weaknesses Implementation of IPSec Louisiana State University 17- IP Security II - 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback