IPSec implementation for SCTP

Similar documents
CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

CSC 6575: Internet Security Fall 2017

IPSec. Overview. Overview. Levente Buttyán

Cryptography and Network Security. Sixth Edition by William Stallings

IP Security. Have a range of application specific security mechanisms

CSCE 715: Network Systems Security

The IPsec protocols. Overview

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

IP Security. Cunsheng Ding HKUST, Kong Kong, China

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

CSE509: (Intro to) Systems Security

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

Transport Layer. The transport layer is responsible for the delivery of a message from one process to another. RSManiaol

Chapter 11 The IPSec Security Architecture for the Internet Protocol

Chapter 6/8. IP Security

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

TSIN02 - Internetworking

ET4254 Communications and Networking 1

Firewalls, Tunnels, and Network Intrusion Detection

The IPSec Security Architecture for the Internet Protocol

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

8. Network Layer Contents

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

IP Security IK2218/EP2120

TSIN02 - Internetworking

Chapter 5: Network Layer Security

Virtual Private Networks

TSIN02 - Internetworking

Stream Control Transmission Protocol (SCTP)

Lecture 12 Page 1. Lecture 12 Page 3

Network Encryption 3 4/20/17

An SCTP-Protocol Data Unit with several chunks

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 13 Page 1. Lecture 13 Page 3

COSC4377. Chapter 8 roadmap

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

Outline. History Introduction Packets Association/ Termination Data Transmission concepts Multihoming Streams

Network Security: IPsec. Tuomas Aura

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

CSC 4900 Computer Networks: Security Protocols (2)

Lecture 9: Network Level Security IPSec

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

IP Security Part 1 04/02/06. Hofstra University Network Security Course, CSC290A

IPsec Working Group. draft-ietf-ipsec-rfc2402bis-05.txt September 2003 Expires March IP Authentication Header draft-ietf-ipsec-rfc2402bis-05.

TCP/IP Protocol Suite 1

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

Network Working Group. Obsoletes: 2402 December 2005 Category: Standards Track

Computer Network Programming

IPV6 SIMPLE SECURITY CAPABILITIES.

RFC 3173 IP Payload Compression Protocol September 2001

Internet security and privacy

MULTIHOMING AND MULTISTREAM PROTOCOL IN COMPUTER NETWORKS

RTP. Prof. C. Noronha RTP. Real-Time Transport Protocol RFC 1889

Sample excerpt. Virtual Private Networks. Contents

CIT 480: Securing Computer Systems

IPsec NAT Transparency

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

Cryptography and Network Security

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

RFC 430x IPsec Support

Virtual Private Network

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Voice over IPSec. Emilia Rosti Dip. Informatica e Comunicazione Univ. Degli Studi di Milano

Application Layer. Presentation Layer. Session Layer. Transport Layer. Network Layer. Data Link Layer. Physical Layer

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Chapter 10: Cipher Techniques

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

The EN-4000 in Virtual Private Networks

IPSec Transform Set Configuration Mode Commands

IPsec Working Group. Expires January 2003 July IP Authentication Header draft-ietf-ipsec-rfc2402bis-01.txt. Status of This Memo

VPN Ports and LAN-to-LAN Tunnels

CHAPTER 18 INTERNET PROTOCOLS ANSWERS TO QUESTIONS

Information Security & Privacy

Network Working Group Request for Comments: November 1998

Virtual Private Networks (VPN)

Network Working Group Request for Comments: Nokia Research Center F. Dupont GET/ENST Bretagne June 2004

AIT 682: Network and Systems Security

Packetization Layer Path Maximum Transmission Unit Discovery (PLPMTU) For IPsec Tunnels

Experimental Tests on SCTP over IPSec

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

Internet Protocol and Transmission Control Protocol

Chapter 2 Advanced TCP/IP

EE 610 Part 2: Encapsulation and network utilities

Position of IP and other network-layer protocols in TCP/IP protocol suite

Introduction to Networked Multimedia An Introduction to RTP p. 3 A Brief History of Audio/Video Networking p. 4 Early Packet Voice and Video

Configuring Security for VPNs with IPsec

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

Chapter 24. Transport-Layer Protocols

CSCD 330 Network Programming

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

Sharing IPsec with Tunnel Protection

IPSec Transform Set Configuration Mode Commands

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Transcription:

SCTP and Proposed Modifications to Aditya Kelkar Alok Sontakke Srivatsa R. Dept. of CSE. IIT Bombay October 31, 2004

SCTP and Proposed Modifications to 1 2 3 SCTP and 4 Proposed Modifications to 5

SCTP and Proposed Modifications to Features and Comparison of SCTP[4] with TCP Connection Oriented, Unicast Protocol

SCTP and Proposed Modifications to Features and Comparison of SCTP[4] with TCP Connection Oriented, Unicast Protocol SCTP is Message Oriented

SCTP and Proposed Modifications to Features and Comparison of SCTP[4] with TCP Connection Oriented, Unicast Protocol SCTP is Message Oriented SCTP Multi-Streaming Feature

SCTP and Proposed Modifications to Features and Comparison of SCTP[4] with TCP Connection Oriented, Unicast Protocol SCTP is Message Oriented SCTP Multi-Streaming Feature SCTP Multi-Homing Feature

SCTP and Proposed Modifications to SCTP Message Format Header Source and destination port numbers 32-bit verification tag 32-bit checksum

SCTP and Proposed Modifications to SCTP Message Format Header Source and destination port numbers 32-bit verification tag 32-bit checksum Data/Control Chunk Chunk type Flag field Length Value

SCTP and Proposed Modifications to Benefits of SCTP Acknowledged reliable non-duplicated transfer of user data Application-level segmentation to conform to the maximum transmission unit (MTU) size Sequenced delivery of user datagrams within multiple streams Optional multiplexing of user datagrams into SCTP datagrams Enhanced reliability through support of multihoming at either or both ends of the association Congestion avoidance and resistance to flooding and masquerade attacks

SCTP and Proposed Modifications to Applications of SCTP Telephony Signaling - Loosely correlated messages (different calls) can be delivered without having to maintain overall sequence integrity.

SCTP and Proposed Modifications to Applications of SCTP Telephony Signaling - Loosely correlated messages (different calls) can be delivered without having to maintain overall sequence integrity. Transfer of Multimedia documents - SCTP allows transport of these components to be partially ordered rather than strictly ordered, and may result in improved user perception of transport.

SCTP and Proposed Modifications to [2] is a security mechanism in the TCP/IP protocol suite. operates between layers 2/3. Security services can be applied to layers 3-7. Provides following security services Confidentiality - Sender can encrypt packets, decrypted by only designated receiver. Integrity - Packets are not altered in transit. Data origin authentication - Receiver can authenticate the sender. Anti replay service - Receiver can detect replayed packets and reject them. Key management - Secure exchange of keys.

SCTP and Proposed Modifications to Architecture architecture includes standards for Encapsulating Security Payload (ESP). Authentication Header (AH). These two protocols operate in two modes. Tunnel mode - Applied to the whole packet. Transport mode - Applied to payload and selected portions of IP header.

SCTP and Proposed Modifications to Authentication Header Authentication Header contains the checksum of fields with a pre-shared key. Reciever verifies the integrity by recomputing the checksum and comparing it with the checksum in the packet.

SCTP and Proposed Modifications to Encapsulating Security Payload Sender encrypts the packet/payload with a pre-shared key. Only receiver can decrypt the packet and recover the plaintext.

SCTP and Proposed Modifications to Security Policies (SPs) Specifies security serivces and how they are to be applied to IP traffic. Policies are selected by matching selectors. Source/Destination IP address. Source/Destination ports. Transport layer protocol. User ID. Data sensitivity level. Bypass, Apply, Drop? Process by applying bundles of transformation.

SCTP and Proposed Modifications to Security Association (SA) One-way connection between communicating parties. Parameterized by Destination Address, protocol and a unique 32-bit integer - SPI. Established when parties start communicating. Each bi-directional connection must create atleast two SAs. Security Association Database (SAD) stores all the parameters associated with an SA. Sequence Number. Sequence counter overflow. Anti reply window. Authentication Algorithm and Keys (for AH). Encryption Algorithm and keys (for ESP). Authentication Algorithm and keys for ESP. Lifetime of the SA.

SCTP and Proposed Modifications to Combining security associations Security associations can be combined into bundles in two ways. Transport adjecency.

SCTP and Proposed Modifications to Combining security associations Iterated tunneling

SCTP and Proposed Modifications to Application - Secure Branch office connectivity can be used for secure connection between main office and branch office.

SCTP and Proposed Modifications to SCTP over [1] Why current implementation needs to be modified? Using SCTP endpoints in selectors - source and destination port numbers

SCTP and Proposed Modifications to SCTP over [1] Why current implementation needs to be modified? Using SCTP endpoints in selectors - source and destination port numbers Single SA should specify all source-destination address pairs

SCTP and Proposed Modifications to SCTP over [1] Why current implementation needs to be modified? Using SCTP endpoints in selectors - source and destination port numbers Single SA should specify all source-destination address pairs SPD entries should specify multiple source-destination IP addresses

SCTP and Proposed Modifications to SCTP over [1] Why current implementation needs to be modified? Using SCTP endpoints in selectors - source and destination port numbers Single SA should specify all source-destination address pairs SPD entries should specify multiple source-destination IP addresses IKE

SCTP and Proposed Modifications to SCTP over [1] Why current implementation needs to be modified? Using SCTP endpoints in selectors - source and destination port numbers Single SA should specify all source-destination address pairs SPD entries should specify multiple source-destination IP addresses IKE Address updates of SCTP sessions must be authenticated

SCTP and Proposed Modifications to Data structures for SAD and SPD Security Policy

SCTP and Proposed Modifications to Data structures for SAD and SPD Security Policy Security Association

SCTP and Proposed Modifications to Current organization of these structures

SCTP and Proposed Modifications to Packet Processing Input IP packet to be sent Refers to SPD for type of processing Follows SA bundle to apply series of transformations. Each transformation adds an IPsec header.

SCTP and Proposed Modifications to Packet Processing Input IP packet to be sent Refers to SPD for type of processing Follows SA bundle to apply series of transformations. Each transformation adds an IPsec header. Output Find the SA in SAD Apply reverse transformation Continue till Transport/IP header is encountered Check from SPD that all reverse transformations have been applied.

SCTP and Proposed Modifications to Proposed Changes What? Incorporate multiple source/destination addresses into data structures.

SCTP and Proposed Modifications to Proposed Changes What? Incorporate multiple source/destination addresses into data structures. Where? One SA and SP for each address pair. Modify the address structure itself to include multiple addresses. Modify SA and SP.

SCTP and Proposed Modifications to Proposed Changes What? Incorporate multiple source/destination addresses into data structures. Where? One SA and SP for each address pair. Modify the address structure itself to include multiple addresses. Modify SA and SP. Why? Changing address structure causes unwanted changes since is used not just in SAD and SPD. Multiple SA s consumes more memory, affects search time, negotiation time.

SCTP and Proposed Modifications to How proposed changes will affect the management of the data structures Functions creating the structures. Inserting SA s into hash queues requires multiple insertions in required hash queues. Matching selectors should incorporate multiple addresses.

SCTP and Proposed Modifications to Conclusion How to extend support for SCTP. Methods by which multiple addresses can be negotiated in have been proposed. Comparison of these methods.

SCTP and Proposed Modifications to Future Work Extraction of SCTP port numbers to use in selectors for SPD. Extend key negotiation in IKE[3] to negotiate single SA for multiple addresses.

SCTP and Proposed Modifications to References beamericonarticle S. Bellovin et. al. Rfc-3554: On the use of stream control transmission protocol (sctp) with ipsec, 2003. beamericonarticle S. Kent et. al. Rfc-2401: Security architecture for the internet protocol, 1998. beamericonarticle D. Harkins. Rfc-2409: The internet key exchange (ike), 1998. beamericonarticle R. Stewart. Rfc-2960: Stream control transmission protocol, 2000.

SCTP and Proposed Modifications to Thank you!!! Thank you!!!

SCTP and Proposed Modifications to Table with 5 colours and multicolumn Course Date Time Algorithms 23/11/2004 2:30 FSVP 14/11/2004 10:30 Artificial Intelligence 19/11/2004 2:30 Seminar Hooray! no endsem!! Communication Skills Hooray! endsem over!!

SCTP and Proposed Modifications to Graph with gnuplot Equation: e sin( (x+y))

SCTP and Proposed Modifications to Simple picture using PGF

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback