IP Security. Cunsheng Ding HKUST, Kong Kong, China

Similar documents
The IPsec protocols. Overview

CSCE 715: Network Systems Security

IPSec. Overview. Overview. Levente Buttyán

IP Security. Have a range of application specific security mechanisms

Cryptography and Network Security. Sixth Edition by William Stallings

CSC 6575: Internet Security Fall 2017

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Lecture 13 Page 1. Lecture 13 Page 3

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

CSE509: (Intro to) Systems Security

Lecture 12 Page 1. Lecture 12 Page 3

IPSec Transform Set Configuration Mode Commands

Chapter 6/8. IP Security

IP Security IK2218/EP2120

Virtual Private Networks (VPN)

IPSec Transform Set Configuration Mode Commands

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

IP Security Part 1 04/02/06. Hofstra University Network Security Course, CSC290A

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Virtual Private Network

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP,

Chapter 5: Network Layer Security

Cryptography and Network Security

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture 9: Network Level Security IPSec

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

Chapter 11 The IPSec Security Architecture for the Internet Protocol

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

Network Encryption 3 4/20/17

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Network Security IN2101

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

8. Network Layer Contents

The IPSec Security Architecture for the Internet Protocol

Chapter 10: Cipher Techniques

Virtual Private Networks

IPSec implementation for SCTP

IP Security Discussion Raise with IPv6. Security Architecture for IP (IPsec) Which Layer for Security? Agenda. L97 - IPsec.

Network Working Group Request for Comments: Nokia Research Center F. Dupont GET/ENST Bretagne June 2004

Network Security: IPsec. Tuomas Aura

Network Security (NetSec) IN2101 WS 16/17

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

Application Layer. Presentation Layer. Session Layer. Transport Layer. Network Layer. Data Link Layer. Physical Layer

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

CSC 4900 Computer Networks: Security Protocols (2)

COSC4377. Chapter 8 roadmap

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Configuring Security for VPNs with IPsec

Sample excerpt. Virtual Private Networks. Contents

Time Synchronization Security using IPsec and MACsec

AIT 682: Network and Systems Security

Configuration of an IPSec VPN Server on RV130 and RV130W

Security Engineering. Lecture 16 Network Security Fabio Massacci (with the courtesy of W. Stallings)

IBM i Version 7.2. Security Virtual Private Networking IBM

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

Configuring IPSec tunnels on Vocality units

Internet security and privacy

Firewalls, Tunnels, and Network Intrusion Detection

The EN-4000 in Virtual Private Networks

IPSec Site-to-Site VPN (SVTI)

IKE and Load Balancing

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

Network Security: IPsec. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

KENIC-AFRINIC IPv6 Workshop 17th 20th June 2008

Virtual Private Networks

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

IPsec NAT Transparency

Configuring Internet Key Exchange Security Protocol

Voice over IPSec. Emilia Rosti Dip. Informatica e Comunicazione Univ. Degli Studi di Milano

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

PROGRAMMING Kyriacou E. Frederick University Cyprus. Network communication examples

Outline. 0 Topic 4.1: Securing Real-Time Communications 0 Topic 4.2: Transport Layer Security 0 Topic 4.3: IPsec and IKE

Network Security and Cryptography. December Sample Exam Marking Scheme

Lab 9: VPNs IPSec Remote Access VPN

IPSec Network Applications

VPN Overview. VPN Types

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Use of IPSec in Mobile IP

AN EXTENSION OF MULTI LAYER IPSEC FOR SUPPORTING DYNAMIC QOS AND SECURITY REQUIREMENTS

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

CS 356 Internet Security Protocols. Fall 2013

CSE543 Computer and Network Security Module: Network Security

Table of Contents 1 IKE 1-1

COMPUTER SECURITY. Computer Security Secure Communication Channels (2)

INDEX. Symbols. 3DES over4 mechanism to4 mechanism...101

Transcription:

IP Security Cunsheng Ding HKUST, Kong Kong, China

Agenda Some attacks against the IP Brief introduction to IPSec Building Block: Security Association Building Block: Security Association Database Building Blocks: IPSec Protocols - ESP and AH Building Block: Security Policy Database Building blocks: Key Management Protocols The Whole Picture of IPSec C. Ding - CSIT571 - L20

The Internet Layers Application Transport/session Internet Interface telnet,ftp,http, smtp,set TCP, UDP IP Network technology protocols smtp = simple mail transfer protocol C. Ding - CSIT571 - L20

Attacks Against IP n A number of attacks against IP are possible. n Typically, these exploit the fact that IP does not perform a robust mechanism for sender authentication. n IP Spoofing n This is where one host claims to have the IP address of another. n IP Session Hijacking n It is an attack whereby a user's session is taken over, being in the control of the attacker. n If the user was in the middle of email, the attacker is looking at the email, and then can execute any commands he wishes as the attacked user. Conclusion: Security mechanism at the network layer would help. C. Ding - CSIT571 - L20

Where can we put security? HTTP AH FTP TCP IP SMTP ESP Network approach S-HTTP TCP IP S/MIME Application approach HTTP FTP SSL/TLS TCP IP SMTP Transport approach SET HTTP FTP TCP IP PGP SMTP Presentation approach Advantaqes and disadvantage of each? C. Ding - CSIT571 - L20

Brief Introduction to IPSec C. Ding - CSIT571 - L20

Internet Engineering Task Force Standardization IPSEC WG (IETF) Define security architecture Standardize IP Security Protocol and Internet Key Management Protocol 1998: revised version of IPSec Architecture IPsec protocols (two sub-protocols AH & ESP) Internet Key Exchange (IKE) 2005: Updated version (RFC4301-4306) C. Ding - CSIT571 - L20

IPsec: Network Approach Provides security for IP and upper layer protocols Suit of algorithms: Mandatory-to-implement Assures interoperability Easy to add new algorithms C. Ding - CSIT571 - L20

IP Security Overview IPSec provides the following: Data origin authentication Connectionless data integrity Data content confidentiality Anti-replay protection Limited traffic flow confidentiality C. Ding - CSIT571 - L20

Building Blocks: Security Association

Security Association n It is a one-way relationship between a sender and a receiver. n It associates security services and keys with the traffic to be protected. n It is identified by: n Security Parameter Index (SPI) à retrieve correct SA parameters from Security Association Database (SAD) n IPSec protocol identifier (AH or ESP) n Destination address (firewall, router)

Security Association Defines security services and mechanisms between two end points (or IPsec modules): Hosts Network security gateways (e.g., routers, application gateways) Hosts and security gateways Defines parameters, mode of operation, and initialization vector e.g., Confidentiality using ESP with DES in CBC mode with IV initialization vector May use either Authentication Header (AH) or Encapsulating Security Payload (ESP).

Security Association Host A Security Association: # ipsecadm new esp -spi 1000 -src HostA \ -dst HostB -forcetunnel -enc 3des -auth sha1 \ -key 7762d8707255d974168cbb1d274f8bed4cbd3364 \ -authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f Host B Security Association: # ipsecadm new esp -spi 1001 -src HostB \ -dst HostA -forcetunnel -enc 3des -auth sha1 \ -key 7762d8707255d974168cbb1d274f8bed4cbd3364 \ -authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f RemarK: src = source, dst = destination, keysize = 160 bits spi is a binary string at most 32 bits, used to create and delete SA, the spi values between 0 and 100 are reserved.

SA -- Lifetime Amount of traffic protected by a key and time frame the same key is used Manual creation: no lifetime Dynamic creation: may have a lifetime

Building Blocks: Security Policy Database

Security Policy Database (SPD) Defines: What traffic to be protected (e.g., email messages only) How to protect (e.g., use ESP or AH) With whom the protection is shared (e.g., with John) For each packet entering or leaving an IPsec implementation, SPD is used to determine security mechanism to be applied Actions: Discard: do not let packet in or out Bypass: do not apply or expect security services Protect: apply/expect security services on packets

SPD and SAD Examples n Visit the course webpage for examples of a SPD and a SAD n Visit the course webpage for the relationships between a SPD and a SAD

Building Blocks: IPSec Protocols

IPSec Protocols n Encapsulating Security Payload (ESP) n Proof of data origin, data integrity, antireplay protection n Data confidentiality and limited traffic flow confidentiality n Authentication Header (AH) n Proof of data origin, data integrity, antireplay protection n No data confidentiality n May provide non-repudiation & anti-replay (it depends on the algorithm used.)

Transport Mode: AH & ESP n Usage: protect upper layer protocols n IPSec header is inserted between the IP header and the upper-layer protocol header n Communication endpoints must be cryptographic endpoints (for end-to-end authentication), i.e., the endpoints generate/process IP header (AH, ESP). n Only data is protected. protected IP IPsec Payload

When is Transport Mode Used Both endpoints are cryptographic endpoints, i.e. they generate / process an IPSec header (AH or ESP)

Tunnel Mode: AH & ESP n Usage: protect entire IP datagram n Entire IP packet to be protected is encapsulated in another IP datagram and an IPsec header is inserted between the outer and inner IP headers protected IP IPsec IP Payload New IP header Original IP header

When Is Tunnel Mode Used Tunnel mode is used when at least one cryptographic endpoint is not a communication endpoint of the secured IP packets. Outer IP Header Destination for the router. Inner IP Header Ultimate Destination

Encryption and Authentication Algorithms n Encryption: n Triple DES in CBC mode (MUST) n AES in CBC mode (SHOULD+) n AES in CTR (counter) mode (SHOULD) n Authentication: n HMAC-MD5-96 (MAY) n 96 truncated bites from 120 n HMAC-SHA-1-96 (MUST) n 96 truncated bites from 160 n AES-XCBC-96 (SHOULD+) n 96 truncated bites from 128

Building Blocks: Key management protocol IKE

Key Management n IPSec needs secret keys: n for transmitting and receiving both AH and ESP n It supports two types of key management: n Manual: A system administrator manually configures each system with its own keys and with the keys of other communicating systems. n Automated: An automated system enable the ondemand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration.

Key Management Protocol n The management protocol is called Internet Key Exchange (IKE). n It has two versions. n n IKE 1998, IKEv2 2005 It is the most complicated sub-protocol of IPSec. n Details are omitted in this course, but we will present its outline here.

Key exchange protocol Key Management

Whole Picture of IPSec

IP Security Architecture IPsec module 1 IPsec module 2 SPD SPD IKE IKE SAD IPsec IPsec SAD SA SAD: Security Association Database SPD: Security Policy Database IKE: Internet Key Exchange

IPSec Uses

Applications of IPSec n Using IPSec all distributed applications can be secured, n Remote logon, n client/server, n e-mail, n file transfer, n Web access n etc.

Benefits of Using IPSec n The benefits of IPSec include: n IPSec can be transparent to end users. n There is no need to train users on security mechanisms n IPSec can provide security for individual aplication n By configuration, IPSec is applied to only one specified application.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback