IPSec. Dr.Talal Alkharobi. IPsec (IP security)

Similar documents
Stream Control Transmission Protocol - Wikipedia, the free encyclopedia

IPSec. Overview. Overview. Levente Buttyán

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

CSCE 715: Network Systems Security

Protocol Architecture (2) Suguru Yamaguchi Nara Institute of Science and Technology Department of Information Science

The IPsec protocols. Overview

INDEX. Symbols. 3DES over4 mechanism to4 mechanism...101

VPN Overview. VPN Types

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Internet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho

PROGRAMMING Kyriacou E. Frederick University Cyprus. Network communication examples

Virtual Private Network

Configuring Security for VPNs with IPsec

Lecture 13 Page 1. Lecture 13 Page 3

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

8. Network Layer Contents

IPSec Transform Set Configuration Mode Commands

Virtual Private Networks

CS 356 Internet Security Protocols. Fall 2013

IKE and Load Balancing

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

ITCH Multicast for Genium INET (Nordics) Commodities feed

VPN Ports and LAN-to-LAN Tunnels

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15M&T

Virtual Private Networks

Internet security and privacy

Virtual Private Networks (VPN)

Hands-On TCP/IP Networking

Index. Numerics 3DES (triple data encryption standard), 21

CSE509: (Intro to) Systems Security

IPsec NAT Transparency

IP Security IK2218/EP2120

IPSec Transform Set Configuration Mode Commands

Security for VPNs with IPsec Configuration Guide Cisco IOS Release 12.4T

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

CSC 6575: Internet Security Fall 2017

Virtual Private Network. Network User Guide. Issue 05 Date

IPSec Site-to-Site VPN (SVTI)

Lesson 5 TCP/IP suite, TCP and UDP Protocols. Chapter-4 L05: "Internet of Things ", Raj Kamal, Publs.: McGraw-Hill Education

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

IP Security. Have a range of application specific security mechanisms

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

Data Sheet. NCP Secure Entry Mac Client. Next Generation Network Access Technology

VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

IPsec: IP security in opensource systems

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

Cisco Exam Questions & Answers

Sample excerpt. Virtual Private Networks. Contents

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

The EN-4000 in Virtual Private Networks

IPsec NAT Transparency

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

OpenIKED, AsiaBSDCon 2013 Reyk Flöter

Transport Level Security

IPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43

IBM i Version 7.2. Security Virtual Private Networking IBM

E&CE 358: Tutorial 1. Instructor: Sherman (Xuemin) Shen TA: Miao Wang

Lecture 12 Page 1. Lecture 12 Page 3

Table of Contents 1 IKE 1-1

Internet. 1) Internet basic technology (overview) 3) Quality of Service (QoS) aspects

NCP Secure Enterprise macos Client Release Notes

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

A Border Gateway Protocol 3 (BGP-3) DNS Extensions to Support IP version 6. Path MTU Discovery for IP version 6

Firewalls, Tunnels, and Network Intrusion Detection

NCP Secure Entry macos Client Release Notes

Chapter 11 The IPSec Security Architecture for the Internet Protocol

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

BCRAN. Section 9. Cable and DSL Technologies

IP Security Part 1 04/02/06. Hofstra University Network Security Course, CSC290A

OFTP2 kurs Odette File r Transfer ansfer Pr otocol

Configuration of an IPSec VPN Server on RV130 and RV130W

Performance Evaluation of Software Routers with VPN Features

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

Security for VPNs with IPsec Configuration Guide, Cisco IOS Release 15S

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

Network Encryption 3 4/20/17

Cryptography and Network Security. Sixth Edition by William Stallings

Chapter 5: Network Layer Security

Solved MCQ of Computer networking. Set-1

Review of Important Networking Concepts

Virtual Tunnel Interface

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

ITCH Multicast for Genium INET (Nordics) AMD Derivatives feed

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

AIR-WLC K9 Datasheet. Overview. Check its price: Click Here. Quick Specs

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Cryptography and Network Security

The IPSec Security Architecture for the Internet Protocol

COSC4377. Chapter 8 roadmap

Transcription:

IPSec IPsec (IP security) 2 A suite of protocols for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment. IPsec is implemented by a set of cryptographic protocols for (1) securing packet flows and (2) internet key exchange. 1

IPSec 3 IPsec protocols operate at the network layer, layer 3 of the OSI model. Other Internet security protocols in widespread use, such as SSL and TLS, operate from the transport layer up (OSI layers 4-7). This makes IPsec more flexible, as it can be used for protecting both TCP- and UDP-based protocols, but increases its complexity and processing overhead, as it cannot rely on TCP (OSI layer 4) to manage reliability and fragmentation. Security facilities in the TCP/IP protocol stack 4 2

Design intent 5 Since the Internet Protocol does not inherently provide any security capabilities, IPsec was introduced to provide security services such as: Encrypting traffic Integrity validation Authenticating the peers Anti-replay (protection against replay of the secure session) IPsec Operations 6 There are two modes of IPsec operation: Transport mode Tunnel mode The security implications are quite different between the two operational modes. IPsec can be used to create Virtual Private Networks (VPN) in either mode 3

IPsec Operations Transport mode 7 End-to-end security of packet traffic in which the end-point computers do the security processing Only the payload (message) of the IP packet is encrypted. The routing is intact since the IP header is neither modified nor encrypted When the Authentication Header is used, the IP addresses cannot be translated, as this will invalidate the hash value. The transport and application layers are always secured by hash so they cannot be modified in any way (translating the port numbers) Transport mode is used for host-to-host communications IPsec Operations Tunnel mode 8 Portal-to-portal communications security in which security of packet traffic is provided to several machines (even to whole LANs) by a single node. In tunnel mode, the entire IP packet is encrypted. It must then be encapsulated into a new IP packet for routing to work. Tunnel mode is used for network-to-network communications (secure tunnels between routers) or host-to-network and host-tohost communications over the Internet. 4

Current status as a standard 9 IPsec is a mandatory part of IPv6, and is optional for use with IPv4. While the standard is designed to be indifferent to IP versions, current widespread deployment and experience concerns IPv4 implementations. IPsec protocols were originally defined by RFCs 1825 1829, published in 1995. In 1998, these documents were obsoleted by RFCs 2401 2412. RFC 2401 2412 are not compatible with RFC 1825 1829, although they are conceptually identical. Current status as a standard 10 In December 2005, third-generation documents, RFCs 4301 4309, were produced. RFCs 4301 4309 are largely a superset of 2401 2412, but provide a second Internet Key Exchange standard. 5

Authentication Header (AH) 11 Authentication Header (AH) protocol is designed to authenticate the source host and to ensure the integrity of the payload carried by the IP packet. The protocol calculates a message digest, using a hashing function and a symmetric key, and inserts the digest in the authentication header. The AH protocol provides source authentication and data integrity,but not privacy. Authentication Header (AH) 12 6

Authentication header 13 When an IP datagram carries an authentication header, the original value in the protocol field of the IP header is replaced by the value 51. A field inside the authentication header (next header field) defines the original value of the protocol field (the type of payload being carried by the IP datagram). Authentication header 14 Steps for authentication header: AH is added to the payload with the authentication data field set to zero. Padding may be added to make the total length even for a particular hashing algorithm Hashing is based on total packet. For message digest, only those fields of IP header that don t change during transmission are considered. Authentication data are included in the authentication header IP header is added after changing the value of protocol field to 51. 7

Authentication header 15 Payload length: Length of AH in 4-byte multiples. SPI: plays the role of VCI Sequence number: for anti replay Encapsulation Security Payload (ESP) 16 Encapsulation Security Payload (ESP) provides source authentication, privacy and integrity. Value of IP protocol field is 50. Field inside the ESP trailer (next header field) holds the original value of the protocol field of IP header. 8

Encapsulation Security Payload (ESP) 17 Encapsulation Security Payload (ESP) 18 Steps ESP trailer is added to the payload Payload and trailer or encrypted ESP header is added ESP header, payload and ESP trailer are used to create authenticated data. Authenticated data are added at the end of ESP trailer. IP header is added after changing the protocol value to 50. 9

VPN 19 Privacy within intra-organization but still connected to global Internet. Intra-organization data are routed through the private internet; inter-organization data are routed through the global Internet. VPN 20 10

VPN 21 Private and hybrid networks are costlier. Best solution is to use global Internet for both private and public communications. VPN creates a network that is private but virtual. It is private but it guarantees privacy inside the organization. It is virtual because it does not use real private WANs; the network is physically public but virtually private. VPN uses IPSec in tunnel mode to provide authentication, integrity and privacy. VPN 22 11

VPN 23 Each IP datagram destined for private use in the organization is encapsulated in another datagram. To use IPSec in the tunneling mode, the VPNs need to use two sets of addressing. The public network (Internet) is responsible for carrying the packet from R1 to R2. Outsiders cannot decipher the contents of the packet or the source and destination addresses. Deciphering takes place at R2, which finds the destination address of the packet and delivers it. VPN 24 12

urity Architecture 25 The IP security architecture uses the concept of a security association (SA) as the basis for building security functions SA is simply the bundle of algorithms and parameters (such as keys) that is being used to encrypt a particular flow. The actual choice of algorithm is left up to the users. A security parameter index (SPI) is provided along with the destination address to allow the security association for a packet to be looked up. For multicast therefore, a security association is provided for the group, and is duplicated across all authorised receivers of the group. urity Architecture 26 There may be more than one security association for a group, using different SPIs, so allowing multiple levels and sets of security within a group. Indeed, each sender can have multiple security associations, allowing authentication, since a receiver can only know that someone knowing the keys sent the data. Note that the standard doesn't describe how the association is chosen and duplicated across the group; it is assumed that a responsible party will make the choice. 13

urity Architecture 27 Two headers have been designed to provide security for both IPv4 and IPv6: The IP Authentication Header provides integrity and authentication and non-repudiation, if the appropriate choice of cryptographic algorithms is made. The IP Encapsulating Payload provides confidentiality, along with authentication and integrity. IPSec Implementation 28 IPsec support is usually implemented in the kernel with key management and ISAKMP/IKE negotiation carried out from userspace. Existing IPsec implementations tend to include both of these functionalities. However, as there is a standard interface for key management, it is possible to control one kernel IPsec stack using key management tools from a different implementation. Because of this, there is confusion as to the origins of the IPsec implementation that is in the Linux kernel. 14

IPSec Implementation 29 The FreeS/WAN project made the first complete and open source implementation of IPsec for Linux. It consists of a kernel IPsec stack (KLIPS), as well as a key management daemon (pluto) and many shell scripts. The FreeS/WAN project was disbanded in March 2004. Openswan and strongswan are continuations of FreeS/WAN. The KAME project also implemented complete IPsec support for NetBSD, FreeBSD. Its key management daemon is called racoon. IPSec Implementation 30 OpenBSD made its own ISAKMP/IKE daemon, simply named isakmpd (that was also ported to other systems, including Linux). However, none of these kernel IPsec stacks were integrated into the Linux kernel. Alexey Kuznetsov and David S. Miller wrote a kernel IPsec implementation from scratch for the Linux kernel around the end of 2002. This stack was subsequently released as part of Linux 2.6, and is referred variously as "native" or "NETKEY". Therefore, contrary to popular belief, the Linux IPsec stack did not originate from the KAME project. 15

IPSec Implementation 31 As it supports the standard PF_KEY protocol (RFC 2367) and the native XFRM interface for key management, the Linux IPsec stack can be used in conjunction with either pluto from Openswan/strongSwan, isakmpd from OpenBSD project, racoon from the KAME project or without any ISAKMP/IKE daemon (using manual keying). The new architrectures of network processors, including multicore processors with integrated encryption engines, change the way the IPsec stacks are designed. A dedicated Fast Path is used in order to offload the processing of the IPsec processing (SA, SP lookups, encryption, etc.). IPSec Implementation 32 These Fast Path stacks must be co-integrated on dedicated cores with Linux or RTOS running on other cores. These OS are the control plane that runs ISAKMP/IKE of the Fast Path IPsec stack. 16

33 IPsec and ISAKMP/IKE protocols 6WINDGate, Network processor MPU Fast Path IPsec stack NRL IPsec, one of the original sources of IPsec code OpenBSD, with its own code derived from NRL IPsec the KAME stack, that is included in Mac OS X, NetBSD and FreeBSD "IPsec" in Cisco IOS Software "IPsec" in Microsoft Windows, including Windows XP, Windows 2000, and Windows 2003 SafeNet QuickSec toolkits 34 IPsec and ISAKMP/IKE protocols IPsec in Solaris IBM AIX operating system IBM z/os IPsec and IKE in HP-UX (HP-UX IPSec) "IPsec and IKE" in VxWorks 17

35 Overview of IPsec-related RFCs RFC 2367: PF_KEY Interface RFC 2401: Security Architecture for the Internet Protocol RFC 2402: Authentication Header RFC 2403: The Use of HMAC-MD5-96 within ESP and AH RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV RFC 2406: Encapsulating Security Payload RFC 2407: IPsec Domain of Interpretation for ISAKMP (IPsec DoI) 36 Overview of IPsec-related RFCs RFC 2407: IPsec Domain of Interpretation for ISAKMP (IPsec DoI) RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP) RFC 2409: Internet Key Exchange (IKE) RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec RFC 2411: urity Document Roadmap RFC 2412: The OAKLEY Key Determination Protocol RFC 2451: The ESP CBC-Mode Cipher Algorithms RFC 2857: The Use of HMAC-RIPEMD-160-96 within ESP and AH 18

37 Overview of IPsec-related RFCs RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements RFC 3947: Negotiation of NAT-Traversal in the IKE RFC 3948: UDP Encapsulation of IPsec ESP Packets RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP) Overview of IPsec-related RFCs 38 RFC 4301: Security Architecture for the Internet Protocol RFC 4302: IP Authentication Header RFC 4303: IP Encapsulating Security Payload (ESP) RFC 4304: Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP) RFC 4306: Internet Key Exchange (IKEv2) Protocol RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2) RFC 4308: Cryptographic Suites for IPsec 19

39 Overview of IPsec-related RFCs RFC 4309: Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP) RFC 4478 : Repeated Authentication in Internet Key Exchange (IKEv2) Protocol RFC 4543: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH RFC 4555: IKEv2 Mobility and Multihoming Protocol (MOBIKE) RFC 4621: Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol RFC 4806: Online Certificate Status Protocol (OCSP) Extensions to IKEv2 40 Overview of IPsec-related RFCs RFC 4809: Requirements for an IPsec Certificate Management Profile RFC 4835: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH) 20

The five-layer TCP/IP model 41 5. Application layer: DHCP DNS FTP Gopher HTTP IMAP4 IRC NNTP XMPP MIME POP3 SIP SMTP SNMP SSH TELNET RPC RTP RTCP TLS/SSL SDP SOAP 4. Transport layer: TCP UDP DCCP SCTP RSVP GTP 3. Internet layer: IP (IPv4 IPv5 IPv6) IGMP ICMP BGP RIP OSPF ISIS IPsec ARP RARP 2. Data link layer: 802.11 ATM DTM Ethernet FDDI Frame Relay GPRS EVDO HSPA HDLC PPP L2TP PPTP 1. Physical layer : Ethernet physical layer ISDN Modems PLC SONET/SDH G.709 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback