Unit 8: IP Security


Upload: chintan-patel

Post on 09-Jun-2015


Category:

Engineering


DESCRIPTION

Tunnel mode, transport mode, ESP, AH, IP security

TRANSCRIPT

Page 1: Unit 8 ip security
Page 2: Unit 8 ip security

• A capability that can be added to IPv4 or IPv6 using additional headers.

• Authentication: HMAC authentication code.

Tunnel mode: covers the entire original IP packet.

Transport mode: covers all of the packet except the IP header.

• Confidentiality: Encapsulating Security Payload.

• Key management.

Page 3: Unit 8 ip security

• Secure branch office connectivity over the Internet.

• Secure remote access over the Internet.

• Establishing extranet and intranet connectivity with partners.

• Enhancing electronic commerce security.

Page 4: Unit 8 ip security

IPSec can encrypt and authenticate all traffic at the IP level.

Distributed applications (remote login, client-server interaction, e-mail, file transfers, web access, etc.) can be secured.

Page 5: Unit 8 ip security
Page 6: Unit 8 ip security

IPSec protocols operate in the networking devices that connect a LAN to the Internet (routers or firewalls).

They encrypt and compress all traffic leaving a LAN, and decrypt and decompress traffic entering a LAN.

- IPSec operations are transparent to workstations and servers.

- Secure transmission is also possible for individual users.

"The user workstation must then implement the IPSec protocols."

Page 7: Unit 8 ip security

• Provides security to all traffic crossing the perimeter:

Traffic within the company is not disturbed by security-related processing.

• Transparent to applications:

No need to change software on user or server systems when IPSec is on the firewall or router.

If IPSec is also implemented in the end system, upper-layer software is not affected.

• Provides individual user security as well:

Useful for setting up a virtual sub-network within an organization for sensitive applications.

Page 8: Unit 8 ip security
Page 9: Unit 8 ip security

1. Architecture: covers general concepts, security requirements, definitions and mechanisms.

2. Encapsulating Security Payload (ESP): covers the issues of packet encryption.

3. Authentication Header (AH): covers the issues of packet authentication.

4. Encryption algorithms: how various encryption algorithms are used for ESP.

5. Authentication algorithms: how various authentication algorithms are used for AH and for the authentication option of ESP.

6. Key management: documents that describe key management.

7. Domain of Interpretation (DOI): contains the values needed for a domain.

Page 10: Unit 8 ip security

• IPSec uses two protocols to provide security:

1. Authentication Header (AH): an authentication protocol.

2. Encapsulating Security Payload (ESP): a combined encryption and authentication protocol.

Page 11: Unit 8 ip security

• Access Control

• Connectionless integrity

• Data origin authentication

• Rejection of replayed packets

• Confidentiality (encryption)

• Limited traffic flow confidentiality

Page 12: Unit 8 ip security

• A one-way relationship between a sender and a receiver.

• For a two-way secure exchange, two security associations are required.

Identified by three parameters:

• Security Parameter Index (SPI): a bit string assigned to this SA.

//Used by the receiver to select the SA.//

• IP Destination Address: the address of the destination endpoint of the SA.

//May be an end user system, a firewall or a router.//

• Security Protocol Identifier: indicates whether the association is an AH or an ESP security association.

Page 13: Unit 8 ip security

• Transport mode:

If the host runs AH or ESP over IPv4, the payload is the data that normally follows the IP header.

If the host runs AH or ESP over IPv6, the payload is the data that normally follows both the IP header and the extension headers.

Transport mode is used for end-to-end communication between two hosts, as in a client-server architecture.

ESP encrypts the payload and optionally authenticates the payload, but not the IP header.

AH in transport mode authenticates the IP payload and selected portions of the header.

Page 14: Unit 8 ip security

• Tunnel mode:

• The entire packet plus security fields is treated as the payload of a new "outer" IP packet with a new outer IP header.

• The entire inner (original) packet travels through a "tunnel" from one point of an IP network to another.

• No router along the way is able to examine the inner IP header, because the original packet is encapsulated with a different source and destination address.

• Tunnel mode is used when one or both ends of the SA are security gateways such as firewalls and routers.

• ESP encrypts the inner IP packet, including the inner IP header.

• AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer header.

Page 15: Unit 8 ip security

[Figure: Host A - RA - RB - Host B. The original packet "A + B + DATA" is shown at each hop; the inner packet is marked "ESP will encrypt this".]

Page 16: Unit 8 ip security

Transport mode SA vs. tunnel mode SA:

AH

Transport mode SA: authenticates the IP payload and selected portions of the IP header and IPv6 extension headers.

Tunnel mode SA: authenticates the entire inner IP packet plus selected portions of the outer IP header.

ESP

Transport mode SA: encrypts the IP payload and any IPv6 extension headers.

Tunnel mode SA: encrypts the inner IP packet.

ESP with authentication

Transport mode SA: encrypts the IP payload and any IPv6 extension headers; authenticates the IP payload but not the IP header.

Tunnel mode SA: encrypts the inner IP packet; authenticates the inner IP packet.

Page 17: Unit 8 ip security

• Provides support for:

1. Data integrity of a packet.

>Modifications to packets while in transit are detected.

2. Authentication of a packet.

>The end system can verify the sender.

>Prevents address spoofing attacks.

3. Also guards against replay attacks.

Page 18: Unit 8 ip security
Page 19: Unit 8 ip security

• Transport vs. tunnel mode:

Transport mode:

>Authentication is provided directly between two end systems (client and server workstations).

>The two end systems share a protected secret key for authentication.

Tunnel mode:

>Authentication is done between two gateways (such as firewalls).

>The two end systems authenticate themselves to the gateways (firewalls).

>The end systems do not need to support authentication.

Page 20: Unit 8 ip security

• Transport mode AH:

• In IPv4:

>The Authentication Header is inserted after the original IP header.

>Authentication covers the entire packet except the mutable fields in the IP header.

• In IPv6:

>The Authentication Header is inserted after the extension headers.

>Authentication covers the entire packet except the mutable fields in the IP header.

Page 21: Unit 8 ip security
Page 22: Unit 8 ip security

• Tunnel mode:

>The entire IP packet is authenticated.

>AH is inserted between the original IP header and the new outer IP header.

>The outer IP header carries the IP addresses of the security gateways.

>The inner IP header carries the addresses of the end systems.

>The entire inner IP packet is protected.

Page 23: Unit 8 ip security
Page 24: Unit 8 ip security

• Provides support for data integrity and authentication (MAC) of IP packets.

• Guards against replay attacks.

Page 25: Unit 8 ip security

Consists of the following fields:

• Next header (8): identifies the type of header immediately following this one.

• Payload length (8): length of the AH in 32-bit words minus 2.

• Reserved (16): reserved for future use.

• Security Parameter Index (32): identifies a security association.

• Sequence number (32): a monotonically increasing counter value.

• Authentication data (variable): contains the integrity check value (ICV) or MAC for this packet.
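An added example (not from the slides) that builds and parses a transport-mode AH packet over IPv4 with the fields just listed. The ICV is HMAC-SHA-1-96; the mutable IPv4 fields (TOS, flags/fragment offset, TTL, checksum) and the Authentication Data field itself are zeroed before the MAC is computed, which is why a router decrementing the TTL does not break verification. Key, addresses, SPI and payload are constructed values.

```python
import hmac, hashlib, struct

AH_PROTO = 51  # IP protocol number carried in the IPv4 header for AH

def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA-1 truncated to its leftmost 96 bits (12 bytes): HMAC-SHA-1-96
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left 0 (it is mutable and zeroed for the ICV anyway)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)

def zero_mutable(ip_hdr: bytes) -> bytes:
    # Transport-mode AH covers the whole packet except the mutable IPv4 fields
    # (TOS, flags/fragment offset, TTL, header checksum), which are treated as zero
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def build_ah_packet(key, src, dst, spi, seq, payload, next_header=6):
    ah_len = 12 + 12                       # 12 fixed bytes + 96-bit ICV = 24 bytes
    total = 20 + ah_len + len(payload)
    ip = ipv4_header(src, dst, AH_PROTO, total)
    # Payload Length field = AH length in 32-bit words minus 2, i.e. 24/4 - 2 = 4
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    # The ICV is computed with the Authentication Data field itself set to zero
    icv = hmac_sha1_96(key, zero_mutable(ip) + ah_fixed + bytes(12) + payload)
    return ip + ah_fixed + icv + payload

def verify_ah_packet(key, pkt):
    """Parse the AH and recompute the ICV; returns (ok, spi, seq, next_header, payload)."""
    ip, rest = pkt[:20], pkt[20:]
    nh, plen, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (plen + 2) * 4                # undo the "32-bit words minus 2" encoding
    icv, payload = rest[12:ah_len], rest[ah_len:]
    expected = hmac_sha1_96(key, zero_mutable(ip) + rest[:12] + bytes(len(icv)) + payload)
    return hmac.compare_digest(icv, expected), spi, seq, nh, payload
```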

Page 26: Unit 8 ip security
Page 27: Unit 8 ip security

Provides confidentiality services.

//Confidentiality of the packet.//

Provides a limited authentication service.

//Authenticates the payload but not the header.//

Also provides limited traffic flow confidentiality.

Page 28: Unit 8 ip security
Page 29: Unit 8 ip security

ESP format:

• Security Parameter Index (32): identifies a security association.

• Sequence number (32): a monotonically increasing counter value.

//Used for replay detection.//

• Payload data (variable): packet data (in transport mode) or an IP packet (in tunnel mode).
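The replay detection the sequence number enables is done on the receiver with a sliding window. This added example (not from the slides) implements the usual 64-packet window: anything to the right of the window advances it, anything inside it is accepted once and then marked, and anything to the left (too old) or already marked is rejected. The window is updated only after the packet's ICV has verified, so a forged sequence number cannot shift it.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay window for one SA (window size 64 assumed)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.last = 0      # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0    # bit i set => sequence number (last - i) has been seen

    def check(self, seq: int) -> bool:
        """True if seq is new and inside the window, without marking it."""
        if seq == 0:
            return False                    # the first packet on an SA is number 1
        if seq > self.last:
            return True                     # right of the window: always new
        diff = self.last - seq
        if diff >= self.size:
            return False                    # left of the window: too old
        return not (self.bitmap >> diff) & 1  # inside the window: reject duplicates

    def update(self, seq: int) -> None:
        """Mark seq as seen; call only after the packet's ICV verified."""
        if seq > self.last:
            shift = seq - self.last         # slide the window to the right
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)

    def accept(self, seq: int, icv_ok: bool) -> bool:
        """Full receive decision: replay check, then ICV, then window update."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True
```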

Page 30: Unit 8 ip security

• Padding (0-255): bytes added to the packet to bring it to a multiple of the required number of bytes.

Padding also provides "traffic flow confidentiality" by concealing the actual length of the payload.

• Pad length (8): the number of bytes of padding in this packet.

• Next header (8): identifies the type of data contained in the payload data field: an extension header in IPv6, an upper-level protocol (TCP) in IPv4.

• Authentication data (variable): contains the integrity check value of the packet. The ICV is computed over the ESP packet minus the Authentication Data field, and must be a multiple of 32-bit words.

Page 31: Unit 8 ip security

• Encryption

Payload data, Padding, Pad length, and Next header fields are encrypted.

Algorithms:

- DES

- Three-key triple DES

- RC5

- IDEA

- Three-key triple IDEA

- CAST

- Blowfish

Page 32: Unit 8 ip security

• Authentication

>ESP supports the use of a MAC with a default length of 96 bits.

It supports:

HMAC-MD5-96

HMAC-SHA-1-96

Page 33: Unit 8 ip security

• Transport mode:

>Encryption is provided directly between two hosts.

>The packet header is not encrypted.

>Protection extends to the payload of the IP packet.

Page 34: Unit 8 ip security

• Tunnel mode:

>The entire packet is treated as the payload of a new IP packet.

>A new IP header is attached.

>The new IP packet is tunneled from one gateway to another.

>Hosts avoid having to implement security capabilities.

Page 35: Unit 8 ip security

• Used to encrypt and (optionally) authenticate the data in an IP packet.

• In IPv4:

>The ESP header is inserted after the IP header.

>The ESP trailer (Padding, Pad length, Next header) is placed at the end of the packet.

>If authentication is used, the authentication data is put after the ESP trailer.

Page 36: Unit 8 ip security

• In IPv6:

>The ESP header is inserted after the IP header and extension headers.

>The ESP trailer (Padding, Pad length, Next header) is placed at the end of the packet.

>If authentication is used, the authentication data is put after the ESP trailer.

>Encryption covers: the entire ciphertext.

>Authentication covers: ciphertext + ESP header.
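An added example (not from the slides) of transport-mode ESP framing as described on this and the ESP-format slides: the payload gets a trailer (padding to a 32-bit boundary, pad length, next header), the payload plus trailer is encrypted, and the ICV (HMAC-SHA-1-96) is computed over the ESP header plus the ciphertext but not over itself. The receiver verifies the ICV before decrypting and uses Pad length to strip the padding. Because DES, 3DES and the other ciphers listed are not in the Python standard library, the encryption step is a labelled SHA-256 counter-keystream stand-in, not an IPSec transform; keys, SPI and payload are constructed values.

```python
import hmac, hashlib, struct

def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:12]   # 96-bit default MAC

def keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    # ASSUMPTION: stand-in for the block ciphers on the slides (DES, 3DES, ...).
    # XORs data with a SHA-256 counter keystream bound to the SPI and sequence number.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack("!IIQ", spi, seq, i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header=6, extra_pad=0):
    # Pad so payload + padding + 2 trailer bytes is a multiple of 4 (32-bit alignment);
    # extra_pad adds traffic-flow-confidentiality padding that hides the true length
    pad_len = (-(len(payload) + 2 + extra_pad)) % 4 + extra_pad
    padding = bytes(range(1, pad_len + 1))            # 1, 2, 3, ... pad bytes
    trailer = padding + bytes([pad_len, next_header])  # ESP trailer
    header = struct.pack("!II", spi, seq)              # ESP header: SPI + sequence number
    ciphertext = keystream_xor(enc_key, spi, seq, payload + trailer)
    icv = hmac_sha1_96(auth_key, header + ciphertext)  # covers header + ciphertext, not the ICV
    return header + ciphertext + icv

def esp_decapsulate(enc_key, auth_key, pkt):
    """Verify the ICV, decrypt, strip the trailer; returns (spi, seq, next_header, payload)."""
    header, ciphertext, icv = pkt[:8], pkt[8:-12], pkt[-12:]
    if not hmac.compare_digest(icv, hmac_sha1_96(auth_key, header + ciphertext)):
        raise ValueError("ESP ICV mismatch")           # authenticate before decrypting
    spi, seq = struct.unpack("!II", header)
    plain = keystream_xor(enc_key, spi, seq, ciphertext)
    pad_len, next_header = plain[-2], plain[-1]
    if plain[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, plain[:-2 - pad_len]
```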

Page 37: Unit 8 ip security
Page 38: Unit 8 ip security

• The entire IP packet is encrypted.

• A new IP header is used for routing.

• In IPv4:

>The ESP header is inserted after the new IP header.

>The ESP trailer (Padding, Pad length, Next header) is placed at the end of the packet.

>If authentication is used, the authentication data is put after the ESP trailer.

Page 39: Unit 8 ip security

• In IPv6:

>The ESP header is inserted before the original IP header.

>The ESP trailer (Padding, Pad length, Next header) is placed at the end of the packet.

>If authentication is used, the authentication data is put after the ESP trailer.

>Encryption covers: the entire ciphertext.

>Authentication covers: ciphertext + ESP header.

Page 40: Unit 8 ip security
Page 41: Unit 8 ip security

• The IPSec documentation lists four basic combinations:

• Case 1:

• All security is provided between the end systems.

• The end systems share the appropriate secret keys.

Page 42: Unit 8 ip security
Page 43: Unit 8 ip security

• Case 2:

• Security is implemented only between gateways (routers, firewalls).

• End hosts do not implement IPSec.

• A single tunnel SA is established between the gateways.

• Could support AH, ESP, and ESP with authentication.

Page 44: Unit 8 ip security
Page 45: Unit 8 ip security

• Case 3:

• End-to-end security is added to Case 2.

• Besides the tunnel SA, the end hosts may have one or more SAs of their own.

• The gateway-to-gateway tunnel provides authentication or confidentiality for traffic between the end systems.

• The end systems can implement additional security using end-to-end SAs.

Page 46: Unit 8 ip security
Page 47: Unit 8 ip security

• Case 4:

• A tunnel-mode SA exists between a host and a firewall.

• Can be used by a remote host to reach the firewall and gain access to a server or workstation behind it.

Page 48: Unit 8 ip security