agenda
play

Agenda Some attacks against the IP Brief introduction to IPSec - PowerPoint PPT Presentation

Apr 28, 2023 •346 likes •694 views

IP Security Cunsheng Ding HKUST, Kong Kong, China C. Ding - COMP4631 - L21 1 Agenda Some attacks against the IP Brief introduction to IPSec Building Block: Security Association Building Block: Security Association Database

  1. IP Security Cunsheng Ding HKUST, Kong Kong, China C. Ding - COMP4631 - L21 1

  2. Agenda • Some attacks against the IP • Brief introduction to IPSec • Building Block: Security Association • Building Block: Security Association Database • Building Blocks: IPSec Protocols - ESP and AH • Building Block: Security Policy Database • Building blocks: Key Management Protocols • The Whole Picture of IPSec C. Ding - COMP4631 - L21 2

  3. The Internet Layers telnet,ftp,http, smtp,set Application Transport/session TCP, UDP Internet IP Interface Network technology protocols smtp = simple mail transfer protocol C. Ding - COMP4631 - L21 3

  4. Where can we put security? HTTP SMTP Advantaqes and disadvantage of each? FTP HTTP FTP SMTP SSL/TLS TCP TCP AH ESP IP IP Transport approach Network approach SET PGP S/MIME S-HTTP HTTP SMTP FTP TCP TCP IP IP Application approach Presentation approach C. Ding - COMP4631 - L21 4

  5. Attacks Against IP n A number of attacks against IP are possible. n Typically, these exploit the fact that IP does not perform a robust mechanism for sender authentication. n IP Spoofing n This is where one host claims to have the IP address of another. n IP Session Hijacking n It is an attack whereby a user's session is taken over, being in the control of the attacker. n If the user was in the middle of email, the attacker is looking at the email, and then can execute any commands he wishes as the attacked user. Conclusion: Security mechanism at the network layer would help. C. Ding - COMP4631 - L21 5

  6. Brief Introduction to IPSec C. Ding - COMP4631 - L21 6

  7. Internet Engineering Task Force Standardization • 1992: IPSEC WG (IETF) – Define security architecture – Standardize IP Security Protocol and Internet Key Management Protocol • 1998: revised version of IPSec Architecture – IPsec protocols (two sub-protocols AH & ESP) – Internet Key Exchange (IKE) • 2005: Updated version (RFC4301-4306) C. Ding - COMP4631 - L21 7

  8. IPsec: Network Approach • Provides security for IP and upper layer protocols • Suit of algorithms: – Mandatory-to-implement • Assures interoperability – Easy to add new algorithms C. Ding - COMP4631 - L21 8

  9. IP Security Overview IPSec provides the following: – Data origin authentication – Connectionless data integrity – Data content confidentiality – Anti-replay protection – Limited traffic flow confidentiality C. Ding - COMP4631 - L21 9

  10. Building Blocks: Security Association C. Ding - COMP4631 - L21 10

  11. Security Association n It is a one-way relationship between a sender and a receiver. n It associates security services and keys with the traffic to be protected. n It is identified by: n Security Parameter Index (SPI) à retrieve correct SA parameters from Security Association Database (SAD) n IPSec protocol identifier (AH or ESP) n Destination address (firewall, router) C. Ding - COMP4631 - L21 11

  12. Security Association • Defines security services and mechanisms between two end points (or IPsec modules): – Hosts – Network security gateways (e.g., routers, application gateways) – Hosts and security gateways • Defines parameters, mode of operation, and initialization vector – e.g., Confidentiality using ESP with DES in CBC mode with IV initialization vector • May use either Authentication Header (AH) or Encapsulating Security Payload (ESP). C. Ding - COMP4631 - L21 12

  13. Security Association • Host A Security Association: # ipsecadm new esp -spi 1000 -src HostA \ -dst HostB -forcetunnel -enc 3des -auth sha1 \ -key 7762d8707255d974168cbb1d274f8bed4cbd3364 \ -authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f • Host B Security Association: # ipsecadm new esp -spi 1001 -src HostB \ -dst HostA -forcetunnel -enc 3des -auth sha1 \ -key 7762d8707255d974168cbb1d274f8bed4cbd3364 \ -authkey 6a20367e21c66e5a40739db293cf2ef2a4e6659f RemarK: src = source, dst = destination, keysize = 160 bits spi is a binary string at most 32 bits, used to create and delete SA, the spi values between 0 and 100 are reserved. C. Ding - COMP4631 - L21 13

  14. SA -- Lifetime • Amount of traffic protected by a key and time frame the same key is used – Manual creation: no lifetime – Dynamic creation: may have a lifetime C. Ding - COMP4631 - L21 14

  15. Building Blocks: Security Policy Database C. Ding - COMP4631 - L21 15

  16. Security Policy Database (SPD) • Defines: – What traffic to be protected – How to protect – With whom the protection is shared • For each packet entering or leaving an IPsec implementation, SPD is used to determine security mechanism to be applied • Actions: – Discard: do not let packet in or out – Bypass: do not apply or expect security services – Protect: apply/expect security services on packets C. Ding - COMP4631 - L21 16

  17. Building Blocks: IPSec Protocols C. Ding - COMP4631 - L21 17

  18. IPSec Protocols n Encapsulating Security Payload (ESP) n Proof of data origin, data integrity, anti- replay protection n Data confidentiality and limited traffic flow confidentiality n Authentication Header (AH) n Proof of data origin, data integrity, anti- replay protection n No data confidentiality n May provide non-repudiation & anti-replay (it depends on the algorithm used.) C. Ding - COMP4631 - L21 18

  19. Transport Mode: AH & ESP n Usage: protect upper layer protocols n IPSec header is inserted between the IP header and the upper-layer protocol header n Communication endpoints must be cryptographic endpoints (for end-to-end authentication), i.e., the endpoints generate/process IP header (AH, ESP). n Only data is protected. protected IP Payload IPsec C. Ding - COMP4631 - L21 19

  20. When is Transport Mode Used Both endpoints are cryptographic endpoints, i.e. they generate / process an IPSec header (AH or ESP) C. Ding - COMP4631 - L21 20

  21. Tunnel Mode: AH & ESP n Usage: protect entire IP datagram n Entire IP packet to be protected is encapsulated in another IP datagram and an IPsec header is inserted between the outer and inner IP headers protected IP IPsec IP Payload New Original IP header IP header C. Ding - COMP4631 - L21 21

  22. When Is Tunnel Mode Used Tunnel mode is used when at least one cryptographic endpoint is not a communication endpoint of the secured IP packets. Outer IP Header – Destination for the router. Inner IP Header – Ultimate Destination C. Ding - COMP4631 - L21 22

  23. Encryption and Authentication Algorithms n Encryption: n Triple DES in CBC mode (MUST) n AES in CBC mode (SHOULD+) n AES in CTR (counter) mode (SHOULD) n Authentication: n HMAC-MD5-96 (MAY) n 96 truncated bites from 120 n HMAC-SHA-1-96 (MUST) n 96 truncated bites from 160 n AES-XCBC-96 (SHOULD+) n 96 truncated bites from 128 C. Ding - COMP4631 - L21 23

  24. Building Blocks: Key management protocol IKE C. Ding - COMP4631 - L21 24

  25. Key Management n IPSec needs secret keys: n for transmitting and receiving both AH and ESP n It supports two types of key management: n Manual: A system administrator manually configures each system with its own keys and with the keys of other communicating systems. n Automated : An automated system enable the on- demand creation of keys for SAs and facilitates the use of keys in a large distributed system with an evolving configuration. C. Ding - COMP4631 - L21 25

  26. Key Management Protocol n The management protocol is called “Internet Key Exchange (IKE)”. n It has two versions. n IKE 1998, IKEv2 2005 n It is the most complicated sub-protocol of IPSec. n Details are omitted in this course, but we will present its outline here. C. Ding - COMP4631 - L21 26

  27. Key exchange protocol Key Management C. Ding - COMP4631 - L21 27

  28. Whole Picture of IPSec C. Ding - COMP4631 - L21 28

  29. IP Security Architecture IPsec module 1 IPsec module 2 SPD SPD IKE IKE IPsec IPsec SAD SAD SA SAD: Security Association Database IKE: Internet Key Exchange SPD: Security Policy Database C. Ding - COMP4631 - L21 29

  30. C. Ding - COMP4631 - L21 30

  31. IPSec Uses C. Ding - COMP4631 - L21 31

  32. Applications of IPSec n Using IPSec all distributed applications can be secured, n Remote logon, n client/server, n e-mail, n file transfer, n Web access n etc. C. Ding - COMP4631 - L21 32

  33. Benefits of Using IPSec n The benefits of IPSec include: n IPSec can be transparent to end users. n There is no need to train users on security mechanisms n IPSec can provide security for individual aplication n By configuration, IPSec is applied to only one specified application. C. Ding - COMP4631 - L21 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

R E B I R T H R E B I R T H 1 Meeting Agenda Meeting Agenda Agenda 1

R E B I R T H R E B I R T H 1 Meeting Agenda Meeting Agenda Agenda 1

Annual General Meeting of Shareholders No. 1/2015 28 January 2015 At 1.30 P.M. at Athenee Crystal Hall, 3rd Floor, Plaza Athenee Bangkok R E B I R T H R E B I R T H 1 Meeting Agenda Meeting Agenda Agenda 1 To certify

879 views • 54 slides
Negotiating Conflicts Eff Effectively ti l Agenda Agenda Agenda Agenda Introductions

Negotiating Conflicts Eff Effectively ti l Agenda Agenda Agenda Agenda Introductions

Negotiating Conflicts Eff Effectively ti l Agenda Agenda Agenda Agenda Introductions Introductions 1) Negotiation Characteristics 2) Approaches to Conflict 2) Approaches to Conflict 3) Issues, Positions, and Interests 4)

1.06k views • 60 slides
Web E Web E ngineer ngineer ing Pr ing Pr oc ess oc ess We e k 2 Agenda (Lecture) Agenda

Web E Web E ngineer ngineer ing Pr ing Pr oc ess oc ess We e k 2 Agenda (Lecture) Agenda

Web E Web E ngineer ngineer ing Pr ing Pr oc ess oc ess We e k 2 Agenda (Lecture) Agenda (Lecture) Web Engineering Process W b E i i P Agenda (Lab) Agenda (Lab) Web 2.0 architecture patterns Project proposal P j t l

1.06k views • 19 slides
Anaheim August 27, 2008 Agenda Agenda Agenda Introduction New Rule Requirements

Anaheim August 27, 2008 Agenda Agenda Agenda Introduction New Rule Requirements

Anaheim August 27, 2008 Agenda Agenda Agenda Introduction New Rule Requirements Compliance Plan Upgrade Issues Questions Introduction Introduction Introduction Danny Luong Senior Enforcement Manager Background

989 views • 29 slides
Capital markets day 27 th September 2017 Agenda Time Agenda item Led by Time Agenda item

Capital markets day 27 th September 2017 Agenda Time Agenda item Led by Time Agenda item

Capital markets day 27 th September 2017 Agenda Time Agenda item Led by Time Agenda item Led by 14:15 TEA & COFFEE BREAK 11.00 Introduction Carolyn McCall 11.05 1. Market / Network 14.30 4. Making travel easy & affordable

1.22k views • 90 slides
Community Advisory Group Meeting June 20, 2016 Agenda 1. Welcome, Introductions and Agenda

Community Advisory Group Meeting June 20, 2016 Agenda 1. Welcome, Introductions and Agenda

Community Advisory Group Meeting June 20, 2016 Agenda 1. Welcome, Introductions and Agenda Overview 2. Public Comment (items not on the agenda) 3. CAG Questions and Concerns (items not on the agenda) 4. Labor Issue Update 5. New Generation

1.22k views • 55 slides
Agenda TOSITA Agenda July 15, 2015 9:30 - 10:00: Registration 10:00 -10:10: Welcome- PECO

Agenda TOSITA Agenda July 15, 2015 9:30 - 10:00: Registration 10:00 -10:10: Welcome- PECO

Agenda TOSITA Agenda July 15, 2015 9:30 - 10:00: Registration 10:00 -10:10: Welcome- PECO Perspective Bill Patterer -PECO 10:10- 10:20: Workshop Agenda/ EP-ACT Intro/EV overview Tony Bandiero EP-ACT 10:20- 10:35: EVSEs - What are They?

291 views • 15 slides
Agenda Agenda Linda Rammler, UConn UCEDD (copy from Agenda handout) Fr. John Gallagher,

Agenda Agenda Linda Rammler, UConn UCEDD (copy from Agenda handout) Fr. John Gallagher,

2/21/18 Agenda Agenda Linda Rammler, UConn UCEDD (copy from Agenda handout) Fr. John Gallagher, O.F.M. Cap. (St. Pius X Church) Kim Ranell Newgass (Baptist Church in New Haven) Mary Lou Freitas (Bethany Covenant) Doris

508 views • 5 slides
Mississauga Halton LHIN CSS and MH&A Sector Meeting June 11, 2010 Agenda Agenda Welcome

Mississauga Halton LHIN CSS and MH&A Sector Meeting June 11, 2010 Agenda Agenda Welcome

Mississauga Halton LHIN CSS and MH&A Sector Meeting June 11, 2010 Agenda Agenda Welcome and Agenda Community Care Information Management Program Herb Spence Stakeholder Engagement, HRIS (CCIM) Eugene Cortes - Project Lead,

2.11k views • 122 slides
Welcome June 2020 Agenda I. Welcome and Introductions II. Consent Agenda a. Approval of June

Welcome June 2020 Agenda I. Welcome and Introductions II. Consent Agenda a. Approval of June

Welcome June 2020 Agenda I. Welcome and Introductions II. Consent Agenda a. Approval of June Agenda b. Approval of February minutes c. Women in Jail Research Study III. Old Business a. JRAC Membership b. COVID-19 Strategies and Sustainability

539 views • 26 slides
Todays Agenda Todays Agenda Continued Todays Agenda Continued Save the Date August

Todays Agenda Todays Agenda Continued Todays Agenda Continued Save the Date August

Todays Agenda Todays Agenda Continued Todays Agenda Continued Save the Date August 17 & 18, 2021 10th Annual Nation to Nation Consultation Host: Chickasaw Nation USDA Leadership & Tribal Leaders Oklahoma NRCS

892 views • 65 slides
E-beam and X-ray: Why? What? How? 1 Introduction & Agenda Agenda: We are investing to

E-beam and X-ray: Why? What? How? 1 Introduction & Agenda Agenda: We are investing to

E-beam and X-ray: Why? What? How? 1 Introduction & Agenda Agenda: We are investing to supply and service a growing market E-Beam and X-ray are complementary solution that are financially viable Mevex and IBA are there to help

198 views • 15 slides
Katie Dively, Research Scientist II Agenda Agenda Agenda Agenda Welcome! 7 Step

Katie Dively, Research Scientist II Agenda Agenda Agenda Agenda Welcome! 7 Step

Katie Dively, Research Scientist II Agenda Agenda Agenda Agenda Welcome! 7 Step Communication Process Your Role Next Steps Centers Purpose Centers Purpose Centers Purpose Centers Purpose We are an

744 views • 55 slides
IDN BOF Agenda Harald Alvestrand, chair Agenda - 1 0900: Agenda bash, blue sheet, scribe ! 0910:

IDN BOF Agenda Harald Alvestrand, chair Agenda - 1 0900: Agenda bash, blue sheet, scribe ! 0910:

IDN BOF Agenda Harald Alvestrand, chair Agenda - 1 0900: Agenda bash, blue sheet, scribe ! 0910: Introduction to the IDN revision - John Klensin - An orientation on the main goals of the revision - Explanation of the division of labor between

233 views • 10 slides
#EdSummit @MorenoValleyUSD @BarrCenter 1 Agenda 10:45 Agenda 10:45 - 11:30 am 11:30 am

#EdSummit @MorenoValleyUSD @BarrCenter 1 Agenda 10:45 Agenda 10:45 - 11:30 am 11:30 am

#EdSummit @MorenoValleyUSD @BarrCenter 1 Agenda 10:45 Agenda 10:45 - 11:30 am 11:30 am 10:45 - 10:50 am: Introductions 10:50 - 10:55 am: MVUSD Board President Susan Smith 10:55 - 11:00 am: MVUSD Superintendent Dr. Martinrex Kedziora

408 views • 21 slides
Agenda Item 4: PUBLIC COMMENT Individuals may speak on any topic for up to three minutes; during

Agenda Item 4: PUBLIC COMMENT Individuals may speak on any topic for up to three minutes; during

4/25/19 SA SAN F FRANCISQ SQUITO C CREEK S F C J PA . O R G J O I N T P O W E R S A U T H O R I T Y BOARD OF DIRECTORS MEETING Menlo Park City Council Chambers April 25, 2019 at 2:30 p.m. AGENDA 1. ROLL CALL 2. APPROVAL OF AGENDA 3.

158 views • 15 slides
Interaction Protocols Martin Thompson - @mjpt777 Code How significant are protocols to software

Interaction Protocols Martin Thompson - @mjpt777 Code How significant are protocols to software

Interaction Protocols Martin Thompson - @mjpt777 Code How significant are protocols to software development? protocol noun \ pr -t - k l \ Source: http://www.merriam-webster.com/ protocol noun \ pr -t - k l \ : a

1.37k views • 105 slides
Communication Systems IPSec University of Freiburg Computer Science Computer Networks and

Communication Systems IPSec University of Freiburg Computer Science Computer Networks and

Communication Systems IPSec University of Freiburg Computer Science Computer Networks and Telematics Prof. Christian Schindelhauer Organization I. Data and voice communication in IP networks II. Security issues in networking

496 views • 20 slides
CSCD58 W INTER 2018 W EEK 2 -O VERVIEW C ONT D Brian Harrington University of Toronto

CSCD58 W INTER 2018 W EEK 2 -O VERVIEW C ONT D Brian Harrington University of Toronto

Store & Forward Delay & Loss Break Standards Architecture CSCD58 W INTER 2018 W EEK 2 -O VERVIEW C ONT D Brian Harrington University of Toronto Scarborough January 16, 2018 Store & Forward Delay & Loss Break Standards

659 views • 13 slides
@conference on Information Technologies, Systems and Networks. Moldova, October 2017 Surveillance

@conference on Information Technologies, Systems and Networks. Moldova, October 2017 Surveillance

By Sola Ajiboye, Chris Chatwin, Phil Birch, Rupert Young @conference on Information Technologies, Systems and Networks. Moldova, October 2017 Surveillance Cameras in the UK Video surveillance data is available in massive volumes but they are

321 views • 15 slides
QUIC - Next generation multiplexed transport over UDP Mehdi Yosofie Friday 25 th January, 2019

QUIC - Next generation multiplexed transport over UDP Mehdi Yosofie Friday 25 th January, 2019

Chair of Network Architectures and Services Department of Informatics Technical University of Munich QUIC - Next generation multiplexed transport over UDP Mehdi Yosofie Friday 25 th January, 2019 Chair of Network Architectures and Services

495 views • 22 slides
IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly aurelien.wailly@orange.com Maryline Laurent Maryline.Laurent@it-sudparis.eu 2011-10-25 ICSNA 2011 1 Outline IPsec IKEv2 CGA IKEv2 with CGA?

744 views • 36 slides
Internet of Things System Architectures Paul Patras Image: sns-it.ca Thousands of new

Internet of Things System Architectures Paul Patras Image: sns-it.ca Thousands of new

Internet of Things System Architectures Paul Patras Image: sns-it.ca Thousands of new applications spanning numerous domains. Each comes with its own requirements; combining these leads to complex (difficult to manage) and often

609 views • 22 slides
Introduction 1989: a bug in the Internets core routing algorithm inconvenienced a few

Introduction 1989: a bug in the Internets core routing algorithm inconvenienced a few

Preliminaries Syllabus and lecture slides on web site Welcome to COS 461 assume youll keep up with the reading Computer Networks Send me an e-mail name, year, preferred email address jpeg image of yourself Larry

359 views • 7 slides

More recommend