ipsec
play

IPsec Slide 1 Protocol security - where? Application layer: (+): - PDF document

Oct 30, 2022 •222 likes •420 views

IPsec 1 IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials, extend without waiting for OS vendor, understand data; (-): design again and again; e.g., PGP, ssh, Kerberos Transport layer: (+):

  1. IPsec 1 IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials, extend without waiting for OS vendor, understand data; (-): design again and again; e.g., PGP, ssh, Kerberos Transport layer: (+): security mostly seamlessly, but difficult to get credentials; e.g., TLS Network layer: (+): reduced key management, fewer application changes, fewer implementations, VPNs; (-) non-repudiation, multi-user machines, partial security in “middle boxes” Data link layer: (+): speed; (-): hop-by-hop only Slide 2 December 5, 2000

  2. IPsec 2 Documents Document Roadmap RFC 2411 Architecture RFC 2401 IP Authentication Header (AH) RFC 2402 IP Authentication Using Keyed MD5 RFC 1828 IP Encapsulating Security Payload (ESP) RFC 2406 The Oakley Key Determination Protocol RFC 2412 Internet Sec. Assoc. and Key Mmgt. P. (ISAKMP) RFC 2408 The Internet Key Exchange (IKE) RFC 2409 HMAC: Keyed-Hashing for Message AuthenticationA RFC 2104 Slide 3 IPSec services � IPv4 and IPv6 unicast � access control � connectionless integrity � data origin authentication � protection against replays (partial sequence integrity) � confidentiality (encryption) � limited traffic flow confidentiality. � todo: NAT, multicast Slide 4 December 5, 2000

  3. IPsec 3 Architecture Authentication header (AH): access control, integrity, data origin authentication, replay protection Encapsulating Security Payload (ESP): access control, confidentiality, traffic flow confidentiality. Key management protocols: IKE = OAKLEY + ISAKMP, ... � for any upper-layer protocol � no effect on rest of Internet � algorithm-independent, but default algorithms Slide 5 Architecture � between host and/or security gateways � security gateway = router, firewall, ... � security policy database (SPD) ➠ IPsec, discarded, or bypass � negotiate compression (why?) � tunnel mode or transport mode � granularity: single host-host tunnel vs. one per TCP connection Slide 6 December 5, 2000

  4. IPsec 4 Implementation � native IP implementation � bump in the stack (BITS): beneath IP layer � bump in the wire (BITW) Slide 7 Security Assocation (SA) � simplex � AH or ESP � identified by – Security Parameter Index (SPI), – IP destination address, – security protocol (AH or ESP) identifier. � transport mode: two hosts – AH or ESP after IPv4 options, before UDP/TCP – IPv6: after base header and extensions, before/after destination options – mostly for higher-layer protocols (but: AH also some IP header parts) � tunnel mode: one or two security gateways Slide 8 December 5, 2000

  5. IPsec 5 � outer header ➠ tunnel endpoint � security header between outer and inner � traffic hiding; ESP payload padding Slide 9 Nested Security Associations AH and ESP ➠ two SAs (“SA bundle”): � transport adjacency: AH, then ESP � both tunnel endpoints the same � one endpoint the same � neither the same Slide 10 December 5, 2000

  6. IPsec 6 Security Policy Database � map to Security Assocation Database (per packet or per SPD entry) � discard, bypass or apply to inbound or outbound � ordered list of filters (stateless firewall) � example: “use ESP in transport mode using 3DES-CBC with explicit IV, nested inside of AH in tunnel mode using HMAC-SHA-1.” � selectors: – destination IP address: address, range, address + mask, wildcard – source IP address – name (for BITS/BITW hosts): user id, X.500 DN, system name, opaque, ... – data sensitivity label – transport layer protocol Slide 11 – source/destination ports � per socket setup or per packet (BITS, BITW, gateway) Slide 12 December 5, 2000

  7. IPsec 7 Security Association Database (SAD) � inbound: outer destination address � IPsec protocol (AH or ESP) � SPI (32-bit value) Slide 13 Examples of Implementations � end-to-end security (H1* == H2*) � VPN (H1 – SG1* == SG2* – H2) � e2e + VPN (H1* – SG1* == SG2* – H2*) � remote access (H1* == SG2* – H2*) Slide 14 December 5, 2000

  8. IPsec 8 Locating a Security Gateway � where’s the gateway? authentication? � currently done manually � alternatives: SLP, multicast, DHCP, ... Slide 15 Authentication header (AH) protocol 51: 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Payload Len | RESERVED | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Security Parameters Index (SPI) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number Field | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | + Authentication Data (variable, typ. 96 b) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Slide 16 December 5, 2000

  9. IPsec 9 Authentication Header: Transport Mode IPv4: --------------------------------- |orig IP hdr | | | | |(any options)| AH | TCP | Data | --------------------------------- |<------- authenticated ------->| except for mutable fields IPv6: ------------------------------------------------------------ | |hop-by-hop, dest*, | | dest | | | |orig IP hdr |routing, fragment. | AH | opt* | TCP | Data | ------------------------------------------------------------ |<---- authenticated except for mutable fields ----------->| Slide 17 Authentication Header: Tunnel Mode IPv4: ------------------------------------------------ | new IP hdr* | | orig IP hdr* | | | |(any options)| AH | (any options) |TCP | Data | ------------------------------------------------ |<- authenticated except for mutable fields -->| | in the new IP hdr | IPv6: -------------------------------------------------------------- | | ext hdrs*| | | ext hdrs*| | | |new IP hdr*|if present| AH |orig IP hdr*|if present|TCP|Data| -------------------------------------------------------------- |<-- authenticated except for mutable fields in new IP hdr ->| Slide 18 December 5, 2000

  10. IPsec 10 Authentication � replay prevention: if seq. no. cycles, new SA; sliding window ➠ reject lower than left window edge � immutable or predictable IP header fields: version, IH length, total length, identification, protocol, source, destination (source route ➠ predictable) � set mutable fields to zero: TOS, flags, fragment, TTL, header checksum � AH header, with zero ICV � upper-layer data Slide 19 Encapsulating Security Payload (ESP) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ---- | Security Parameters Index (SPI) | ˆAuth. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- | Sequence Number | |erage +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ---- | Payload Data* (variable) | | ˆ ˜ ˜ | | | | |Conf. + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov- | | Padding (0-255 bytes) | |erage* +-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | | Pad Length | Next Header | v v +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------ | Authentication Data (variable) | ˜ ˜ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Slide 20 December 5, 2000

  11. IPsec 11 ESP for IPv4 ------------------------------------------------- |orig IP hdr | ESP | | | ESP | ESP| |(any options)| Hdr | TCP | Data | Trailer |Auth| ------------------------------------------------- |<----- encrypted ---->| |<------ authenticated ----->| Slide 21 ESP � DES in CBC mode [MD97] � HMAC with MD5 (RFC 2104) � HMAC with SHA-1 � NULL Authentication algorithm � NULL Encryption algorithm Slide 22 December 5, 2000

  12. IPsec 12 Keyed Authentication (RFC 2104) � keyed MAC (message authentication codes) � works with any iterated hash � prf(key, msg) = H (( K � opad ) j H (( K � ipad ) j text )) � note: double hash, avoids continuation problem of H ( K — m ) � replace fixed IV of iterated hash by random (key) IV � outer pad (opad) = 0x5c, ipad = 0x36 (Hamming distance!) to B = 64 bytes � may truncate hash – no less secure Slide 23 Internet Key Exchange (IKE) � IKE = ISAKMP + Oakley � “negotiate and provide authenticated keying material for security associations in a protected manner” � VPN, remote (“roaming”) user � perfect forward secrecy (PFS): compromise of key ➠ only single data item ( ➠ D-H) � DOI = domain of interpretation ➠ roughly, “name space” for algorithms (RFC 2407) � ISAKMP phases, Oakley modes: Phase 1: ISAKMP peers establish bidirectional secure channel using main mode or aggressive mode � ! ISAKMP SA Slide 24 December 5, 2000

  13. IPsec 13 Phase 2: negotiation of security services for IPsec (maybe for several SAs) using quick mode � can have multiple Phase 2 exchanges, e.g., to change keys Slide 25 ISAKMP Initiator cookie Responder cookie Next Major Minor Exchange Flags type payload version version Message ID Message Length Next generic Reserved Payload length header header Slide 26 December 5, 2000

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC can be used with VPNs Identify areas where extensions to IPSEC could be useful Bryan Gleeson, Page-1 VPN Reference Model CE CE PE

352 views • 9 slides
IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE PE CPE/CLE Host PE CPE to CPE IPSEC can be used for : PE to PE PE to CPE Bryan Gleeson, Page-1 CPE to CPE IPSEC tunnels

680 views • 8 slides
Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab Version 2.5.47 basiert auf dem USAGI Projekt. Hierbei handelt es sich um eine alternative Implementierung des IPsec Stacks zum FreeS/WAN Projekt.

610 views • 8 slides
THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution Make encryption the default mode of communication Certifjcations (FIPS, Common Criteria, USGv6, etc.)

917 views • 25 slides
Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets a form of partial sequence integrity Confidentiality

818 views • 37 slides
Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by Paul Wouters, RHEL Security THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution

736 views • 32 slides
Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework draft-saito-mmusic-ipsec-negotiation-req-00.txt August 1, 2005 Makoto Saito (ma.saito@ntt.com) Shingo Fujimoto (shingo_fujimoto@jp.fujitsu.com) 1 Motivation To secure communication

83 views • 6 slides
Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF standard for Network Layer security Popular for creating trusted link (VPN), either firewall-firewall, or machine to firewall Done at

868 views • 51 slides
IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

702 views • 26 slides
iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 18ss 1 / 29 Outline Overview IPsec databases

563 views • 29 slides
IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network Security, Principles and Practice,2nd Ed. : http://www.fata.ir

567 views • 23 slides
IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22

IPsec encapsulation over TCP Sabrina Dubroca sd@queasysnail.net Red Hat netdev 0x13, 2019-03-22 1 / 22 Introduction 2 / 22 ESP and IKE Components of the IPsec protocol suite ESP Encapsulating Security Payload AH Authentication Header IKE

478 views • 22 slides
Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of

Why IPsec and BGP dont play well together in real networks Brian Weis Overview Of course IKE/IPsec can be configured on routers to provide transport security for BGP and other similar control plane protocols. And certainly

480 views • 16 slides
for Constrained Environments dra%-raza-6lo-ipsec-02 {shahid.raza, simon.duquennoy}@sics.se

for Constrained Environments dra%-raza-6lo-ipsec-02 {shahid.raza, simon.duquennoy}@sics.se

Compression of IPsec AH and ESP Headers for Constrained Environments dra%-raza-6lo-ipsec-02 {shahid.raza, simon.duquennoy}@sics.se goran.selandaer@ericsson.com 1 Status of the Document First submi&lt;ed as a posi=on paper to the Smart

209 views • 18 slides
RFC 4301 Populate From Packet (PFP) in Linux Sowmini Varadhan (sowmini.varadhan@oracle.com)

RFC 4301 Populate From Packet (PFP) in Linux Sowmini Varadhan (sowmini.varadhan@oracle.com)

RFC 4301 Populate From Packet (PFP) in Linux Sowmini Varadhan (sowmini.varadhan@oracle.com) Linux IPsec workshop, March 2018, Dresden Germany Agenda Problem description: what is this and why do we need it? Follows up on discussion

410 views • 20 slides
New Developments in Trenchless Technologies Wide range of technologies suitable for different

New Developments in Trenchless Technologies Wide range of technologies suitable for different

New Developments in Trenchless Technologies Wide range of technologies suitable for different installation lengths, diameters, materials, or specific requirements (like accuracy) Direct Pipe &amp; Intersect drills Variants on

626 views • 9 slides
Networked Embedded Software: Introduction Luca Mottola Politecnico di Milano, Italy and SICS

Networked Embedded Software: Introduction Luca Mottola Politecnico di Milano, Italy and SICS

Networked Embedded Software: Introduction Luca Mottola Politecnico di Milano, Italy and SICS Swedish ICT ( home.deib.polimi.it/mottola ) Who am I? Whats the course about? Networked Embedded Software Software that powers networked embedded

530 views • 35 slides
Mobile Routing Goal is to allow a host to be disconnected from one network and connected to

Mobile Routing Goal is to allow a host to be disconnected from one network and connected to

Mobile Routing Goal is to allow a host to be disconnected from one network and connected to another With normal IP addresses, host would either become unreachable, or it would need to get a new IP address somehow (DHCP, manual

226 views • 10 slides
Network Mobility Thierry Ernst Keio University ernst@sfc.wide.ad.jp 1 Thierry Ernst -

Network Mobility Thierry Ernst Keio University ernst@sfc.wide.ad.jp 1 Thierry Ernst -

Network Mobility Thierry Ernst Keio University ernst@sfc.wide.ad.jp 1 Thierry Ernst - Nautilus6.org - September 2004 IP-layer Mobility: Host Mobility and Network Mobility Address Requirements for IPv6 nodes: Must be topologically correct

678 views • 41 slides
Weaving 101 2 Agenda Access onto Sites Entrances &amp; Doors Spaces Covered/ Work

Weaving 101 2 Agenda Access onto Sites Entrances &amp; Doors Spaces Covered/ Work

8/7/2018 Underwater Basket Weaving 101 2 Agenda Access onto Sites Entrances &amp; Doors Spaces Covered/ Work Areas Vertical Access Toilet Rooms Signs 3 1 8/7/2018 ADA Standards 4 ADA Standards (2010) Apply to:

713 views • 29 slides
Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen, Andrei Gurtov

Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen, Andrei Gurtov

Network Security Securing communications (SSL/TLS and IPSec) Marcus Bendtsen, Andrei Gurtov Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Network communication Who are you talking to?

636 views • 35 slides
OVERVIEW OFM Facilities Planning Team Kelli Dowling, Enterprise Application Trainer OFM OFFICE

OVERVIEW OFM Facilities Planning Team Kelli Dowling, Enterprise Application Trainer OFM OFFICE

FEBRUARY &amp; MARCH 2020 FPMT: INTRO TO FPMT OVERVIEW OFM Facilities Planning Team Kelli Dowling, Enterprise Application Trainer OFM OFFICE OF FINANCIAL MANAGEMENT WELCOME! Introduction of Team Please Silence Your Cell Phones Sign In

603 views • 43 slides

More recommend