IPsec

1
IPsec

• Shu Zhang

2
IPsec

• Definition (Webopedia)
• Short for IP Security, a set of protocols
  developed by the IETF to support secure exchange
  of packets at the IP layer. IPsec has been
  deployed widely to implement Virtual Private
  Networks (VPNs)

3
Virtual Private Network (VPN)

• More and more across-country or worldwide
  companies due to global market
• there is a problem for all of them
• how to maintain fast, secure and reliable
  communications wherever their offices are
• Leased lines
• very expensive

4
Virtual Private Network (VPN)

• VPN using public wires, usually Internet to
  connect companys private network, remote sites
  and users together, instead of using a dedicate,
  real-world connection.

5
Virtual Private Network (VPN)

• Features of VPN
• Security
• Reliability
• Scalability
• Network management
• Policy management

6
VPN Security

• Several Methods
• Firewall
• Encryption
• IPsec
• AAA server

7
Goal of IPsec

• Provides security services at IP layer
• Access control
• Integrity
• Data origin Authentication
• Rejection of replayed packets
• Confidentiality

8
IPsec Architecture

• Components
• Security Protocols
• Security Associations
• Key Management
• Algorithms for authentication and encryption

9
Security Protocols

• Authentication Header (AH)
• Data Origin Authentication
• Anti-replay service
• Data Integrity
• Encapsulating Security Payload (ESP)
• Confidentiality
• Data Origin Authentication
• Anti-replay service
• Connectionless Integrity

10
AH

• AH provides authentication for as much of the IP
  header as possible, as well as for upper level
  protocol data
• Tow modes transport mode/tunnel mode

11
AH Location
12
AH Algorithms

• Keyed Message Authentication Codes (MAC) based on
  Symmetric Key Encryption( DES)
• One-way hash function (MD5/SHA-1)

13
ESP

• Provides Data Confidentiality to IP payload using
  Encryption
• It can provides Data Integrity and connectionless
  Integrity, but the coverage is different from AH
• Two transport Mode/Tunnel Mode

14
ESP Format
15
ESP Algorithms

• Encryption Algorithms
• Symmetric Encryption Algorithms
• Authentication Algorithms
• The same as AH

16
Security Associations (SA)

• A management Component used to enforce a security
  policy in the IPsec environment
• A simplex connection that affords security
  services to the traffic it carries
• The set of security services depends on
• Protocol selected
• SA mode
• Endpoints of the SA

17
SAs Mode

• Transport Mode
• Between 2 hosts
• Transport Mode AH
• The protection is to selected portions of IP
  header and higher layer protocol header
• Transport Mode ESP
• The protection is only for the higher layer

18
SAs Mode

• Tunnel Mode
• Applied to an IP tunnel
• Tunnel Mode AH
• Portions of outer IP header, as well as all of
  inner IP packet
• Tunnel Mode ESP
• Only to the tunneled packet

19
DataBases in IPsec

• Two databases are maintained in each IPsec
  implementation
• Security Policy Database (SPD)
• Security Association Database (SAD)

20
SPD

• Contains an ordered list of policy entries keyed
  by selectors
• Destination/Source IP Address
• Transport Layer protocol
• Destination/Source Port
• Each entry includes
• SA specification
• IPsec protocol
• Modes
• algorithms

21
SPD

• An administrative interface must be provided to
  user or system administrator
• Must be consulted during the all the traffic
  processing, including non-IPsec traffic

22
SAD

• Each entry defines the parameters associated with
  one SA
• Sequence Number Counter
• Anti_replay window
• AH Authentication algorithm, keys
• ESP Encryption algorithm, keys
• ESP Authentication algorithm, keys
• Lifetime of SA
• IPsec Protocol Mode

23
IPsec Processing

• Differentiate inbound/outbound traffic
• For outbound
• Entries are pointed to by entries in SPD
• If not, create a new SA
• For inbound
• A triple is used to uniquely identify a SA
• ltDestination IP address, IPsec Protocol,
  Security Parameters Indexgt

24
Security Parameter Index

• 32-bit value
• Selected by destination system when a new SA is
  established

25
SA Management Protocol

• Internet Security Association and Key Management
  Protocol (ISAKMP) is the framework for SA
  management
• It defines
• Procedure and Packet format to establish,
  negotiate, modify and delete SAs
• Payloads for exchanging key generation and
  authentication data

26
ISAKMP

• ISAKMP has 3 main functions
• Security Associations and Management
• Negotiation
• authentication mechanism
• cryptographic algorithm
• algorithm mode
• key length
• nitialization Vector (IV)
• Establishment

27
ISAKMP

• Authentication
• Authenticate the entity at the other end of
  Communication
• Strong Authentication must be provided
• Digital signature
• Public Key Encryption
• obtain shared secrets and session keys
• Key Establishment Key generation/Key transport
• Key Exchange Authentication

28
ISAKMP Negotiation

• Offer 2-phase negotiation
• Phase 1 establish an ISAKMP SA to protect
  further negotiation
• Phase 2 establish real protocol SAs
• Higher start-up cost
• Benefit
• Multiple Protocol SAs can be established
• Allow to use simpler second phase exchanges
• ISAKMP SA reduces ISAKMP management activities

29
ISAKMP Protection

• Denial-of-service
• A anti-clogging token (ACT)
• Man-in-the-middle attack
• Authentication and Encryption

30
Algorithms

• Not bounded to any specific cryptographic
  algorithm, key generation technique, or security
  mechanism
• Supports the dynamic communications environment
• Provides a forward migration path to better
  mechanisms and algorithms