IPSec and Privacy with IPv6 - PowerPoint PPT Presentation


Slides: 31
Provided by: foss
Tags: ipsec | ipv6 | privacy


Transcript and Presenter's Notes



1
IPSec and Privacy with IPv6
  • Jayachandra K, Consultant, Systems Networking,
    Hewlett Packard
  • Gopi Garge, Vice President, IPv6 Forum India
  • Tusar Gupta, Systems Specialist, Network
    Solutions

2
Agenda
  • Security & privacy: application/services
    perspective
  • IPSEC with IPv4
  • Security & Privacy in IPv6
  • Status of IPSEC implementation on Linux &
    FreeSWAN project
  • Impact on Business Applications and services,
    network security infrastructure, network
    management and billing
  • Conclusion

3
Application/services needs..
  • Establish the source IP
  • Spoofing
  • Session replays
  • Data Privacy at the network layer
  • Privacy available for application data
  • Session privacy not available

4
Application/services needs..
  • Data Integrity
  • Only on network layer headers
  • Corrupt data goes up to the transport layer
  • User authentication available
  • Host authentication not available

5
Real World Applications
  • Client-Server Apps (one to many)
  • Web based applications
  • E-business applications
  • E-commerce and M-commerce applications
  • Peer - Peer Apps (many to many)
  • VoIP
  • Video conferencing
  • Network games (Gambling?)

6
Application/services needs..
  • Security Needs
  • Source authentication (user and host based)
  • Session privacy
  • Data confidentiality
  • Data integrity

7
Security in IPv4
  • None, as part of basic protocol
  • IPsec -
  • No integration!

8
Security in IPv4
  • Pre - IPSec (and after too?!)
  • Application layer loaded with security
    responsibility
  • Data confidentiality using
  • SSL, SSH..
  • PGP, S/MIME
  • No Session Privacy
  • No host based authentication

9
Security in IPv4
  • Post - IPSec
  • Largely tunneled traffic
  • VPNs
  • Not popular due to
  • lack of integration into the system
  • applications cannot demand IPSec service

10
Security & Privacy in IPv6
  • IPSec mandated!
  • Integrated into the protocol
  • Applications can use IPSec services based on need
  • Session privacy
  • Host based authentication

11
Security & Privacy in IPv6
  • Two traffic security protocols
  • 1. Authentication header (AH)

12
Security & Privacy in IPv6
Authentication of information using Keyed MD-5 or
any one-way hashing algorithm

13
Security & Privacy in IPv6
  • Two traffic security protocols
  • 2. Encapsulation security payload (ESP)
  • ESP with Authentication

14
Security & Privacy in IPv6

15
Security & Privacy in IPv6

16
Security & Privacy in IPv6
  • Key repositories
  • DNS
  • LDAP
  • Proprietary databases

17
Security & Privacy in IPv6
  • Pros
  • All applications secure
  • Several options/ways to implement security &
    privacy requirements
  • Cons
  • Costly(but worth?!)
  • Higher bandwidth requirement
  • Extra processing
  • Export restrictions.

18
IPv6 implementation status
  • Linux kernels 2.2 and above
  • Supported on all variants of BSD
  • Supported by all major commercial OS such as
    HP-UX, AIX, Solaris, Windows 2000/XP etc.
  • Supported by all major network equipment vendors
    such as Cisco, Juniper, 6Wind, Hitachi, Nokia,
    Ericsson etc.
  • Embedded systems vendors like Interpeak support
    IPv6 in their TCP/IP stack.

19
FreeS/WAN Project
  • Linux FreeS/WAN is an implementation
  • of IPSEC & IKE for Linux
  • http://www.freeswan.org

20
Objectives of FreeSWAN project
  • implement the IPsec protocols for Linux
  • extend IPsec to do opportunistic encryption
  • help make IPsec widespread by providing an
    implementation with no restrictions
  • provide a high-quality IPsec implementation for
    Linux

21
Opportunistic Encryption
  • any two systems can secure their communications
    without a pre-arranged connection
  • both systems pick up the authentication
    information they need from the DNS
  • reduces the administrative overhead for IPsec
    enormously
  • secure connections can be the default

22
Things not yet implemented
  • Key management methods
  • authenticate key negotiations via local PKI
    server
  • authenticate key negotiations via secure DNS
  • unauthenticated key management, using
    Diffie-Hellman key agreement protocol
  • Encryption methods
  • Triple DES only supported
  • Authentication methods
  • No optional additional implemented

23
Current releases and distributions
  • Current Release
  • Linux FreeS/WAN 1.99 OE-enabled IPsec released on
    04/11/02
  • 1.99 is a bug fix release
  • Installs on Red Hat 8.0 and 7.x.
  • Linux Distributions
  • Best Linux (Finland), Mandrake (France), Conectiva
    (Brazil), Polish(ed) Linux Distribution (Poland),
    Debian ver 3.0, SuSE Linux (Germany), Redhat
    (Kernel series 2.2 and 2.4)
  • Firewall Distributions
  • Astaro Security Linux, Linuxwall
  • Devil Linux, Smoothwall ,
  • Gibraltar, Wolverine (Coyote Linux), Linux
    Router Project,
  • Xiloo

24
Compatibility Status Interoperability problems
  • FreeS/WAN does not implement single DES
  • FreeS/WAN does not implement Diffie-Hellman group
    1 (768-bit)
  • FreeS/WAN does not implement aggressive mode for
    IKE negotiations
  • Perfect forward secrecy: Yes, by default
  • Optional message/bit in IKE protocol
  • FreeSWAN implementation is compatible with most
    other implementations.
  • FreeS/WAN 1.91 with IPv6 support, version 0.2
  • http://www.ipv6.iabg.de/download/ipsec6_upd.tgz

25
Installation
  • latest stable release is 1.99 - 04/11/2002
  • RPM
  • ftp://ftp.xs4all.nl/pub/crypto/freeswan/binaries/RedHat-RPMs
  • Source
  • Tar file containing source and documentation for
    Linux systems with 2.2.XX and 2.4.XX kernels
  • ftp://ftp.xs4all.nl/pub/crypto/freeswan/freeswan-\
  • Patches
  • http://www.freeswan.ca/download.php

26
Configuration
  • Configure Files
  • ipsec.conf - configuration and control
    information for the FreeS/WAN IPsec subsystem
  • ipsec.secrets - holds a table of secrets, used by
    the FreeS/WAN IKE daemon
  • Insert KEY and TXT records in DNS
  • ipsec showhostkey --txt 1.2.3.4
  • RSA 2048 bits node.domain.com Mon Nov 25 13:53:22 2002
    4.3.2.1.in-addr.arpa. IN KEY 0x4200 4 1 AQOF8tZ2...buFuFn/
  • RSA 2048 bits node.domain.com Mon Nov 25 14:09:22 2002
    IN TXT "X-IPsec-Server(10)=1.2.3.4" " AQOF8tZ2...buFuFn/"
  • leftid node.domain.com
  • service ipsec start
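
Added example (not from the presentation or the FreeS/WAN project): a pre-publication check for the opportunistic-encryption TXT record on this slide. It assumes the FreeS/WAN TXT layout X-IPsec-Server(precedence)=gateway followed by a base64 RSA key in the RFC 2537/3110 encoding; the function names, the 2048-bit floor and the sample key are constructed for illustration.

```python
import base64
import ipaddress
import re

# Constructed sample, not a real key: exponent length 1, exponent 3, then a
# 256-byte modulus starting 0x85, so the base64 begins "AQOF" like the slide's.
SAMPLE_KEY = base64.b64encode(b"\x01\x03\x85" + bytes(255)).decode()
SAMPLE_TXT = ["X-IPsec-Server(10)=1.2.3.4", " " + SAMPLE_KEY]

TXT_RE = re.compile(r"X-IPsec-Server\((\d+)\)=(\S+)")

def reverse_name(ip):
    """Owner name of the reverse-DNS node the records are published under."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def parse_oe_txt(strings):
    """Split the TXT strings into (precedence, gateway, base64 key)."""
    m = TXT_RE.fullmatch(strings[0].strip()) if len(strings) >= 2 else None
    if m is None:
        raise ValueError("not an X-IPsec-Server TXT record")
    # Long keys are split over several <=255-byte strings; join them.
    return int(m.group(1)), m.group(2), "".join(s.strip() for s in strings[1:])

def rsa_key_info(key_b64):
    """Decode an RFC 2537/3110 RSA key blob; return (exponent, modulus bits)."""
    padded = key_b64 + "=" * (-len(key_b64) % 4)
    raw = base64.b64decode(padded, validate=True)  # rejects elided keys
    if len(raw) < 3:
        raise ValueError("key too short")
    elen, off = raw[0], 1
    if elen == 0:  # long form: the next two bytes carry the exponent length
        elen, off = int.from_bytes(raw[1:3], "big"), 3
    exponent = int.from_bytes(raw[off:off + elen], "big")
    modulus = int.from_bytes(raw[off + elen:], "big")
    if exponent == 0 or modulus == 0:
        raise ValueError("truncated or malformed key")
    return exponent, modulus.bit_length()

def check_record(ip, strings, min_bits=2048):
    """Validate a host-is-its-own-gateway record before publishing it."""
    _, gateway, key = parse_oe_txt(strings)
    if gateway != ip:
        raise ValueError("gateway %s does not match host %s" % (gateway, ip))
    exponent, bits = rsa_key_info(key)
    if bits < min_bits:
        raise ValueError("RSA modulus is only %d bits" % bits)
    return reverse_name(ip), exponent, bits
```

check_record("1.2.3.4", SAMPLE_TXT) returns the reverse-DNS owner name, the public exponent and the modulus size; a key pasted with its middle elided, as on the slide, is rejected as invalid base64.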

27
Impact on applications
  • Less security overhead on applications
  • Flexibility to enable/disable Network level
    security
  • Several options/ways to meet security
    requirements.
  • Secure Network management data
  • Billing applications to be modified
  • Largest impact is on business applications!!!

28
Impact on applications
  • VPN/Firewall scenario

29
Conclusion
30
Thank you!
  • Contact Jai_at_india.hp.com
  • Gopi_at_exocore.com
  • Tusar_at_india.hp.com