IPSec—An Overview

By Amin Pathan
MGM`s Polytechnic, Aurangabad

Outline

• Why IPSec?
• IPSec Architecture
• Internet Key Exchange (IKE)
• IPSec Policy
• Discussion

IP is not Secure!

• The IP protocol was designed in the late 70s to early 80s
  – Part of the DARPA Internet Project
  – Very small network
    • All hosts are known!
    • So are the users!
    • Therefore, security was not an issue

Security Issues in IP

• Source spoofing
• Replay packets
• No data integrity or confidentiality

These make possible:
• DOS attacks
• Replay attacks
• Spying
• and more…

Fundamental issue: networks are not (and will never be) fully secure

Goals of IPSec

• To verify sources of IP packets
  – Authentication
• To prevent replaying of old packets
• To protect integrity and/or confidentiality of packets
  – Data integrity / data encryption

The IPSec Security Model

(Figure: the secure hosts and the insecure network between them; labels "Secure" and "Insecure")

IPSec Architecture

(Figure: the IPSec components)
• ESP: Encapsulating Security Payload
• AH: Authentication Header
• IPSec Security Policy
• IKE: The Internet Key Exchange

IPSec Architecture

• IPSec provides security in three situations:
  – Host-to-host, host-to-gateway and gateway-to-gateway
• IPSec operates in two modes:
  – Transport mode (for end-to-end)
  – Tunnel mode (for VPN)

IPsec Architecture

(Figure: transport mode between the two end hosts; tunnel mode between the two routers)

Various Packets

Original:        IP header | TCP header | data
Transport mode:  IP header | IPSec header | TCP header | data
Tunnel mode:     IP header | IPSec header | IP header | TCP header | data
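The three layouts above, as an added example that is not part of the original slides: it builds AH-protected IPv4 packets in transport and tunnel mode with the Python standard library and then dissects them by following the protocol chain (IP protocol 51 for AH, AH next header 4 for an inner IP header in tunnel mode, 6 for TCP). Addresses, ports, SPI values and payloads are constructed sample data, and the AH ICV is left as zeros because this example is only about where the IPsec header sits.

```python
# Added example (not from the slides): build AH-protected IPv4 packets in
# transport and tunnel mode, then walk the header chain like a dissector.
# Addresses, ports, SPIs and payloads are constructed; the ICV is left zeroed.
import ipaddress
import struct

IPPROTO_IPIP = 4   # inner IPv4 header follows (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_AH = 51    # Authentication Header

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header, no options
AH_FMT = "!BBHII"            # next header, payload len, reserved, SPI, sequence


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; the header checksum is left 0 for brevity."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_header(next_header, spi, seq, icv=bytes(12)):
    """RFC 2402 AH. Payload Length counts 32-bit words minus 2; with a
    96-bit ICV the header is 24 bytes, so the field is 4."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack(AH_FMT, next_header, payload_len, 0, spi, seq) + icv


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header (SYN, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def transport_mode(src, dst, tcp, data, spi, seq):
    """IP | AH | TCP | data: the original IP header stays, AH is inserted after it."""
    inner = tcp + data
    return (ipv4_header(src, dst, IPPROTO_AH, 24 + len(inner))
            + ah_header(IPPROTO_TCP, spi, seq) + inner)


def tunnel_mode(gw_src, gw_dst, src, dst, tcp, data, spi, seq):
    """new IP | AH | original IP | TCP | data: the whole original packet is
    wrapped, so the outer addresses are the gateways'."""
    original = ipv4_header(src, dst, IPPROTO_TCP, len(tcp) + len(data)) + tcp + data
    return (ipv4_header(gw_src, gw_dst, IPPROTO_AH, 24 + len(original))
            + ah_header(IPPROTO_IPIP, spi, seq) + original)


def _ip_fields(buf):
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, buf[:20])
    return ((ver_ihl & 0x0F) * 4, proto,
            str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)))


def dissect(pkt):
    """Follow outer IP -> AH -> (inner IP ->) TCP and report mode, SPI, endpoints."""
    ihl, proto, src, dst = _ip_fields(pkt)
    info = {"outer_src": src, "outer_dst": dst, "mode": "none"}
    off = ihl
    if proto == IPPROTO_AH:
        next_header, payload_len, _, spi, seq = struct.unpack(AH_FMT, pkt[off:off + 12])
        info.update(spi=spi, seq=seq, mode="transport")
        off += (payload_len + 2) * 4          # skip the AH including its ICV
        proto = next_header
        if proto == IPPROTO_IPIP:             # an inner IP header means tunnel mode
            inner_ihl, proto, isrc, idst = _ip_fields(pkt[off:])
            info.update(mode="tunnel", inner_src=isrc, inner_dst=idst)
            off += inner_ihl
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        info["tcp"] = (sport, dport)
        off += (pkt[off + 12] >> 4) * 4       # TCP data offset
    info["data"] = pkt[off:]
    return info


if __name__ == "__main__":
    tcp = tcp_header(40000, 443)
    print(dissect(transport_mode("10.0.0.1", "10.0.0.2", tcp, b"hello", 12, 1)))
    print(dissect(tunnel_mode("192.0.2.1", "198.51.100.1",
                              "10.1.0.10", "10.2.0.20", tcp, b"hello", 14, 1)))
```

Running the module prints the dissection of both packets; note that in tunnel mode the outer addresses are the gateways' while the inner IP header still carries the original endpoints, which is exactly what a VPN gateway relies on.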
IPSec

• A collection of protocols (RFC 2401)
  – Authentication Header (AH): RFC 2402
  – Encapsulating Security Payload (ESP): RFC 2406
  – Internet Key Exchange (IKE): RFC 2409
  – IP Payload Compression (IPcomp): RFC 3137

Authentication Header (AH)

• Provides source authentication
  – Protects against source spoofing
• Provides data integrity
• Protects against replay attacks
  – Uses monotonically increasing sequence numbers
  – Protects against denial of service attacks
• NO protection for confidentiality!

AH Details

• Uses a 32-bit monotonically increasing sequence number to avoid replay attacks
• Uses cryptographically strong hash algorithms to protect data integrity (96-bit)
  – Uses symmetric key cryptography
  – HMAC-SHA-96, HMAC-MD5-96
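The two AH mechanisms just listed, as an added example that is not part of the original slides: the 96-bit ICV is an HMAC (SHA-1 or MD5, as the slide names them) truncated to 12 bytes and computed over the packet with the fields that change in transit zeroed, and the 32-bit sequence number is enforced on the receiver with a sliding anti-replay window in the style of RFC 2401. The key, addresses and payloads are constructed sample values, and the layout assumed is IPv4 without options followed directly by an AH with a 12-byte ICV.

```python
# Added example (not from the slides): AH ICV with truncated HMAC plus a
# sliding anti-replay window. Key, addresses and payloads are constructed.
import hmac
import struct

IPPROTO_TCP, IPPROTO_AH = 6, 51
ALGS = {"HMAC-SHA-96": "sha1", "HMAC-MD5-96": "md5"}   # both truncated to 96 bits


def immutable_view(pkt):
    """Copy of the packet with the fields that change in transit zeroed: TOS,
    flags/fragment offset, TTL, header checksum, and the ICV field itself."""
    buf = bytearray(pkt)
    buf[1] = 0
    buf[6:8] = b"\x00\x00"
    buf[8] = 0
    buf[10:12] = b"\x00\x00"
    ihl = (buf[0] & 0x0F) * 4
    buf[ihl + 12:ihl + 24] = bytes(12)
    return bytes(buf)


def compute_icv(pkt, key, alg):
    return hmac.new(key, immutable_view(pkt), ALGS[alg]).digest()[:12]


def ah_packet(seq, payload, key, alg, spi=12):
    """IPv4 | AH | payload with the ICV filled in (sender side)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44 + len(payload), 0, 0, 64,
                     IPPROTO_AH, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    ah = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, spi, seq) + bytes(12)
    pkt = ip + ah + payload
    return pkt[:32] + compute_icv(pkt, key, alg) + pkt[44:]


class ReplayWindow:
    """Sliding window over received sequence numbers; bit i of `bitmap` set
    means sequence number `last - i` has already been accepted."""

    def __init__(self, size=64):
        self.size, self.mask = size, (1 << size) - 1
        self.last, self.bitmap = 0, 0

    def check(self, seq):
        if seq == 0:                 # the first packet on an SA has sequence 1
            return False
        if seq > self.last:
            return True
        diff = self.last - seq
        return diff < self.size and not (self.bitmap >> diff) & 1

    def update(self, seq):
        if seq > self.last:
            self.bitmap = ((self.bitmap << (seq - self.last)) | 1) & self.mask
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)


def receive(pkt, key, alg, window):
    """Receiver order matters: window check, then ICV, and only then advance
    the window, so a forged packet with a high sequence number cannot move it."""
    ihl = (pkt[0] & 0x0F) * 4
    seq = struct.unpack("!I", pkt[ihl + 8:ihl + 12])[0]
    if not window.check(seq):
        return "replay-or-too-old"
    if not hmac.compare_digest(pkt[ihl + 12:ihl + 24], compute_icv(pkt, key, alg)):
        return "bad-icv"
    window.update(seq)
    return "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"
    window = ReplayWindow()
    p1 = ah_packet(1, b"hello", key, "HMAC-SHA-96")
    print(receive(p1, key, "HMAC-SHA-96", window))   # ok
    print(receive(p1, key, "HMAC-SHA-96", window))   # replay-or-too-old
```

Because TTL and the header checksum are excluded from the ICV, a packet whose TTL was decremented by routers still verifies, while any change to the payload or the addresses does not; a packet replayed inside the window, or one older than the window, is rejected before the HMAC is even computed.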
Encapsulating Security Payload (ESP)

• Provides all that AH offers, and
• in addition provides data confidentiality
  – Uses symmetric key encryption

ESP Details

• Same as AH:
  – Uses a 32-bit sequence number to counter replay attacks
  – Uses integrity check algorithms
• Only in ESP:
  – Data confidentiality: uses symmetric key encryption algorithms to encrypt packets

Internet Key Exchange (IKE)

• Exchanges and negotiates security policies
• Establishes security sessions
  – Identified as Security Associations
• Key exchange
• Key management
• Can be used outside IPsec as well

IPsec/IKE Acronyms

• Security Association (SA)
  – Collection of attributes associated with a connection
  – Is asymmetric! One SA for inbound traffic, another SA for outbound traffic
  – Similar to ciphersuites in SSL
• Security Association Database (SADB)
  – A database of SAs

IPsec/IKE Acronyms

• Security Parameter Index (SPI)
  – A unique index for each entry in the SADB
  – Identifies the SA associated with a packet
• Security Policy Database (SPD)
  – Stores policies used to establish SAs

How They Fit Together

(Figure: an SPD entry leads to SA-1 and SA-2 in the SADB, each identified by its SPI)

SPD and SADB Example

(Figure: hosts A and B and gateways C and D; transport mode between A and B, tunnel mode between C and D)

A's SPD:
  From  To  Protocol  Port  Policy
  A     B   Any       Any   AH[HMAC-MD5]

A's SADB:
  From  To  Protocol  SPI  SA Record
  A     B   AH        12   HMAC-MD5 key

C's SPD:
  From  To    Protocol  Port  Policy     Tunnel Dest
  Asub  Bsub  Any       Any   ESP[3DES]  D

C's SADB:
  From  To    Protocol  SPI  SA Record
  Asub  Bsub  ESP       14   3DES key
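The SPD and SADB lookups from the example above, as an added example that is not part of the original slides. Outbound, a node finds the first SPD entry whose selectors match the packet and then the SA that implements that policy (for a tunnel-mode policy the SA ends at the tunnel destination); inbound, the SA is found by destination, protocol and SPI. A, B, C, D, Asub and Bsub are given constructed addresses, the rule that a packet matching no SPD entry is dropped is this example's choice rather than something the slide states, and the second SA on C is a constructed inbound counterpart that illustrates the earlier point that inbound and outbound SAs are distinct.

```python
# Added example (not from the slides): SPD selector matching and SADB lookup.
# Addresses are constructed; "no matching policy => DISCARD" is this example's choice.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class SPDEntry:
    src: str                  # address or CIDR selector, or "Any"
    dst: str
    proto: str = "Any"
    port: str = "Any"
    policy: str = "BYPASS"    # "AH[HMAC-MD5]", "ESP[3DES]", "BYPASS" or "DISCARD"
    tunnel_dest: Optional[str] = None


@dataclass
class SA:
    src: str
    dst: str
    proto: str                # "AH" or "ESP"
    spi: int
    record: str               # stands in for the keys and algorithm parameters


def _in_selector(selector, addr):
    return (selector == "Any"
            or ipaddress.ip_address(addr) in ipaddress.ip_network(selector, strict=False))


def matches(entry, src, dst, proto="Any", port="Any"):
    return (_in_selector(entry.src, src) and _in_selector(entry.dst, dst)
            and entry.proto in ("Any", proto) and entry.port in ("Any", port))


class IPsecNode:
    def __init__(self, spd, sadb):
        self.spd, self.sadb = list(spd), list(sadb)   # SPD order is the priority order

    def outbound(self, src, dst, proto="Any", port="Any"):
        """Return (action, SA or None) for a packet this node is about to send."""
        for entry in self.spd:
            if not matches(entry, src, dst, proto, port):
                continue
            if entry.policy in ("BYPASS", "DISCARD"):
                return entry.policy, None
            sa_proto = entry.policy.split("[")[0]
            sa_dst = entry.tunnel_dest or dst          # tunnel mode: the SA ends at the gateway
            sa = next((s for s in self.sadb if s.dst == sa_dst and s.proto == sa_proto), None)
            if sa is None:
                return "IKE-NEGOTIATE", None          # policy known, SA not yet established
            return entry.policy, sa
        return "DISCARD", None                          # no matching policy: drop (example's choice)

    def inbound(self, dst, proto, spi):
        """Locate the SA for a received AH/ESP packet; None means drop it."""
        return next((s for s in self.sadb
                     if s.dst == dst and s.proto == proto and s.spi == spi), None)


# Constructed addresses for the hosts and subnets named on the slide.
A, B = "10.1.0.10", "10.2.0.20"          # A lies in Asub, B in Bsub
C, D = "192.0.2.1", "198.51.100.1"       # the gateways
ASUB, BSUB = "10.1.0.0/24", "10.2.0.0/24"

node_a = IPsecNode(
    spd=[SPDEntry(A, B, policy="AH[HMAC-MD5]")],             # A's SPD
    sadb=[SA(A, B, "AH", 12, "HMAC-MD5 key")])               # A's SADB
node_c = IPsecNode(
    spd=[SPDEntry(ASUB, BSUB, policy="ESP[3DES]", tunnel_dest=D)],   # C's SPD
    sadb=[SA(C, D, "ESP", 14, "3DES key"),                   # C's SADB, outbound SA (slide)
          SA(D, C, "ESP", 15, "3DES key (inbound)")])        # constructed inbound counterpart


if __name__ == "__main__":
    print(node_a.outbound(A, B))           # A applies AH end-to-end
    print(node_c.outbound(A, B))           # C then tunnels that packet in ESP to D
    print(node_c.inbound(C, "ESP", 15))    # D's return traffic is found by SPI
    print(node_c.inbound(C, "ESP", 99))    # unknown SPI: None, so the packet is dropped
```

With A inside Asub and B inside Bsub, the AH-protected packet A sends to B also matches C's tunnel policy, so it leaves C wrapped in ESP towards D; the inbound lookup shows why SPI values matter on the receiving side, since an SPI that is not in the SADB gives the receiver no SA to verify or decrypt with.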
IPsec Policy

• Phase 1 policies are defined in terms of protection suites
• Each protection suite
  – Must contain the following:
    • Encryption algorithm
    • Hash algorithm
    • Authentication method
    • Diffie-Hellman group
  – May optionally contain the following:
    • Lifetime
    • …

IPSec Policy

• Phase 2 policies are defined in terms of proposals
• Each proposal:
  – May contain one or more of the following:
    • AH sub-proposals
    • ESP sub-proposals
    • IPComp sub-proposals
  – Along with necessary attributes such as key length, lifetime, etc.
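How the two policy levels above are matched during negotiation, as an added example that is not part of the original slides. A Phase 1 protection suite is accepted only when all four mandatory attributes agree, and a Phase 2 proposal is accepted only when every sub-proposal in it (AH, ESP, IPComp) is acceptable, because the parts of one proposal are applied together; optional lifetimes are settled as the minimum of both sides. The algorithm names, group numbers and lifetimes are constructed sample values, and the rule of taking the first acceptable offer in the initiator's order is this example's choice.

```python
# Added example (not from the slides): responder-side selection of a Phase 1
# protection suite and a Phase 2 proposal. Sample values are constructed.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ProtectionSuite:                 # Phase 1
    encryption: str
    hash: str
    auth_method: str
    dh_group: int
    lifetime: Optional[int] = None     # seconds; optional attribute


@dataclass(frozen=True)
class SubProposal:                     # one AH, ESP or IPComp part of a Phase 2 proposal
    protocol: str
    transform: str
    key_length: Optional[int] = None
    lifetime: Optional[int] = None


Proposal = Tuple[SubProposal, ...]     # the sub-proposals of one proposal apply together


def _min_lifetime(a, b):
    values = [t for t in (a, b) if t is not None]
    return min(values) if values else None


def _mandatory(s):
    return (s.encryption, s.hash, s.auth_method, s.dh_group)


def select_suite(offers: Sequence[ProtectionSuite], acceptable: Sequence[ProtectionSuite]):
    """Phase 1: first offer (in initiator order) whose mandatory attributes match
    one of the responder's suites; the lifetime becomes the shorter of the two."""
    for offer in offers:
        for ok in acceptable:
            if _mandatory(offer) == _mandatory(ok):
                return replace(offer, lifetime=_min_lifetime(offer.lifetime, ok.lifetime))
    return None


def select_proposal(proposals: Sequence[Proposal], policy: Dict[str, Sequence[SubProposal]]):
    """Phase 2: `policy` maps protocol -> acceptable sub-proposals. A responder
    key_length of None accepts any length. A proposal is rejected as a whole as
    soon as one of its sub-proposals is unacceptable."""
    for proposal in proposals:
        chosen = []
        for sub in proposal:
            ok = next((r for r in policy.get(sub.protocol, ())
                       if r.transform == sub.transform
                       and r.key_length in (None, sub.key_length)), None)
            if ok is None:
                break
            chosen.append(replace(sub, lifetime=_min_lifetime(sub.lifetime, ok.lifetime)))
        else:
            return tuple(chosen)
    return None


# Constructed sample policies.
INITIATOR_SUITES = [
    ProtectionSuite("AES-128", "SHA1", "pre-shared-key", 14, lifetime=86400),
    ProtectionSuite("3DES", "MD5", "pre-shared-key", 2, lifetime=86400),
]
RESPONDER_SUITES = [
    ProtectionSuite("3DES", "SHA1", "pre-shared-key", 2, lifetime=28800),
    ProtectionSuite("3DES", "MD5", "pre-shared-key", 2, lifetime=28800),
]
INITIATOR_PROPOSALS = [
    (SubProposal("ESP", "3DES", lifetime=3600), SubProposal("AH", "HMAC-MD5")),  # ESP and AH
    (SubProposal("ESP", "3DES", lifetime=3600),),                               # ESP alone
]
RESPONDER_POLICY = {"ESP": [SubProposal("ESP", "3DES", lifetime=1800)]}           # no AH support

if __name__ == "__main__":
    print(select_suite(INITIATOR_SUITES, RESPONDER_SUITES))          # 3DES/MD5, lifetime 28800
    print(select_proposal(INITIATOR_PROPOSALS, RESPONDER_POLICY))    # (ESP 3DES, lifetime 1800)
```

In the sample run the responder cannot accept the initiator's preferred AES suite, so negotiation falls through to the 3DES/MD5 suite, and the combined ESP+AH proposal is rejected because AH is not in the responder's policy, leaving the ESP-only proposal. Settling the lifetime as the minimum of the two sides means the SA is rekeyed at the stricter party's interval.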
Resources

• IP, IPsec and related RFCs:
  – http://www.ietf.org/html.charters/ipsec-charter.html
  – IPsec: RFC 2401, IKE: RFC 2409
  – www.freeswan.org
• Google search