IPSec Basics – Level-1
Avadhesh Agrawal (avagrawal@gmail.com)

V1.0/Dec-2013

What is IPSec?
• Suite of protocols for securing network connections
• Seen as an extension to the IP protocol family
• Works pretty much the same way for IPv4 & IPv6
• Provides the following basic services
– Authentication & Verification: Authentication means ensuring that the data has come from an authentic user only; Verification means ensuring that the data is not altered during the journey
– Confidentiality: Ensures that data is not visible to a third party during the journey
IPSec Terminology (1/2)
• IPSec protocols used
– Authentication Header (AH): Authenticates the data flowing over the connection
– Encapsulating Security Payload (ESP): Encrypts + authenticates the data flowing over the connection
• Note : These protocols are typically used independently – however they can be used together (pretty uncommon) as well.

• Transport vs Tunnel Mode
– Transport Mode
• Provides a secure connection between two end-points
• Encapsulates the IP payload only
• Simply a secured IP connection
• Both IPSec protocols (AH as well as ESP) can function in Transport Mode
– Tunnel Mode
• Provides a secure connection between two gateways, or where either end is a gateway i.e. host-to-gateway communication & vice versa
• Encapsulates the complete IP packet (IP Header + Payload)
• Primarily used for VPN
• Both IPSec protocols (AH as well as ESP) can function in Tunnel Mode
IPSec Terminology (2/2)
• Transport vs Tunnel Mode (Cont …)

Note : More on Transport/Tunnel mode later

IPv4 Datagram (refresher)
• Ver: Protocol Version (4 = IPv4)
• Hlen: Header Length (as a count of 32-bit words). Excludes payload size & other headers
• TOS: Type Of Service indicator
• Pkt Len: Total packet length (in bytes), including the header length in bytes
• ID: Used for associating fragmented packets
• Flgs: Mainly used during fragmentation
• Frag Offset: Identifies the position of this fragment in the complete unfragmented packet
• TTL: Time To Live – in terms of hops
• Proto: Type of protocol (UDP/TCP/etc.) encapsulated in the payload. Additions for IPSec:
– 50 : IPSec : ESP
– 51 : IPSec : AH
• Header Cksum: Checksum of the entire IP header (payload excluded). Not a cryptographic checksum; its purpose is confined to detecting errors during transmission
• Src/Dst IP address: Source / Destination IP address
• IP Options: Optional (application-specific information)
AH – Overview(1/N)
• As already discussed – through AH, authentication is done – but no encryption
– Thus, a sniffer can still read the contents of the message

• Still serves three purposes
– Helps in ensuring that the sender is an authentic one. In other words, we (as a receiver) are able to validate that we have received data from a valid sender only.
– Helps in detecting any alteration to data during transit
– (Optionally) prevents replaying of data i.e. a malicious user capturing the data & then re-injecting the same data at a later point in time

• Authentication is performed by computing a cryptographic hash-based message authentication code (HMAC)
– Nearly all fields of the IP packet (header as well as payload) are considered
• Fields liable to change during transit are excluded – like TTL, Header Checksum
– Intermediate hops cannot (as they will not have the IPSec-related information for this particular connection) and need not re-calculate the authentication code
AH – Header (2/N)
• Next Header (1 byte): Protocol type of the next payload. Note that, in Tunnel Mode, the next payload will be an IP packet (i.e. IP Header + IP Payload, where the IP Payload is the protocol (say TCP/UDP etc.) header + protocol payload)
• Payload Len (1 byte): Specifies the AH header length. Don’t get confused by the field name “Payload Len”. Defined in 32-bit words, “minus 2”.
• Reserved (2 bytes): For future use – must be set to “0”
• SPI (4 bytes): Security Parameter Index. In simple words, identifies the security parameters associated with a given connection.
• Sequence Number (4 bytes): Continuously increasing number – with every packet. Primarily to avoid replay attacks. On reaching the maximum value, rather than wrapping around, the connection is re-negotiated
• ICV (variable): Integrity Check Value. Cryptographic hash of the entire packet – however some fields are left out.
AH – Transport Mode(3/N)

AH – Transport Mode(4/N)
• Key noticeable points:
– The majority of fields are authenticated. Fields that can get modified during transit are skipped.
– The original IP packet is modified – a new header, viz. the AH header, gets added between the IP header & IP payload.
– Note the shuffling/usage of the protocol code in the modified IP packet.
• In the original IP packet, the proto field of the IP header was set to “TCP”, whereas in the modified packet, the proto field is set to “AH”
• Further, in the modified packet, the next field of the AH header is set to TCP. This helps the receiver in identifying the actual protocol.
• Commonly referred to as the mechanism to link different headers.

– Let’s see how the receiver node reconstructs the original IP packet as sent by the sender node.
• Packet is authenticated
• AH header is removed
• Value from next (i.e. TCP) is restored in the proto field of the IP header.

• Thus the original packet is restored
AH – Tunnel Mode (5/N)
AH – Tunnel Mode(6/N)
• Key noticeable points:
– The entire IP packet (IP Header + IP Payload) is encapsulated within another IP packet.
– Thus, the modified packet looks as follows:
• New IP header (say H1) followed by
• AH header followed by
• The entire original IP packet. Note that the original IP packet remains unmodified in Tunnel Mode.

– Note the shuffling/usage of the protocol code
• In the new IP header, the proto field is set to “AH” – indicating that this packet is of IPSec:AH type
• Further, the next field of the AH header is set to IP. This is required because the entire original IP packet is encapsulated.

– Let’s see how the receiver node reconstructs the original IP packet as sent by the sender node.
• Packet is authenticated
• New IP header & AH header are removed
• That’s it.

– Suited for VPN kind of environments where a tunnel simply needs to be created
AH – Transport vs Tunnel Mode(7/N)
• How to distinguish between Transport Mode and Tunnel mode?
– Mode information not added explicitly
– Answer lies in the value stored in next field of AH header
• If next = IP then Tunnel Mode
• If next = <proto i.e. UDP/TCP/etc> then Transport Mode

• Authentication Algorithms
– SHA-1
– MD5
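The following is an added worked example, not code from the slides or their author. It models the AH behaviour of the last few slides end to end: the IPv4 refresher (Hlen in 32-bit words, Proto 51 for AH, the non-cryptographic header checksum that must be recomputed whenever Proto or Pkt Len is rewritten), the ICV computed with the mutable fields (TTL, header checksum, and also TOS and flags/fragment offset, which RFC 4302 lists alongside them) read as zero, the transport-mode insertion of AH between the IP header and its payload, the tunnel-mode wrapping of the untouched original packet, and the receiver reading the mode off the AH next field alone. It assumes HMAC-SHA1-96 (the SHA-1 HMAC truncated to 96 bits, as RFC 2404 specifies for AH); the addresses, key and TCP-looking payload are constructed sample values, and the key would in reality come from the security association.

```python
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4   # AH next = "IP": an entire IPv4 packet follows (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_AH = 51    # Proto value of an IPSec:AH packet
ICV_LEN = 12       # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum of the IP header; error detection only, not cryptographic."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def patch_header(header: bytes, proto: int, total_len: int) -> bytes:
    """Rewrite Proto and Pkt Len, then recompute the header checksum (it is now stale)."""
    h = bytearray(header)
    h[2:4] = struct.pack("!H", total_len)
    h[9] = proto
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, ttl, proto, 0, src, dst)
    return patch_header(hdr, proto, 20 + len(payload)) + payload


def ip_header_len(packet: bytes) -> int:
    return (packet[0] & 0x0F) * 4   # Hlen counts 32-bit words


def mutable_zeroed(header: bytes) -> bytes:
    """Header copy with the in-transit-mutable fields (TOS, flags+frag offset, TTL, checksum)
    zeroed, so sender and receiver run the HMAC over identical bytes."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_header(next_header: int, spi: int, seq: int) -> bytes:
    payload_len = (12 + ICV_LEN) // 4 - 2   # AH length in 32-bit words, "minus 2"
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)


def ah_icv(key: bytes, outer: bytes, ah: bytes, rest: bytes) -> bytes:
    """ICV over the whole packet; mutable IP fields and the ICV field itself count as zero."""
    data = mutable_zeroed(outer) + ah + b"\x00" * ICV_LEN + rest
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(packet: bytes, key: bytes, spi: int, seq: int, tunnel_endpoints=None) -> bytes:
    """Sender side. Transport mode (default): AH slides in between IP header and payload.
    Tunnel mode (tunnel_endpoints=(gw_src, gw_dst)): new outer IP header + AH wrap the
    original packet, which stays byte-for-byte unmodified."""
    if tunnel_endpoints is None:
        hlen = ip_header_len(packet)
        ah = ah_header(packet[9], spi, seq)      # next = original Proto (TCP here)
        rest = packet[hlen:]                     # IP payload only
        outer = patch_header(packet[:hlen], IPPROTO_AH, hlen + len(ah) + ICV_LEN + len(rest))
    else:
        gw_src, gw_dst = tunnel_endpoints
        ah = ah_header(IPPROTO_IPIP, spi, seq)   # next = IP: whole original packet follows
        rest = packet
        outer = build_ipv4(gw_src, gw_dst, IPPROTO_AH, b"")[:20]
        outer = patch_header(outer, IPPROTO_AH, 20 + len(ah) + ICV_LEN + len(rest))
    return outer + ah + ah_icv(key, outer, ah, rest) + rest


def ah_verify(packet: bytes, key: bytes):
    """Receiver side: check the ICV, then rebuild the original packet. Nothing signals the
    mode explicitly; it is read off the AH next field."""
    hlen = ip_header_len(packet)
    outer = packet[:hlen]
    if outer[9] != IPPROTO_AH:
        raise ValueError("not an AH packet")
    ah = packet[hlen:hlen + 12]
    next_hdr, ah_total = ah[0], (ah[1] + 2) * 4
    icv, rest = packet[hlen + 12:hlen + ah_total], packet[hlen + ah_total:]
    if not hmac.compare_digest(icv, ah_icv(key, outer, ah, rest)):
        raise ValueError("ICV mismatch: altered in transit or not from the SA peer")
    if next_hdr == IPPROTO_IPIP:
        return "tunnel", rest                    # drop outer header + AH; inner packet intact
    return "transport", patch_header(outer, next_hdr, hlen + len(rest)) + rest


def router_hop(packet: bytes) -> bytes:
    """What an intermediate hop does: decrement TTL, refresh the checksum. Both are
    excluded from the ICV, so the AH check still passes afterwards."""
    hlen = ip_header_len(packet)
    h = bytearray(packet[:hlen])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + packet[hlen:]


def rejects_tampering(packet: bytes, key: bytes) -> bool:
    """Flip one payload bit and confirm the receiver refuses the packet."""
    bad = bytearray(packet)
    bad[-1] ^= 0x01
    try:
        ah_verify(bytes(bad), key)
    except ValueError:
        return True
    return False


# Constructed sample values (not real hosts or keys).
SRC, DST = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
GW_A, GW_B = b"\xc0\xa8\x01\x01", b"\xc0\xa8\x02\x01"
KEY = b"constructed-sa-key"
PAYLOAD = b"\x00\x50\x1f\x90hello"   # stand-in TCP header + data
ORIGINAL = build_ipv4(SRC, DST, IPPROTO_TCP, PAYLOAD)

if __name__ == "__main__":
    transport = ah_protect(ORIGINAL, KEY, 0x1000, 1)
    tunnel = ah_protect(ORIGINAL, KEY, 0x2000, 1, (GW_A, GW_B))
    print(ah_verify(router_hop(transport), KEY)[0], ah_verify(router_hop(tunnel), KEY)[0])
    print("tamper detected:", rejects_tampering(transport, KEY))
```

Two points worth noticing when running it: after a router hop the transport-mode packet still verifies, but the restored header carries the decremented TTL (the receiver never had the original value), while in tunnel mode the inner packet comes back exactly as sent; and the ICV comparison uses hmac.compare_digest rather than ==, so a forged packet cannot be matched one byte at a time by timing the receiver.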

ESP – Overview (1/N)
• More complex than AH
• Allows authentication as well as encryption
– Authentication – optional

• Header format is different from AH – discussed later
– Even has a trailer as well

• Provides Tunnel as well as Transport Mode – as in AH
• ESP encryption algorithms commonly used
– DES, 3DES, AES, Blowfish
– The algorithm & key used during encryption are negotiated during the connection establishment phase (a new world in itself – discussed separately)

• ESP authentication algorithms commonly used
– Same as used in AH i.e. SHA-1, MD5
ESP Header/Trailer (w/o Auth) (2/N)
• ESP Header
– SPI (4 bytes): Security Parameter Index. In simple words, identifies the security parameters associated with a given connection.
– Sequence Number (4 bytes): Continuously increasing number – with every packet. Primarily to avoid replay attacks. On reaching the maximum value, rather than wrapping around, the connection is re-negotiated
• Encrypted Payload (variable): Depending upon the mode – Transport or Tunnel – either the IP payload (Transport) or the entire IP packet (Tunnel) gets encrypted here. Note: the ESP header (i.e. SPI & Sequence No.) is NOT encrypted.
• ESP Trailer
– Padding (0-255 bytes): Place-holder for aligning block-oriented algorithms.
– Pad Len (1 byte): Length of the padding bytes
– Next Header (1 byte): Protocol type of the next payload. Note that, in Tunnel Mode, the next payload will be a complete IP packet.
ESP Header/Trailer (with Auth) (3/N)
• Here, authentication data has been added additionally.
• Only (i) the ESP header & (ii) the encrypted payload are authenticated
• Authentication Data field in the trailer – not encrypted
• Presence/absence of authentication is known to the sender. The receiver gets to know – by virtue of the SPI.
• Authentication Data (variable): Same as the ICV in the case of AH.
ESP – Transport Mode (4/N)

ESP – Transport Mode (5/N)
• Key noticeable points:
– The original IP packet is modified – a new header, viz. the ESP header, gets added between the IP header & IP payload.
– Additionally an ESP trailer (consisting of padding, pad_len, next) gets added
– Optionally, authentication data may also be added at the end of the packet
– The IP payload (i.e. TCP header + TCP payload from the previous figure) along with the ESP trailer is encrypted
• ESP header and authentication data (if present) – are excluded from encryption

– If authentication is needed:
• ESP header + encrypted payload + ESP trailer – authenticated. ICV stored as Authentication Data at the end of the packet
• IP header – excluded

– Note the shuffling/usage of the protocol code in the modified IP packet.
• In the original IP packet, the proto field of the IP header was set to “TCP”, whereas in the modified packet, the proto field is set to “ESP”
• Further, in the modified packet, the next field of the ESP trailer is set to TCP. This helps the receiver in identifying the actual protocol.
• Note that the actual protocol type is encrypted – hence hidden from packet sniffers
ESP – Tunnel Mode (6/N)

ESP – Tunnel Mode (7/N)
• Key noticeable points:
– The entire IP packet (IP Header + IP Payload) is encapsulated within another IP packet.
– Thus, the modified packet looks as follows:
• New IP header (say H1) followed by
• ESP header followed by
• The entire original IP packet (note that the original IP packet remains unmodified in Tunnel Mode) followed by
• ESP trailer followed by
• Optional authentication data

– Key difference from ESP – Transport Mode is
• The original IP header (along with the IP payload) gets encrypted as well.

– Note the shuffling/usage of the protocol code
• In the new IP header, the proto field is set to “ESP” – indicating that this packet is of IPSec:ESP type
• Further, the next field of the ESP trailer is set to IP. This is required because the entire original IP packet is encapsulated.
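The following is an added worked example, not code from the slides or their author. It builds and opens the ESP payload of the preceding slides (header/trailer layout, transport vs tunnel mode, optional authentication): SPI and sequence number in the clear, the payload plus padding, pad length and next header encrypted, an optional HMAC-SHA1-96 over header and encrypted part, and a receiver that looks the SA up by SPI to learn whether authentication data is present, checks that the sequence number keeps increasing, verifies before decrypting, strips the padding and reads the mode off the next header. Two assumptions beyond the slides: the cipher is a stand-in (an HMAC-SHA256 keystream XORed over the data) so that the example needs no third-party library, with padding still done to a 16-byte boundary as a CBC-mode block cipher would require, and the IV that CBC ciphers carry at the front of the encrypted payload (RFC 2451) is included. The SA dictionaries, keys and packet bytes are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

IPPROTO_IPIP = 4   # next = IP: the decrypted payload is a whole IPv4 packet (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
BLOCK = 16         # block boundary the padding aligns to (AES-sized)
ICV_LEN = 12       # HMAC-SHA1-96 authentication data, same as the AH ICV


def stand_in_cipher(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for the slide's block ciphers (DES/3DES/AES): an HMAC-SHA256 keystream
    XORed over the data. Encryption and decryption are the same call; the ESP framing
    around it is the point of this example, not the cipher."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_protect(sa: dict, seq: int, next_header: int, plain: bytes, iv: bytes = None) -> bytes:
    """Sender: SPI | Seq | IV | encrypt(plain + padding + pad_len + next) | [ICV].
    Transport mode: plain is the IP payload and next_header its protocol (e.g. TCP).
    Tunnel mode: plain is the whole original IP packet and next_header is IP."""
    pad_len = -(len(plain) + 2) % BLOCK            # plain + 2 trailer bytes up to a block boundary
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default pattern 1, 2, 3, ...
    trailer = padding + bytes([pad_len, next_header])
    iv = iv or os.urandom(BLOCK)
    esp_header = struct.pack("!II", sa["spi"], seq)     # never encrypted
    body = iv + stand_in_cipher(sa["enc_key"], iv, plain + trailer)
    if sa["auth_key"] is None:                           # authentication is optional in ESP
        return esp_header + body
    icv = hmac.new(sa["auth_key"], esp_header + body, hashlib.sha1).digest()[:ICV_LEN]
    return esp_header + body + icv                       # ICV covers header + encrypted part only


def esp_open(sa: dict, esp: bytes, last_seq: int):
    """Receiver: the SPI selects the SA, and the SA says whether an ICV is present.
    Returns (mode, next_header, seq, plaintext) or raises ValueError."""
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != sa["spi"]:
        raise ValueError("SPI does not belong to this SA")
    if seq <= last_seq:
        raise ValueError("sequence number not increasing: replay suspected")
    if sa["auth_key"] is None:
        body = esp[8:]
    else:
        body, icv = esp[8:-ICV_LEN], esp[-ICV_LEN:]
        expect = hmac.new(sa["auth_key"], esp[:8] + body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expect):     # verify before touching the ciphertext
            raise ValueError("authentication data mismatch")
    iv, ciphertext = body[:BLOCK], body[BLOCK:]
    decrypted = stand_in_cipher(sa["enc_key"], iv, ciphertext)
    pad_len, next_header = decrypted[-2], decrypted[-1]
    if decrypted[len(decrypted) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    plain = decrypted[:len(decrypted) - 2 - pad_len]
    mode = "tunnel" if next_header == IPPROTO_IPIP else "transport"
    return mode, next_header, seq, plain


def rejected(sa: dict, esp: bytes, last_seq: int) -> bool:
    """True if the receiver refuses the packet (bad SPI, replay, ICV or padding)."""
    try:
        esp_open(sa, esp, last_seq)
    except ValueError:
        return True
    return False


# Constructed sample SAs and packets (keys would come from IKE; SPI selects the SA).
SA_AUTH = {"spi": 0x3001, "enc_key": b"constructed-enc-key", "auth_key": b"constructed-auth-key"}
SA_NO_AUTH = {"spi": 0x3002, "enc_key": b"constructed-enc-key-2", "auth_key": None}
TCP_SEGMENT = b"\x00\x50\x1f\x90hello"                 # transport mode: IP payload only
INNER_PACKET = bytes.fromhex("4500001d1234400040060000" "0a000001" "0a000002") + TCP_SEGMENT

if __name__ == "__main__":
    transport = esp_protect(SA_AUTH, 1, IPPROTO_TCP, TCP_SEGMENT)
    tunnel = esp_protect(SA_AUTH, 2, IPPROTO_IPIP, INNER_PACKET)
    print(len(transport), esp_open(SA_AUTH, transport, 0)[:3])
    print(len(tunnel), esp_open(SA_AUTH, tunnel, 1)[:3])
    print("replay refused:", rejected(SA_AUTH, tunnel, 2))
```

The sizes show the trailer arithmetic: a 9-byte segment plus the 2 trailer bytes needs 5 bytes of padding to reach 16, so the authenticated transport packet is 8 + 16 + 16 + 12 = 52 bytes, and the 29-byte inner packet pads by one byte to 32. A sniffer sees Proto 50, the SPI and the sequence number, but the next-header byte that names the real protocol (6 for TCP, 4 for an encapsulated IP packet) is inside the encrypted part.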
More To Come …
• Security Association
• SPI
• Key Management - IKE

Resources
• Pretty good tutorial for beginners
– An illustrated guide to IPSec @ unixwiz.net


Contenu connexe

Tendances

IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1Shobhit Sharma
 
Idea(international data encryption algorithm)
Idea(international data encryption algorithm)Idea(international data encryption algorithm)
Idea(international data encryption algorithm)SAurabh PRajapati
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6limsh
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip securityrajakhurram
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMACKrishna Gehlot
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationsarhadisoftengg
 
Network security cryptographic hash function
Network security  cryptographic hash functionNetwork security  cryptographic hash function
Network security cryptographic hash functionMijanur Rahman Milon
 
Real time transport protocol
Real time transport protocolReal time transport protocol
Real time transport protocolSwaroopSorte
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)Arun Shukla
 

Tendances (20)

Ip security
Ip security Ip security
Ip security
 
Ip security
Ip security Ip security
Ip security
 
IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1
 
802.1x
802.1x802.1x
802.1x
 
Idea(international data encryption algorithm)
Idea(international data encryption algorithm)Idea(international data encryption algorithm)
Idea(international data encryption algorithm)
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnel
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip security
 
Internet Key Exchange Protocol
Internet Key Exchange ProtocolInternet Key Exchange Protocol
Internet Key Exchange Protocol
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
 
Message Authentication Code & HMAC
Message Authentication Code & HMACMessage Authentication Code & HMAC
Message Authentication Code & HMAC
 
DES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentationDES (Data Encryption Standard) pressentation
DES (Data Encryption Standard) pressentation
 
Network security cryptographic hash function
Network security  cryptographic hash functionNetwork security  cryptographic hash function
Network security cryptographic hash function
 
Real time transport protocol
Real time transport protocolReal time transport protocol
Real time transport protocol
 
Elliptic curve cryptography
Elliptic curve cryptographyElliptic curve cryptography
Elliptic curve cryptography
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Hash Function
Hash FunctionHash Function
Hash Function
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
 

En vedette

32 Security in_Internet_IP_SEC_SSL/TLS_PGN_VPN_and_Firewalls
32 Security in_Internet_IP_SEC_SSL/TLS_PGN_VPN_and_Firewalls32 Security in_Internet_IP_SEC_SSL/TLS_PGN_VPN_and_Firewalls
32 Security in_Internet_IP_SEC_SSL/TLS_PGN_VPN_and_FirewallsAhmar Hashmi
 
Unicast multicast & broadcast
Unicast multicast & broadcastUnicast multicast & broadcast
Unicast multicast & broadcastNetProtocol Xpert
 
Wireless sensor network report
Wireless sensor network reportWireless sensor network report
Wireless sensor network reportGanesh Khadsan
 
Network Security
Network SecurityNetwork Security
Network SecurityMAJU
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security PresentationAllan Pratt MBA
 
Wireless Sensor Networks
Wireless Sensor NetworksWireless Sensor Networks
Wireless Sensor NetworksKarthik
 
State of the Word 2011
State of the Word 2011State of the Word 2011
State of the Word 2011photomatt
 

En vedette (14)

32 Security in_Internet_IP_SEC_SSL/TLS_PGN_VPN_and_Firewalls
32 Security in_Internet_IP_SEC_SSL/TLS_PGN_VPN_and_Firewalls32 Security in_Internet_IP_SEC_SSL/TLS_PGN_VPN_and_Firewalls
32 Security in_Internet_IP_SEC_SSL/TLS_PGN_VPN_and_Firewalls
 
Rip ospf and bgp
Rip ospf and bgpRip ospf and bgp
Rip ospf and bgp
 
Unicast multicast & broadcast
Unicast multicast & broadcastUnicast multicast & broadcast
Unicast multicast & broadcast
 
Ch13
Ch13Ch13
Ch13
 
Mobile IP
Mobile IPMobile IP
Mobile IP
 
Wireless sensor network report
Wireless sensor network reportWireless sensor network report
Wireless sensor network report
 
Link state routing protocol
Link state routing protocolLink state routing protocol
Link state routing protocol
 
Mobile ip
Mobile ipMobile ip
Mobile ip
 
Fortigate Training
Fortigate TrainingFortigate Training
Fortigate Training
 
Network Security
Network SecurityNetwork Security
Network Security
 
Network Security Presentation
Network Security PresentationNetwork Security Presentation
Network Security Presentation
 
Network security
Network securityNetwork security
Network security
 
Wireless Sensor Networks
Wireless Sensor NetworksWireless Sensor Networks
Wireless Sensor Networks
 
State of the Word 2011
State of the Word 2011State of the Word 2011
State of the Word 2011
 

Similaire à IP Sec - Basic Concepts

Similaire à IP Sec - Basic Concepts (20)

Ip security
Ip securityIp security
Ip security
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Ipsecurity
IpsecurityIpsecurity
Ipsecurity
 
IPsec for IMS
IPsec for IMSIPsec for IMS
IPsec for IMS
 
Ipv4 packet structure
Ipv4 packet structureIpv4 packet structure
Ipv4 packet structure
 
The Security layer
The Security layerThe Security layer
The Security layer
 
IS Unit-4 .ppt
IS Unit-4 .pptIS Unit-4 .ppt
IS Unit-4 .ppt
 
Ip sec
Ip secIp sec
Ip sec
 
IP Security
IP SecurityIP Security
IP Security
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)
 
Encapsulating security payload in Cryptography and Network Security
Encapsulating security payload in Cryptography and Network SecurityEncapsulating security payload in Cryptography and Network Security
Encapsulating security payload in Cryptography and Network Security
 
Ipsec 2
Ipsec 2Ipsec 2
Ipsec 2
 
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
 
IP SEC.ptx
IP SEC.ptxIP SEC.ptx
IP SEC.ptx
 
IP security Part 1
IP security   Part 1IP security   Part 1
IP security Part 1
 
Ipsec rbe guide
Ipsec rbe guideIpsec rbe guide
Ipsec rbe guide
 
Lecture14..pdf
Lecture14..pdfLecture14..pdf
Lecture14..pdf
 
Chapter 6.ppt
Chapter 6.pptChapter 6.ppt
Chapter 6.ppt
 
Chapter 6 (1).ppt
Chapter 6 (1).pptChapter 6 (1).ppt
Chapter 6 (1).ppt
 
Chapter 6 (1).ppt
Chapter 6 (1).pptChapter 6 (1).ppt
Chapter 6 (1).ppt
 

Dernier

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Dernier (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

IP Sec - Basic Concepts

  • 1. IPSec Basics – Level-1 Avadhesh Agrawal (avagrawal@gmail.com) V1.0/Dec-2013 1
  • 2. What is IPSec? • Suite of Protocols for securing network connections • Seen as extension to IP Protocol family • Works pretty same way for IPv4 & IPv6 • Provides following basic services Service Purpose Authentication & Verification Authentication means that ensuring that data has come from authentic user only Verification means that ensuring that data is not altered during the journey Confidentiality V1.0/Dec-2013 Ensures that data is not visible to third party – during the journey 2
  • 3. IPSec Terminology (1/2) • IPSec Protocols used IPSec Protocol Purpose Authentication Header (AH) Authenticates the data flowing over connection Encapsulating Security Payload (ESP) Encrypts+Authenticate the data flowing over connection • Note : These protocol are typically used independently – however can be used together (pretty uncommon) as well. • Transport vs Tunnel Mode Transport Mode Tunnel Mode Provides a secure connection between two end-points Provides a secure connection between two gateways or either of the end is a gateway i.e. host-to-gateway communication & vice versa Encapsulates IP Payload only Encapsulates complete IP packet (IP Header + Payload) Simply a secured IP connection Primarily used for VPN Both IPSec protocols (AH as well as ESP) can function in Transport Mode Both IPSec protocols (AH as well as ESP) can function in Transport Mode V1.0/Dec-2013 3
  • 4. IPSec Terminology (2/2) • Transport vs Tunnel Mode (Cont …) Note : More on Transport/Tunnel mode later V1.0/Dec-2013 4
  • 5. IPv4 Datagram (refresher) Field Purpose Ver Protocol Verion (4 = IPv4) Hlen Header Length (as count of 32bit words). Excludes payload size & other headers TOS Type Of Service Indicator Pkt Len Total packet length (in bytes). Including header length in bytes. ID Used for associating fragmented packets Flgs Mainly used during fragmentation Frag Offset Identifies the position of this fragment in complete unfragmented packet. TTL Time To Live – in terms of Hops Proto Type of protocol (UDP/TCP/etc) as encapsulated in payload. Addition for IPSec: 50 : IPSec : ESP 51 : IPSec : AH Header Cksum Cheksum of entire IP Header (Payload Excluded). Not a cryptographic checksum. Purpose confined to detect errors during transmission Src/dst IP address Source / Destination IP Address IP Options Optional (application specific information) V1.0/Dec-2013 5
  • 6. AH – Overview(1/N) • As already discussed - through AH – authentication is done – but no - encryption – Thus, sniffer can still read the contents of message • Still serves three purposes – Helps in ensuring that sender is a authentic one. In other words, we (as an receiver) are able to validate that we have received data from a valid sender only. – Helps in detecting any alterations to data during transit – (Optionally) prevents replaying of data i.e. malicious user reading the data & then re-injecting same data at later point in time • Authentication is performed by computing cryptographic hash-based message authentication code – Nearly all fields of IP packet (Header as well payload) considered • Fields liable to change during transit are excluded – like TTL, Header Checksum – Intermediate hops cannot (as they will not have IPSec related information for this particular connection) and need not re-calculate authentication code V1.0/Dec-2013 6
AH – Header (2/N)
Next Header (1 byte): Protocol type of the next payload. Note that in Tunnel Mode the next payload will be an IP packet (i.e. IP Header + IP Payload, where the IP Payload is itself a protocol header (say TCP/UDP etc.) + protocol payload).
Payload Len (1 byte): Specifies the AH header length. Don't get confused by the field name "Payload Len". Defined in 32-bit words, "minus 2".
Reserved (2 bytes): For future use; must be set to 0.
SPI (4 bytes): Security Parameter Index. In simple words, identifies the security parameters associated with a given connection.
Sequence Number (4 bytes): Continuously increasing number, incremented with every packet. Primarily to avoid replay attacks. On reaching the maximum value, rather than wrapping around, the connection is re-negotiated.
ICV (variable): Integrity Check Value. Cryptographic hash of the entire packet, with some fields left out.
AH – Transport Mode (3/N)
(figure slide: packet layout diagram only)
AH – Transport Mode (4/N)
• Key noticeable points:
  – The majority of fields are authenticated. Fields that can get modified during transit are skipped.
  – The original IP packet is modified, as a new header, viz. the AH Header, gets added between IP Header and IP Payload.
  – Note the shuffling/usage of the protocol code in the modified IP packet.
    • In the original IP packet, the proto field of the IP Header was set to "TCP", whereas in the modified packet the proto field is set to "AH".
    • Further, in the modified packet, the next field of the AH Header is set to TCP. This helps the receiver identify the actual protocol.
    • Commonly referred to as the mechanism to link different headers.
  – Let's see how the receiver node reconstructs the original IP packet as sent by the sender node:
    • Packet is authenticated
    • AH Header is removed
    • Value from next (i.e. TCP) is restored in the proto field of the IP Header
    • Thus the original packet is restored
AH – Tunnel Mode (6/N)
• Key noticeable points:
  – The entire IP packet (IP Header + IP Payload) is encapsulated within another IP packet.
  – Thus, the modified packet looks as follows:
    • New IP Header (say H1), followed by
    • AH header, followed by
    • The original entire IP packet. Note that the original IP packet remains unmodified in Tunnel Mode.
  – Note the shuffling/usage of the protocol code:
    • In the new IP Header, the proto field is set to "AH", indicating that this packet is of IPSec:AH type.
    • Further, the next field of the AH Header is set to IP. This is required because the entire original IP packet is encapsulated.
  – Let's see how the receiver node reconstructs the original IP packet as sent by the sender node:
    • Packet is authenticated
    • New IP header and AH Header are removed
    • That's it.
  – Suited for a VPN kind of environment where a tunnel simply needs to be created.
AH – Transport vs Tunnel Mode (7/N)
• How to distinguish between Transport Mode and Tunnel Mode?
  – Mode information is not added explicitly.
  – The answer lies in the value stored in the next field of the AH header:
    • If next = IP, then Tunnel Mode
    • If next = <proto, i.e. UDP/TCP/etc.>, then Transport Mode
• Authentication algorithms
  – SHA-1
  – MD5
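The AH behaviour described on slides 5 through 12, as an added worked example that is not part of the deck (written for this page in Python, not taken from the author or from any IPsec implementation): it builds and parses the IPv4 header of slide 5, then models the sender and receiver sides of AH in transport and tunnel mode. Assumptions: HMAC-SHA1-96 (RFC 2404, the 96-bit truncation AH uses with SHA-1) is the authentication algorithm; the set of mutable fields zeroed before hashing follows RFC 4302; the key, the addresses and the TCP-looking segment are constructed sample values; the anti-replay check is reduced to "greater than the last accepted sequence number" (a real security association keeps a sliding window).

```python
import hashlib
import hmac
import struct

# IPv4 "Proto" values (slide 5 adds 50 = ESP and 51 = AH; 4 = IP-in-IP marks tunnel mode).
IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_AH = 4, 6, 51
ICV_LEN = 12    # HMAC-SHA1-96 (RFC 2404): HMAC-SHA1 output truncated to 96 bits
AH_FIXED = 12   # next(1) + payload len(1) + reserved(2) + SPI(4) + sequence(4)

def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum of the IP header only (payload excluded), slide 5."""
    total = sum(int.from_bytes(hdr[i:i + 2], "big") for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload, ttl=64, ident=1) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    """The slide 5 fields; a header that still sums to zero has an intact checksum."""
    ver_ihl, tos, total, ident, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hlen = (ver_ihl & 0x0F) * 4
    return {"ver": ver_ihl >> 4, "hlen": hlen, "tos": tos, "len": total, "id": ident,
            "flags": ff >> 13, "frag_off": ff & 0x1FFF, "ttl": ttl, "proto": proto,
            "cksum_ok": ip_checksum(pkt[:hlen]) == 0, "src": src, "dst": dst,
            "payload": pkt[hlen:total]}

def ah_auth_input(pkt: bytes) -> bytes:
    """Packet copy with the fields that change in transit zeroed before hashing (RFC 4302:
    TOS, flags/fragment offset, TTL, header checksum) plus the ICV slot itself."""
    hlen = (pkt[0] & 0x0F) * 4
    ah_len = (pkt[hlen + 1] + 2) * 4          # undo the "minus 2" of Payload Len (slide 7)
    m = bytearray(pkt)
    m[1], m[8] = 0, 0                          # TOS, TTL
    m[6:8], m[10:12] = b"\x00\x00", b"\x00\x00"  # flags/fragment offset, header checksum
    m[hlen + AH_FIXED:hlen + ah_len] = bytes(ah_len - AH_FIXED)
    return bytes(m)

def ah_protect(ip_pkt: bytes, spi: int, seq: int, key: bytes, outer=None) -> bytes:
    """Sender side. Transport mode (outer=None, slide 9): AH sits between IP header and
    payload, proto becomes 51 and AH.next carries the original proto. Tunnel mode
    (outer=(src, dst), slide 11): new IP header + AH wrap the untouched packet, AH.next = IP."""
    f = parse_ipv4(ip_pkt)
    if outer is None:
        nxt, body, (src, dst) = f["proto"], f["payload"], (f["src"], f["dst"])
    else:
        nxt, body, (src, dst) = IPPROTO_IPIP, ip_pkt, outer
    ah_len = AH_FIXED + ICV_LEN
    ah = struct.pack("!BBHII", nxt, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    pkt = build_ipv4(src, dst, IPPROTO_AH, ah + body, ttl=f["ttl"], ident=f["id"])
    icv = hmac.new(key, ah_auth_input(pkt), hashlib.sha1).digest()[:ICV_LEN]
    return pkt[:20 + AH_FIXED] + icv + pkt[20 + ah_len:]

def forward_hop(pkt: bytes) -> bytes:
    """What a router on the path does: decrement TTL and refresh the header checksum.
    Both are mutable fields, so the ICV computed by the sender still verifies."""
    m = bytearray(pkt)
    m[8] -= 1
    m[10:12] = b"\x00\x00"
    m[10:12] = struct.pack("!H", ip_checksum(bytes(m[:(m[0] & 0x0F) * 4])))
    return bytes(m)

def ah_receive(pkt: bytes, key: bytes, last_seq: int) -> tuple:
    """Receiver side (slides 9, 11, 12): verify the ICV, reject replays, read the mode from
    AH.next, strip AH and (transport mode) put the original proto back."""
    f = parse_ipv4(pkt)
    if f["proto"] != IPPROTO_AH:
        raise ValueError("not an AH packet")
    h = f["hlen"]
    nxt, plen, _, spi, seq = struct.unpack("!BBHII", pkt[h:h + AH_FIXED])
    ah_len = (plen + 2) * 4
    expected = hmac.new(key, ah_auth_input(pkt), hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(pkt[h + AH_FIXED:h + ah_len], expected):
        raise ValueError("ICV mismatch: packet altered in transit or wrong key")
    if seq <= last_seq:          # real SAs keep a sliding window (RFC 4302), not one value
        raise ValueError("replayed or out-of-order sequence number")
    body = pkt[h + ah_len:f["len"]]
    if nxt == IPPROTO_IPIP:      # slide 12: next == IP means tunnel mode
        return "tunnel", spi, seq, body          # the original packet, byte for byte
    return "transport", spi, seq, build_ipv4(f["src"], f["dst"], nxt, body, ttl=f["ttl"], ident=f["id"])

def accepts(pkt: bytes, key: bytes, last_seq: int = 0) -> bool:
    """True if the receiver would accept the packet, False if it rejects it."""
    try:
        ah_receive(pkt, key, last_seq)
        return True
    except ValueError:
        return False
```

Two statements from the slides become visible when this runs: a router that decrements TTL and refreshes the header checksum (forward_hop) does not break the ICV, because both fields are zeroed in ah_auth_input, whereas flipping any payload byte does; and the receiver needs no mode flag, since AH.next == 4 (IP-in-IP) already says the packet is tunnel mode. For a 24-byte AH the Payload Len field comes out as 4 (6 words minus 2).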
ESP – Overview (1/N)
• More complex than AH
• Allows authentication as well as encryption
  – Authentication is optional
• Header format is different from AH (discussed later)
  – Even has a trailer as well
• Provides Tunnel as well as Transport Mode, as in AH
• ESP encryption algorithms commonly used
  – DES, 3DES, AES, Blowfish
  – The algorithm and key used during encryption are already negotiated during the connection establishment phase (a world in itself; discussed separately)
• ESP authentication algorithms commonly used
  – Same as used in AH, i.e. SHA-1, MD5
ESP Header/Trailer (w/o Auth) (2/N)
ESP Header
  SPI (4 bytes): Security Parameter Index. In simple words, identifies the security parameters associated with a given connection.
  Sequence Number (4 bytes): Continuously increasing number, incremented with every packet. Primarily to avoid replay attacks. On reaching the maximum value, rather than wrapping around, the connection is re-negotiated.
Encrypted Payload (variable): Depending upon the mode (Transport or Tunnel), either the IP payload (Transport) or the entire IP packet (Tunnel) gets encrypted here. Note: the ESP Header (i.e. SPI and Sequence Number) is NOT encrypted.
ESP Trailer
  Padding (0-255 bytes): Place-holder for aligning block-oriented algorithms.
  Pad Len (1 byte): Length of the padding bytes.
  Next Header (1 byte): Protocol type of the next payload. Note that in Tunnel Mode the next payload will be a complete IP packet.
ESP Header/Trailer (with Auth) (3/N)
• Here, Authentication Data has been added additionally.
• Only (i) the ESP Header and (ii) the Encrypted Payload are authenticated.
• The Authentication Data field in the trailer is not encrypted.
• Presence/absence of authentication is known to the sender. The receiver gets to know by virtue of the SPI.
Authentication Data (variable): Same as the ICV in the case of AH.
ESP – Transport Mode (4/N)
(figure slide: packet layout diagram only)
ESP – Transport Mode (5/N)
• Key noticeable points:
  – The original IP packet is modified, as a new header, viz. the ESP Header, gets added between IP Header and IP Payload.
  – Additionally, an ESP Trailer (consisting of padding, pad_len, next) gets added.
  – Optionally, Authentication Data may also be added at the end of the packet.
  – The IP payload (i.e. TCP Header + TCP payload from the previous figure) along with the ESP trailer is encrypted.
    • The ESP Header and the Authentication Data (if present) are excluded from encryption.
  – In case authentication is needed:
    • ESP Header + encrypted payload + ESP Trailer are authenticated. The ICV is stored as Authentication Data at the end of the packet.
    • The IP Header is excluded.
  – Note the shuffling/usage of the protocol code in the modified IP packet.
    • In the original IP packet, the proto field of the IP Header was set to "TCP", whereas in the modified packet the proto field is set to "ESP".
    • Further, in the modified packet, the next field of the ESP Trailer is set to TCP. This helps the receiver identify the actual protocol.
    • Note that the actual protocol type is encrypted, hence hidden from packet sniffers.
ESP – Tunnel Mode (6/N)
(figure slide: packet layout diagram only)
ESP – Tunnel Mode (7/N)
• Key noticeable points:
  – The entire IP packet (IP Header + IP Payload) is encapsulated within another IP packet.
  – Thus, the modified packet looks as follows:
    • New IP Header (say H1), followed by
    • ESP header, followed by
    • The original entire IP packet. Note that the original IP packet remains unmodified in Tunnel Mode.
    • Then the ESP Trailer, followed by
    • Optional Authentication Data
  – Key difference from ESP Transport Mode:
    • The original IP Header (along with the IP payload) gets encrypted as well.
  – Note the shuffling/usage of the protocol code:
    • In the new IP Header, the proto field is set to "ESP", indicating that this packet is of IPSec:ESP type.
    • Further, the next field of the ESP Trailer is set to IP. This is required because the entire original IP packet is encapsulated.
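The ESP layout of slides 14 through 19, as an added worked example written for this page (not code from the deck or from any IPsec stack). It frames a constructed IPv4/TCP packet in ESP transport and tunnel mode: SPI and sequence number in the clear, payload + padding + pad length + next header encrypted, and an optional HMAC-SHA1-96 ICV over ESP header and ciphertext with the IP header excluded. Assumptions: the Python standard library has no DES/3DES/AES/Blowfish, so the encryption step is a clearly marked stand-in, a counter-mode keystream derived with HMAC-SHA256 from the key and the SPI/sequence pair; it shows what is and is not encrypted, not a real ESP transform. Padding follows the RFC 4303 default (1, 2, 3, ...); keys and addresses are constructed sample values. Of the algorithms listed on slide 13, current IPsec algorithm guidance (RFC 8221) no longer permits single DES or HMAC-MD5.

```python
import hashlib
import hmac
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
ICV_LEN = 12    # HMAC-SHA1-96, the same truncated HMAC AH uses (slide 13)
BLOCK = 16      # cipher block size the ESP padding aligns to (AES-sized here)

def ip_checksum(hdr: bytes) -> int:
    """IPv4 header checksum (header only, not cryptographic), as on slide 5."""
    total = sum(int.from_bytes(hdr[i:i + 2], "big") for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def set_proto(hdr: bytes, proto: int, payload_len: int) -> bytes:
    """Rewrite proto and total length in a 20-byte IPv4 header and refresh its checksum."""
    h = bytearray(hdr)
    h[9] = proto
    h[2:4] = struct.pack("!H", len(h) + payload_len)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ident: int = 1) -> bytes:
    """20-byte IPv4 header without options, checksum filled in (TTL fixed at 64 here)."""
    return set_proto(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, ident, 0, 64, 0, 0, src, dst), proto, payload_len)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """STAND-IN for the negotiated ESP cipher (DES/3DES/AES/Blowfish on slide 13): a
    counter-mode keystream from HMAC-SHA256, used only so this runs on the stdlib."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def esp_protect(ip_pkt, spi, seq, enc_key, auth_key=None, outer=None) -> bytes:
    """Sender side (slides 14-19). Wire layout produced:
    [IP hdr][ESP hdr: SPI, seq][encrypted: payload + padding + pad len + next][ICV if auth]."""
    hlen = (ip_pkt[0] & 0x0F) * 4
    if outer is None:                       # transport: IP payload only, original header kept
        nxt, plain, hdr = ip_pkt[9], ip_pkt[hlen:], ip_pkt[:hlen]
    else:                                   # tunnel: whole packet is the payload, next = IP
        nxt, plain = IPPROTO_IPIP, ip_pkt
        hdr = ipv4_header(outer[0], outer[1], 0, 0)
    pad_len = (-(len(plain) + 2)) % BLOCK   # payload + padding + 2 trailer bytes fill whole blocks
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, nxt])   # RFC 4303 default padding
    esp_hdr = struct.pack("!II", spi, seq)  # SPI and sequence number travel in the clear
    ct = xor(plain + trailer, keystream(enc_key, esp_hdr, len(plain) + len(trailer)))
    icv = b"" if auth_key is None else hmac.new(auth_key, esp_hdr + ct, hashlib.sha1).digest()[:ICV_LEN]
    body = esp_hdr + ct + icv               # the IP header is never part of the ICV (slide 17)
    return set_proto(hdr, IPPROTO_ESP, len(body)) + body

def esp_receive(pkt: bytes, enc_key: bytes, auth_key=None) -> tuple:
    """Receiver side: ICV over ESP header + ciphertext first (IP header excluded), then
    decrypt, validate and strip the trailer, and use the revealed next field to unwrap."""
    hlen = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    total = struct.unpack("!H", pkt[2:4])[0]
    esp_hdr, rest = pkt[hlen:hlen + 8], pkt[hlen + 8:total]
    spi, seq = struct.unpack("!II", esp_hdr)
    if auth_key is not None:                # whether an ICV is present comes from the SA (slide 15)
        rest, icv = rest[:-ICV_LEN], rest[-ICV_LEN:]
        if not hmac.compare_digest(icv, hmac.new(auth_key, esp_hdr + rest, hashlib.sha1).digest()[:ICV_LEN]):
            raise ValueError("ICV mismatch: ciphertext or ESP header altered")
    pt = xor(rest, keystream(enc_key, esp_hdr, len(rest)))
    pad_len, nxt = pt[-2], pt[-1]           # trailer fields only readable after decryption
    if pt[len(pt) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    plain = pt[:len(pt) - 2 - pad_len]
    if nxt == IPPROTO_IPIP:                 # tunnel mode: the inner packet comes back as-is
        return "tunnel", spi, seq, plain
    return "transport", spi, seq, set_proto(pkt[:hlen], nxt, len(plain)) + plain

def esp_accepts(pkt: bytes, enc_key: bytes, auth_key=None) -> bool:
    """True if the receiver would accept the packet, False if it rejects it."""
    try:
        esp_receive(pkt, enc_key, auth_key)
        return True
    except ValueError:
        return False
```

The receiver checks the ICV before it decrypts anything, the order RFC 4303 specifies, and only then learns the true protocol from the decrypted trailer's next field, which is why a sniffer sees proto = 50 and nothing else. With auth_key=None the same code still decrypts, but a flipped ciphertext byte is no longer detected (at best the padding check happens to notice), which is the practical reason integrity protection is enabled on essentially every ESP security association.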
More To Come …
• Security Association
• SPI
• Key Management - IKE
Resources
• Pretty good tutorial for beginners: An illustrated guide to IPSec @ unixwiz.net