Seminar Presentation of Internet Protocol Security

1. 10-Dec-16 1
Ambo University
Institute of Technology
Gradute program in Computer Science
IP SECURITY
Presented By:
Dejene Techane

2. In today's massively interconnected business world of the Internet, intranets, branch offices, and
remote access, sensitive information constantly crosses the networks.
Without security, both public and private networks are susceptible to unauthorized monitoring
and access.
Therefore, there are different network security protocols widespread use for protecting private
and public networks such as
 IP Security(IPSec),
 Transport Layer Security(TLS)
 and Secure Shell(SSH) .
Hence, only IPsec protects all application traffic over an IP network.
10-Dec-16 2

3. IP security refers to security mechanism implemented at the IP
(Internet Protocol) Layer to ensure
integrity,
authentication and
 confidentiality of data during transmission in the open Internet environment
It is a protocol suite for secure IP communications that works by
Authenticating
And encrypting each IP packet of a communication session.
10-Dec-16 3

4. IPSec is a set of protocol and algorithm used to secure IP
data and network layer
Open standard for VPN implementation
Inbuilt in IPV6 and compatible with IPV4
10-Dec-16 4

5. to verify sources of IP packets
authentication
to prevent replaying of old packets
to protect integrity and/or confidentiality of packets
data Integrity/Data Encryption
10-Dec-16 5

6. 10-Dec-16 6
ESP AH
IKE
IPSec Security Policy
Encapsulating Security
Payload
Authentication Header
The Internet Key Exchange
 Architecture: Covers the general concepts, security requirements, definitions and
mechanisms defining IPsec technology.

7. Provides source authentication
Protects against source spoofing
Provides connectionless data integrity
Protects against replay attacks
Use monotonically increasing sequence numbers
Protects against denial of service attacks
NO protection for confidentiality!
10-Dec-16 7

8. Use 32-bit monotonically increasing sequence number to avoid replay
attacks
Use cryptographically strong hash algorithms to protect data integrity
(96-bit)
Use symmetric key cryptography
HMAC-SHA-96, HMAC-MD5-96
10-Dec-16 8

9. 10-Dec-16 9
Authentication Data
Sequence Number
Security Parameters Index (SPI)
Next
header
Payload
length
Reserved
Old IP header (only in Tunnel mode)
TCP header
New IP header
Authenticated
Data
Encapsulated
TCP or IP packet
Hash of everything
else

10. Provides all that AH offers, and
in addition provides data confidentiality
Uses symmetric key encryption
Same as AH:
◦ Use 32-bit sequence number to counter replaying attacks
◦ Use integrity check algorithms
Only in ESP:
◦ Data confidentiality:
◦ Uses symmetric key encryption algorithms to encrypt packets
10-Dec-16 10

11. 10-Dec-16 11
Authentication Data
Sequence Number
Security Parameters Index (SPI)
Next
header
Payload
length
Reserved
TCP header
Authenticated
IP header
Initialization vector
Data
Pad Pad length Next
Encrypted TCP
packet

12. 10-Dec-16 12
 Bothe AH and ESP support transport and Tunnel modes
Transport Mode SA Tunnel Mode SA
AH Authenticates IP payload
and selected portions of IP
header and IPv6 extension
headers
Authenticates entire inner
IP packet plus selected
portions of outer IP header
ESP Encrypts IP payload and
any IPv6 extension header
Encrypts inner IP packet
ESP with
Authentication
Encrypts IP payload and
any IPv6 extension header
Authenticates IP payload
but no IP header
Encrypts inner IP packet
Authenticates inner IP
packet

13.  The key management portion of IPSec involves
 the determination and distribution of the secret keys.
 A typical requirement is four keys for communication between
two applications:
 transmit and receive pairs for both AH and ESP
 Support for two types of key management
 Manual
 Authomatic
10-Dec-16 13

14. 10-Dec-16 14
SA describes a particular kind of secure connection between
one device and another.
Security Associations are key to IPSEC’s authentication and
confidentiality mechanisms.
SAs are needed to negotiate in the exchange of the “shared
secret” process
 Sharing the shared key secrete

15. uniquely identified by three parameters:
Security Parameters Index (SPI): The SPI assigns a bit string to this SA that has
local significance only.
 The SPI is carried in AH and ESP headers to enable the receiving system to select the
SA under which a received packet will be processed.
IP destination address : Currently, only unicast addresses are allowed; this is the
address of the destination endpoint of the SA, which may be an end-user system or
a network system such as a firewall or router.
Security protocol identifier : This indicates whether the association is an AH or
ESP security association.
10-Dec-16 15

16. Provides strong security when implemented in a firewall or router
that can be applied to all traffic crossing the perimeter.
IPsec is resistant to bypass if all traffic from the outside must use
IP and the firewall is the only way of entrance from the Internet into
the organization.
 Is below transport layer, hence transparent to applications.
Can be transparent to end users.
Can provide security for individual users if needed.
10-Dec-16 16

17. Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishment of extranet and intranet connectivity with partners
Enhancement of electronic commerce security
10-Dec-16 17

18. IP Security importance is growing, but unfortunately its operation
imposes a significant burden on the encrypting devices. Furthermore,
certain applications may suffer from the increase in latency (i.e., the
time required to pass through an IPSec network device) due to the
extra processing.
Finally, at a time when network security is increasingly vital, IPSec
makes it easy for network managers to provide a strong layer of
protection to their organization's information resources.
10-Dec-16 18

19. 10-Dec-16 19