SlideShare a Scribd company logo

IPSec—An Overview Explains How It Secures IP Communications

Download as PPT, PDF
aminpathan11
aminpathan11
EducationTechnology
1 of 24
IPSec—An Overview BY Amin Pathan MGM`s Polytechnic, Aurangabad 1
Outline  why IPSec?  IPSec Architecture  Internet Key Exchange (IKE)  IPSec Policy  discussion 2
IP is not Secure!  IP protocol was designed in the late 70s to early 80s – Part of DARPA Internet Project – Very small network All hosts are known!  So are the users!  Therefore, security was not an issue  3
Security Issues in IP  source spoofing  replay packets  no data integrity or confidentiality • DOS attacks • Replay attacks • Spying • and more… Fundamental Issue: Networks are not (and will never be) fully secure 4
Goals of IPSec  to verify sources of IP packets – authentication  to prevent replaying of old packets  to protect integrity and/or confidentiality of packets – data Integrity/Data Encryption 5
Outline  Why IPsec?  IPSec Architecture  Internet Key Exchange (IKE)  IPsec Policy  Discussion 6
The IPSec Security Model Secure Insecure 7
IPSec Architecture ESP AH Encapsulating Security Payload Authentication Header IPSec Security Policy IKE The Internet Key Exchange 8
IPSec Architecture  IPSec provides security in three situations: – Host-to-host, host-to-gateway and gateway-to-gateway  IPSec operates in two modes: – Transport mode (for end-to-end) – Tunnel mode (for VPN) 9
IPsec Architecture Transport Mode Router Router Tunnel Mode 10
Various Packets Original IP header TCP header Transport mode IP header IPSec header TCP header IP header IPSec header Tunnel mode data IP header data TCP header 11 data
IPSec  A collection of protocols (RFC 2401) – Authentication Header (AH)  RFC 2402 – Encapsulating Security Payload (ESP)  RFC 2406 – Internet Key Exchange (IKE)  RFC 2409 – IP Payload Compression (IPcomp)  RFC 3137 12
Authentication Header (AH)  Provides source authentication – Protects against source spoofing   Provides data integrity Protects against replay attacks – Use monotonically increasing sequence numbers – Protects against denial of service attacks  NO protection for confidentiality! 13
AH Details   Use 32-bit monotonically increasing sequence number to avoid replay attacks Use cryptographically strong hash algorithms to protect data integrity (96-bit) – Use symmetric key cryptography – HMAC-SHA-96, HMAC-MD5-96 14
Encapsulating Security Payload (ESP)  Provides all that AH offers, and  in addition provides data confidentiality – Uses symmetric key encryption 15
ESP Details  Same as AH: – Use 32-bit sequence number to counter replaying attacks – Use integrity check algorithms  Only in ESP: – Data confidentiality:  Uses symmetric key encryption algorithms to encrypt packets 16
Internet Key Exchange (IKE)  Exchange and negotiate security policies  Establish security sessions – Identified as Security Associations  Key exchange  Key management  Can be used outside IPsec as well 17
IPsec/IKE Acronyms  Security Association (SA) – Collection of attribute associated with a connection – Is asymmetric!    One SA for inbound traffic, another SA for outbound traffic Similar to ciphersuites in SSL Security Association Database (SADB) – A database of SAs 18
IPsec/IKE Acronyms  Security Parameter Index (SPI) – A unique index for each entry in the SADB – Identifies the SA associated with a packet  Security Policy Database (SPD) – Store policies used to establish SAs 19
How They Fit Together SPD SA-1 SA-2 SADB SPI SPI 20
SPD and SADB Example A’s SPD Transport Mode A C B D Tunnel Mode A’s SADB From To Asub Bsub From To Asub Bsub From To Protocol Port Policy A B Any Any AH[HMAC-MD5] From To Protocol SPI SA Record A B AH 12 HMAC-MD5 key Protocol Port Policy Tunnel Dest Any Any ESP[3DES] D Protocol SPI SA Record ESP 14 C’s SPD 3DES key C’s SADB 21
IPsec Policy   Phase 1 policies are defined in terms of protection suites Each protection suite – Must contain the following:     Encryption algorithm Hash algorithm Authentication method Diffie-Hellman Group – May optionally contain the following:   Lifetime … 22
IPSec Policy   Phase 2 policies are defined in terms of proposals Each proposal: – May contain one or more of the following     AH sub-proposals ESP sub-proposals IPComp sub-proposals Along with necessary attributes such as – Key length, life time, etc 23
Resources  IP, IPsec and related RFCs: – http://www.ietf.org/html.charters/ipsec-charter.html – IPsec: RFC 2401, IKE: RFC 2409 – www.freeswan.org  Google search 24

Recommended

Ipsecurity
IpsecurityIpsecurity
IpsecurityChinmay Patel
 
Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar ALLCAD Services Pvt Limited
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic ConceptsAvadhesh Agrawal
 
IP security
IP securityIP security
IP securityshraddha mane
 
Ip security
Ip securityIp security
Ip securityJithuK6
 
Ip security
Ip security Ip security
Ip security Dr.K.Sreenivas Rao
 
Ipsec 2
Ipsec 2Ipsec 2
Ipsec 2Sourabh Badve
 
IP Security
IP SecurityIP Security
IP Securitysahilshah200
 

Recommended

Ipsecurity
IpsecurityIpsecurity
IpsecurityChinmay Patel
 
Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar Overview of ip_security by JetArvind kumar Madhukar
Overview of ip_security by JetArvind kumar Madhukar ALLCAD Services Pvt Limited
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic ConceptsAvadhesh Agrawal
 
IP security
IP securityIP security
IP securityshraddha mane
 
Ip security
Ip securityIp security
Ip securityJithuK6
 
Ip security
Ip security Ip security
Ip security Dr.K.Sreenivas Rao
 
Ipsec 2
Ipsec 2Ipsec 2
Ipsec 2Sourabh Badve
 
IP Security
IP SecurityIP Security
IP Securitysahilshah200
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1CAS
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its ComponentsMohibullah Saail
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6limsh
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
Ipsec (network security)
Ipsec (network security)Ipsec (network security)
Ipsec (network security)AhmadRahmanian1
 
IPSec Overview
IPSec OverviewIPSec Overview
IPSec Overviewdavisli
 
Ip security
Ip security Ip security
Ip security Naveen Dubey
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnelArunKumar Subbiah
 
Unit 6
Unit 6Unit 6
Unit 6KRAMANJANEYULU1
 
I psec
I psecI psec
I psecnlekh
 
Keymanagement of ipsec
Keymanagement of ipsecKeymanagement of ipsec
Keymanagement of ipsecPACHIYAPPAN PACHIYAPPAS
 
Ip Sec
Ip SecIp Sec
Ip SecRam Dutt Shukla
 
IP Security
IP SecurityIP Security
IP SecurityAmbo University
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1Sankaranarayanan Subramanian
 
Ipsec
IpsecIpsec
IpsecBaidyanath Dutta
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
IP Security
IP SecurityIP Security
IP SecurityKeshab Nath
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talkanoean
 
ip security
ip securityip security
ip securityChirag Patel
 
I psec
I psecI psec
I psecahmad1986jor
 
IPsec for IMS
IPsec for IMSIPsec for IMS
IPsec for IMSHossein Yavari
 
The Security layer
The Security layerThe Security layer
The Security layerSwetha S
 

More Related Content

What's hot

IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1CAS
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its ComponentsMohibullah Saail
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6limsh
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
Ipsec (network security)
Ipsec (network security)Ipsec (network security)
Ipsec (network security)AhmadRahmanian1
 
IPSec Overview
IPSec OverviewIPSec Overview
IPSec Overviewdavisli
 
I psec
I psecI psec
I psecnlekh
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talkanoean
 

What's hot (19)

IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its Components
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
 
Ipsec (network security)
Ipsec (network security)Ipsec (network security)
Ipsec (network security)
 
IPSec Overview
IPSec OverviewIPSec Overview
IPSec Overview
 
Ip security
Ip security Ip security
Ip security
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnel
 
Unit 6
Unit 6Unit 6
Unit 6
 
I psec
I psecI psec
I psec
 
Keymanagement of ipsec
Keymanagement of ipsecKeymanagement of ipsec
Keymanagement of ipsec
 
Ip Sec
Ip SecIp Sec
Ip Sec
 
IP Security
IP SecurityIP Security
IP Security
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1
 
Ipsec
IpsecIpsec
Ipsec
 
Ipsec
IpsecIpsec
Ipsec
 
IP Security
IP SecurityIP Security
IP Security
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talk
 
ip security
ip securityip security
ip security
 

Similar to IPSec—An Overview Explains How It Secures IP Communications

The Security layer
The Security layerThe Security layer
The Security layerSwetha S
 
IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1Shobhit Sharma
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
Multilayer Security Architecture for Internet Protocols
Multilayer Security Architecture for Internet ProtocolsMultilayer Security Architecture for Internet Protocols
Multilayer Security Architecture for Internet ProtocolsNasir Bhutta
 
Chapter 6 (1).ppt
Chapter 6 (1).pptChapter 6 (1).ppt
Chapter 6 (1).pptDivyaSek
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and sslMohd Arif
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securityPriyadharshiniVS
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecuritySarthak Patel
 

Similar to IPSec—An Overview Explains How It Secures IP Communications (20)

I psec
I psecI psec
I psec
 
IPsec for IMS
IPsec for IMSIPsec for IMS
IPsec for IMS
 
The Security layer
The Security layerThe Security layer
The Security layer
 
IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1IPSec (Internet Protocol Security) - PART 1
IPSec (Internet Protocol Security) - PART 1
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
I psecurity
I psecurityI psecurity
I psecurity
 
IPSec and VPN
IPSec and VPNIPSec and VPN
IPSec and VPN
 
Multilayer Security Architecture for Internet Protocols
Multilayer Security Architecture for Internet ProtocolsMultilayer Security Architecture for Internet Protocols
Multilayer Security Architecture for Internet Protocols
 
IPSec
IPSecIPSec
IPSec
 
Chapter 6.ppt
Chapter 6.pptChapter 6.ppt
Chapter 6.ppt
 
Chapter 6 (1).ppt
Chapter 6 (1).pptChapter 6 (1).ppt
Chapter 6 (1).ppt
 
Chapter 6 (1).ppt
Chapter 6 (1).pptChapter 6 (1).ppt
Chapter 6 (1).ppt
 
Lecture14..pdf
Lecture14..pdfLecture14..pdf
Lecture14..pdf
 
IS Unit-4 .ppt
IS Unit-4 .pptIS Unit-4 .ppt
IS Unit-4 .ppt
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and ssl
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
IPSEC
IPSECIPSEC
IPSEC
 
ESP.ppt
ESP.pptESP.ppt
ESP.ppt
 
05 06 ike
05 06 ike05 06 ike
05 06 ike
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email Security
 

More from aminpathan11

4 g technology by amin
4 g technology by amin4 g technology by amin
4 g technology by aminaminpathan11
 
Cloud computing by amin
Cloud computing by aminCloud computing by amin
Cloud computing by aminaminpathan11
 
Access control by amin
Access control by aminAccess control by amin
Access control by aminaminpathan11
 
Tracing an email by Amin Pathan
Tracing an email by Amin PathanTracing an email by Amin Pathan
Tracing an email by Amin Pathanaminpathan11
 
Human resource management by Amin
Human resource management by AminHuman resource management by Amin
Human resource management by Aminaminpathan11
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathanaminpathan11
 
VPN by Amin Pathan
VPN by Amin PathanVPN by Amin Pathan
VPN by Amin Pathanaminpathan11
 
Active directory and application
Active directory and applicationActive directory and application
Active directory and applicationaminpathan11
 
Forms of ownerships in Management
Forms of ownerships in ManagementForms of ownerships in Management
Forms of ownerships in Managementaminpathan11
 

More from aminpathan11 (15)

E wallet by amin
E wallet by aminE wallet by amin
E wallet by amin
 
4 g technology by amin
4 g technology by amin4 g technology by amin
4 g technology by amin
 
Cloud computing by amin
Cloud computing by aminCloud computing by amin
Cloud computing by amin
 
Hololens
HololensHololens
Hololens
 
Biometric by amin
Biometric by aminBiometric by amin
Biometric by amin
 
Access control by amin
Access control by aminAccess control by amin
Access control by amin
 
Tracing an email by Amin Pathan
Tracing an email by Amin PathanTracing an email by Amin Pathan
Tracing an email by Amin Pathan
 
Human resource management by Amin
Human resource management by AminHuman resource management by Amin
Human resource management by Amin
 
System security by Amin Pathan
System security by Amin PathanSystem security by Amin Pathan
System security by Amin Pathan
 
VPN by Amin Pathan
VPN by Amin PathanVPN by Amin Pathan
VPN by Amin Pathan
 
ISDN
ISDNISDN
ISDN
 
Active directory and application
Active directory and applicationActive directory and application
Active directory and application
 
PSTN
PSTNPSTN
PSTN
 
Management
ManagementManagement
Management
 
Forms of ownerships in Management
Forms of ownerships in ManagementForms of ownerships in Management
Forms of ownerships in Management
 

Recently uploaded

Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4MiaBumagat1
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Celine George
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)cama23
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 

Recently uploaded (20)

LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4ANG SEKTOR NG agrikultura.pptx QUARTER 4
ANG SEKTOR NG agrikultura.pptx QUARTER 4
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17Field Attribute Index Feature in Odoo 17
Field Attribute Index Feature in Odoo 17
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)Global Lehigh Strategic Initiatives (without descriptions)
Global Lehigh Strategic Initiatives (without descriptions)
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 

IPSec—An Overview Explains How It Secures IP Communications

  • 1. IPSec—An Overview BY Amin Pathan MGM`s Polytechnic, Aurangabad 1
  • 2. Outline  why IPSec?  IPSec Architecture  Internet Key Exchange (IKE)  IPSec Policy  discussion 2
  • 3. IP is not Secure!  IP protocol was designed in the late 70s to early 80s – Part of DARPA Internet Project – Very small network All hosts are known!  So are the users!  Therefore, security was not an issue  3
  • 4. Security Issues in IP  source spoofing  replay packets  no data integrity or confidentiality • DOS attacks • Replay attacks • Spying • and more… Fundamental Issue: Networks are not (and will never be) fully secure 4
  • 5. Goals of IPSec  to verify sources of IP packets – authentication  to prevent replaying of old packets  to protect integrity and/or confidentiality of packets – data Integrity/Data Encryption 5
  • 6. Outline  Why IPsec?  IPSec Architecture  Internet Key Exchange (IKE)  IPsec Policy  Discussion 6
  • 7. The IPSec Security Model Secure Insecure 7
  • 8. IPSec Architecture ESP AH Encapsulating Security Payload Authentication Header IPSec Security Policy IKE The Internet Key Exchange 8
  • 9. IPSec Architecture  IPSec provides security in three situations: – Host-to-host, host-to-gateway and gateway-to-gateway  IPSec operates in two modes: – Transport mode (for end-to-end) – Tunnel mode (for VPN) 9
  • 11. Various Packets Original IP header TCP header Transport mode IP header IPSec header TCP header IP header IPSec header Tunnel mode data IP header data TCP header 11 data
  • 12. IPSec  A collection of protocols (RFC 2401) – Authentication Header (AH)  RFC 2402 – Encapsulating Security Payload (ESP)  RFC 2406 – Internet Key Exchange (IKE)  RFC 2409 – IP Payload Compression (IPcomp)  RFC 3137 12
  • 13. Authentication Header (AH)  Provides source authentication – Protects against source spoofing   Provides data integrity Protects against replay attacks – Use monotonically increasing sequence numbers – Protects against denial of service attacks  NO protection for confidentiality! 13
  • 14. AH Details   Use 32-bit monotonically increasing sequence number to avoid replay attacks Use cryptographically strong hash algorithms to protect data integrity (96-bit) – Use symmetric key cryptography – HMAC-SHA-96, HMAC-MD5-96 14
  • 15. Encapsulating Security Payload (ESP)  Provides all that AH offers, and  in addition provides data confidentiality – Uses symmetric key encryption 15
  • 16. ESP Details  Same as AH: – Use 32-bit sequence number to counter replaying attacks – Use integrity check algorithms  Only in ESP: – Data confidentiality:  Uses symmetric key encryption algorithms to encrypt packets 16
  • 17. Internet Key Exchange (IKE)  Exchange and negotiate security policies  Establish security sessions – Identified as Security Associations  Key exchange  Key management  Can be used outside IPsec as well 17
  • 18. IPsec/IKE Acronyms  Security Association (SA) – Collection of attribute associated with a connection – Is asymmetric!    One SA for inbound traffic, another SA for outbound traffic Similar to ciphersuites in SSL Security Association Database (SADB) – A database of SAs 18
  • 19. IPsec/IKE Acronyms  Security Parameter Index (SPI) – A unique index for each entry in the SADB – Identifies the SA associated with a packet  Security Policy Database (SPD) – Store policies used to establish SAs 19
  • 20. How They Fit Together SPD SA-1 SA-2 SADB SPI SPI 20
  • 21. SPD and SADB Example A’s SPD Transport Mode A C B D Tunnel Mode A’s SADB From To Asub Bsub From To Asub Bsub From To Protocol Port Policy A B Any Any AH[HMAC-MD5] From To Protocol SPI SA Record A B AH 12 HMAC-MD5 key Protocol Port Policy Tunnel Dest Any Any ESP[3DES] D Protocol SPI SA Record ESP 14 C’s SPD 3DES key C’s SADB 21
  • 22. IPsec Policy   Phase 1 policies are defined in terms of protection suites Each protection suite – Must contain the following:     Encryption algorithm Hash algorithm Authentication method Diffie-Hellman Group – May optionally contain the following:   Lifetime … 22
  • 23. IPSec Policy   Phase 2 policies are defined in terms of proposals Each proposal: – May contain one or more of the following     AH sub-proposals ESP sub-proposals IPComp sub-proposals Along with necessary attributes such as – Key length, life time, etc 23
  • 24. Resources  IP, IPsec and related RFCs: – http://www.ietf.org/html.charters/ipsec-charter.html – IPsec: RFC 2401, IKE: RFC 2409 – www.freeswan.org  Google search 24