SlideShare a Scribd company logo

IPsec Encryption: Securing IP Communications

Download as DOC, PDF
Shiva Krishna Chandra Shekar
Shiva Krishna Chandra Shekar

IPsec is a standardized framework that provides security (encryption, authentication, integrity) for IP communications. It has two modes - Transport mode which encrypts only the payload, and Tunnel mode which encrypts both the header and payload. IPsec uses protocols like AH (Authentication Header) which provides authentication and integrity, and ESP (Encapsulating Security Payload) which provides confidentiality, authentication, and integrity. IPsec implementations can be in end hosts or routers depending on network requirements.

TechnologyEducation
1 of 15
IP SECURITY Introduction IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in data stream. IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec- compliant device decrypts each packet. For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates. In the early 1980's, specifications were finished for the TCP and IP protocols. These two protocols could be considered the most important in the world today - they are the basis of the Internet. Over the past decade, the Internet has grown from a small network connecting a small community of researchers to its present state - a gigantic global network connecting people of all types. The huge success of the Internet has, for the most part, been quite beneficial. The Internet has evolved from a specialized project to a general-purpose tool. TCP and IP protocols were designed when the Internet was small, and users generally trusted each other. The protocols lack many features that are desirable or needed on an insecure network. However, the growth of the Internet has created problems with security. The TCP and IP protocols were designed when the Internet was small, and users generally trusted each other. The protocols lack many features that are desirable or needed on an insecure network. TCP/IP is the backbone of the internet today. Comprised of two protocols, TCP and IP, the TCP/IP protocol suite is one of the most widely used. The TCP/IP protocols, the basis for today's Internet, lack even the most basic
mechanisms for security, such as authentication or encryption. As usage of the Internet and TCP/IP protocols increases, their lack of built-in security has become more and more problematic. Internet Protocol The Internet Protocol (or IP as it generally known), is the network layer of the Internet. IP provides a connection-less service. The job of IP is to route and send a packet to the packet's destination. IP provides no guarantee whatever, for the packets it tries to deliver. The IP packets are usually termed datagrams. The datagrams go through a series of routers before they reach the destination. At each node that the datagram passes through, the node determines the next hop for the datagram and routes it to the next hop. Since the network is dynamic, it is possible that two datagrams from the same source take different paths to make it to the destination. Since the network has variable delays, it is not guaranteed that the datagrams will be received in sequence. IP only tries for a best- effort delivery. It does not take care of lost packets; this is left to the higher layer protocols. There is no state maintained between two datagrams; in other words, IP is connection-less. Transmission Control Protocol Transmission Control Protocol (TCP) runs on top of IP, and provides a connection oriented service between the sender and the receiver. TCP provides guaranteed delivery, and ensures that the packets are delivered in sequence. The underlying network IP, is highly unreliable and does not provide any guarantee for TCP. In order to provide reliability between the sender and the receiver, TCP uses various mechanisms, such as sequence numbers, acknowledgments, 3-way handshakes and timers.
A TCP connection is identified by the 4-tuple ((destination-ip-address, destination-port), (source-ip-address, source-port)). Ports are the actual end-points of the TCP connection. The working of TCP could be described using a TCP state machine. Transitions to different states are based on events received in the form of TCP segments. The TCP states are very closely associated with timers. There are various timers associated with connection establishment (or termination), flow control, and retransmission. In order to understand the security problems associated with TCP, it is necessary that we look at the state-machine in detail. It is also important to get an overview of TCP implementations, and how they implement the TCP state-machine, the state-transitions and the associated timers. The TCP layer on either end maintains table entries corresponding to the 4-tuple (remote-ip-address, remote-port, source-ip-address, source-port). This 4-tuple uniquely identifies a connection. For every connection, the end-systems implementing TCP need to keep the TCP state information for the duration of the connection. IPSec Implementation Methods Three different implementation architectures are defined for IPSec in RFC 2401. Which one we use depends on various factors including the version of IP used, the requirements of the application and other factors. These in turn rest on a primary implementation decision: whether IPSec should be programmed into all hosts on a network, or just into certain routers or other “intermediate devices”. This implementation decision is one that must be based on the requirements of the network. There are two options: to implement IPSec in end hosts, or in routers.
End Host Implementation Putting IPSec into all host devices provides the most flexibility and security. It enables “end-to-end” security between any two devices on the network. However, there are many hosts on a typical network, so this means far more work than just implementing IPSec in routers. Router Implementation This option is much less work because it means we only make changes to a few routers instead of hundreds or thousands of clients. It only provides protection between pairs of routers that implement IPSec, but this may be sufficient for certain applications such as virtual private networks (VPNs). The routers can be used to provide protection only for the portion of the route that datagrams take outside the organization, leaving connections between routers and local hosts unsecured (or possibly, secured by other means). Modes of IPsec operation There are two modes of IPsec operation: transport mode and tunnel mode. In transport mode only the payload (message) of the IP packet is encrypted. It is fully-routable since the IP header is sent as plain text; however, it can not cross NAT interfaces, as this will invalidate its hash value. Transport mode is used for host-to-host communications over a LAN. In tunnel mode, the entire IP packet is encrypted. It must then be encapsulated into a new IP packet for routing to work. Tunnel mode is used for network-to-network communications (secure tunnels between routers) or host-to-network and host-to-host communications over the Internet.
IPsec is implemented by a set of cryptographic protocols for (1) securing packet flows and (2) Internet key exchange. Of the former, there are two: Authentication Header (AH) :which provides authentication, payload (message) and IP header integrity and with some cryptography algorithm also non-repudiation , but does not offer confidentiality Encapsulating Security Payload (ESP) :which provides data confidentiality, payload (message) integrity and with some cryptography algorithm also authentication. In some countries message encryption is prohibited by law and ESP protocol can not be used. In this case AH provides entire IPsec functionality without confidentiality. Originally AH was only used for integrity and ESP was used only for encryption; authentication functionality was added subsequently to ESP. Currently only one key exchange protocol is defined, the IKE (Internet Key Exchange) protocol. IPsec protocols operate at the network layer, layer 3 of the OSI model. Other Internet security protocols in widespread use, such as SSL and TLS, operate from the transport layer up (OSI layers 4 - 7). This makes IPsec more flexible, as it can be used for protecting both TCP and UDP-based protocols, but increases its complexity and processing overhead, as it cannot rely on TCP (layer 4 OSI model) to manage reliability and fragmentation. Current status as a standard IPsec is an obligatory part of IPv6, and is optional for use with IPv4. While the standard is designed to be agnostic to IP versions, current widespread deployment and experience concerns IPv4 implementations. IPsec protocols were originally defined by RFCs 1825–1829, published in 1995. In 1998, these documents were obsoleted by RFCs 2401–2412. 2401–2412 are not compatible with 1825–1829, although they are conceptually identical. In December 2005 a third generation documents RFCs 4301– 4309, were produced. They are largely a superset of 2401–2412.
It is unusual to see any product that offers RFC1825–1829 support. "ESP" generally refers to 2406, while ESPbis refers to 4303. Design intent IPsec was intended to provide either transport mode: end-to-end security of packet traffic in which the end-point computers do the security processing, or tunnel mode: portal-to-portal communications security in which security of packet traffic is provided to several machines even to whole LANs by a single node. IPsec can be used to create Virtual Private Networks (VPN) in either mode, and this is the dominant use. Note, however, that the security implications are quite different between the two operational modes. End-to-end communication security on an Internet-wide scale has been slower to develop than many had expected. Part of the reason is that no universal, or universally trusted, Public Key Infrastructure (PKI) has emerged (DNSSEC was originally envisioned for this); part is that many users understand neither their needs nor the available options well enough to promote inclusion in vendors' products. Since the Internet Protocol does not inherently provide any security capabilities, IPsec was introduced to provide security services such as: 1. Encrypting traffic (So it can not be read in its transmission) 2. Integrity validation (Ensuring traffic has not been modified along its path) 3. Authenticating the Peers (Both ends are sure they are communicating with a trusted entity the traffic is intended for) 4. Anti-Replay (Protect against session replay)
Technical details Authentication Header (AH) One of the two core security protocols in IPSec is the Authentication Header (AH). This is another protocol whose name has been well chosen: AH is a protocol that provides authentication of either all or part of the contents of a datagram through the addition of a header that is calculated based on the values in the datagram. What parts of the datagram are used for the calculation, and the placement of the header, depends on the mode (tunnel or transport) and the version of IP (IPv4 or IPv6). The operation of the AH protocol is surprisingly simple—especially for any protocol that has anything to do with network security. It can be considered analogous to the algorithms used to calculate checksums or perform CRC checks for error detection. In those cases, a standard algorithm is used by the sender to compute a checksum or CRC code based on the contents of a message. This computed result is transmitted along with the original data to the destination, which repeats the calculation and discards the message if any discrepancy is found between its calculation and the one done by the source. This is the same idea behind AH, except that instead of using a simple algorithm known to everyone, we use a special hashing algorithm and a specific key known only to the source and the destination. A security association between two devices is set up that specifies these particulars so that the source and destination know how to perform the computation but nobody else can. On the source device, AH performs the computation and puts the result (called the Integrity Check Value or ICV) into a special header with other fields for transmission. The destination device does the same calculation using the key the two devices share, which enables it to see immediately if any of the fields in the original datagram were modified (either due to error or malice). It's important that I point out explicitly that just as a checksum doesn't change the original data, neither does the ICV calculation change the original data. The
presence of the AH header allows us to verify the integrity of the message, but doesn't encrypt it. Thus, AH provides authentication but not privacy. An AH packet diagram: 0 1 2 3 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 Next Header Payload Length RESERVED Security Parameters Index (SPI) Sequence Number Authentication Data (variable) Field meanings: Next Header Identifies the protocol of the transferred data. Payload Length Size of AH packet. RESERVED Reserved for future use (all zero until then). Security Parameters Index (SPI) Identifies the security parameters in combination with IP address. Sequence Number A monotonically increasing number, used to prevent replay attacks.
Authentication Data Contains the data necessary to authenticate the packet. Encapsulated Security Payload (ESP) The Encapsulating Security Payload (ESP) extension header provides origin authenticity, integrity, and confidentiality of a packet. Unlike the AH header, the IP packet header is not accounted for. ESP operates directly on top of IP using IP protocol number 50. The IPSec Authentication Header (AH) provides integrity authentication services to IPSec-capable devices, so they can verify that messages are received intact from other devices. For many applications, however, this is only one piece of the puzzle. We want to not only protect against intermediate devices changing our datagrams, we want to protect against them examining their contents as well. For this level of private communication, AH is not enough; we need to use the Encapsulating Security Payload (ESP) protocol. The main job of ESP is to provide the privacy we seek for IP datagrams by encrypting them. An encryption algorithm combines the data in the datagram with a key to transform it into an encrypted form. This is then repackaged using a special format that we will see shortly, and transmitted to the destination, which decrypts it using the same algorithm. ESP also supports its own authentication scheme like that used in AH, or can be used in conjunction with AH. ESP has several fields that are the same as those used in AH, but packages its fields in a very different way
An ESP packet diagram: 0 1 2 3 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 Security Parameters Index (SPI) Sequence Number Payload * (variable) Padding (0-255 bytes) Pad Length Next Header Authentication Data (variable) Field meanings: Security Parameters Index (SPI) Identifies the security parameters in combination with IP address Sequence Number A monotonically increasing number, used to prevent replay attacks. Payload Data The data to be transferred. Padding Used with some block ciphers to pad the data to the full length of a block. Pad Length Size of padding in bytes. Next Header Identifies the protocol of the transferred data.
Authentication Data Contains the data used to authenticate the packet. Implementations IPsec support is usually implemented in the kernel with key management and ISAKMP/IKE negotiation carried out from user-space. Existing IPsec implementations tend to include both of these functionalities. However, as there is a standard interface for key management, it is possible to control one kernel IPsec stack using key management tools from a different implementation. Because of this, there is confusion as to the origins of the IPsec implementation that is in the Linux kernel. The FreeS/WAN project made the first complete and open source implementation of IPsec for Linux. It consists of a kernel IPsec stack (KLIPS), as well as a key management daemon (pluto) and many shell scripts. The FreeS/WAN project was disbanded in March 2004. Openswan and strongSwan are continuations of FreeS/WAN. The KAME project also implemented complete IPsec support for NetBSD, FreeBSD. Its key management daemon is called racoon. OpenBSD made its own ISAKMP/IKE daemon, simply named isakmpd (that was also ported to other systems, including Linux). However, none of these kernel IPsec stacks were integrated into the Linux kernel. Alexey Kuznetsov and David S. Miller wrote a kernel IPsec implementation from scratch for the Linux kernel around the end of 2002. This stack was subsequently released as part of Linux 2.6, and is referred variously as "native" or "NETKEY". Therefore, contrary to popular belief, the Linux IPsec stack did not originate from the KAME project. As it supports the standard PF_KEY protocol (RFC 2367) and the native XFRM interface for key management, the Linux IPsec stack can be used in conjunction with either pluto from Openswan/strongSwan, isakmpd from OpenBSD
project, racoon from the KAME project or without any ISAKMP/IKE daemon (using manual keying). There are a number of implementations of IPsec and ISAKMP/IKE protocols. These include: 1. NRL IPsec, one of the original sources of IPsec code 2. OpenBSD, with its own code derived from NRL IPsec 3. the KAME stack, that is included in Mac OS X, NetBSD and FreeBSD 4. "IPsec" in Cisco IOS Software 5. "IPsec" in Microsoft Windows, including Windows XP, Windows 2000, and Windows 2003 6. SSH Sentinel provides toolkits 7. IPsec in Solaris 8. IBM AIX operating system 9. IBM z/OS 10. IPsec and IKE in HP-UX (HP-UX IPSec) 11. "IPsec and IKE" in VxWorks IPSec General Operation, Components and Protocols IPSec provides the tools that devices on a TCP/IP network need in order to communicate securely. When two devices (either end user hosts or intermediate devices such as routers or firewalls) want to engage in secure communications, they set up a secure path between themselves that may traverse across many insecure intermediate systems.
To accomplish this, they must perform (at least) the following tasks: 1. They must agree on a set of security protocols to use, so that each one sends data in a format the other can understand. 2. They must decide on a specific encryption algorithm to use in encoding data. 3. They must exchange keys that are used to “unlock” data that has been cryptographically encoded. 4. Once this background work is completed, each device must use the protocols, methods and keys previously agreed upon to encode data and send it across the network. IPSec Key Exchange (IKE) IPSec, like many secure networking protocol sets, is based on the concept of a “shared secret”. Two devices that want to send information securely encode and decode it using a piece of information that only they know. Anyone who isn't “in” on the secret is able to intercept the information but is prevented either from reading it (if ESP is used to encrypt the payload) or from tampering with it undetected (if AH is used). Before either AH or ESP can be used, however, it is necessary for the two devices to exchange the “secret” that the security protocols themselves will use. The primary support protocol used for this purpose in IPSec is called Internet Key Exchange (IKE). IKE is defined in RFC 2409, and is one of the more complicated of the IPSec protocols to comprehend. In fact, it is simply impossible to truly understand more than a real simplification of its operation without significant background in cryptography.
IKE Overview and Relationship to Other Key Exchange Methods The purpose of IKE is to allow devices to exchange information required for secure communication. As the title suggests, this includes cryptographic keys used for encoding authentication information and performing payload encryption. IKE works by allowing IPSec-capable devices to exchange security associations (SAs), to populate their security association databases (SADs). These are then used for the actual exchange of secured datagrams with the AH and ESP protocols. IKE is considered a “hybrid” protocol because it combines (and supplements) the functions of three other protocols. The first of these is the Internet Security Association and Key Management Protocol (ISAKMP). This protocol provides a framework for exchanging encryption keys and security association information. It operates by allowing security associations to be negotiated through a series of phases. ISAKMP is a generic protocol that supports many different key exchange methods. In IKE, the ISAKMP framework is used as the basis for a specific key exchange method that combines features from two key exchange protocols: (1) OAKLEY: Describes a specific mechanism for exchanging keys through the definition of various key exchange “modes”. Most of the IKE key exchange process is based on OAKLEY. (2) SKEME: Describes a different key exchange mechanism than OAKLEY. IKE uses some features from SKEME, including its method of public key encryption and its fast re-keying feature.
Conclusion IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in data stream. IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec- compliant device decrypts each packet. IPsec was intended to provide either transport mode: end-to-end security of packet traffic in which the end-point computers do the security processing, or tunnel mode: portal-to-portal communications security in which security of packet traffic is provided to several machines even to whole LANs by a single node.

Recommended

Ip security
Ip security Ip security
Ip security Dr.K.Sreenivas Rao
 
L2 tp., ip sec
L2 tp., ip secL2 tp., ip sec
L2 tp., ip secZekriaMuzafar
 
Ip security
Ip security Ip security
Ip security Naveen Dubey
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1CAS
 
Types of VPN
Types of VPNTypes of VPN
Types of VPNNetProtocol Xpert
 
How Secure are IPsec and SSL VPN encryptions
How Secure are IPsec and SSL VPN encryptionsHow Secure are IPsec and SSL VPN encryptions
How Secure are IPsec and SSL VPN encryptionsUday Bhatia
 
VPN presentation
VPN presentationVPN presentation
VPN presentationRiazehri
 

Recommended

Ip security
Ip security Ip security
Ip security Dr.K.Sreenivas Rao
 
L2 tp., ip sec
L2 tp., ip secL2 tp., ip sec
L2 tp., ip secZekriaMuzafar
 
Ip security
Ip security Ip security
Ip security Naveen Dubey
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1CAS
 
Types of VPN
Types of VPNTypes of VPN
Types of VPNNetProtocol Xpert
 
How Secure are IPsec and SSL VPN encryptions
How Secure are IPsec and SSL VPN encryptionsHow Secure are IPsec and SSL VPN encryptions
How Secure are IPsec and SSL VPN encryptionsUday Bhatia
 
VPN presentation
VPN presentationVPN presentation
VPN presentationRiazehri
 
VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private NetworkPeter R. Egli
 
ip security
ip securityip security
ip securityChirag Patel
 
IP Security
IP SecurityIP Security
IP SecurityAmbo University
 
IP Security
IP SecurityIP Security
IP Securitysahilshah200
 
Ip security
Ip securityIp security
Ip securityJithuK6
 
IP security
IP securityIP security
IP securityshraddha mane
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its ComponentsMohibullah Saail
 
VPN Theory
VPN TheoryVPN Theory
VPN TheoryLJ PROJECTS
 
Ipsec
IpsecIpsec
IpsecBaidyanath Dutta
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDGiovanni Bechis
 
IP Security
IP SecurityIP Security
IP SecurityDr.Florence Dayana
 
Cns unit4
Cns unit4Cns unit4
Cns unit4PRADEEPJ30
 
Vpn
VpnVpn
VpnKamalPreet Saluja
 
I psec cisco
I psec ciscoI psec cisco
I psec ciscoDeepak296
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Servermmoizuddin
 
Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)
Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)
Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)Vanitha Joshi
 
Keymanagement of ipsec
Keymanagement of ipsecKeymanagement of ipsec
Keymanagement of ipsecPACHIYAPPAN PACHIYAPPAS
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip securityrajakhurram
 
4G LTE Security - What hackers know?
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?Stephen Kho
 
IP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfIP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfsolimankellymattwe60
 
Lec 9.pptx
Lec 9.pptxLec 9.pptx
Lec 9.pptxssuserbab2f4
 
Vpn protocols
Vpn protocolsVpn protocols
Vpn protocolsJadavsejal
 

More Related Content

What's hot

VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private NetworkPeter R. Egli
 
Ip security
Ip securityIp security
Ip securityJithuK6
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its ComponentsMohibullah Saail
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDGiovanni Bechis
 
I psec cisco
I psec ciscoI psec cisco
I psec ciscoDeepak296
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Servermmoizuddin
 
Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)
Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)
Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)Vanitha Joshi
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip securityrajakhurram
 
4G LTE Security - What hackers know?
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?Stephen Kho
 

What's hot (19)

VPN - Virtual Private Network
VPN - Virtual Private NetworkVPN - Virtual Private Network
VPN - Virtual Private Network
 
ip security
ip securityip security
ip security
 
IP Security
IP SecurityIP Security
IP Security
 
IP Security
IP SecurityIP Security
IP Security
 
Ip security
Ip securityIp security
Ip security
 
IP security
IP securityIP security
IP security
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its Components
 
VPN Theory
VPN TheoryVPN Theory
VPN Theory
 
Ipsec
IpsecIpsec
Ipsec
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSD
 
IP Security
IP SecurityIP Security
IP Security
 
Cns unit4
Cns unit4Cns unit4
Cns unit4
 
Vpn
VpnVpn
Vpn
 
I psec cisco
I psec ciscoI psec cisco
I psec cisco
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Server
 
Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)
Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)
Implementation of IPSec VPN on Cisco routers and Configuring it on ISP. (1)
 
Keymanagement of ipsec
Keymanagement of ipsecKeymanagement of ipsec
Keymanagement of ipsec
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip security
 
4G LTE Security - What hackers know?
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?
 

Similar to IPsec Encryption: Securing IP Communications

IP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfIP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfsolimankellymattwe60
 
IP security and VPN presentation
IP security and VPN presentation IP security and VPN presentation
IP security and VPN presentation KishoreTs3
 
The Security layer
The Security layerThe Security layer
The Security layerSwetha S
 
Introduction to OSI and QUIC
Introduction to OSI and QUICIntroduction to OSI and QUIC
Introduction to OSI and QUICFarzad Soltani
 
Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...
Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...
Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...Edureka!
 
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)n|u - The Open Security Community
 
Working Survey of Authentication Header and Encapsulating Security Payload
Working Survey of Authentication Header and Encapsulating Security PayloadWorking Survey of Authentication Header and Encapsulating Security Payload
Working Survey of Authentication Header and Encapsulating Security Payloadijtsrd
 
college assignment on Applications of ipsec
college assignment on Applications of ipsec college assignment on Applications of ipsec
college assignment on Applications of ipsec bigchill29
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6limsh
 
Future protocol IP v6
Future protocol IP v6Future protocol IP v6
Future protocol IP v6Manesh Sharma
 
TCP/IP-Protocol Suite-Simple Explanation
TCP/IP-Protocol Suite-Simple ExplanationTCP/IP-Protocol Suite-Simple Explanation
TCP/IP-Protocol Suite-Simple ExplanationKANNANKR12
 
BASIC TO ADVANCED NETWORKING TUTORIALS
BASIC TO ADVANCED NETWORKING TUTORIALSBASIC TO ADVANCED NETWORKING TUTORIALS
BASIC TO ADVANCED NETWORKING TUTORIALSVarinder Singh Walia
 
A Comparative Analysis of Additional Overhead Imposed by Internet Protocol Se...
A Comparative Analysis of Additional Overhead Imposed by Internet Protocol Se...A Comparative Analysis of Additional Overhead Imposed by Internet Protocol Se...
A Comparative Analysis of Additional Overhead Imposed by Internet Protocol Se...ijceronline
 
ETE405-lec7.ppt
ETE405-lec7.pptETE405-lec7.ppt
ETE405-lec7.pptmashiur
 

Similar to IPsec Encryption: Securing IP Communications (20)

IP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdfIP Security One problem with Internet protocol (IP) is that it has.pdf
IP Security One problem with Internet protocol (IP) is that it has.pdf
 
Lec 9.pptx
Lec 9.pptxLec 9.pptx
Lec 9.pptx
 
Vpn protocols
Vpn protocolsVpn protocols
Vpn protocols
 
IP security and VPN presentation
IP security and VPN presentation IP security and VPN presentation
IP security and VPN presentation
 
The Security layer
The Security layerThe Security layer
The Security layer
 
Introduction to OSI and QUIC
Introduction to OSI and QUICIntroduction to OSI and QUIC
Introduction to OSI and QUIC
 
Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...
Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...
Cybersecurity Tutorial | Demo On Man In The Middle Attack | Cybersecurity Tra...
 
V P N
V P NV P N
V P N
 
Lecture14..pdf
Lecture14..pdfLecture14..pdf
Lecture14..pdf
 
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
Converting your linux Box in security Gateway Part – 2 (Looking inside VPN)
 
Working Survey of Authentication Header and Encapsulating Security Payload
Working Survey of Authentication Header and Encapsulating Security PayloadWorking Survey of Authentication Header and Encapsulating Security Payload
Working Survey of Authentication Header and Encapsulating Security Payload
 
college assignment on Applications of ipsec
college assignment on Applications of ipsec college assignment on Applications of ipsec
college assignment on Applications of ipsec
 
Internet protocol
Internet protocolInternet protocol
Internet protocol
 
Cn36539543
Cn36539543Cn36539543
Cn36539543
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6
 
Future protocol IP v6
Future protocol IP v6Future protocol IP v6
Future protocol IP v6
 
TCP/IP-Protocol Suite-Simple Explanation
TCP/IP-Protocol Suite-Simple ExplanationTCP/IP-Protocol Suite-Simple Explanation
TCP/IP-Protocol Suite-Simple Explanation
 
BASIC TO ADVANCED NETWORKING TUTORIALS
BASIC TO ADVANCED NETWORKING TUTORIALSBASIC TO ADVANCED NETWORKING TUTORIALS
BASIC TO ADVANCED NETWORKING TUTORIALS
 
A Comparative Analysis of Additional Overhead Imposed by Internet Protocol Se...
A Comparative Analysis of Additional Overhead Imposed by Internet Protocol Se...A Comparative Analysis of Additional Overhead Imposed by Internet Protocol Se...
A Comparative Analysis of Additional Overhead Imposed by Internet Protocol Se...
 
ETE405-lec7.ppt
ETE405-lec7.pptETE405-lec7.ppt
ETE405-lec7.ppt
 

More from Shiva Krishna Chandra Shekar

More from Shiva Krishna Chandra Shekar (20)

Airtel final
Airtel finalAirtel final
Airtel final
 
Airtel COMPNAY
Airtel COMPNAYAirtel COMPNAY
Airtel COMPNAY
 
Microsoft data access components
Microsoft data access componentsMicrosoft data access components
Microsoft data access components
 
Ad hoc
Ad hocAd hoc
Ad hoc
 
Mobile adhoc
Mobile adhocMobile adhoc
Mobile adhoc
 
Ldap
LdapLdap
Ldap
 
L2tp1
L2tp1L2tp1
L2tp1
 
Ivrs
IvrsIvrs
Ivrs
 
I pod
I podI pod
I pod
 
Internet
InternetInternet
Internet
 
Image compression
Image compressionImage compression
Image compression
 
Hyper thread technology
Hyper thread technologyHyper thread technology
Hyper thread technology
 
Raju html
Raju htmlRaju html
Raju html
 
Raju
RajuRaju
Raju
 
Dba
DbaDba
Dba
 
Di splay systems
Di splay systemsDi splay systems
Di splay systems
 
Ananth3
Ananth3Ananth3
Ananth3
 
Ppt
PptPpt
Ppt
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Ananth1
Ananth1Ananth1
Ananth1
 

Recently uploaded

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Recently uploaded (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 

IPsec Encryption: Securing IP Communications

  • 1. IP SECURITY Introduction IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in data stream. IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec- compliant device decrypts each packet. For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates. In the early 1980's, specifications were finished for the TCP and IP protocols. These two protocols could be considered the most important in the world today - they are the basis of the Internet. Over the past decade, the Internet has grown from a small network connecting a small community of researchers to its present state - a gigantic global network connecting people of all types. The huge success of the Internet has, for the most part, been quite beneficial. The Internet has evolved from a specialized project to a general-purpose tool. TCP and IP protocols were designed when the Internet was small, and users generally trusted each other. The protocols lack many features that are desirable or needed on an insecure network. However, the growth of the Internet has created problems with security. The TCP and IP protocols were designed when the Internet was small, and users generally trusted each other. The protocols lack many features that are desirable or needed on an insecure network. TCP/IP is the backbone of the internet today. Comprised of two protocols, TCP and IP, the TCP/IP protocol suite is one of the most widely used. The TCP/IP protocols, the basis for today's Internet, lack even the most basic
  • 2. mechanisms for security, such as authentication or encryption. As usage of the Internet and TCP/IP protocols increases, their lack of built-in security has become more and more problematic. Internet Protocol The Internet Protocol (or IP as it generally known), is the network layer of the Internet. IP provides a connection-less service. The job of IP is to route and send a packet to the packet's destination. IP provides no guarantee whatever, for the packets it tries to deliver. The IP packets are usually termed datagrams. The datagrams go through a series of routers before they reach the destination. At each node that the datagram passes through, the node determines the next hop for the datagram and routes it to the next hop. Since the network is dynamic, it is possible that two datagrams from the same source take different paths to make it to the destination. Since the network has variable delays, it is not guaranteed that the datagrams will be received in sequence. IP only tries for a best- effort delivery. It does not take care of lost packets; this is left to the higher layer protocols. There is no state maintained between two datagrams; in other words, IP is connection-less. Transmission Control Protocol Transmission Control Protocol (TCP) runs on top of IP, and provides a connection oriented service between the sender and the receiver. TCP provides guaranteed delivery, and ensures that the packets are delivered in sequence. The underlying network IP, is highly unreliable and does not provide any guarantee for TCP. In order to provide reliability between the sender and the receiver, TCP uses various mechanisms, such as sequence numbers, acknowledgments, 3-way handshakes and timers.
  • 3. A TCP connection is identified by the 4-tuple ((destination-ip-address, destination-port), (source-ip-address, source-port)). Ports are the actual end-points of the TCP connection. The working of TCP could be described using a TCP state machine. Transitions to different states are based on events received in the form of TCP segments. The TCP states are very closely associated with timers. There are various timers associated with connection establishment (or termination), flow control, and retransmission. In order to understand the security problems associated with TCP, it is necessary that we look at the state-machine in detail. It is also important to get an overview of TCP implementations, and how they implement the TCP state-machine, the state-transitions and the associated timers. The TCP layer on either end maintains table entries corresponding to the 4-tuple (remote-ip-address, remote-port, source-ip-address, source-port). This 4-tuple uniquely identifies a connection. For every connection, the end-systems implementing TCP need to keep the TCP state information for the duration of the connection. IPSec Implementation Methods Three different implementation architectures are defined for IPSec in RFC 2401. Which one we use depends on various factors including the version of IP used, the requirements of the application and other factors. These in turn rest on a primary implementation decision: whether IPSec should be programmed into all hosts on a network, or just into certain routers or other “intermediate devices”. This implementation decision is one that must be based on the requirements of the network. There are two options: to implement IPSec in end hosts, or in routers.
  • 4. End Host Implementation Putting IPSec into all host devices provides the most flexibility and security. It enables “end-to-end” security between any two devices on the network. However, there are many hosts on a typical network, so this means far more work than just implementing IPSec in routers. Router Implementation This option is much less work because it means we only make changes to a few routers instead of hundreds or thousands of clients. It only provides protection between pairs of routers that implement IPSec, but this may be sufficient for certain applications such as virtual private networks (VPNs). The routers can be used to provide protection only for the portion of the route that datagrams take outside the organization, leaving connections between routers and local hosts unsecured (or possibly, secured by other means). Modes of IPsec operation There are two modes of IPsec operation: transport mode and tunnel mode. In transport mode only the payload (message) of the IP packet is encrypted. It is fully-routable since the IP header is sent as plain text; however, it can not cross NAT interfaces, as this will invalidate its hash value. Transport mode is used for host-to-host communications over a LAN. In tunnel mode, the entire IP packet is encrypted. It must then be encapsulated into a new IP packet for routing to work. Tunnel mode is used for network-to-network communications (secure tunnels between routers) or host-to-network and host-to-host communications over the Internet.
  • 5. IPsec is implemented by a set of cryptographic protocols for (1) securing packet flows and (2) Internet key exchange. Of the former, there are two: Authentication Header (AH) :which provides authentication, payload (message) and IP header integrity and with some cryptography algorithm also non-repudiation , but does not offer confidentiality Encapsulating Security Payload (ESP) :which provides data confidentiality, payload (message) integrity and with some cryptography algorithm also authentication. In some countries message encryption is prohibited by law and ESP protocol can not be used. In this case AH provides entire IPsec functionality without confidentiality. Originally AH was only used for integrity and ESP was used only for encryption; authentication functionality was added subsequently to ESP. Currently only one key exchange protocol is defined, the IKE (Internet Key Exchange) protocol. IPsec protocols operate at the network layer, layer 3 of the OSI model. Other Internet security protocols in widespread use, such as SSL and TLS, operate from the transport layer up (OSI layers 4 - 7). This makes IPsec more flexible, as it can be used for protecting both TCP and UDP-based protocols, but increases its complexity and processing overhead, as it cannot rely on TCP (layer 4 OSI model) to manage reliability and fragmentation. Current status as a standard IPsec is an obligatory part of IPv6, and is optional for use with IPv4. While the standard is designed to be agnostic to IP versions, current widespread deployment and experience concerns IPv4 implementations. IPsec protocols were originally defined by RFCs 1825–1829, published in 1995. In 1998, these documents were obsoleted by RFCs 2401–2412. 2401–2412 are not compatible with 1825–1829, although they are conceptually identical. In December 2005 a third generation documents RFCs 4301– 4309, were produced. They are largely a superset of 2401–2412.
  • 6. It is unusual to see any product that offers RFC1825–1829 support. "ESP" generally refers to 2406, while ESPbis refers to 4303. Design intent IPsec was intended to provide either transport mode: end-to-end security of packet traffic in which the end-point computers do the security processing, or tunnel mode: portal-to-portal communications security in which security of packet traffic is provided to several machines even to whole LANs by a single node. IPsec can be used to create Virtual Private Networks (VPN) in either mode, and this is the dominant use. Note, however, that the security implications are quite different between the two operational modes. End-to-end communication security on an Internet-wide scale has been slower to develop than many had expected. Part of the reason is that no universal, or universally trusted, Public Key Infrastructure (PKI) has emerged (DNSSEC was originally envisioned for this); part is that many users understand neither their needs nor the available options well enough to promote inclusion in vendors' products. Since the Internet Protocol does not inherently provide any security capabilities, IPsec was introduced to provide security services such as: 1. Encrypting traffic (So it can not be read in its transmission) 2. Integrity validation (Ensuring traffic has not been modified along its path) 3. Authenticating the Peers (Both ends are sure they are communicating with a trusted entity the traffic is intended for) 4. Anti-Replay (Protect against session replay)
  • 7. Technical details Authentication Header (AH) One of the two core security protocols in IPSec is the Authentication Header (AH). This is another protocol whose name has been well chosen: AH is a protocol that provides authentication of either all or part of the contents of a datagram through the addition of a header that is calculated based on the values in the datagram. What parts of the datagram are used for the calculation, and the placement of the header, depends on the mode (tunnel or transport) and the version of IP (IPv4 or IPv6). The operation of the AH protocol is surprisingly simple—especially for any protocol that has anything to do with network security. It can be considered analogous to the algorithms used to calculate checksums or perform CRC checks for error detection. In those cases, a standard algorithm is used by the sender to compute a checksum or CRC code based on the contents of a message. This computed result is transmitted along with the original data to the destination, which repeats the calculation and discards the message if any discrepancy is found between its calculation and the one done by the source. This is the same idea behind AH, except that instead of using a simple algorithm known to everyone, we use a special hashing algorithm and a specific key known only to the source and the destination. A security association between two devices is set up that specifies these particulars so that the source and destination know how to perform the computation but nobody else can. On the source device, AH performs the computation and puts the result (called the Integrity Check Value or ICV) into a special header with other fields for transmission. The destination device does the same calculation using the key the two devices share, which enables it to see immediately if any of the fields in the original datagram were modified (either due to error or malice). It's important that I point out explicitly that just as a checksum doesn't change the original data, neither does the ICV calculation change the original data. The
  • 8. presence of the AH header allows us to verify the integrity of the message, but doesn't encrypt it. Thus, AH provides authentication but not privacy. An AH packet diagram: 0 1 2 3 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 Next Header Payload Length RESERVED Security Parameters Index (SPI) Sequence Number Authentication Data (variable) Field meanings: Next Header Identifies the protocol of the transferred data. Payload Length Size of AH packet. RESERVED Reserved for future use (all zero until then). Security Parameters Index (SPI) Identifies the security parameters in combination with IP address. Sequence Number A monotonically increasing number, used to prevent replay attacks.
  • 9. Authentication Data Contains the data necessary to authenticate the packet. Encapsulated Security Payload (ESP) The Encapsulating Security Payload (ESP) extension header provides origin authenticity, integrity, and confidentiality of a packet. Unlike the AH header, the IP packet header is not accounted for. ESP operates directly on top of IP using IP protocol number 50. The IPSec Authentication Header (AH) provides integrity authentication services to IPSec-capable devices, so they can verify that messages are received intact from other devices. For many applications, however, this is only one piece of the puzzle. We want to not only protect against intermediate devices changing our datagrams, we want to protect against them examining their contents as well. For this level of private communication, AH is not enough; we need to use the Encapsulating Security Payload (ESP) protocol. The main job of ESP is to provide the privacy we seek for IP datagrams by encrypting them. An encryption algorithm combines the data in the datagram with a key to transform it into an encrypted form. This is then repackaged using a special format that we will see shortly, and transmitted to the destination, which decrypts it using the same algorithm. ESP also supports its own authentication scheme like that used in AH, or can be used in conjunction with AH. ESP has several fields that are the same as those used in AH, but packages its fields in a very different way
  • 10. An ESP packet diagram: 0 1 2 3 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 Security Parameters Index (SPI) Sequence Number Payload * (variable) Padding (0-255 bytes) Pad Length Next Header Authentication Data (variable) Field meanings: Security Parameters Index (SPI) Identifies the security parameters in combination with IP address Sequence Number A monotonically increasing number, used to prevent replay attacks. Payload Data The data to be transferred. Padding Used with some block ciphers to pad the data to the full length of a block. Pad Length Size of padding in bytes. Next Header Identifies the protocol of the transferred data.
  • 11. Authentication Data Contains the data used to authenticate the packet. Implementations IPsec support is usually implemented in the kernel with key management and ISAKMP/IKE negotiation carried out from user-space. Existing IPsec implementations tend to include both of these functionalities. However, as there is a standard interface for key management, it is possible to control one kernel IPsec stack using key management tools from a different implementation. Because of this, there is confusion as to the origins of the IPsec implementation that is in the Linux kernel. The FreeS/WAN project made the first complete and open source implementation of IPsec for Linux. It consists of a kernel IPsec stack (KLIPS), as well as a key management daemon (pluto) and many shell scripts. The FreeS/WAN project was disbanded in March 2004. Openswan and strongSwan are continuations of FreeS/WAN. The KAME project also implemented complete IPsec support for NetBSD, FreeBSD. Its key management daemon is called racoon. OpenBSD made its own ISAKMP/IKE daemon, simply named isakmpd (that was also ported to other systems, including Linux). However, none of these kernel IPsec stacks were integrated into the Linux kernel. Alexey Kuznetsov and David S. Miller wrote a kernel IPsec implementation from scratch for the Linux kernel around the end of 2002. This stack was subsequently released as part of Linux 2.6, and is referred variously as "native" or "NETKEY". Therefore, contrary to popular belief, the Linux IPsec stack did not originate from the KAME project. As it supports the standard PF_KEY protocol (RFC 2367) and the native XFRM interface for key management, the Linux IPsec stack can be used in conjunction with either pluto from Openswan/strongSwan, isakmpd from OpenBSD
  • 12. project, racoon from the KAME project or without any ISAKMP/IKE daemon (using manual keying). There are a number of implementations of IPsec and ISAKMP/IKE protocols. These include: 1. NRL IPsec, one of the original sources of IPsec code 2. OpenBSD, with its own code derived from NRL IPsec 3. the KAME stack, that is included in Mac OS X, NetBSD and FreeBSD 4. "IPsec" in Cisco IOS Software 5. "IPsec" in Microsoft Windows, including Windows XP, Windows 2000, and Windows 2003 6. SSH Sentinel provides toolkits 7. IPsec in Solaris 8. IBM AIX operating system 9. IBM z/OS 10. IPsec and IKE in HP-UX (HP-UX IPSec) 11. "IPsec and IKE" in VxWorks IPSec General Operation, Components and Protocols IPSec provides the tools that devices on a TCP/IP network need in order to communicate securely. When two devices (either end user hosts or intermediate devices such as routers or firewalls) want to engage in secure communications, they set up a secure path between themselves that may traverse across many insecure intermediate systems.
  • 13. To accomplish this, they must perform (at least) the following tasks: 1. They must agree on a set of security protocols to use, so that each one sends data in a format the other can understand. 2. They must decide on a specific encryption algorithm to use in encoding data. 3. They must exchange keys that are used to “unlock” data that has been cryptographically encoded. 4. Once this background work is completed, each device must use the protocols, methods and keys previously agreed upon to encode data and send it across the network. IPSec Key Exchange (IKE) IPSec, like many secure networking protocol sets, is based on the concept of a “shared secret”. Two devices that want to send information securely encode and decode it using a piece of information that only they know. Anyone who isn't “in” on the secret is able to intercept the information but is prevented either from reading it (if ESP is used to encrypt the payload) or from tampering with it undetected (if AH is used). Before either AH or ESP can be used, however, it is necessary for the two devices to exchange the “secret” that the security protocols themselves will use. The primary support protocol used for this purpose in IPSec is called Internet Key Exchange (IKE). IKE is defined in RFC 2409, and is one of the more complicated of the IPSec protocols to comprehend. In fact, it is simply impossible to truly understand more than a real simplification of its operation without significant background in cryptography.
  • 14. IKE Overview and Relationship to Other Key Exchange Methods The purpose of IKE is to allow devices to exchange information required for secure communication. As the title suggests, this includes cryptographic keys used for encoding authentication information and performing payload encryption. IKE works by allowing IPSec-capable devices to exchange security associations (SAs), to populate their security association databases (SADs). These are then used for the actual exchange of secured datagrams with the AH and ESP protocols. IKE is considered a “hybrid” protocol because it combines (and supplements) the functions of three other protocols. The first of these is the Internet Security Association and Key Management Protocol (ISAKMP). This protocol provides a framework for exchanging encryption keys and security association information. It operates by allowing security associations to be negotiated through a series of phases. ISAKMP is a generic protocol that supports many different key exchange methods. In IKE, the ISAKMP framework is used as the basis for a specific key exchange method that combines features from two key exchange protocols: (1) OAKLEY: Describes a specific mechanism for exchanging keys through the definition of various key exchange “modes”. Most of the IKE key exchange process is based on OAKLEY. (2) SKEME: Describes a different key exchange mechanism than OAKLEY. IKE uses some features from SKEME, including its method of public key encryption and its fast re-keying feature.
  • 15. Conclusion IPsec (IP security) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in data stream. IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec- compliant device decrypts each packet. IPsec was intended to provide either transport mode: end-to-end security of packet traffic in which the end-point computers do the security processing, or tunnel mode: portal-to-portal communications security in which security of packet traffic is provided to several machines even to whole LANs by a single node.