Download IPSec - depovere.com

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
Document related concepts
no text concepts found
Transcript 
IPSec
IP Security (IPSec)
1/26 Groep T Leuven – Information department
2003-2004 - Information management
1
IP Security (IPSec)
•
•
•
•
•
•
•
IPSec overview
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Internet Key Exchange (IKE)
Main Mode negotiation
Quick Mode negotiation
Retransmit behavior
2/26 Groep T Leuven – Information department
2003-2004 - Information management
2
Overall Architecture (RFC 1825)
• Framework for security protocols
to provide:
– Data integrity
– Data authentication
– Data confidentiality
– Security association management
– Key management
3/26 Groep T Leuven – Information department
2003-2004 - Information management
3
Authentication Header (RFC 1826)
IP Header plus Data
IP Header plus Data
Authentication
Data (00ABCDEF)
Authentication
Data (00ABCDEF)
Router
•
•
•
•
IP HDR AH
Data
Router
Data integrity—no twiddling of bits
Origin authentication—definitely came from router
Uses keyed-hash mechanism
Does not provide confidentiality
4/26 Groep T Leuven – Information department
2003-2004 - Information management
4
Encapsulating Security Payload
(RFC 1827)
Router
•
•
•
•
All Data-Encrypted
Router
Confidentiality
Data origin authentication
Data integrity
Replay protection (optional)
5/26 Groep T Leuven – Information department
2003-2004 - Information management
5
Security Association (SA)
Firewall
Router
Insecure Channel
• Agreement between two entities
on method to communicate securely
• Unidirectional—two way communication consists of two SAs
6/26 Groep T Leuven – Information department
2003-2004 - Information management
6
IKE Policy Negotiation
Encryption Algorithm, Hash Algorithm,
and Method of Authentication
3DES, MD5, and RSA Signatures,
or
IDEA, SHA, and DSS Signatures,
or
Blowfish, SHA, and RSA Encryption
IDEA, SHA, and DSS Signatures
ISAKMP Policy Tunnel
7/26 Groep T Leuven – Information department
2003-2004 - Information management
7
IPSec Model
• Device authentication
– Crypto devices obtain digital
certificates from CAs
• Authorization
– Packet selection
via ACLs
Internal Network
Certificate
Authority
– Security Association (SA)
established via
ISAKMP/OAKLAY
Digital Certificate
SA
• Privacy and integrity
– IPSec-based encryption
and digital signature
Internal Network
Clear Text
Encrypted
8/26 Groep T Leuven – Information department
2003-2004 - Information management
8
IPsec Protocols and Formats
Headers
Authentication
• Integrity, authentication
Header
Encapsulating
• Adds confidentiality
Security Payload
ISAKMP/Oakley
• Negotiates security parameters
• Uses digital certificates
Diffie-Hellman
• Generates shared secret keys
Transport
• IP payload only, Layer 4 is obscured
• Both end systems need IPsec
Tunnel
• Entire datagram
• No changes to intermediate systems
Key
Exchange
Modes
Encryption
• DES, 3DES, RC4, IDEA, AES ...
Hashing
• HMAC MD5, HMAC SHA1
9/26 Groep T Leuven – Information department
2003-2004 - Information management
9
IPSec Modes
IP HDR
DATA
Tunnel Mode
New IP HDR IPSec HDR IP HDR
IP HDR
DATA
Encrypted
DATA
Transport Mode
IP HDR
IPSec HDR
DATA
Encrypted
10/26 Groep T Leuven – Information department
2003-2004 - Information management
10
Tunnel and Transport Modes
• Transport mode for end-to-end session
• Tunnel mode for everything else
Transport Mode
Tunnel Mode
Joe’s PC
11/26 Groep T Leuven – Information department
HR
Server
2003-2004 - Information management
11
Ipsec—Standards Based
Internet
IPsec
Dial
IPsec
VLANs
IPsec
Firewall
Campus
12/26 Groep T Leuven – Information department
2003-2004 - Information management
12
IPSec Overview
• Proposed Internet standard for IPlayer cryptography with
IPv4 and IPv6
Router to Firewall
Router to Router
PC to Router
PC to Server
13/26 Groep T Leuven – Information department
2003-2004 - Information management
13
IPSec Process
• Initiating the IPSec session
– Phase one—exchanging keys
– Phase two—setting up security associations
• Encrypting/decrypting packets
• Rebuilding security associations
• Timing out security associations
14/26 Groep T Leuven – Information department
2003-2004 - Information management
14
Initiating the IPSec Session Phase One — ISAKMP
• Internet Security Association Key Management
Protocol (ISAKMP)
• Both sides need to agree on the ISAKMP security
parameters (ISAKMP SADB)
– ISAKMP parameters
• Encryption algorithm
• Hash algorithm
• Authentication method
• Diffie-Hellman modulus
• Group lifetime
15/26 Groep T Leuven – Information department
2003-2004 - Information management
15
Initiating the IPSec Session Phase Two
• Both sides need to agree on the IPSec security
parameters (IPSec SADB)
• IPSec parameters
– IPSec peer
• Endpoint of IPSec tunnel
– IPSec proxy
• Traffic to be encrypted/decrypted
– IPSec transform
• Encryption and hashing
– IPSec lifetime
• Phase two SA regeneration time
16/26 Groep T Leuven – Information department
2003-2004 - Information management
16
Encrypting and Decrypting Packets
• Phase one and phase two completes
• Security Associations (SA) are created at both IPSec
endpoints
• Using the negotiated SADB information
– Outbound packets are encrypted
– Inbound packets are decrypted
17/26 Groep T Leuven – Information department
2003-2004 - Information management
17
Rebuilding Security Associations
• To ensure that keys are not compromised they are
periodically refreshed
• Security associations will be rebuilt when:
– The lifetime expires, or
– Data volume has been exceeded, or
– Another SA is attempted with identical
parameters
18/26 Groep T Leuven – Information department
2003-2004 - Information management
18
Security Associations
• Combination of mutually agreed security services, protection
mechanisms, and cryptographic keys
• ISAKMP SA
• IPSec SAs
– One for inbound traffic
– One for outbound traffic
• Security Parameters Index (SPI)
– Helps identify an SA
• Creating SAs
– Main Mode for ISAKMP SA
– Quick Mode for IPSec SAs
19/26 Groep T Leuven – Information department
2003-2004 - Information management
19
IPSec Headers
• Authentication Header (AH)
– Provides data origin authentication, data integrity,
and replay protection for the entire IP datagram
• Encapsulating Security Payload (ESP)
– Provides data origin authentication, data integrity,
replay protection, and data confidentiality for the
ESP-encapsulated portion of the packet
20/26 Groep T Leuven – Information department
2003-2004 - Information management
20
IPSec Modes
• Transport mode
– Typically used for IPSec peers doing end-to-end
security
– Provides protection for upper-layer protocol data
units (PDUs)
• Tunnel mode
– Typically used by network routers to protect IP
datagrams
– Provides protection for entire IP datagrams
21/26 Groep T Leuven – Information department
2003-2004 - Information management
21
AH Transport Mode
IP
IP
Upper layer PDU
AH
Upper layer PDU
Authenticated
22/26 Groep T Leuven – Information department
2003-2004 - Information management
22
AH Tunnel Mode
IP (new)
AH
IP
Upper layer PDU
IP
Upper layer PDU
Authenticated
23/26 Groep T Leuven – Information department
2003-2004 - Information management
23
ESP Transport Mode
IP
IP
ESP
Upper layer PDU
Upper layer PDU
ESP
Auth
Data
Encrypted
Authenticated
24/26 Groep T Leuven – Information department
2003-2004 - Information management
24
ESP with AH Transport Mode
IP
IP
AH
ESP
Upper layer PDU
Upper layer PDU
ESP
ESP
Auth
Encrypted
Authenticated with ESP
Authenticated with AH
25/26 Groep T Leuven – Information department
2003-2004 - Information management
25
ESP Tunnel Mode
IP (new)
ESP
IP
Upper layer PDU
IP
Upper layer PDU
ESP
Auth
Data
Encrypted
Authenticated
26/26 Groep T Leuven – Information department
2003-2004 - Information management
26
Related documents