IP SECURITY


IP security (IPsec) is a capability that can be added to either current version of the Internet Protocol (IPv4 or IPv6) by means of additional headers. IPsec encompasses three functional areas: authentication, confidentiality, and key management.

APPLICATIONS OF IPSEC
• Secure branch office connectivity over the Internet
• Secure remote access over the Internet
• Establishing extranet and intranet connectivity with partners
• Enhancing electronic commerce security

BENEFITS OF IPSEC
• When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter.
• IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization.
• IPsec is below the transport layer (TCP, UDP) and so is transparent to applications.
• IPsec can be transparent to end users.
• IPsec can provide security for individual users if needed.

IPSEC DOCUMENTS
• Architecture
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Internet Key Exchange (IKE)
• Cryptographic algorithms

IPSEC SERVICES
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets (a form of partial sequence integrity)
• Confidentiality (encryption)
• Limited traffic flow confidentiality

TRANSPORT MODE
ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header. AH in transport mode authenticates the IP payload and selected portions of the IP header.

TUNNEL MODE
ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header. AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header.

IP SECURITY POLICY - SECURITY ASSOCIATION
A security association (SA) is a one-way logical connection between a sender and a receiver that affords security services to the traffic carried on it. If a peer relationship is needed for two-way secure exchange, then two security associations are required.

SECURITY ASSOCIATION PARAMETERS
• Security Parameter Index (SPI)
• IP Destination Address
• Security Protocol Identifier

SECURITY ASSOCIATION DATABASE (SAD)
• Security Parameter Index
• Sequence Number Counter
• Sequence Counter Overflow
• Anti-Replay Window
• AH Information
• ESP Information
• Lifetime of this Security Association
• IPsec Protocol Mode
• Path MTU

SECURITY POLICY DATABASE (SPD)
The SPD contains entries, each of which defines a subset of IP traffic and points to an SA for that traffic. Each SPD entry is defined by a set of IP and upper-layer protocol field values, called selectors.

SPD SELECTORS
• Remote IP Address
• Local IP Address
• Next Layer Protocol Name
• Local and Remote Ports

Figure-only slides (titles only; the diagrams were not captured in this text): PROCESSING OF OUTBOUND IP PACKET; PROCESSING OF INBOUND IP PACKET; ENCAPSULATING SECURITY PAYLOAD (ESP) HEADER FORMAT; ENCAPSULATING SECURITY PAYLOAD (ESP) PAYLOAD FORMAT; ESP – ANTI-REPLAY SERVICE; IPV4 & IPV6 PACKET FORMAT; IPV4 & IPV6 TRANSPORT MODE; IPV4 & IPV6 TUNNEL MODE; COMBINING SECURITY ASSOCIATIONS.

INTERNET KEY EXCHANGE (IKE)
• Oakley Key Determination Protocol: based on the Diffie-Hellman algorithm but providing added security.
• Internet Security Association and Key Management Protocol (ISAKMP): provides a framework for Internet key management.

PROS OF DIFFIE-HELLMAN
• Secret keys are created only when needed. There is no need to store secret keys for a long period of time, exposing them to increased vulnerability.
• The exchange requires no pre-existing infrastructure other than an agreement on the global parameters.

CONS OF DIFFIE-HELLMAN
• It does not provide any information about the identities of the parties.
• It is subject to a man-in-the-middle attack.
• It is computationally intensive. As a result, it is vulnerable to a clogging attack, in which an opponent requests a high number of keys.

FEATURES OF IKE KEY DETERMINATION
1. It employs a mechanism known as cookies to thwart clogging attacks.
2. It enables the two parties to negotiate a group; this, in essence, specifies the global parameters of the Diffie-Hellman key exchange.
3. It uses nonces to ensure against replay attacks.
4. It enables the exchange of Diffie-Hellman public key values.
5. It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks.

Figure-only slides (titles only): IKE V2 KEY EXCHANGES; IKE HEADER FORMAT.
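The SA, SAD, SPD and processing slides above describe how an outbound packet is matched against SPD selectors to pick an SA, how the SA's sequence counter must not overflow, and how the receiver's anti-replay window rejects duplicates. The following is an added example written for this page, not code from the slides or from any IPsec implementation; the SPD entry layout, the packet fields and the sample SPD contents are simplified assumptions, and the window follows the general shape of the sliding-bitmap check in RFC 4303.

```python
"""Constructed model of IPsec packet handling: outbound SPD lookup, the SA
sequence counter with its overflow check, and the inbound anti-replay window.
Added example; the data model is an assumption, not a real kernel's."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class SPDEntry:
    """One SPD entry: selectors, the action, and (for PROTECT) the SPI of the SA."""
    local: str                  # local address range (CIDR)
    remote: str                 # remote address range (CIDR)
    protocol: Optional[int]     # next-layer protocol number, None = any
    local_port: Optional[int]   # None = any
    remote_port: Optional[int]  # None = any
    action: str                 # "PROTECT", "BYPASS" or "DISCARD"
    spi: Optional[int] = None

    def matches(self, local_ip, remote_ip, proto, lport, rport):
        if ipaddress.ip_address(local_ip) not in ipaddress.ip_network(self.local):
            return False
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.remote):
            return False
        if self.protocol is not None and proto != self.protocol:
            return False
        if self.local_port is not None and lport != self.local_port:
            return False
        if self.remote_port is not None and rport != self.remote_port:
            return False
        return True


def lookup_outbound(spd, src, dst, proto, sport, dport):
    """Ordered search: the first matching entry decides. For an outbound packet
    the local selector is the source and the remote selector the destination.
    A packet matching no entry is discarded (the RFC 4301 default)."""
    for entry in spd:
        if entry.matches(src, dst, proto, sport, dport):
            return entry.action, entry.spi
    return "DISCARD", None


class OutboundSA:
    """Sender side of one SA: the 32-bit sequence counter must not wrap, so the
    SA has to be rekeyed before the counter reaches 2^32 - 1."""
    MAX_SEQ = 2**32 - 1

    def __init__(self, spi, start=0):
        self.spi = spi
        self.seq = start

    def next_sequence(self):
        if self.seq >= self.MAX_SEQ:
            raise RuntimeError("sequence counter overflow on SPI %#x: rekey the SA" % self.spi)
        self.seq += 1
        return self.seq


class AntiReplayWindow:
    """Receiver side: sliding bitmap over the last `size` sequence numbers.
    Bit i of `bitmap` records whether number `highest - i` was already accepted."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False                       # first valid sequence number is 1
        if seq > self.highest:
            shift = seq - self.highest         # advance the window to the right
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1                # jumped past the whole window
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                       # older than the window: reject
        if (self.bitmap >> offset) & 1:
            return False                       # already seen: replay
        self.bitmap |= 1 << offset
        return True


def replay_trace(window_size, sequence_numbers):
    """Run a received trace through one window; list each accept/reject decision."""
    w = AntiReplayWindow(window_size)
    return [w.check_and_update(s) for s in sequence_numbers]


# Constructed SPD: LAN-local traffic bypasses IPsec, telnet (TCP/23) to anywhere
# is discarded, site-to-site traffic is protected; anything else hits the default.
SPD = [
    SPDEntry("10.0.0.0/24", "10.0.0.0/24", None, None, None, "BYPASS"),
    SPDEntry("0.0.0.0/0", "0.0.0.0/0", 6, None, 23, "DISCARD"),
    SPDEntry("10.0.0.0/24", "192.168.1.0/24", None, None, None, "PROTECT", spi=0x1001),
]

if __name__ == "__main__":
    print(lookup_outbound(SPD, "10.0.0.5", "192.168.1.7", 6, 51000, 443))
    print(replay_trace(8, [1, 3, 2, 2, 12, 4, 5, 12]))
```

The entry order matters: with the DISCARD entry for telnet placed before the PROTECT entry, a telnet packet to the partner site is dropped rather than tunnelled, which is the ordered-search behaviour the SPD relies on. In the replay trace, a late-but-unseen number (2 after 3) is accepted, a duplicate is rejected, and a number that has fallen behind the window is rejected even though it was never seen.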
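The IKE features above (cookies against clogging, nonces against replay, the exchange of Diffie-Hellman public values) are illustrated by the following added example, written for this page and not taken from the slides or from any IKE implementation. The group parameters are toy values chosen here (a real exchange uses the negotiated standard group), the cookie construction only follows the general idea of a stateless, secret-keyed cookie echoed by the initiator, and the key derivation copies the shape of IKEv2's SKEYSEED = prf(Ni | Nr, g^ir) from RFC 7296; authentication of the exchange (feature 5) is outside what this sketch models.

```python
"""Constructed sketch of IKE key determination: stateless cookies before any
Diffie-Hellman work, nonces folded into the derived key, and the DH exchange.
Added example with toy group parameters (assumption); not real IKE code."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman "group": a Mersenne prime and a small base, for demonstration only.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Shared secret g^(xy) mod p; degenerate public values are rejected."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, priv, P)


def derive_key(ni, nr, shared):
    """Key seed keyed by both nonces over g^ir (shape of IKEv2 SKEYSEED):
    replaying an old DH value against a fresh nonce still yields a fresh key."""
    gir = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(ni + nr, gir, hashlib.sha256).digest()


class Responder:
    """The responder does no exponentiation and keeps no state until the
    initiator echoes a cookie, proving it can receive at its claimed address."""

    def __init__(self):
        self._cookie_secret = secrets.token_bytes(32)  # rotated periodically in practice
        self.key = None

    def cookie_for(self, initiator_addr):
        # Stateless: recomputable from the claimed address and a local secret.
        return hmac.new(self._cookie_secret, initiator_addr.encode(), hashlib.sha256).digest()[:16]

    def handle(self, initiator_addr, cookie, ni, initiator_pub):
        if cookie is None:
            # First contact: reply with a cookie only, no DH work done.
            return {"cookie": self.cookie_for(initiator_addr)}
        if not hmac.compare_digest(cookie, self.cookie_for(initiator_addr)):
            raise ValueError("bad cookie")
        xr, yr = dh_keypair()
        nr = secrets.token_bytes(16)
        self.key = derive_key(ni, nr, dh_shared(xr, initiator_pub))
        return {"nr": nr, "pub": yr}


def run_exchange(initiator_addr="203.0.113.10"):
    """Full initiator/responder run; True when both sides derive the same key."""
    responder = Responder()
    ni = secrets.token_bytes(16)
    xi, yi = dh_keypair()
    first = responder.handle(initiator_addr, None, ni, yi)            # cookie comes back
    reply = responder.handle(initiator_addr, first["cookie"], ni, yi)  # now DH happens
    ki = derive_key(ni, reply["nr"], dh_shared(xi, reply["pub"]))
    return hmac.compare_digest(ki, responder.key)


if __name__ == "__main__":
    print("keys agree:", run_exchange())
```

The clogging defence is the ordering inside `Responder.handle`: a request without a valid cookie costs the responder one HMAC and no memory, so a flood of first messages cannot make it perform modular exponentiations or allocate half-open state. The nonces enter the key derivation on both sides, which is what makes a recorded exchange useless for replay even if the same DH public values were reused.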

  • Winter '12
  • praveen
  • IP address, Internet Key Exchange
