09_ipsec - IPSEC: AH and ESP Markus Hidell mahidell@kth.se...

1 IPSEC: AH and ESP
Markus Hidell, mahidell@kth.se
Based on material by Vitaly Shmatikov, Univ. of Texas, and by the previous course teachers
2 Reading
• Kaufman, chapter 16-17
3 TCP/IP Example
(figure only)
4 IP Security Issues
• Eavesdropping
• Modification of packets in transit
• Identity spoofing (forged source IP addresses)
• Denial of service
• Many solutions are application-specific
– TLS for Web, S/MIME for email, SSH for remote login
• IPsec aims to provide a framework of open standards for secure communications over IP
– Protect every protocol running on top of IPv4 and IPv6
5 Operating system layers
• SSL (Secure Socket Layer) changes the API to TCP/IP
– Applications change, but OS doesn't
• IPSec implemented in OS
– Applications and API remain unchanged (at least in theory)
• To make full use of IPSec, API and apps have to change!
– and accordingly also the applications
(figure: protocol stack. User process: App., Socket API. OS kernel: TCP, IP, L2, L1, Device driver. Interface specific.)
6 Overview of IPsec
• Authenticated Keying
– Internet Key Exchange (IKE)
• Next part of the lecture
• Data Encapsulation
– ESP: IP Encapsulating Security Payload (RFC 4303)
– AH: IP Authentication Header (RFC 4302)
• Security Architecture (RFC 4301)
– Tunnel/transport Mode
– Databases (Security Association, Policy, Peer Authorization)
7 IPsec = AH + ESP + IKE
(figure: IPsec, network layer security, protection for IP traffic. AH: provides integrity and origin authentication. ESP: also confidentiality. IKE: sets up keys and algorithms for AH and ESP.)
• AH and ESP rely on an existing security association
– Idea: parties must share a set of secret keys and agree on each other's IP addresses and crypto algorithms
• Internet Key Exchange (IKE)
– Goal: establish security association for AH and ESP
– If IKE is broken, AH and ESP provide no protection!
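A toy, AH-style origin-authentication check added here to illustrate slide 7; it is not part of the slides or of any IPsec implementation. The security association is modelled as the SPI, the peers' addresses and a shared HMAC key (all values constructed), the ICV is a keyed MAC over the fields that must not change in transit (real AH per RFC 4302 also covers the remaining IP header with mutable fields zeroed), and the names SecurityAssociation, build_ah_packet and verify_ah_packet are this example's own.

```python
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityAssociation:
    """One SAD entry: what the two peers agreed on (normally via IKE)."""
    spi: int          # Security Parameter Index carried in the AH header
    src: str          # source IP address of the protected packets
    dst: str          # destination IP address
    key: bytes        # shared HMAC key, known only to the two peers
    mac_alg: str = "sha256"


def ah_icv(key, mac_alg, src, dst, spi, seq, payload):
    """Integrity Check Value over addresses, SPI, sequence number and payload.
    Simplification: real AH covers the whole IP header with mutable fields
    zeroed; the 16-byte truncation is likewise just for this example."""
    covered = (src.encode() + b"|" + dst.encode()
               + struct.pack("!II", spi, seq) + payload)
    return hmac.new(key, covered, mac_alg).digest()[:16]


def build_ah_packet(sa, seq, payload):
    """Sender: emit the packet fields together with their ICV."""
    icv = ah_icv(sa.key, sa.mac_alg, sa.src, sa.dst, sa.spi, seq, payload)
    return {"src": sa.src, "dst": sa.dst, "spi": sa.spi,
            "seq": seq, "icv": icv, "payload": payload}


def verify_ah_packet(sad, pkt):
    """Receiver: look the SA up by SPI, recompute the ICV over the fields as
    received, compare in constant time. Any modified or spoofed field fails;
    a forger who knows the key (IKE broken) is not detected."""
    sa = sad.get(pkt["spi"])
    if sa is None:
        return False  # no SA for this SPI: drop (RFC 4301 behaviour)
    expected = ah_icv(sa.key, sa.mac_alg, pkt["src"], pkt["dst"],
                      pkt["spi"], pkt["seq"], pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


# Constructed SA, as if IKE had negotiated it between 10.0.0.1 and 10.0.0.2.
SA = SecurityAssociation(spi=0x1000, src="10.0.0.1", dst="10.0.0.2",
                         key=b"constructed-demo-key")
SAD = {SA.spi: SA}

if __name__ == "__main__":
    pkt = build_ah_packet(SA, seq=1, payload=b"GET / HTTP/1.0")
    print("genuine:", verify_ah_packet(SAD, pkt))
    print("modified:", verify_ah_packet(SAD, {**pkt, "payload": b"GET /x"}))
    print("spoofed src:", verify_ah_packet(SAD, {**pkt, "src": "10.0.0.99"}))
```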
8 IPsec Security Services
• Authentication and integrity for packet sources
– Ensures connectionless integrity (for a single packet) and partial