l16 Security 3: secure protocols - IPSec, TLS, and DNSSEC

IPSec, TLS, and DNSSEC
Three Major Secure Protocols
- Last lecture presented mechanisms
- This lecture presents 3 examples of their use
  - Layer 3: IPSec
  - Layer 4: TLS
  - Layer 7: DNSSEC

IPSec Overview
- Layer 3: between hosts, covers both IPv4 and IPv6 [RFC 4301]
- AH: IP Authentication Header (implementations MAY support it, [RFC 4302])
- ESP: Encapsulating Security Payload (implementations MUST support it, [RFC 4303])
- Very comprehensive: this lecture will only cover some of the basics (no multicast, combined ESP+AH, IPv6 specifics, etc.)

IPSec Operation [RFC 4301]
- Hosts can use IPSec directly ("transport mode")
- Security gateways can tunnel traffic through IPSec ("tunnel mode")
- Security Associations (SAs) specify the security services (protocol, algorithms, keys) applied to traffic in one direction; an SA is simplex, not a two-way connection
  - Bi-directional traffic requires two SAs, one per direction
  - The Security Parameters Index (SPI) field in the packet identifies the SA for unicast traffic; the receiver looks the SA up by SPI (optionally together with destination address and protocol)
- Security Association Database (SAD) maintained at each endpoint
  - Packets are processed according to the SA they map to; which traffic gets which SA is decided by policy selectors such as src/dest IP address (the Security Policy Database, SPD)
  - The SAD is populated either by hand (manual keying) or by a key-management protocol such as IKE; the lecture calls this "semi-manual" management

Transport Mode vs. Tunnel Mode
- Transport mode protects the transport-layer payload directly
  - Next header is TCP (6), UDP (17), etc.
  - The IPsec header sits between the original IP header and the transport header; the original IP addresses stay in the clear as the outer addresses
- Tunnel mode encapsulates the entire IP packet
  - Next header is IP (4 for an IPv4 inner packet)
  - A new outer IP header carries separate source and destination addresses (e.g. the two security gateways); the inner header with the original endpoints is protected along with the payload

Encapsulating Security Payload [RFC 4303]
- Provides confidentiality, integrity, or both
- The outer IP header carries prot=50 for ESP (51 is AH)
- Packet layout, in wire order:

  IP header:  v | pktlen | prot=50 | checksum | src IP address | dest IP address
  ESP:        Security Parameter Index (SPI) | Sequence Number | Payload | Padding | plen | nhdr | integrity tag

  - Encrypted data: Payload, Padding, plen (pad length) and nhdr (next header)
  - MACed data (covered by the integrity tag): SPI, Sequence Number, and the encrypted data; the tag is computed over the ciphertext, so the receiver can reject forgeries before decrypting
- Next header field specifies the payload type (what the decrypted payload is)

Transport vs. Tunnel Mode (ESP over IPv4)

  Transport mode (TCP):
    IP header (v, pktlen, prot=50, checksum, src IP address, dest IP address)
    SPI | Sequence Number
    encrypted: TCP header (src port, dest port, Sequence Number, Acknowledgment Number, rest of TCP header), payload | Padding | plen | nhdr=6
    integrity tag

  Tunnel mode (IPv4, TCP):
    outer IP header (v, pktlen, prot=50, checksum, gateway src IP address, gateway dest IP address)
    SPI | Sequence Number
    encrypted: inner IP header (v, pktlen, prot=6, checksum, original src IP address, original dest IP address) | TCP header, payload | Padding | plen | nhdr=4
    integrity tag

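The two layouts above, together with the transport vs. tunnel distinction from the earlier slide, as working code. This is an added example, not part of the lecture: it builds and verifies ESP packets for an integrity-only SA using NULL encryption (RFC 2410) with HMAC-SHA-256-128 (RFC 4868), a legitimate ESP configuration that needs only the Python standard library; a real SA would normally encrypt with AES-CBC or a combined-mode cipher such as AES-GCM, which is not shown here. The key, SPI values, TCP segment and inner IPv4 header are constructed sample data. The code shows exactly which bytes the integrity tag covers, the 4-byte alignment of the trailer, and the next-header values 6 (transport) and 4 (tunnel).

```python
import hmac
import hashlib
import struct

IPPROTO_ESP = 50       # protocol number in the outer IP header for ESP (AH is 51)
NH_IPV4 = 4            # ESP next header in tunnel mode: payload is a whole IPv4 packet
NH_TCP = 6             # ESP next header in transport mode over TCP
ICV_LEN = 16           # HMAC-SHA-256-128 (RFC 4868): 256-bit MAC truncated to 128 bits


def esp_padding(payload_len: int) -> bytes:
    """RFC 4303 default padding (1, 2, 3, ...), sized so that payload + padding +
    the 2-byte trailer (pad length, next header) ends on a 4-byte boundary."""
    pad_len = (-(payload_len + 2)) % 4
    return bytes(range(1, pad_len + 1))


def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    """Build an ESP packet (everything after the outer IP header) for an
    integrity-only SA: NULL encryption, so the 'ciphertext' equals the plaintext."""
    header = struct.pack("!II", spi, seq & 0xFFFFFFFF)   # only the low 32 bits of seq go on the wire
    pad = esp_padding(len(payload))
    trailer = struct.pack("!BB", len(pad), next_header)
    encrypted = payload + pad + trailer                  # the region a real cipher would encrypt
    # The ICV covers SPI, sequence number and the (would-be) ciphertext, nothing else.
    icv = hmac.new(key, header + encrypted, hashlib.sha256).digest()[:ICV_LEN]
    return header + encrypted + icv


def esp_decapsulate(packet: bytes, key: bytes):
    """Verify the ICV first, then parse. Returns (spi, seq_lo, next_header, payload)."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")         # a real receiver drops the packet silently
    spi, seq_lo = struct.unpack("!II", authed[:8])
    pad_len, next_header = struct.unpack("!BB", authed[-2:])
    body = authed[8:-2]
    if pad_len > len(body):
        raise ValueError("bad pad length")
    payload, pad = body[:len(body) - pad_len], body[len(body) - pad_len:]
    if pad != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding")
    return spi, seq_lo, next_header, payload


# Constructed sample data (not captured traffic): a 32-byte key, a 20-byte TCP SYN
# and a 20-byte inner IPv4 header with the checksum left as 0.
KEY = bytes(range(32))
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
INNER_IPV4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(TCP_SYN), 0x1234, 0x4000,
                         64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def transport_mode_packet(spi: int = 0x1000, seq: int = 1) -> bytes:
    """Transport mode: the payload is the TCP segment, next header = 6."""
    return esp_encapsulate(spi, seq, TCP_SYN, NH_TCP, KEY)


def tunnel_mode_packet(spi: int = 0x2000, seq: int = 1) -> bytes:
    """Tunnel mode: the payload is the whole inner IPv4 packet, next header = 4."""
    return esp_encapsulate(spi, seq, INNER_IPV4 + TCP_SYN, NH_IPV4, KEY)


def tamper_detected(packet: bytes, key: bytes = KEY) -> bool:
    """Flip one bit inside the protected payload region; decapsulation must reject it."""
    broken = bytearray(packet)
    broken[12] ^= 0x01
    try:
        esp_decapsulate(bytes(broken), key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name, pkt in (("transport", transport_mode_packet()), ("tunnel", tunnel_mode_packet())):
        spi, seq, nh, payload = esp_decapsulate(pkt, KEY)
        print(f"{name}: spi=0x{spi:x} seq={seq} next_header={nh} payload={len(payload)} bytes "
              f"tamper_detected={tamper_detected(pkt)}")
```

Because the trailer is 4-byte aligned, a transport-mode packet carrying a 20-byte TCP header comes out at 48 bytes (8 header, 20 payload, 2 pad, 2 trailer, 16 ICV). Note that the ICV check runs before any field of the trailer is trusted; parsing pad length or next header from unauthenticated bytes is exactly the kind of mistake encryption-only ESP invites.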
ESP Algorithm Support Complications
- Some algorithms require an initialization vector (IV), e.g. CBC modes; the IV travels at the front of the Payload field, in the clear
- Some algorithms integrate confidentiality and integrity ("combined mode algorithms", e.g. AES-GCM [RFC 4106])
  - The integrity tag is then produced by the cipher itself rather than by a separate MAC
  - If such an algorithm cannot authenticate the cleartext SPI and sequence number as additional data, they must be repeated inside the encrypted payload so that they are still integrity-protected
- The algorithm specification can define the payload substructure (data prepended or appended to the plaintext, such as the IV or an explicit nonce)

ESP details
- Must avoid replays
  - Sender keeps a per-SA counter; with Extended Sequence Numbers (ESN) it is 64 bits, and both sides track the high-order 32 bits implicitly
  - Only the low 32 bits of the sequence number appear in the packet; the receiver infers the high 32 bits from the highest sequence number it has already authenticated (this only breaks if more than about 2^32, roughly 4 billion, consecutive packets are lost)
  - Receiver must accept some packets out of order: a sliding anti-replay window of at least 32 packets (64 is the recommended default), rejecting anything below the window or already seen within it
  - The counter must never wrap: a sender has to establish a new SA before the sequence number cycles
- Support for traffic flow confidentiality (TFC)
  - Can pad packets to a fixed length (TFC padding is added after the payload and is discarded by the receiver)
  - Can send dummy packets, marked with next header 59 ("no next header"), which the receiver silently drops
- Support for encryption without a MAC: RFC 4303 permits encryption-only SAs but warns against them, because unauthenticated ciphertext can be manipulated without detection (e.g. bit flips in CBC); in practice always configure an integrity algorithm or a combined-mode cipher


This note was uploaded on 04/02/2012 for the course CS 144 at Stanford.