IP Security - PowerPoint PPT Presentation

About This Presentation
Title:

IP Security

Description:

IP Security. By. Gauri Durve. Lakshmi Vempati. 11/12/09. IP Security. 2. IP benefits. The Internet Protocol (IP) underlies the vast majority of large corporate, ... – PowerPoint PPT presentation

Slides: 30
Provided by: bip83
Learn more at: http://www.cs.sjsu.edu

Transcript and Presenter's Notes

Title: IP Security


1
IP Security
  • By
  • Gauri Durve
  • Lakshmi Vempati

2
IP benefits
  • The Internet Protocol (IP) underlies the
    vast majority of large corporate and academic
    networks, as well as the Internet.
  • IP's strength lies in its easily and flexibly
    routed packets.

3
IP vulnerabilities
  • Spoofing: one machine on the network masquerades
    as another.
  • Sniffing: an eavesdropper listens in on a
    transmission between two other parties.
  • Session hijacking: a sophisticated attacker
    employing the above techniques takes over an
    established session and masquerades as one of the
    communicating parties.

4
Security needs
  • Authentication: The person with whom you
    are communicating really is that person.
  • Confidentiality: No one can eavesdrop on your
    communication.
  • Integrity: The communication you have received has
    not been altered in any way during transmission.
  • Anti-replay: Detect replayed packets.

5
IPSec Protocol Suite
  • A set of IP extensions that provide security
    services at the network level
  • Adds services to the IP layer in a way that is
    compatible with IPv4 and mandatory in the
    upcoming IPv6
  • Provides security to all the packets of
    applications in a transparent way
  • No requirement to change the applications to
    support security

6
IPSec contd..
  • IPSec
      • Authentication: AH
      • Encryption: ESP
      • Key Management: IKE

7
Security Association
  • SAs define a set of communication parameters
      • Conduct: authenticate and/or encrypt?
      • Encryption strength and algorithm?
      • Keys: which to use, and for how long?
  • Stored in the Security Association database
  • Identified by the SPI of the received packet.

8
SA Contd..
  • Defined by the triple (SPI, destination address,
    flag)
  • Allows different levels of security to be applied
    to different streams of packets, all running
    through the same physical interface.
  • An SA is a one-way relationship
  • For secure two-way traffic, two SAs are required

9
SPI(Security Parameter Index)
  • An arbitrary 32-bit number that represents the SA
    to be used
  • Chosen by the destination
  • The SPI, together with the SA concept, makes
    keeping track of keys and protocols easy and
    automatic.
  • Cannot be encrypted in the packet, because the
    receiver uses it to work out how to decrypt the packet

10
Security Policy Database
  • Specifies which packets should be
      • dropped completely
      • forwarded or accepted without IPSec
        protection
      • protected by IPSec
  • Decisions in theory could be based on any fields
    in the packet

11
Authentication Header
  • Provides authentication services but does not
    provide encryption services
  • Protects the external IP header, along with the
    entire contents of the packet
  • AH has the following roles to perform
      • Authentication of messages (data integrity)
      • Authenticating the data origins
      • Anti-replay protection

12
AH and IP Headers
13
The AH Header Format
14
ESP: Encapsulating Security Payload
  • Data Integrity
  • Data Source Authentication
  • Anti-replay Protection
  • Data Confidentiality

15
ESP and IP Headers
  • Diagram labels: IP Header, TCP Header, User Data
16
ESP Packet Format
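  • Fields, in packet order
      • SPI (Security Parameter Index)
      • Sequence Number Field
      • Variable Length Payload (User data)
      • 0-255 Bytes of Padding
      • Pad Length
      • Next Header
      • Variable length Authentication Data
  • Diagram brackets: Authentication, Encryption
    (the fields covered by each service)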
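
The ESP field layout above, as an added example that is not part of the original slides: it builds and parses one ESP packet and checks the Authentication Data before trusting any field. It assumes NULL encryption (RFC 2410) so the trailer stays readable and HMAC-SHA1-96 as the authentication transform; the function names, key and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # assumed transform: HMAC-SHA1-96 truncates the MAC to 96 bits


def build_esp(spi, seq, payload, next_header, auth_key):
    """Build an ESP packet with NULL encryption (payload left in the clear)."""
    pad_len = -(len(payload) + 2) % 4        # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))   # default padding bytes 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding
    body += struct.pack("!BB", pad_len, next_header)
    # Authentication covers SPI through Next Header; the ICV itself is appended.
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def parse_esp(packet, auth_key):
    """Verify the ICV, then split the fields. Returns None if the packet is invalid.

    A real receiver first reads the cleartext SPI to find the SA (and its keys);
    here the key is passed in directly.
    """
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None                          # altered in transit or wrong SA
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10:             # padding cannot exceed the payload area
        return None
    payload = body[8:len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "payload": payload,
            "pad_len": pad_len, "next_header": next_header}


if __name__ == "__main__":
    key = b"k" * 20                          # constructed sample key
    pkt = build_esp(0x1001, 1, b"hello", 6, key)  # next header 6 = TCP
    print(pkt.hex())
    print(parse_esp(pkt, key))
```
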
17
Transport vs. Tunnel Mode
  • Two ways to construct secure connections
      • Transport Mode: used in hosts
      • Tunnel Mode: used in hosts and routers

18
Transport Mode
19
Tunnel Mode
20
IPSec Implementations
  • IP Stack Native
      • Integration of IPSec into the native IP
        implementation.
  • Bump-in-the-stack (BITS)
      • IPSec is implemented "underneath" an existing
        implementation of an IP protocol stack.
  • Bump-in-the-wire (BITW)
      • Use of an outboard crypto processor

21
Trusted / Untrusted
  • Diagram labels: Trusted, Untrusted, Internet,
    Security Gateway, LAN, WAN
  • Protocol stack labels: App, IKE, UDP, TCP, IPSEC, IP

22
Making the Forwarding Decision
  • The decision to discard, bypass, or protect a packet
    is made by checking a Security Policy Database
    (SPD)
  • Each SPD entry defines
      • The traffic to protect
      • How to protect it
      • With whom the protection is shared
  • If the packet requires protection, the SPD
    indicates the SA to use.

23
IPSec Flow
  • Outbound
      • Look for a matching entry in the SPD:
        Apply, Bypass, or Discard
      • If (Apply), get the SA
      • If (found): ESP out / AH out
      • If (not found): call IKE
  • Inbound
      • Look for a matching entry in the SAD
      • If (not found), then discard
      • If (found): ESP in / AH in
      • Check with the policy (SPD entry)
      • If (match), deliver; else discard
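
The outbound and inbound decisions above, as an added example that is not part of the original slides: a small model of the SPD and SAD lookups for one host. The policy entries, addresses (documentation ranges), SPI values and function names are all constructed for illustration, and the SAD key uses the protocol name for the third element of the triple.

```python
import ipaddress

# Constructed SPD for host 10.1.1.5; first match wins: (source, destination, action).
SPD = [
    ("10.0.0.0/8", "192.0.2.0/24", "apply"),
    ("192.0.2.0/24", "10.0.0.0/8", "apply"),
    ("10.0.0.0/8", "198.51.100.0/24", "bypass"),
    ("0.0.0.0/0", "0.0.0.0/0", "discard"),
]

# Constructed SAD keyed by (SPI, destination address, protocol).
# An SA is one-way, so two-way traffic with 192.0.2.10 needs two entries.
SAD = {
    (0x1001, "192.0.2.10", "ESP"): {"src": "10.1.1.5"},   # outbound SA
    (0x2002, "10.1.1.5", "ESP"): {"src": "192.0.2.10"},   # inbound SA
}


def spd_lookup(src, dst):
    """Return the action of the first SPD entry matching the packet."""
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s_net, d_net, action in SPD:
        if s_ip in ipaddress.ip_network(s_net) and d_ip in ipaddress.ip_network(d_net):
            return action
    return "discard"


def outbound(src, dst):
    """SPD first; if the policy says apply, find the SA or ask IKE for one."""
    action = spd_lookup(src, dst)
    if action != "apply":
        return action
    for (spi, sa_dst, proto), sa in SAD.items():
        if sa_dst == dst and sa["src"] == src:
            return f"{proto} out, SPI {spi:#x}"
    return "call IKE"


def inbound(spi, src, dst, proto):
    """SAD first (by the cleartext SPI); then check the result against policy."""
    sa = SAD.get((spi, dst, proto))
    if sa is None:
        return "discard"
    # ESP in / AH in processing (verify, decrypt) would run here.
    if sa["src"] == src and spd_lookup(src, dst) == "apply":
        return "deliver"
    return "discard"


if __name__ == "__main__":
    print(outbound("10.1.1.5", "192.0.2.10"))
    print(inbound(0x2002, "192.0.2.10", "10.1.1.5", "ESP"))
```
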

24
Internet Key Exchange (IKE)
  • Provides a way for peers to agree on the
    protocol, algorithm, and keys to be used
  • Used in conjunction with IPSec
  • Defined by the IETF in RFC 2409
  • Based on the key management protocols Internet
    Security Association and Key Management Protocol
    (ISAKMP, RFC 2408) and Oakley (RFC 2412)
  • Provides a way to exchange key-generating
    material using the Diffie-Hellman algorithm

25
Phases of IKE
  • IKE functions in two phases
      • Phase I: establishing the IKE SA
      • Phase II: establishing the general purpose SA

26
IKE contd..
  • IKE provides
      • Negotiation Services
      • Primary Authentication Services
      • Key Management
      • Exchange of material for key generation

27
Conclusion
  • IP Security is preferred over application level
    security.
  • Integrity and Confidentiality can be achieved
    through IPSec.
  • IKE provides perfect forward secrecy.
  • Usage of standard algorithms makes IPSec more
    powerful.

28
References
  • http://www.cid.alcatel.com/doctypes/technewbridgenote/pdf/ipsec_nn.pdf
  • http://www.ietf.org/rfc/rfc1827.txt (obsoleted by
    RFC 2406)
  • http://www.ietf.org/rfc/rfc2406.txt
  • http://www.ietf.org/rfc/rfc2401.txt

29
  • Thank You