Transcript Slide 1
IP Security By Chetan Dhakan What is IP Security? - IP security refers to security mechanisms implemented at the IP (Internet Protocol) Layer to ensure integrity, authentication and confidentiality of data during transmission in the open Internet environment. - A common protocol used is IPsec, which is developed by IETF (Internet Engineering Task Force), the main standards organization for the Internet. What is TCP/IP? TCP/IP (Transmission Control Protocol/Internet Protocol) is a set of protocols that enable communication between Computers. It is the most widely used suite of communication protocol used, and is required for Communication on the Internet. Features of TCP/IP Support from vendors -TCP/IP receives support from major software and hardware vendors. Interoperability -A reason for its popularity is that the suite can be installed and used on virtually every platform. It eliminates cross platform boundaries. Eg. A unix host can communicate and transfer data to a windows host. Flexibility - It is a very flexible protocol suite, giving the users flexibility in a number of aspects. Eg. An administrator can automatically or manually assign an IP address to a host, and TCP/IP converts it to a easy name. Routability - TCP/IP lets the routing of data from one segment of the network to another, or from a host on a network to another in a different part of the world. The origins of the Internet: ARPAnet The Internet was originally conceived by the Advanced Research Project Agency (ARPA) of the U.S. government in 1969 and was known as ARPAnet. It was designed to enable U.S. military leaders to stay in contact in case of a nuclear war. The protocol used in ARPAnet was called Network Control Protocol (NCP). The protocol had too many limitations and was not robust enough for the super network, which was in development. After a lot of testing and development, on Jan 1, 1983 ARPRAnet switched to TCP/IP What are Protocols? A Protocol is a rule or set of rules and standards for communicating that computers use when they send data back and forth. When two computers want to communicate they need to communicate on the what the data will look like or placement of 1s and 0s and the protocols to use. A combination of protocols is called a protocol suite or a protocol stack. Examples include IPX/SPX, Apple Talk, TCP/IP. The OSI Reference Model The Open Standards Interconnection (OSI) Model is made up of seven layers and is used to break down the many tasks involved in moving data from one host to another. The OSI model acts as a baseline for creating and comparing networking protocols. The Seven Layers of the OSI Model Application Layer -The purpose is to manage communication between applications. - The layer where applications receive and request data. Presentation Layer - Adds structure to packets of data being exchanged. - Makes sure message transmitted is understood by the receiving computer. Session Layer - Controls the dialogue during communications. - Allows machines to establish sessions between them. Transport Layer - It can guarantee that the packets are received. - Determines the type of service to provide to the Session layer. The Seven Layers of the OSI Model Network Layer - Is responsible for routing the packets based on its logical address. Data-Link Layer - Is where data is prepared for final delivery to the network. The packet is encapsulated into a frame. - Made up of two sub layers: Logical Link Control sub layer (LLC) and the Media Access Control sub layer (MAC). Physical Layer - This is concerned with transmitting raw bits over a communication layer. IP Security Overview - IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication. IP Security Overview Applications of IPSec Secure branch office connectivity over the Internet Secure remote access over the Internet Establsihing extranet and intranet connectivity with partners Enhancing electronic commerce security IP Security functional areas Authentication - Assures the received packet was transmitted by the party identified as the source. Confidentiality - Protection of data content during transmission from third parties. Key Management - Is concerned with the secure exchange of keys. How can IP Security be achieved? There are two specific headers that can be attached to IP packet to achieve security. They are the IP Authentication Header (AH) and the IP Encapsulating Security Payload (ESP) header. The IP Authentication Header (AH) is used to provide connectionless integrity and data origin authentication for IP datagrams and protection against replays. The IP Encapsulating Security Payload (ESP) header provides integrity, authentication, and confidentiality to IP datagrams . IP Security Scenario IP Security Overview Benefits of IPSec Transparent to applications (below transport layer (TCP, UDP) Provide security for individual users IPSec can assure that: A router or neighbor advertisement comes from an authorized router A redirect message comes from the router to which the initial packet was sent A routing update is not forged IP Security Architecture IPSec documents: RFC 2401: An overview of security architecture RFC 2402: Description of a packet encryption extension to IPv4 and IPv6 RFC 2406: Description of a packet emcryption extension to IPv4 and IPv6 RFC 2408: Specification of key managament capabilities IPSec Document Overview IPSec Services Access Control Connectionless integrity Data origin authentication Rejection of replayed packets Confidentiality (encryption) Limited traffic flow confidentiallity Security Associations (SA) A one way relationsship between a sender and a receiver. Identified by three parameters: Security Parameter Index (SPI) IP Destination address Security Protocol Identifier Transport Mode SA Tunnel Mode SA AH Authenticates IP payload and selected portions of IP header and IPv6 extension headers Authenticates entire inner IP packet plus selected portions of outer IP header ESP Encrypts IP payload and any IPv6 extesion header Encrypts inner IP packet ESP with authentication Encrypts IP payload and any IPv6 extesion header. Authenticates IP payload but no IP header Encrypts inner IP packet. Authenticates inner IP packet. Before applying AH Transport Mode (AH Authentication) Tunnel Mode (AH Authentication) Authentication Header Provides support for data integrity and authentication (MAC code) of IP packets. Guards against replay attacks. End-to-end versus End-to-Intermediate Authentication Encapsulating Security Payload ESP provides confidentiality services Encryption and Authentication Algorithms Encryption: Three-key triple DES RC5 IDEA Three-key triple IDEA CAST Blowfish Authentication: HMAC-MD5-96 HMAC-SHA-1-96 ESP Encryption and Authentication ESP Encryption and Authentication Combinations of Security Associations Combinations of Security Associations Combinations of Security Associations Combinations of Security Associations Key Management Two types: Manual Automated Oakley Key Determination Protocol Internet Security Association and Key Management Protocol (ISAKMP) Oakley Three authentication methods: Digital signatures Public-key encryption Symmetric-key encryption ISAKMP Refrences Network Security Essentials by William Stallings http://www.ietf.org/html.charters/ipsec-charter.html http://www.networkmagazine.com/article/NMG20000711 S0001 Good Bye and Have a Nice Day.