Internet Protocol Security An Overview of IPSec

Internet Protocol Security An Overview of IPSec

Outline: What Security Problem? Understanding TCP/IP. Security at What Level? IP Security. IPSec Security Services. Modes of operation. IPSec Security Protocols. Outbound/Inbound IPSec Processing. Real World Deployment Examples.

What Security Problem? Today's Internet is primarily comprised of : Public Un-trusted Unreliable IP networks Because of this inherent lack of security, the Internet is subject to various types of threats

Internet Threats Data integrity The contents of a packet can be accidentally or deliberately modified. Identity spoofing The origin of an IP packet can be forged. Anti-reply attacks Unauthorized data can be retransmitted. Loss of privacy The contents of a packet can be examined in transit.

Understanding TCP/IP OSI Reference Model Application Layer NFS SNMP FTP DNS FTP SMTP Session Layer HTTP Presentation Layer Application Transport Layer TCP, UDP Network Layer IP Logical Link Layer Device Driver Physical Layer Network Adapter

Understanding TCP/IP Encapsulation of Data for Network Delivery Application Layer Original Message

Understanding TCP/IP Encapsulation of Data for Network Delivery Application Layer Transport Layer (TCP, UDP) Original Message Data 3

Understanding TCP/IP Encapsulation of Data for Network Delivery Application Layer Original Message Transport Layer Header 3 Data 3 (TCP, UDP)

Understanding TCP/IP Encapsulation of Data for Network Delivery Application Layer Original Message Transport Layer Header 3 Data 3 (TCP, UDP) Network Layer (IP) Data 2

Understanding TCP/IP Encapsulation of Data for Network Delivery Application Layer Original Message Transport Layer Header 3 Data 3 (TCP, UDP) Network Layer (IP) Header 2 Data 2

Understanding TCP/IP Encapsulation of Data for Network Delivery Application Layer Original Message Transport Layer Header 3 Data 3 (TCP, UDP) Network Layer (IP) Data Link Layer Header 2 Data 2 Data 1

Understanding TCP/IP Encapsulation of Data for Network Delivery Application Layer Original Message Transport Layer Header 3 Data 3 (TCP, UDP) Network Layer (IP) Data Link Header 1 Layer Header 2 Data 2 Data 1

Understanding TCP/IP Packet Sent by Host A Packet Data Link Header 1 Layer Data 1

Understanding TCP/IP Packet Received by intermediary Router Network Layer Data Link Layer

Understanding TCP/IP Packet Received by Host B Packet Data Link Header 1 Layer Data 1

Understanding TCP/IP De-capsulation of Data from Network Delivery Data Link Header 1 Layer Data 1

Understanding TCP/IP De-capsulation of Data from Network Delivery Data Link Layer Data 1

Understanding TCP/IP De-capsulation of Data from Network Delivery Network Layer (IP) Header 2 Data 2

Understanding TCP/IP De-capsulation of Data from Network Delivery Network Layer (IP) Data 2

Understanding TCP/IP De-capsulation of Data from Network Delivery Transport Layer Header 3 Data 3 (TCP, UDP)

Understanding TCP/IP De-capsulation of Data from Network Delivery Transport Layer (TCP, UDP) Data 3

Understanding TCP/IP De-capsulation of Data from Network Delivery Application Layer Original Message

Understanding TCP/IP De-capsulation of Data from Network Delivery Application Layer Original Message

Security at What Level? Application Layer PGP, Kerberos, SSH, etc. Transport Layer Transport Layer Security (TLS) Network Layer IP Security Data Link Layer Hardware encryption

Security at Application Layer (PGP, Kerberos, SSH, etc.) Implemented in end-hosts Advantages - Extend application without involving operating system. Application can understand the data and can provide the appropriate security. Disadvantages - Security mechanisms have to be designed independently of each application.

Security at Transport Layer Transport Layer Security (TLS) Implemented in end-hosts Advantages - Existing applications get security seamlessly Disadvantages - Protocol specific

Security at Network Layer IP Security (IPSec) Advantages - Provides seamless security to application and transport layers (ULPs). Allows per flow or per connection security and thus allows for very fine-grained security control. Disadvantages - More difficult to to exercise on a per user basis on a multi-user machine.

Security at Data Link Layer (Hardware encryption) Need a dedicated link between host/routers. Advantages - Speed. Disadvantages - Not scalable. Need dedicated links.

IP Security (IPSec) IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF). Creates secure, authenticated, reliable communications over IP networks

IPSec Security Services Connectionless integrity Assurance that received traffic has not been modified. Integrity includes anti-reply defenses. Data origin authentication Assurance that traffic is sent by legitimate party or parties. Confidentiality (encryption) Assurance that user’s traffic is not examined by nonauthorized parties. Access control Prevention of unauthorized use of a resource.

IPSec Modes of Operation Transport Mode: protect the upper layer protocols Original IP Datagram IP Header TCP Header Transport Mode protected packet IP Header IPSec Header Data TCP Header Data protected Tunnel Mode: protect the entire IP payload Tunnel Mode protected packet New IP Header IPSec Header Original IP Header protected TCP Header Data

Tunnel Mode Host-to-Network, Network-to-Network Application Layer Transport Layer Application Layer Protected Data Protected Data Internet Internet IP Layer Host A Transport Layer IP Layer IPSec IPSec IP Layer IP Layer SG SG Security Gateway SG Host B

Transport Mode Host-to-Host Application Layer Application Layer Transport Layer Transport Layer IPSec IPSec IP Layer IP Layer Data Link Layer Data Link Layer Host A Host B

IPSec Security Protocols Authentication Header (AH) Encapsulating Security Payload (ESP)

IPSec Security Protocols Authentication Header (AH) provides: - Connectionless integrity - Data origin authentication - Protection against replay attacks Encapsulating Security Payload (ESP) provides: - Confidentiality (encryption) - Connectionless integrity - Data origin authentication - Protection against reply attacks Both protocols may be used alone or applied in combination with each other.

Outbound/Inbound IPSec Processing The inbound and the outbound IPSec processing are completely independent. Packet

Outbound IPSec Processing SPD IPSec policies Packet to c e l e s r SAD SAout 1. Drop the packet. 2. Bypass IPSec. SPD Security Policy Database SAD Security Association Database 3. Apply IPSec. SA Security Association

Inbound IPSec Processing Packet Case 1: If IPSec headers exists 1. 2. Headers are processed. SPD is consulted to determine if the packet can be admitted based on the Sain. SPD IPSec policies SPD Security Policy Database SAD Security Association Database SA Security Association

Inbound IPSec Processing Packet Case 2: If IPSec headers are absent 1. 2. SPD is consulted to determine the type of service to afford this packet. If certain traffic is required to be IPSec protected and its not it must be dropped. SPD IPSec policies SPD Security Policy Database SAD Security Association Database SA Security Association

Real World Deployment Examples VPNs Encrypted / Authenticated Internet SG Wireless Internet

Conclusion The Internet was not created with security in mind. Communications can be altered, examined and exploited. There is a growing need to protect private information crossing the public networks that make up the Internet infrastructure. IPSec is a set of protocols and methodologies to create secure IP connections.

Questions?