Apnic Elearning:: Ipsec Basics
IPSec Basics
Contact: [email protected]
eSEC03_v1.0
Overview
Virtual Private Networks
What is IPsec?
Benefits of IPsec
Tunnel and Transport Mode
IPsec Architecture
Security Associations and ISAKMP
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Internet Key Exchange (IKE)
IPSec Tunnel Creation
VPN Protocols
IPsec
Provides Layer 3 security (RFC 2401, since replaced by RFC 4301)
Transparent to applications (no need for integrated IPsec support)
Why IPsec?
Internet Protocol (IP) is not secure
IP was designed in the early stages of the Internet, when security was not a design goal:
all hosts in the network were known
IPsec Standards
RFC 4301 The IP Security Architecture
Defines the IPsec architecture (replacing RFC 2401) and the elements common to both AH
and ESP
RFC 4302
Defines authentication headers (AH)
RFC 4303
Defines the Encapsulating Security Payload (ESP)
RFC 2408
ISAKMP (used by IKEv1; IKEv2 folds ISAKMP into a single specification)
RFC 5996
IKE v2 (Sept 2010; since obsoleted by RFC 7296)
RFC 4835
Cryptographic algorithm implementation requirements for ESP and AH
Benefits of IPsec
Confidentiality
By encrypting data
Integrity
Routers at each end of a tunnel calculate a keyed hash (integrity check value) over
the data, so modification in transit is detected
Authentication
Pre-shared keys, digital signatures and certificates
All these while still maintaining the ability to route through existing IP
networks
IPsec is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6 - (RFC 2401)
Benefits of IPsec
Offers Confidentiality (encrypting data), Integrity, and
Authentication
Data integrity and source authentication
Data is authenticated by the sender with a keyed hash (ICV) and the ICV is verified by the recipient
Modification of the data is detected because the ICV no longer verifies
Because the ICV is computed with a shared secret, successful verification also authenticates the source
Anti-replay protection
Optional; the sender must always provide the sequence number, but the recipient may ignore it
Key management
Figure: IPsec operates at the network layer, between source and destination
IPsec Modes
Tunnel Mode
The entire original IP packet is protected (encrypted with ESP, authenticated with AH) and becomes the
payload of a new (and larger) IP packet with its own IP header
Frequently used in an IPsec site-to-site VPN
Transport Mode
The IPsec header is inserted into the original IP packet, after its IP header
No new packet is created, so the overhead is smaller
Works well in networks where increasing a packet's size could cause
an issue (e.g. MTU limits)
Frequently used for remote-access VPNs
Packet layout (figure):
Without IPsec:  [IP Header][TCP Header][Payload]
Transport Mode: [IP Header][IPsec Header][TCP Header][Payload]
Tunnel Mode:    [New IP Header][IPsec Header][IP Header][TCP Header][Payload]
IPsec Architecture
Security Protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload)
Key Management: IKE (The Internet Key Exchange)
An SA is unidirectional
Two SAs required for a bidirectional communication
How to Set Up an SA
Manually
Sometimes referred to as manual keying
You configure on each node:
Participating nodes (i.e. traffic selectors)
AH and/or ESP [tunnel or transport]
Cryptographic algorithm, key and SPI (the same values must be entered on both ends)
Automatically
Using IKE (Internet Key Exchange)
ISAKMP
Internet Security Association and Key Management
Protocol
Defined by RFC 2408
Used for establishing Security Associations (SA) and
cryptographic keys
Provides only the framework for authentication and key
exchange; it is independent of the key exchange method
Key exchange protocols
Internet Key Exchange (IKE) and Kerberized Internet Negotiation of
Keys (KINK)
AH in Transport Mode (figure):
Without AH: [Original IP Header][TCP/UDP][Data]
With AH:    [Original IP Header][AH Header][TCP/UDP][Data]
Mutable fields of the IP header (ToS, TTL, Header Checksum, Flags, Offset) are excluded from the AH integrity check; everything else, including the upper-layer data, is authenticated
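A worked illustration of what the AH integrity check value covers, added here as an example; it is not code from this deck or from any IPsec implementation. It builds an IPv4/AH transport-mode packet in Python with HMAC-SHA1-96 (the AH integrity algorithm of RFC 2404), zeroes the mutable fields listed above before computing the ICV, and then shows that a router hop (TTL and checksum change) still verifies while a NAT rewriting the source address breaks verification. The key, addresses and TCP segment are constructed sample data.

```python
"""AH transport mode (RFC 4302) over IPv4: what the ICV covers.
Constructed example, not code from the APNIC deck or any IPsec stack."""
import hashlib
import hmac
import struct

AH_PROTO = 51
AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12        # HMAC-SHA1-96: the 20-byte HMAC-SHA1 truncated to 96 bits


def ipv4_checksum(hdr):
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0):
    """20-byte IPv4 header (DF set, identification 0x1234) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234,
                                0x4000, ttl, proto, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def zero_mutable_fields(ip_hdr):
    """ToS, Flags, Fragment Offset, TTL and Header Checksum may change in transit,
    so RFC 4302 zeroes them before the ICV is computed (and before it is checked)."""
    h = bytearray(ip_hdr)
    h[1] = 0                # ToS / DSCP / ECN
    h[6:8] = b"\x00\x00"    # Flags + Fragment Offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # Header Checksum
    return bytes(h)


def ah_icv(ip_hdr, ah_hdr, upper, key):
    """ICV over: IP header (mutable fields zeroed) | AH header (ICV zeroed) | upper-layer data."""
    covered = zero_mutable_fields(ip_hdr) + ah_hdr + bytes(ICV_LEN) + upper
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_encapsulate(src, dst, upper_proto, upper, spi, seq, key):
    """Transport mode: the AH header sits between the original IP header and the data."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words, minus 2
    ah_hdr = struct.pack("!BBHII", upper_proto, payload_len, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_FIXED_LEN + ICV_LEN + len(upper))
    return ip_hdr + ah_hdr + ah_icv(ip_hdr, ah_hdr, upper, key) + upper


def ah_verify(packet, key):
    """Return (next_header, upper_layer_data) if the ICV verifies, else None."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != AH_PROTO:
        return None
    ah_hdr = packet[20:20 + AH_FIXED_LEN]
    next_hdr, payload_len = ah_hdr[0], ah_hdr[1]
    ah_end = 20 + (payload_len + 2) * 4
    icv, upper = packet[20 + AH_FIXED_LEN:ah_end], packet[ah_end:]
    if len(icv) != ICV_LEN or not hmac.compare_digest(icv, ah_icv(ip_hdr, ah_hdr, upper, key)):
        return None
    return next_hdr, upper


def forward_hop(packet):
    """A router decrements TTL and refreshes the checksum: both mutable, ICV still valid."""
    h = bytearray(packet)
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h[:20])))
    return bytes(h)


def nat_rewrite_src(packet, new_src):
    """A NAT rewrites the source address: an immutable field, so the ICV now fails."""
    h = bytearray(packet)
    h[12:16] = new_src
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h[:20])))
    return bytes(h)


# Constructed sample: a TCP segment (protocol 6) between two private addresses.
KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SEGMENT = b"\x00\x50\x1f\x90" + b"\x00" * 16 + b"hello via AH"
PACKET = ah_encapsulate(SRC, DST, 6, SEGMENT, spi=0x1000, seq=1, key=KEY)

if __name__ == "__main__":
    print("as sent     :", ah_verify(PACKET, KEY) is not None)
    print("after a hop :", ah_verify(forward_hop(PACKET), KEY) is not None)
    print("after NAT   :", ah_verify(nat_rewrite_src(PACKET, bytes([203, 0, 113, 7])), KEY) is not None)
```

The NAT case is the practical consequence of the mutable/immutable split: because the source address is authenticated, AH cannot traverse a NAT, which is one reason ESP is used far more widely.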
ESP in Transport Mode (figure):
Before applying ESP: [Original IP Header][TCP/UDP][Data]
After applying ESP:  [Original IP Header][ESP Header][TCP/UDP][Data][ESP Trailer][ESP Authentication]
Encrypted:     TCP/UDP header, Data and ESP Trailer
Authenticated: ESP Header through ESP Trailer (the original IP header is not covered)
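An added example (not the deck's or any IPsec stack's code) covering both this ESP transport-mode layout and the anti-replay protection listed under the benefits above. It uses ESP-NULL (RFC 2410, a standardised integrity-only cipher) with HMAC-SHA-256-128 so that the ESP trailer, the scope of the ICV and the receiver's sliding replay window can be shown with only the Python standard library; the key, SPI and segments are constructed sample data. The receiver follows the RFC 4303 order: sequence-number check, ICV verification, and only then the window update.

```python
"""ESP transport mode (RFC 4303) with the NULL cipher (RFC 2410) and
HMAC-SHA-256-128, plus the receiver's anti-replay window.
Constructed example, not code from the APNIC deck or any IPsec stack."""
import hashlib
import hmac
import struct

ESP_HDR_LEN = 8     # SPI (4) | Sequence Number (4)
ICV_LEN = 16        # HMAC-SHA-256-128


def esp_icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_encapsulate(next_hdr, payload, spi, seq, auth_key):
    """Header | payload | padding | Pad Length | Next Header | ICV.
    ESP-NULL has block size 1, so padding only brings Pad Length / Next Header
    to a 4-byte boundary; default padding bytes are 1, 2, 3, ... (RFC 4303 2.4)."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    hdr = struct.pack("!II", spi, seq)
    authenticated = hdr + payload + trailer   # ICV covers header..trailer, never the IP header
    return authenticated + esp_icv(auth_key, authenticated)


class ReplayWindow:
    """RFC 4303 3.4.3 sliding window: bit 0 of the bitmap is the highest sequence seen."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def would_accept(self, seq):
        if seq == 0:              # 0 is never a valid ESP sequence number
            return False
        if seq > self.top:        # to the right of the window: new
            return True
        diff = self.top - seq
        return diff < self.size and not (self.bitmap >> diff) & 1

    def update(self, seq):
        """Called only after the ICV verified, so a forged packet cannot move the window."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class InboundSA:
    def __init__(self, spi, auth_key):
        self.spi, self.auth_key, self.window = spi, auth_key, ReplayWindow()

    def receive(self, packet):
        """Return (next_header, payload), or a string naming why the packet was dropped."""
        if len(packet) < ESP_HDR_LEN + 2 + ICV_LEN:
            return "truncated"
        spi, seq = struct.unpack("!II", packet[:ESP_HDR_LEN])
        if spi != self.spi:
            return "unknown SPI"
        if not self.window.would_accept(seq):
            return "replay"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(icv, esp_icv(self.auth_key, body)):
            return "bad ICV"
        self.window.update(seq)
        pad_len, next_hdr = body[-2], body[-1]
        plain = body[ESP_HDR_LEN:-2]          # payload + padding (NULL cipher: not encrypted)
        if pad_len > len(plain) or plain[len(plain) - pad_len:] != bytes(range(1, pad_len + 1)):
            return "bad padding"
        return next_hdr, plain[:len(plain) - pad_len]


def demo():
    """Constructed scenario: in-order packets, a replay, a reorder inside the window,
    a tampered packet, then the genuine copy of the packet that was tampered with."""
    key, spi = b"\x11" * 32, 0x2001
    sa = InboundSA(spi, key)
    pkts = {n: esp_encapsulate(6, b"segment %d" % n, spi, n, key) for n in range(1, 7)}
    tampered = pkts[6][:ESP_HDR_LEN] + bytes([pkts[6][ESP_HDR_LEN] ^ 0x80]) + pkts[6][ESP_HDR_LEN + 1:]
    return [sa.receive(pkts[1]), sa.receive(pkts[2]), sa.receive(pkts[3]),
            sa.receive(pkts[2]),     # replayed sequence number 2
            sa.receive(pkts[5]),     # arrives ahead of 4
            sa.receive(pkts[4]),     # late but inside the window: still accepted
            sa.receive(tampered),    # payload modified: ICV fails, window untouched
            sa.receive(pkts[6])]     # genuine packet 6 is therefore still accepted


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Note the window is only advanced after the ICV verifies; if it were advanced first, an attacker who cannot forge the ICV could still push the window forward with garbage and cause genuine packets to be dropped as "too old".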
AH in Tunnel Mode (figure):
Before applying AH: [Original IP Header][TCP/UDP][Data]
After applying AH:  [New IP Header][AH Header][Original IP Header][TCP/UDP][Data]
Mutable fields of the new IP header (ToS, TTL, Header Checksum, Flags, Offset) are excluded from the integrity check; the encapsulated original IP header and data are authenticated in full
ESP in Tunnel Mode (figure):
Before applying ESP: [Original IP Header][TCP/UDP][Data]
After applying ESP:  [New IP Header][ESP Header][Original IP Header][TCP/UDP][Data][ESP Trailer][ESP Authentication]
Encrypted:     Original IP Header, TCP/UDP header, Data and ESP Trailer
Authenticated: ESP Header through ESP Trailer (the new IP header is not covered)
IKE Modes
Mode            Phase     Description
Main mode       Phase I   Establishes the IKE SA in six messages; peer identities are exchanged encrypted
Aggressive mode Phase I   Establishes the IKE SA in three messages; peer identities are sent in the clear
Quick mode      Phase II  Establishes a secure channel between computers intended for the transmission of data (the IPsec SA)
Overview of IKE (figure)
1. IPsec peers: initiator and responder, connected across the Internet
2. IKE Phase 1: negotiate the IKE policy, perform an authenticated DH exchange, protect the IKE peer identities (encrypted)
3. IKE Phase 2: negotiate the IPsec SA (quick mode)
4. IPsec tunnel: secured traffic exchange
Main mode message flow (figure): initiator and responder each validate the message just received (message 1, message 2, message 3, ...) before sending the next one
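The Phase 1 steps above (DH exchange plus peer authentication), as an added Python example that is not code from this deck or from any IKE implementation. Key agreement uses the RFC 3526 2048-bit MODP group (group 14) and the IKEv2 derivation SKEYSEED = prf(Ni | Nr, g^ir); the pre-shared-key AUTH payload follows the IKEv2 shape prf(prf(PSK, "Key Pad for IKEv2"), octets), but the "octets" are simplified here to the sender's DH value, the peer's nonce and prf(SKEYSEED, ID) rather than a full IKE message. The run_exchange scenario, the identities and the PSK are constructed: with an attacker substituting its own DH values both sides still derive keys (just not the same ones) and only the AUTH check exposes the attack, while a mismatched PSK fails AUTH even though the DH keys agree.

```python
"""IKE-style authenticated Diffie-Hellman (Phase 1 ingredients).
Constructed example, not code from the APNIC deck or any IKE implementation."""
import hashlib
import hmac
import os

# RFC 3526 group 14: 2048-bit MODP prime, generator 2 (transcribed here; see group_is_safe_prime).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
KEY_PAD = b"Key Pad for IKEv2"


def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases; enough to sanity-check a transcribed group prime."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + int.from_bytes(os.urandom(64), "big") % (n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_is_safe_prime():
    """A MODP group prime p must be prime with (p-1)/2 prime too (safe prime)."""
    return is_probable_prime(P) and is_probable_prime((P - 1) // 2)


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    def __init__(self, identity, psk):
        self.identity, self.psk = identity, psk
        self.nonce = os.urandom(32)
        self._x = int.from_bytes(os.urandom(32), "big")   # 256-bit ephemeral private exponent
        self.pub = pow(G, self._x, P)                       # g^x, sent in the clear
        self.skeyseed = None

    def derive(self, peer_pub, ni, nr):
        """SKEYSEED = prf(Ni | Nr, g^ir) as in IKEv2; reject degenerate public values."""
        if not 1 < peer_pub < P - 1:
            raise ValueError("invalid DH public value")
        shared = pow(peer_pub, self._x, P).to_bytes(256, "big")
        self.skeyseed = prf(ni + nr, shared)

    def make_auth(self, peer_nonce):
        """Simplified IKEv2 PSK AUTH: binds our DH value, the peer's nonce and our identity."""
        octets = self.pub.to_bytes(256, "big") + peer_nonce + prf(self.skeyseed, self.identity)
        return prf(prf(self.psk, KEY_PAD), octets)

    def verify_auth(self, auth, peer_pub_as_received, peer_identity):
        octets = peer_pub_as_received.to_bytes(256, "big") + self.nonce + prf(self.skeyseed, peer_identity)
        return hmac.compare_digest(auth, prf(prf(self.psk, KEY_PAD), octets))


def run_exchange(init, resp, mitm=None):
    """Constructed Phase 1 flow. With mitm set, an attacker replaces both DH public
    values with its own (the classic attack on unauthenticated DH) and relays AUTH."""
    ke_i_seen, ke_r_seen = (mitm.pub, mitm.pub) if mitm else (init.pub, resp.pub)
    init.derive(ke_r_seen, init.nonce, resp.nonce)
    resp.derive(ke_i_seen, init.nonce, resp.nonce)
    auth_i, auth_r = init.make_auth(resp.nonce), resp.make_auth(init.nonce)
    ok = (resp.verify_auth(auth_i, ke_i_seen, init.identity)
          and init.verify_auth(auth_r, ke_r_seen, resp.identity))
    return {"auth_ok": ok, "keys_match": init.skeyseed == resp.skeyseed}


if __name__ == "__main__":
    psk = b"constructed-shared-secret"
    print("honest   :", run_exchange(Peer(b"alice", psk), Peer(b"bob", psk)))
    print("mitm     :", run_exchange(Peer(b"alice", psk), Peer(b"bob", psk), mitm=Peer(b"mallory", b"?")))
    print("wrong psk:", run_exchange(Peer(b"alice", psk), Peer(b"bob", b"other")))
```

The point the slide makes with "authenticated DH exchange" is visible in the three outcomes: DH alone gives each side a key but no assurance of who it shares it with, and the AUTH payload is what ties the derived key to the peer's identity and PSK.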
Questions
Please remember to fill out the
feedback form
<survey-link>
Thank You!
End of Session