IP Security
IP Header
IP Security
• IPsec provides authentication, confidentiality, and key management.
• Protects the network infrastructure from unauthorized monitoring and control of network traffic.
• Secures end-user-to-end-user traffic using authentication and encryption mechanisms.
Applications of IPSec
• Secure communications across a LAN, across private and public WANs, and across the Internet:
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing extranet and intranet connectivity with partners
– Enhancing electronic commerce security
An IP Security Scenario
Benefits of IPsec
• IPsec in a firewall provides strong security that can be applied to all traffic
• Resistant to bypass if all traffic from the outside
• There is no need to change software on a user or server system
• IPsec can be transparent to end users
• IPsec can provide security for individual users if needed
Routing Applications
• A router advertisement comes from an authorized router.
• A neighbour advertisement comes from an authorized router.
• A redirect message comes from the router to which the initial IP packet was sent.
• A routing update is not forged.
IPsec Documents
• RFC 6071: IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap
• Architecture: RFC 4301
• Authentication Header (AH): RFC 4302
• Encapsulating Security Payload (ESP): RFC 4303
• Internet Key Exchange (IKE): RFC 5996
IPsec Services
• Two protocols:
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets (a form of partial sequence integrity)
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Transport Mode and Tunnel Mode
IP Security Policy
• Security Association Database (SAD)
• Security Policy Database (SPD)
Security Associations
• A logical connection that affords security services to the traffic carried on it
• Uniquely identified by three parameters:
– Security Parameters Index (SPI)
– IP Destination Address
– Security Protocol Identifier
Security Association Database
• Security Parameter Index
• Sequence Number Counter
• Sequence Counter Overflow
• Anti-Replay Window
• AH Information
• ESP Information
• Lifetime of this Security Association
• IPsec Protocol Mode
• Path MTU
Security Policy Database
• Remote IP Address
• Local IP Address
• Next Layer Protocol
• Name
• Local and Remote Ports
Host SPD Example
Processing Model for Outbound Packets
Processing Model for Inbound Packets
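As an added example (not part of the original slides), the two SAD-driven steps of inbound processing: locating the SA by the (SPI, destination address, protocol) triple, then rejecting replayed packets with the Sequence Number Counter and Anti-Replay Window kept in that SA entry. The SA values, window size and sequence numbers below are constructed sample data.

```python
# Inbound IPsec processing, reduced to the SAD lookup and the anti-replay
# window check (RFC 4303 sliding-window style). All values are constructed.
from dataclasses import dataclass


@dataclass
class InboundSA:
    spi: int
    dst_addr: str
    protocol: str            # "AH" or "ESP"
    window_size: int = 64    # anti-replay window W (RFC requires at least 32)
    highest_seq: int = 0     # N: right edge of the window (highest seq accepted)
    bitmap: int = 0          # bit i set => sequence number (highest_seq - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet is fresh; False if it is a replay."""
        if seq == 0:
            return False                 # first packet on an SA carries seq 1; 0 is never valid
        if seq > self.highest_seq:
            # Packet is to the right of the window: slide the window up to it.
            shift = seq - self.highest_seq
            self.bitmap = (self.bitmap << shift) & ((1 << self.window_size) - 1)
            self.bitmap |= 1             # bit 0 now represents the new highest_seq
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return False                 # left of the window: too old, discard
        if self.bitmap & (1 << offset):
            return False                 # inside the window but already seen: replay
        self.bitmap |= 1 << offset       # late but fresh packet: mark it seen
        return True


# Security Association Database keyed by the SA identifier triple from the slides.
SAD: dict = {}


def install_sa(sa: InboundSA) -> None:
    SAD[(sa.spi, sa.dst_addr, sa.protocol)] = sa


def process_inbound(spi: int, dst_addr: str, protocol: str, seq: int) -> str:
    """Decision for one inbound AH/ESP packet after the SA lookup and replay check."""
    sa = SAD.get((spi, dst_addr, protocol))
    if sa is None:
        return "DISCARD: no matching SA"
    if not sa.check_and_update(seq):
        return "DISCARD: replayed or stale sequence number"
    return "ACCEPT"
```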
Encapsulating Security Payload
Scope of ESP Encryption and Authentication
Protocol Operation for ESP