
IPSec - Auckland · PDF file: Manoranjan Mohanty, IPSEC, COMPSCI 316 (Cyber Security). Source of some slides: University of Tennessee

Jul 03, 2020


Slide 1: IPSEC
Manoranjan Mohanty
COMPSCI 316 (Cyber Security)
Source of some slides: University of Tennessee / Cryptography and Network Security by Behrouz Forouzan

Slides 2-6: MAC ADDRESS TO IPv6 CONVERSION
FE80::3BA7:94FF:FE07:CBD0
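The address on slide 6 is what the modified EUI-64 procedure of RFC 4291 produces for the MAC 39:A7:94:07:CB:D0 (the MAC is recovered here from the address; the slides' diagram is not reproduced). The following Python is an added example, not code from the slides, that performs the conversion and its inverse:

```python
import ipaddress
import re
from typing import Optional


def mac_to_eui64_link_local(mac: str) -> str:
    """Derive the IPv6 link-local address (fe80::/64) from a 48-bit MAC address
    with the modified EUI-64 procedure of RFC 4291:
      1. split the MAC into its OUI (first 3 octets) and NIC part (last 3),
      2. insert the 16-bit value 0xFFFE between the two halves,
      3. flip the universal/local bit (value 0x02 of the first octet),
      4. prepend the fe80:: prefix to the 64-bit interface identifier."""
    octets = [int(x, 16) for x in re.split(r"[:\-]", mac.strip())]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui64 = octets[:3] + [0xFF, 0xFE] + octets[3:]   # step 2
    eui64[0] ^= 0x02                                   # step 3
    iid = int.from_bytes(bytes(eui64), "big")
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iid))  # step 4


def link_local_to_mac(addr: str) -> Optional[str]:
    """Inverse mapping: recover the MAC embedded in an EUI-64 interface identifier.
    Returns None when the identifier lacks the ff:fe marker (for example a
    privacy-extension or manually assigned address), since no MAC is embedded."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3] != 0xFF or b[4] != 0xFE:
        return None
    b[0] ^= 0x02                                       # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in list(b[:3]) + list(b[5:]))


if __name__ == "__main__":
    # Constructed input: the MAC that yields the slide's FE80::3BA7:94FF:FE07:CBD0.
    print(mac_to_eui64_link_local("39:A7:94:07:CB:D0"))
    print(link_local_to_mac("fe80::3ba7:94ff:fe07:cbd0"))
```

Because the interface identifier embeds the hardware address, an EUI-64 link-local address is a stable device identifier that follows the host across networks; RFC 4941 temporary addresses exist precisely to avoid that exposure.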

Slide 7: IPSEC
Relative location of security facilities in the TCP/IP protocol stack.

Slide 8: IPSEC: NETWORK SECURITY LAYER
• IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF)
• IPsec aims at securing communications over IP
– Both IPv4 and IPv6
• Creates secure, authenticated, reliable communications over IP networks
• It is designed to address fundamental shortcomings of IP, such as being subject to spoofing and eavesdropping

Slide 9: IPSEC ADVANTAGES
• Provides seamless security to application and transport layers
– Transparent to applications, no change required in any upper layer
– Transparent to end users, no need to train users on security mechanisms

Slide 10: IPSEC APPLICATIONS
• Site-to-site (VPN)
– An organisation with multiple sub-offices
[Figure source: Network Security Essentials, 4th edition]

Slide 11: IPSEC APPLICATIONS
• Host-to-site (VPN)
– Travelling employees, contractors
[Figure source: Network Security Essentials, 4th edition]

Slide 12: IPSEC SECURITY SERVICES
• Data origin authentication
– Assurance that traffic is sent by legitimate parties
• Confidentiality (encryption)
– Limited traffic flow confidentiality (some traffic analysis possible)
• Connectionless integrity
– Assurance that every received IP packet has not been modified
– Partial sequence integrity: prevents packet replay
• Access control

Slide 13: IPSEC MAJOR COMPONENTS
• IPSec base protocols
• IPSec modes
• IPSec Security Policy and Associations (SA)
• IPSec Internet Key Exchange (IKE)

Slide 14: IPSEC BASE PROTOCOLS
• Authentication Header (AH)
– Authentication
– Protection against replay attacks
– Integrity
• Encapsulating Security Payload (ESP)
– Confidentiality
– Protection against replay attacks
– Authentication (depends on algorithm)
– Integrity (depends on algorithm)

Slide 15: IPSEC BASE PROTOCOLS: AH
• Provides message authentication and integrity check of IP data payload, but not confidentiality
• Provides authentication for as much of the IP header as possible
HMAC-MD5, HMAC-SHA

Slide 16: IPSEC BASE PROTOCOLS: ESP
• ESP provides source authentication, data integrity, and confidentiality
• Content of IP packet is encrypted and encapsulated between header and trailer fields
• Authentication data optionally added

Slide 17: IPSEC BASE PROTOCOLS: ESP
• IV (Initialization Vector) is part of the payload. Should it be encrypted?

Slide 18: ESP PADDING
• If the encryption algorithm requires the plaintext length to be a multiple of some number of bytes, padding is useful
• Padding can also provide partial traffic confidentiality: add padding to hide the actual plaintext length

Slide 19: CONNECTIONLESS INTEGRITY AND PARTIAL SEQUENCE INTEGRITY
• Internet layer is connectionless
– Packets can be dropped and arrive out-of-order
• IPSec provides packet-level integrity (no integrity on flow of packets)
• The "replay attack" is countered using a "sliding window" N (Highest received
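The sliding-window replay check from slide 19, written out as an added example that is not from the slides: N is the highest sequence number accepted so far, a bitmap remembers which numbers inside the window [N-W+1, N] have been seen, and anything older than the window or already seen is dropped. It assumes a 64-packet window (RFC 4303 requires at least 32) and that the check runs only after the packet's integrity check has passed.

```python
class AntiReplayWindow:
    """Anti-replay sliding window as used by IPsec AH/ESP (RFC 4302/4303).
    Packets may arrive out of order (the internet layer is connectionless), so a
    window rather than a strict counter is kept: a packet is accepted if it is
    newer than N, or inside the window and not yet seen."""

    def __init__(self, window_size: int = 64):
        if window_size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.w = window_size
        self.highest = 0     # N: highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence number (N - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is acceptable; False if it is a replay
        or too old. Call this only after the packet's integrity check succeeded,
        so that a forged sequence number cannot slide the window forward."""
        if seq <= 0:
            return False                    # sequence number 0 is never valid
        if seq > self.highest:
            # New high-water mark: slide the window right by the gap.
            shift = seq - self.highest
            mask = (1 << self.w) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.w else 0
            self.bitmap |= 1                # bit 0 now represents the new N
            self.highest = seq
            return True
        offset = self.highest - seq         # how far behind N this packet is
        if offset >= self.w:
            return False                    # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                    # already seen: replay
        self.bitmap |= 1 << offset          # late but new: accept and remember
        return True


if __name__ == "__main__":
    # Constructed arrival order: reordering, one replay, a jump, one stale packet.
    win = AntiReplayWindow()
    for s in (1, 3, 2, 2, 100, 30, 37):
        print(s, "accept" if win.check_and_update(s) else "drop")
```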
