Page 1: IPSec - Auckland…

Manoranjan Mohanty

IPSEC

COMPSCI 316 (Cyber Security)

Source of some slides: University of Tennessee / Cryptography and Network Security by Behrouz Forouzan

Pages 2-6: MAC ADDRESS TO IPv6 CONVERSION

(Slides 2-6 are figures walking through the conversion step by step; only the resulting address below survives in the transcript.)

FE80::3BA7:94FF:FE07:CBD0
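The conversion the figures walk through (split the MAC, insert FFFE, invert the Universal/Local bit, prefix FE80::/64), as an added Python example that is not part of the lecture material. The MAC 39:A7:94:07:CB:D0 is an assumption obtained by reversing the slide's result, since the original MAC is not in the transcript; the reverse function shows why this matters to a defender: an EUI-64 address reveals the hardware address, which is what privacy addresses (RFC 4941/7217) avoid.

```python
import ipaddress
import re


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A):
    split the MAC into its two 24-bit halves, insert 0xFFFE between them,
    then invert the Universal/Local bit (0x02 of the first octet)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(hexdigits)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # flip the U/L bit: a globally unique MAC becomes "universal" in EUI-64
    return bytes(iid)


def mac_to_link_local(mac: str) -> str:
    """Link-local address: FE80::/64 prefix followed by the EUI-64 identifier,
    returned in compressed upper-case form like the slide."""
    packed = b"\xfe\x80" + b"\x00" * 6 + mac_to_eui64(mac)
    return str(ipaddress.IPv6Address(packed)).upper()


def eui64_to_mac(addr: str):
    """Recover the MAC from an EUI-64-derived IPv6 address, or None when the
    interface identifier lacks the 0xFFFE marker (e.g. a privacy address)."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the U/L bit inversion
    return ":".join(f"{b:02X}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "39:A7:94:07:CB:D0"  # constructed: derived by reversing the slide's result
    print(mac_to_link_local(mac))             # FE80::3BA7:94FF:FE07:CBD0
    print(eui64_to_mac("fe80::3ba7:94ff:fe07:cbd0"))  # 39:A7:94:07:CB:D0
    print(eui64_to_mac("fe80::1"))            # None: not EUI-64 derived
```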

Page 7: IPSEC

(Figure: relative location of security facilities in the TCP/IP protocol stack.)

Page 8: IPSEC: NETWORK SECURITY LAYER

IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF)

IPSec aims at securing communications over IP

– Both IPv4 and IPv6

Creates secure, authenticated, reliable communications over IP networks

It is designed to address fundamental shortcomings of IP, such as its susceptibility to spoofing and eavesdropping

Page 9: IPSEC ADVANTAGES

Provides seamless security to application and transport layers

– Transparent to applications, no change required in any upper layer

– Transparent to end users, no need to train users on security mechanisms

Page 10: IPSEC APPLICATIONS

Site-to-site (VPN)

– An organisation with multiple sub-offices

(Figure source: Network Security Essentials, 4th edition)

Page 11: IPSEC APPLICATIONS

Host-to-site (VPN)

– Travelling employees, contractors

(Figure source: Network Security Essentials, 4th edition)

Page 12: IPSEC SECURITY SERVICES

Data origin authentication

– Assurance that traffic is sent by legitimate parties

Confidentiality (encryption)

– Limited traffic flow confidentiality (some traffic analysis possible)

Connectionless integrity

– Assurance that every received IP packet has not been modified

– Partial sequence integrity - prevents packet replay

Access control

Page 13: IPSEC MAJOR COMPONENTS

IPSec base protocols

IPSec modes

IPSec Security Policy and Associations (SA)

IPSec Internet Key Exchange (IKE)

Page 14: IPSEC BASE PROTOCOLS

Authentication Header (AH)

– Authentication

– Protection against replay attacks

– Integrity

Encapsulating Security Payload (ESP)

– Confidentiality

– Protection against replay attacks

– Authentication (depends on algorithm)

– Integrity (depends on algorithm)

Page 15: IPSEC BASE PROTOCOLS: AH

Provides message authentication and integrity check of the IP data payload, but not confidentiality

Provides authentication for as much of the IP header as possible

(Figure label: HMAC-MD5, HMAC-SHA)

Page 16: IPSEC BASE PROTOCOLS: ESP

ESP provides source authentication, data integrity, and confidentiality

Content of the IP packet is encrypted and encapsulated between header and trailer fields

Authentication data optionally added

Page 17: IPSEC BASE PROTOCOLS: ESP

IV (Initialization Vector) is part of the payload. Should it be encrypted?

Page 18: ESP PADDING

If the encryption algorithm requires the plaintext length to be a multiple of a fixed number of bytes, padding is needed

Padding can also provide partial traffic flow confidentiality – add padding to hide the actual plaintext length

Page 19: CONNECTIONLESS INTEGRITY AND PARTIAL SEQUENCE INTEGRITY

Internet layer is connectionless

– Packets can be dropped and arrive out-of-order

IPSec provides packet-level integrity (no integrity on the flow of packets)

The "replay attack" is countered using a "sliding window"

– N: highest received sequence number; w: window width (figure labels: N, Width (w), N-w+1)

– A sequence number less than N-w+1 or an invalid packet is discarded

– When a valid packet having sequence number N-w+1 to N arrives, the corresponding entry in the window is marked

– When a valid packet having sequence number greater than N arrives, the window advances (N updated)
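The sliding window from this slide implemented in Python, as an added example that is not part of the lecture material. It keeps N and a w-bit bitmap of which numbers in N-w+1..N have been seen and applies the slide's rules; the auth_ok flag stands in for the slide's "valid packet", so a packet that fails authentication never moves the window. Assumed: sequence numbers start at 1 and do not wrap (extended sequence numbers are out of scope).

```python
class AntiReplayWindow:
    """IPsec anti-replay window. N is the highest sequence number received so far;
    bit i of `seen` (0 <= i < w) records whether sequence number N - i was received."""

    def __init__(self, width: int = 64):
        if width < 1:
            raise ValueError("window width must be at least 1")
        self.w = width
        self.mask = (1 << width) - 1
        self.N = 0       # nothing received yet
        self.seen = 1    # sequence numbers start at 1, so treat 0 as already used

    def accept(self, seq: int, auth_ok: bool = True) -> bool:
        """Return True if the packet is accepted, marking it in the window.
        - invalid (authentication failed) packets are discarded and never update the window
        - seq < N-w+1 is left of the window: too old, discarded
        - seq in N-w+1..N is accepted once; a second copy is a replay
        - seq > N advances the window and becomes the new N"""
        if not auth_ok:
            return False
        if seq > self.N:
            shift = seq - self.N
            # slide the bitmap; a jump of w or more empties it entirely
            self.seen = ((self.seen << shift) & self.mask) if shift < self.w else 0
            self.seen |= 1                    # bit 0 now represents the new N
            self.N = seq
            return True
        if seq < self.N - self.w + 1:
            return False
        bit = 1 << (self.N - seq)
        if self.seen & bit:
            return False                      # already received: replay
        self.seen |= bit
        return True


def replay_trace(width: int, packets):
    """Feed (seq, auth_ok) pairs through one window; return the accept/discard verdicts."""
    win = AntiReplayWindow(width)
    return [win.accept(seq, ok) for seq, ok in packets]


if __name__ == "__main__":
    # constructed trace, w = 4: out-of-order 2 is accepted, its replay is not,
    # the jump to 10 moves the window so 6 is too old, and 8 with a bad ICV is dropped
    trace = [(1, True), (3, True), (2, True), (2, True), (10, True),
             (6, True), (7, True), (8, False), (8, True)]
    print(replay_trace(4, trace))
```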

Page 20: IPSEC SECURITY

Authentication

– Message authentication code (MAC)

Integrity (connectionless)

– Hashing (MAC)

Confidentiality

– Encryption

Countering replay attack

– Sequence number

Traffic analysis

– Padding

– Encryption

Page 21: QUIZ: IPSEC BASE PROTOCOLS: ESP

Which one is better from the point of view of avoiding DoS attacks?

• First encrypt, then authenticate

• Or, first authenticate, then encrypt.

Page 22: IPSEC MODES

Transport mode

– Used to deliver services from host to host or from host to gateway

Tunnel mode

– Used to deliver services from gateway to gateway

Page 23: TRANSPORT MODE

Protects what is delivered from the transport layer to the network layer

This mode does not protect the IP header

– It only protects the information coming from the transport layer

Page 24: TUNNEL MODE

Protects the entire IP packet

– It takes an IP packet, applies security methods to the entire packet, and then adds a new IP header

This mode protects the original IP header

Page 25: TRANSPORT MODE & ESP FOR IPv4 and IPv6

(Figure label: Required by routers)

Page 26: TUNNEL MODE & ESP FOR IPv4 and IPv6

Page 27: TRANSPORT VS. TUNNEL MODE

Traffic analysis: Transport mode vs tunnel mode

Transport mode: IP header (real dest) | IPSec header | TCP/UDP header + data

Tunnel mode: IP header (gateway) | IPSec header | IP header (real dest) | TCP/UDP header + data

Page 28: Will IPSec Work with NAT?

Consider – ESP protocol and tunnel mode

Case 1: Sender – NAT – IPSec Gateway 1 – IPSec Gateway 2 – Receiver

Case 2: Sender – IPSec Gateway 1 – NAT – IPSec Gateway 2 – Receiver

