Slide title
In CAPITALS
50 pt
Slide subtitle
32 pt
Manoranjan Mohanty
IPSEC
COMPSCI 316 (Cyber Security)
Source of some slides: University of Tennessee /
Cryptography and Network Security by Behrouz Forouzan
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
2
MAC ADDRESS TO IPv6 CONVERSION
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
3
MAC ADDRESS TO IPv6 CONVERSION
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
4
MAC ADDRESS TO IPv6 CONVERSION
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
5
MAC ADDRESS TO IPv6 CONVERSION
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
6
MAC ADDRESS TO IPv6 CONVERSION
FE80::3BA7:94FF: FE07:CBD0
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
7
IPSEC
Relative location of security facilities in the
TCP/IP protocol stack.
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
8
IPSEC: NETWORK SECURITY LAYER
IPSec is a framework of open standards developed by
the Internet Engineering Task Force (IETF)
IPsec aims at securing communications over IP
– Both IPv4 and IPv6
Creates secure, authenticated, reliable
communications over IP networks
It is designed to address fundamental shortcomings,
such as being subject to spoofing and eavesdropping
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
9
IPSEC ADVANTAGES
Provides seamless security to application and
transport layers
– Transparent to applications, no change required
in any upper layer
– Transparent to end users, no need to train users
on security mechanisms
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
10
IPSEC APPLICATIONS
Site-to-site (vpn)
– An organisation with multiple sub-offices
netw
ork
secur
ity
esse
ntials
4th
editio
n
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
11
IPSEC APPLICATIONS
Host-to-site (vpn)
– Travelling employees, Contractors
netw
ork
secur
ity
esse
ntials
4th
editio
n
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
12
IPSEC SECURITY SERVICES
Data origin authentication
– Assurance that traffic is sent by legitimate parties
Confidentiality (encryption)
– Limited traffic flow confidentiality (some traffic analysis
possible)
Connectionless integrity
– Assurance that every received IP packet has not been
modified
– Partial sequence integrity - prevents packet replay
Access control
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
13
IPSEC MAJOR COMPONENTS
IPSec base protocols
IPSec modes
IPSec Security Policy and Associations (SA)
IPSec Internet Key Exchange (IKE)
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
14
IPSEC BASE PROTOCOLS
Authentication Header (AH)
– Authentication
– Protection against replay attacks
– Integrity
Encapsulating Security Payload (ESP)
– Confidentiality
– Protection against replay attacks
– Authentication (depends on algorithm)
– Integrity (depends on algorithm)
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
15
IPSEC BASE PROTOCOLS: AH
Provides message
authentication and
integrity check of IP
data payload, but not
confidentiality
Provides
authentication for as
much of the IP header
as possibleHMAC-MD5, HMAC-SHA
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
16
IPSEC BASE PROTOCOLS: ESP
ESP provides source authentication, data integrity,
and confidentiality
Content of IP packet is encrypted and encapsulated
between header and trailer fields
Authentication data optionally added
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
17
IPSEC BASE PROTOCOLS: ESP
IV (Initialization Vector) is part of payload. Should it
be encrypted?
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
18
ESP PADDING
If encryption algorithm requires plaintext in multiple of
bytes, padding is useful
Padding can also provide partial traffic confidentiality –
Add padding to hide actual plaintext length
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
19
CONNECTIONLESS INTEGRITY AND
PARTIAL SEQUENCE INTEGRITY
Internet layer is connectionless
– Packets can be dropped and arrive out-of-order
IPSec provides packet-level integrity (no integrity on
flow of packets)
The “replay attack” is countered using a “sliding
window” N (Highest received
sequence number)
Width (w)
– Sequence number less than N-w+1 or an invalid packet
is discarded
– When a valid packet having sequence number N-w+1 to
N arrives, corresponding entry in the window is marked
– When a valid packet having sequence number greater
than N arrives, window advances (N updated)
N – w+1
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
20
IPSEC SECURITY
Authentication
– Message authentication code (MAC)
Integrity (Connectionless)
– Hashing (MAC)
Confidentiality
– Encryption
Countering replay attack
– Sequence number
Traffic analysis
– Padding
– Encryption
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
21
QUIZ: IPSEC BASE PROTOCOLS: ESP
Which one is better from avoiding DoS
attack point of view?
• First encrypt, then authenticate
• Or, first authenticate, then encrypt.
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
22
IPSEC MODES
Transport mode
– Used to deliver
services from
host to host or
from host to
gateway
Tunnel mode
– Used to deliver
services from
gateway to
gateway
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
23
TRANSPORT MODE
Protects what is delivered from the transport
layer to the network layer
This mode does not protect the IP header
– It only protects the information coming from the
transport layer
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
24
TUNNEL MODE
Protects the entire IP packet
– It takes an IP packet applies security methods to the entire
packet, and then adds a new IP header
This mode protects the original IP header
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
25
TRANSPORT MODE & ESP FOR IPv4 and IPv6
Required by routers
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
26
TUNNEL MODE & ESP FOR IPv4 and IPv6
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
27
TRANSPORT VS. TUNNEL MODE
Traffic analysis: Transport mode vs tunnel mode
IP header(real dest)
IPSec header TCP/UDP header + data
IP header(gateway)
IPSec header TCP/UDP header + dataIP header(real dest)
Transport mode
Tunnel mode
Top right
corner for
field
customer or
partner logotypes.
See Best practice
for example.
Slide title
40 pt
Slide subtitle
24 pt
Text
24 pt
5
20 pt
28
Will IPSec Work with NAT ?
Consider – ESP protocol and tunnel mode
Case 1: Sender – NAT – IPSec Gateway 1 -- IPSec
Gateway 2 – Receiver
Case 2: Sender – IPSec Gateway 1 – NAT -- IPSec
Gateway 2 – Receiver