• Keine Ergebnisse gefunden

• What is IPSec ?

N/A
N/A
Protected

Academic year: 2022

Aktie "• What is IPSec ?"

Copied!
20
0
0

Wird geladen.... (Jetzt Volltext ansehen)

Volltext

(1)

[email protected] hamburg.de

IPSec

• What is IPSec ?

• Concepts and Terms

• Architecture

• Operation

• Application Example

Some graphics originate (in part) from cisco

(2)

[email protected] hamburg.de

What is IPSec?

A security architecture

• Two IP security protocols

– Authentication Header (AH)

– Encapsulation Security Payload (ESP)

• Internet Key Exchange (IKE)

– Exchange of IPSec security seeds

• An open standard (RFC 2401)

A security solution on the IP layer

(3)

[email protected] hamburg.de

Concepts of IPSec

internet

intranet

• Protects data transfers throughout the Internet, procuring Authentication, Integrity, Encryption

• Transparent to network infrastructure

• End-to-end security concept

(4)

[email protected] hamburg.de

Tunnel and Transport Mode

• Transport Mode End-to-End or via ALG

• Tunnel Mode for all connection types

Transport Mode Tunnel Mode Tunnel Mode

Tunnel Mode Tunnel Mode

HR Server Joe’s

PC

Tunnel Mode Tunnel Mode

Transport Mode (with ALG)

(5)

[email protected] hamburg.de

Security Association (SA)

Router A

Insecure Channel

Router B

• Directional description of security services in use (unidirectional per connection)

• Valid for individual data flow

• Two-way communication uses two SAs

• Each SA identified by a Security Parameter Index (SPI) - as part of the IPSec Headers

- number with strictly local scope

(6)

[email protected] hamburg.de

Security Association (2)

205.49.54.237 205.49.54.237

7A390BC1 7A390BC1 AH, HMAC

AH, HMAC--MD5MD5 7572CA49F7632946 7572CA49F7632946 One Day or 100MB One Day or 100MB

Destination Address Security Parameter Index (SPI) IPSec Transform Key Additional SA Attributes (e.g. lifetime)

(7)

[email protected] hamburg.de

IPSec Authentication Header (AH)

IP HDR IP HDR

Authenticates all but variable fields AHAH DataData IP HDR

IP HDR DataData

AHAH IP HDRIP HDR New IP HDR

New IP HDR

Authenticates all but variable fields of the new IP-Header DataData

Tunnel Mode

Transport Mode

(8)

[email protected] hamburg.de

Authentication Header (2)

NextNext Header Header

Payload Payload Length

Length RESERVEDRESERVED Security Parameter Index (SPI) Security Parameter Index (SPI)

Sequence Number Field Sequence Number Field

Authentication Data Authentication Data

• Authentication header placed prior to TCP/UDP (IPv4) header (change of IPv4-Stack) or as extension Header (IPv6).

• Authenticates data source and integrity by a Message

Authentication Code (MAC).

• Remains unencrypted.

(9)

[email protected] hamburg.de

Encapsulating Security Payload (ESP)

IP HDR IP HDR

Encrypted ESP HDR

ESP HDR DataData IP HDR

IP HDR DataData

ESP HDR

ESP HDR IP HDRIP HDR DataData Tunnel Mode

Transport Mode

ESP ESP Trailer Trailer

ESP ESP Trailer Trailer

Authenticated

Encrypted Authenticated

ESPESP AuthAuth ESPESP AuthAuth

(10)

[email protected] hamburg.de

Encapsulating Security Payload

Security Parameter Index (SPI) Security Parameter Index (SPI)

Sequence Number Field Sequence Number Field

Padding (If Any) Padding (If Any)

PadPad Length Length

NextNext Header Header Initialization Vector

Initialization Vector

Authentication Data Authentication Data

Payload Data Payload Data

• ESP Header precedes IP packet (or upper protocol).

• ESP Header remains

unencrypted, but authenticated with data.

• Encrypted IP packet becomes ESP payload

• Trailer for terminating 0s and alignment.

(11)

[email protected] hamburg.de

Encryption Methods

• IPSec can employ different encryption methods.

• To initiate a Security Association either a Public Key Infrastructure (PKI) or Preshared Secrets (offline) are needed.

• While an SA is running, data will be encrypted via symmetric encryption methods (performance).

• To regularly exchange keys an Internet Key Exchange Daemon is part of the IPSec concept.

(12)

[email protected] hamburg.de

Internet Key Exchange (IKE)

• IKE-Protocol (RFC 2409) implements Oakley and SKEME key exchange in ISAKMP Framework.

• Negotiates policies to use.

• Modi: Main, Aggressive, Quick and New Group.

• Authenticated Diffie-Hellman key exchange.

• Negotiates SAs to initiate IPSec.

(13)

[email protected] hamburg.de

Encryption Technologies supported by IPSec

Integrity -

Hash Functions

Encryption Authentication

Secret Key: MAC DES, 3DES

Public Key:

RSA

HMAC

MD5 SHA

Key Management

Manual

Operation Secret Key Exchange:

Diffie-Hellman Public Key Exchange:

Certificate Authority Digital

Signature

(14)

[email protected] hamburg.de

Operation of IPSec

IKE Negociation

IPSec Negociation

Tunnel Construction Notable Traffic?

IKEIKE IPSec IPSec Data

(15)

[email protected] hamburg.de

IKE Initiation of a SA

SA Request IPSec (triggered by ACL)

Fred Wilma

IKE SA Offer - des, sha, rsa sig, D-H group 1, lifetime Policy Match accept offer

Fred D-H exchange : KE, nonce Wilma D-H exchange : KE, nonce Fred Authenticate D-H apply Hash

Wilma Authenticate D-H apply Hash ISAKMP

Phase 1

Oakley Main Mode

IKE Bi-directional SA Established

In the Clear

Protected

(16)

[email protected] hamburg.de

IPSec Constructing the SA

Fred Wilma

IPSec SA Offer - transform, mode, pfs, authentication, lifetime Policy Match accept offer

Protected by the IKE SA ISAKMP

Phase 2

Oakley Quick Mode

Fred D-H exchange or refresh IKE key Wilma D-H exchange or refresh IKE key

IPSec Outbound SA Established IPSec Inbound SA Established

(17)

[email protected] hamburg.de

Tunnels of Tunnels

(18)

Secure WLAN Access

[email protected] hamburg.de

Registrieren IPsec

Authentifizieren

(19)

[email protected] hamburg.de

Components

♦ IPsec: Tunnel mode with ESP, Aggressive Mode

♦ Tunnel routers: PCs, FreeBSD 4.x / Kame

♦ IKE-Daemon Racoon (patched)

♦ Wrapper Script to stir packet filtering

♦ ISC DHCPD 3.x (patched), OpenLDAP 2.x

♦ Web-Administration tool

♦ Clients: SSH Sentinell (MS), PGP (MAC OS9),

Native BSD, Linux, MAC OSX

(20)

[email protected] hamburg.de

Performance

Load tests with many Clients producing high traffic load:

♦ Main load produced by data, not # of clients

♦ Processing load dominates

♦ A 2,4 GHz PIV can handle about 80 Mbit/s

⇒ One tunnel router serves 10 Accesspoints

Improvements expected by upcoming crypto processor cards

Referenzen

ÄHNLICHE DOKUMENTE

Messaging Apps: WhatsApp, Snapchat, Facebook Messenger, Telegram, Viber, LINE and Skype, etc.. Types of protocols: HTTP + Push Notifications / Extensive Messaging and Presence

We derive Internet penetration estimates from geolocated network mea- surements of the globally used IPv4 address space using two different approaches, and then compare our

We show that the resource augmentation is necessary by proving polyno- mial lower bounds on the max-stretch and total flow time for the case where online and offline algorithms

Since statistics is the science of data, we welcome research on both statistical theory of networks and the statistical modeling of data arising from network

He deserves to be praised by a grateful present and posterity as the man who first liberated mankind from immaturity (as far as government is concerned), and who left all men free

As the Internet first opened to commerce and the wider public in the mid-1990s, the term referred to a limited set of policy issues associated with the global... synchronization

Russian geo-political hard power may have trumped EU soft power in the short-run in both Armenia and Ukraine, but the democratic power of the Ukrainian people in alliance with

But, at the same time, this new merger of what was formerly separated as Indian Ocean and Asia-Pacific also brings together US essential interests in both macro regions,