Scribd Logo
Carica

Benvenuto in Scribd!

  • Ipsec2 Eng

    Caricato da

    Kelvin Biao
    57 visualizzazioni20 pagine
    traitement de signal

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Formati disponibili

    PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    traitement de signal

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    57 visualizzazioni20 pagine

    Ipsec2 Eng

    Caricato da

    Kelvin Biao
    traitement de signal

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 20

    Thomas Schmidt schmidt@informatik.hawhamburg.

    de

    IPSec
    What is IPSec ? Concepts and Terms Architecture Operation Application Example
    Some graphics originate (in part) from cisco

    What is IPSec?
    A security architecture
    Two IP security protocols Authentication Header (AH) Encapsulation Security Payload (ESP) Internet Key Exchange (IKE) Exchange of IPSec security seeds An open standard (RFC 2401) A security solution on the IP layer

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Concepts of IPSec
    internet

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    intranet

    Protects data transfers throughout the Internet, procuring


    Authentication, Integrity, Encryption Transparent to network infrastructure End-to-end security concept

    Tunnel and Transport Mode


    Tunnel Mode Tunnel Mode
    Tunnel Mode

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Joes PC

    HR Server

    Transport Mode (with ALG)


    Transport Mode

    Transport Mode End-to-End or via ALG Tunnel Mode for all connection types

    Security Association (SA)


    Router A Insecure Channel

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Router B

    Directional description of security services in use (unidirectional per connection) Valid for individual data flow Two-way communication uses two SAs Each SA identified by a Security Parameter Index (SPI) - as part of the IPSec Headers - number with strictly local scope

    Security Association (2)

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Destination Address Security Parameter Index (SPI) IPSec Transform Key Additional SA Attributes (e.g. lifetime)

    205.49.54.237 7A390BC1 AH, HMAC-MD5 7572CA49F7632946 One Day or 100MB

    IPSec Authentication Header (AH)


    IP HDR

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Data

    Transport Mode IP HDR AH Data

    Authenticates all but variable fields

    Tunnel Mode New IP HDR AH IP HDR Data

    Authenticates all but variable fields of the new IP-Header

    Authentication Header (2)


    Authentication header placed prior to TCP/UDP (IPv4) header (change of IPv4-Stack) or as extension Header (IPv6). Authenticates data source and integrity by a Message Authentication Code (MAC). Remains unencrypted.

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Next Payload Header Length RESERVED Security Parameter Index (SPI) Sequence Number Field Authentication Data

    Encapsulating Security Payload (ESP)


    IP HDR

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Data

    Transport Mode IP HDR ESP HDR Data


    Encrypted Authenticated
    ESP ESP Trailer Auth

    Tunnel Mode ESP HDR IP HDR Data


    ESP ESP Trailer Auth

    Encrypted Authenticated

    Encapsulating Security Payload


    ESP Header precedes IP packet (or upper protocol). ESP Header remains unencrypted, but authenticated with data. Encrypted IP packet becomes ESP payload Trailer for terminating 0s and alignment.

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Security Parameter Index (SPI) Sequence Number Field Initialization Vector Payload Data Padding (If Any) Pad Length Authentication Data Next Header

    Encryption Methods
    IPSec can employ different encryption methods.

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    To initiate a Security Association either a Public Key Infrastructure (PKI) or Preshared Secrets (offline) are needed. While an SA is running, data will be encrypted via symmetric encryption methods (performance). To regularly exchange keys an Internet Key Exchange Daemon is part of the IPSec concept.

    Internet Key Exchange (IKE)

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    IKE-Protocol (RFC 2409) implements Oakley and SKEME key exchange in ISAKMP Framework. Negotiates policies to use. Modi: Main, Aggressive, Quick and New Group. Authenticated Diffie-Hellman key exchange. Negotiates SAs to initiate IPSec.

    Encryption Technologies supported by IPSec


    Encryption Authentication

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Integrity Hash Functions

    Secret Key: DES, 3DES

    Public Key: RSA

    MAC

    SHA

    MD5

    HMAC Key Management

    Digital Signature

    Manual Operation

    Secret Key Exchange: Diffie-Hellman

    Public Key Exchange: Certificate Authority

    Operation of IPSec
    Notable Traffic? IKE Negociation IPSec Negociation

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Tunnel Construction
    IKE IPSec Data

    IKE Initiation of a SA
    SA Request IPSec (triggered by ACL) Fred

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Wilma IKE SA Offer - des, sha, rsa sig, D-H group 1, lifetime Policy Match accept offer In the Clear

    ISAKMP Phase 1 Oakley Main Mode

    Fred D-H exchange : KE, nonce Wilma D-H exchange : KE, nonce Fred Authenticate D-H apply Hash Wilma Authenticate D-H apply Hash IKE Bi-directional SA Established Protected

    IPSec Constructing the SA


    Fred

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Wilma Policy Match accept offer

    IPSec SA Offer - transform, mode, pfs, authentication, lifetime Protected by the IKE SA

    ISAKMP Phase 2 Oakley Quick Mode

    Fred D-H exchange or refresh IKE key Wilma D-H exchange or refresh IKE key IPSec Outbound SA Established IPSec Inbound SA Established

    Tunnels of Tunnels

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Application Example: Secure WLAN Access


    I e Ps c

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Authentifizieren Registrieren

    Components

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    IPsec: Tunnel mode with ESP, Aggressive Mode Tunnel routers: PCs, FreeBSD 4.x / Kame IKE-Daemon Racoon (patched) Wrapper Script to stir packet filtering ISC DHCPD 3.x (patched), OpenLDAP 2.x Web-Administration tool Clients: SSH Sentinell (MS), PGP (MAC OS9), Native BSD, Linux, MAC OSX

    Performance
    Main load produced by data, not # of clients Processing load dominates A 2,4 GHz PIV can handle about 80 Mbit/s One tunnel router serves 10 Accesspoints

    Thomas Schmidt schmidt@informatik.hawhamburg.de

    Load tests with many Clients producing high traffic load:

    Improvements expected by upcoming crypto processor cards

    Potrebbero piacerti anche