IPsec

Forward

IPsec
An Introduction

Prof. David Bernstein
James Madison University

Computer Science Department

bernstdh@jmu.edu

Print

Overview

Back

Forward

General Objective:
- Security of IP datagrams
Specific Objectives:
- Origin authentication
- Connectionless data integrity and authentication
- Content confidentiality
- Replay protection
- Limited traffic flow confidentiality

Overview (cont.)

Back

Forward

History:
- Working group created in 1992
- Architecture revised in 1998
Acronyms:
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
- Internet Key Exchange (IKE)
- Security Association Databse (SAD)
- Security Parameter Index (SPI)

Security Associations

Back

Forward

Purpose:
- Associate security services and keys with the traffic to be protected
Details:
- SPI is used to retrieve SA parameters from a SAD
- Simplex Communciation (i.e., need two SAs for bidirectional communication)

Security

Back

Forward

Encapsulating Security Payload:
- Authentication of origin
- Integrity
- Replay Protection
- Confidentiality
Authentication Header:
- Authentication of origin
- Integrity
- Replay Protection

AH Modes

Back

Forward

Transport Mode:
- Authenticates IP payload and selected portions of the IP header
Tunnel Mode:
- Authenticates entire inner IP packet (i.e., header and payload) and selected portions of the outer IP header

ESP Modes

Back

Forward

Transport Mode:
- Encrypts IP payload
Tunnel Mode:
- Encrypts entire inner IP packet

Keying Approaches

Back

Forward

Host-Oriented:
- All users on a host share the same key
User-Oriented:
- Each user has a unique key
Session-Oriented:
- Each session (defined by an IP address, protocol and port) has a unique key

Overview of the ESP Process

Back

Forward

Outbound:
1. Insert ESP header
2. Encrypt payload
3. Authenticate
Inbound:
1. Check for SA (drop if invalid)
2. Check sequence number (drop if invalid)
3. Authenticate
4. Decrypt payload