IPsec
An Introduction
Prof. David Bernstein
James Madison University
Computer Science Department
bernstdh@jmu.edu
Overview
General Objective:
Security of IP datagrams
Specific Objectives:
Origin authentication
Connectionless data integrity and authentication
Content confidentiality
Replay protection
Limited traffic flow confidentiality
Overview (cont.)
History:
Working group created in 1992
Architecture revised in 1998
Acronyms:
Authentication Header (AH)
Encapsulating Security Payload (ESP)
Internet Key Exchange (IKE)
Security Association Databse (SAD)
Security Parameter Index (SPI)
Security Associations
Purpose:
Associate security services and keys with the traffic to be protected
Details:
SPI is used to retrieve SA parameters from a SAD
Simplex Communciation (i.e., need two SAs for bidirectional communication)
Security
Encapsulating Security Payload:
Authentication of origin
Integrity
Replay Protection
Confidentiality
Authentication Header:
Authentication of origin
Integrity
Replay Protection
AH Modes
Transport Mode:
Authenticates IP payload and selected portions of the IP header
Tunnel Mode:
Authenticates entire inner IP packet (i.e., header and payload) and selected portions of the outer IP header
ESP Modes
Transport Mode:
Encrypts IP payload
Tunnel Mode:
Encrypts entire inner IP packet
Keying Approaches
Host-Oriented:
All users on a host share the same key
User-Oriented:
Each user has a unique key
Session-Oriented:
Each session (defined by an IP address, protocol and port) has a unique key
Overview of the ESP Process
Outbound:
Insert ESP header
Encrypt payload
Authenticate
Inbound:
Check for SA (drop if invalid)
Check sequence number (drop if invalid)
Authenticate
Decrypt payload
There's Always More to Learn