
IP LAYER SECURITY
Lecture #5

Learning Objectives

Understand the ESP and AH protocols

Understand IPSec and its architecture

Understand IPSec protocol processing

Understand the ISAKMP protocol

Understand the IKE protocol

Understand VPN

Introduction

The increased connectivity of the Internet has given intruders the opportunity to carry out a variety of attacks.

A broad range of solutions exists to achieve secure data communication. These solutions operate at different layers of the protocol stack:

Application-level security (ALS)

Transport-level security (TLS)

Network-level security

IP layer security, or IPSec

Provides confidentiality (privacy) and integrity for IP data packets irrespective of the security features at the application and socket layer.

Any application benefits from the underlying IP security as long as it uses IP to send its data.

IPSec is the most transparent solution because it does not require modifying the application: IPSec's existence is hidden from the application.

We discuss here the security mechanism provided at the IP layer and its applications.

Short Introduction to the IP Suite

IP has the task of enabling communication between systems.

IP offers a connectionless datagram service with no guarantee of packet delivery: IP itself provides no explicit mechanism to guarantee correct delivery, which is left to higher layers such as TCP.

[Figure: the Internet protocol stack on three hosts, System A, System B and System C, each running Application Protocol over TCP or UDP over IP over Access Control, connected through the Internet.]

Source: http://s000jiq.springnote.com/pages/4649045/attachments/2521669

IPv4 header fields (reproduced from the IPv4 header diagram by Matt Baxter, 2004; the diagram covers version 4 only):

Version: version of the IP protocol; 4 and 6 are valid values.

Header Length (IHL): number of 32-bit words in the IP header, minimum value 5; multiply by 4 to get the byte count.

Total Length: total length of the IP datagram, or of the IP fragment if fragmented, measured in bytes.

Protocol: identifies the protocol carried in the payload (for example TCP, UDP, ESP or AH).

Flags: x 0x80 reserved (the "evil bit"), must be zero; D 0x40 Do Not Fragment; M 0x20 More Fragments follow.

Fragment Offset: offset of this fragment from the start of the original IP datagram, measured in 8-byte (2-word, 64-bit) increments. Because the offset is expressed in 8-byte units, the data carried by every fragment except the last must be a multiple of 8 bytes.

Header Checksum: checksum of the entire IP header, and only the header; the payload is not covered.

Please refer to RFC 791 for the complete Internet Protocol (IP) specification. Copyright 2004, Matt Baxter, mjb@fatpipe.org.
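The IPv4 header layout above, as an added worked example that is not part of the lecture slides: a small Python parser that decodes each field named on the diagram, verifies the header checksum, and rejects packets whose length, reserved flag bit or fragment sizing is inconsistent. The helper names (build_ipv4, parse_ipv4, header_checksum), the constructed sample packet and the choice of RFC 5737 documentation addresses are assumptions made for this example.

```python
import socket
import struct

# Fixed 20-byte IPv4 header (RFC 791), network byte order:
# ver/ihl, tos, total length, identification, flags+fragment offset,
# ttl, protocol, header checksum, source address, destination address.
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")

# Flag bits as they appear in the high byte of the flags/fragment-offset word.
FLAG_RESERVED = 0x80  # must be zero (RFC 791); the "evil bit" of RFC 3514
FLAG_DF = 0x40        # Do Not Fragment
FLAG_MF = 0x20        # More Fragments follow

# Next-header protocol numbers relevant to this lecture (IANA assignments).
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


def header_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 1071).

    Run over a header whose checksum field is zero, this yields the value to
    store; run over a header with a correct checksum in place, it yields 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, *,
               ident: int = 0, ttl: int = 64, flags: int = 0,
               frag_offset: int = 0) -> bytes:
    """Assemble an option-less IPv4 packet with a valid header checksum."""
    if flags & 0x1F:
        raise ValueError("only the three flag bits 0x80/0x40/0x20 are valid")
    if frag_offset % 8 or frag_offset >= 8192 * 8:
        raise ValueError("fragment offset must be a multiple of 8 below 65536")
    total_len = IPV4_HEADER.size + len(payload)
    flags_frag = (flags << 8) | (frag_offset // 8)
    header = IPV4_HEADER.pack(0x45, 0, total_len, ident, flags_frag, ttl, proto,
                              0, socket.inet_aton(src), socket.inet_aton(dst))
    # Patch the checksum (bytes 10-11) once every other field is in place.
    header = header[:10] + struct.pack("!H", header_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode an IPv4 header, rejecting malformed packets instead of guessing."""
    if len(packet) < IPV4_HEADER.size:
        raise ValueError("truncated: fewer than 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = IPV4_HEADER.unpack_from(packet)
    version = ver_ihl >> 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    ihl = (ver_ihl & 0x0F) * 4  # header length field counts 32-bit words
    if ihl < IPV4_HEADER.size:
        raise ValueError(f"header length {ihl} below the 20-byte minimum")
    if total_len < ihl or len(packet) < total_len:
        raise ValueError("total length inconsistent with the bytes received")
    # Checksumming the whole header (checksum field included) must give zero.
    if header_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    flags = flags_frag >> 8
    if flags & FLAG_RESERVED:
        raise ValueError("reserved flag bit set")
    more_fragments = bool(flags & FLAG_MF)
    frag_offset = (flags_frag & 0x1FFF) * 8  # stored in 8-byte units
    if more_fragments and (total_len - ihl) % 8:
        raise ValueError("non-final fragment carries a payload not a multiple of 8")
    return {
        "version": version,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "flags": {"df": bool(flags & FLAG_DF), "mf": more_fragments},
        "fragment_offset": frag_offset,
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, f"proto-{proto}"),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "options": packet[IPV4_HEADER.size:ihl],
        "payload": packet[ihl:total_len],  # link-layer padding beyond it is dropped
    }


if __name__ == "__main__":
    # Constructed sample: an ESP-in-IP packet between documentation addresses.
    pkt = build_ipv4("192.0.2.1", "198.51.100.7", 50, b"\x00" * 8,
                     ident=0x1234, flags=FLAG_DF)
    for field, value in parse_ipv4(pkt).items():
        print(f"{field:16} {value!r}")
```

The checksum check is worth reading alongside the threats listed on the next slide: it covers only the header and is trivially recomputed by anyone who rewrites a packet in transit, so it detects transmission errors but gives no protection against tampering or spoofing. That gap is what the AH and ESP integrity mechanisms discussed later are for.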

Internet Threats

The Internet opens up a huge array of vulnerabilities.

Without proper controls and countermeasures, any transaction over the Internet is subject to the following:

Packet sniffing

Loss of data integrity

Identity spoofing

Replay of old packets

IPSec

A method proposed to counter the attacks listed above by operating at the network layer.

It can encrypt and authenticate all traffic at the IP level: ESP provides confidentiality (and, optionally, integrity and origin authentication), AH provides integrity and origin authentication without encryption, and both carry a sequence number that lets the receiver detect replayed packets.
