Overview on IPSec
I. Abstract
II. The need for IPSec
   1. Internet threats
   2. TCP/IP security vulnerabilities
   3. The need for IPSec
III. What is IPSec
   1. What is IPSec
   2. IPSec properties
IV. IPSec structure
   1. Authentication header (AH)
   2. Encapsulating Security Payload (ESP)
V. Security Associations (SA)
   1. Security Associations
   2. Combining Security Associations
   3. SA and key management
VI. Building a real VPN with IPSec
   1. VPN overview
   2. IPSec in VPN
VII. Future Research
VIII. Conclusion
IX. References

I. Abstract

The Internet has developed at a very high speed in recent years. In the 1980s the Internet was used only in the US army, but nowadays it has reached every country, every home and everyone. However, this fast development has been accompanied by an increasing number of security issues on the Internet. A security solution is therefore needed, and that is the reason why Internet Protocol Security (IPSec) exists.

In this paper, I will give an overview of this security protocol: what is it? What are its core components? And how is this protocol implemented in practice?

II. The need for IPSec

1. Internet threats

The Internet is quickly changing our world, particularly in the way we do business. The fast development of technology has helped to increase Internet connection speeds and to decrease cost. This has created opportunities for people who know how to take advantage of it. The Internet enables such things as:

* Extranets: companies can easily link with their business partners and their customers. In the past we had to use low-bandwidth dial-up lines, so we had to wait a long time to connect to a web site or to send messages to a friend via Yahoo Messenger. Today, with the quick development of technology, the speed of the Internet has increased significantly, so the Internet can enable instant, on-demand, high-speed communication with business customers and partners around the world.
* Intranets: a powerful tool that is widely used for providing communication within an organization.
* Remote users: the Internet also provides a solution for users who do not need to go to the company but can still connect to and access the company network. This helps to reduce transport costs and also increases the productivity of the company.

The Internet provides many business opportunities, but without proper controls your data can become subject to various kinds of security attacks.

* Loss of Privacy: there are many ways that Internet users can lose private information such as their address, family information, phone number, credit cards and so on. This information can be used for marketing purposes, such as sending spam mail about a new product to many people, or, more dangerously, for theft or criminal purposes such as credit card theft or disclosure of personal information to the public.
* Loss of Data Integrity: even if your credentials are not stolen, a solution is still needed to ensure the integrity of data. For example, when you make a transaction, your password may not be disclosed, but if the amount of money in your transaction is modified, you still have a big problem.
* Identity Spoofing: the Internet is an untrusted network, so be careful with your identity when you surf the Internet, because an intruder can impersonate you and gain access to your confidential information.
* Denial-of-service: as organizations take advantage of the Internet, there is an issue that the service being performed is almost always a constant-time operation, so it is easy for an external observer process to detect a DoS attack. These attacks are generally transient.

2. TCP/IP security vulnerabilities

The main reason for the Internet threats mentioned above is that TCP/IP, the foundation of the Internet, has many security vulnerabilities. IP, TCP, UDP and the infrastructure protocols of TCP/IP were designed for use in a very small network in which all hosts and users were known, hence security concerns were almost non-existent. Today, with the very quick development of the Internet, more and more security vulnerabilities of TCP/IP are being exploited. In this section I will give an overview of popular kinds of attacks on TCP/IP.

a. TCP SYN or TCP ACK Flood Attack

This is a form of DoS attack in which an intruder sends a successful SYN request to the victim's system to consume the resources of the victim's server, so that the server cannot respond to legitimate connections.

b. TCP Sequence Number Attack

By predicting the IP sequence number, an attacker can inject data or take over a pre-established connection.

c. ICMP Attacks

An attacker could use any of the ICMP messages that can make a host stop working, such as "Time exceeded" or "Destination unreachable" messages. The attacker can make use of this by simply forging one of these ICMP messages and sending it to one or both of the communicating hosts. Their connection will then fall apart.

d. Smurf Attacks

The "smurf" attack is a modification of the classic ping flood attack. Instead of sending ICMP echo packets from his own system to the victim's network, the attacker sends a packet to the broadcast address of an intermediate network with the return IP address set to the victim's network.

3. The need for IPSec

To solve the issues mentioned in the previous sections, it is necessary to have a protocol suite that can provide authentication and decryption for IP packets, to increase the level of security of data communication over the Internet.
And that is the reason why we have Internet Protocol Security (IPSec).

III. What is IPSec

1. What is IPSec?

Internet Protocol Security (IPSec) has revolutionized Internet Protocol (IP) security. The IPSec protocol suite utilizes cryptographic techniques to ensure data confidentiality, and digital signatures to authenticate the source of the data transmission. IPSec also brings a new level of interoperability to the Internet that never existed before. It doesn't rely on proprietary protocols or techniques to establish secure links between network nodes. By utilizing IPSec in virtual private networking solutions, organizations can exchange sensitive data over public networks with the knowledge that the parties they are exchanging the data with are the intended receivers, that the data was kept confidential in transit, and that the data did not change during transmission.

IPSec has two goals:

* To ensure the integrity and confidentiality of IP packets.
* To provide a defense against network attacks.

Both goals are met through the use of cryptography-based protection services, security protocols, and dynamic key management.

2. IPSec properties

IPSec has the following properties:

* Anti-replay (replay prevention): ensures the uniqueness of each IP packet; a packet captured by an attacker cannot be put back into the network to establish a session or steal information.
* Integrity: protects data from being modified in transit and ensures that the received data is the same as the original data.
* Confidentiality (encryption): ensures that data is known only by the authorized recipients. To do this, data is encrypted before being sent, and the receiver has to use a public, private key to decrypt the data when receiving it.
* Authentication: verifies that a message can only be sent by a party who knows the shared, secret key. The sender includes an authentication message with the data before sending, and the receiver has to use its key to encrypt the authentication message in order to view the data. If the key is wrong, the data is discarded.

IV. IPSec structure

1. Authentication header (AH)

AH is used to authenticate, but not encrypt, IP traffic; in other words, this protocol guarantees connectionless integrity and data origin authentication of the packet.
Moreover, it can optionally guard against replay attacks, in which an attacker obtains a copy of an authenticated packet and later puts it back onto the network.

Structure of AH: the AH header consists of 6 parts:

* Next hdr (8 bits): identifies the upper-level protocol that follows the AH.
* AH len (8 bits): identifies the size of the authentication header.
* Reserved: a placeholder for future use.
* Security Parameters Index (32 bits): a random number that indicates the settings selected by the transmitter to communicate with the receiver. This includes the encryption algorithms that are being used, which encryption keys are being used, and information about the validity period of these encryption keys.
* Sequence Number: a counter that is incremented each time a packet is transmitted using the parameters set up in the SPI.
* Authentication Data: the Integrity Check Value (ICV) for the packet. The originator creates a keyed one-way hash of the packet payload and attaches this hash value to the packet as the authentication field. The receiver can check the integrity of the payload data by hashing the payload data, once it has been decrypted, with the same hash algorithm that the sender used. If the two hash values are identical, the recipient can be sure that the data was not modified during transmission. However, because the data is not encrypted, this ensures only the integrity of the payload data, not its confidentiality.

2. Encapsulating Security Payload (ESP)

ESP is the portion of IPSec that addresses the confidentiality of the data being transmitted and also offers authentication capabilities.
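
The AH field layout and ICV check from the Authentication header section above, as an added Python example that is not part of the original paper. It assumes HMAC-SHA1 truncated to 96 bits, a 16-bit reserved field, and an AH len counted in 32-bit words minus 2; the key, SPI and payload are constructed sample values, and the hash covers only the AH header and payload.

```python
import hashlib
import hmac
import struct

# Fixed part of AH: next hdr (8), AH len (8), reserved (16), SPI (32), sequence (32).
AH_FIXED = struct.Struct("!BBHII")
ICV_LEN = 12  # assumption: HMAC-SHA1 truncated to 96 bits


def _icv(key, fixed, payload):
    # Keyed one-way hash over the header (ICV field zeroed) and the payload.
    # Simplification: real AH also covers the immutable outer IP header fields.
    mac = hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def build_ah(key, spi, seq, next_hdr, payload):
    """Sender: prepend an AH header carrying the ICV for this payload."""
    ah_len = (AH_FIXED.size + ICV_LEN) // 4 - 2  # 32-bit words minus 2
    fixed = AH_FIXED.pack(next_hdr, ah_len, 0, spi, seq)
    return fixed + _icv(key, fixed, payload) + payload


def parse_ah(packet):
    """Split a packet into (header fields, ICV bytes, payload bytes)."""
    if len(packet) < AH_FIXED.size:
        raise ValueError("truncated AH header")
    next_hdr, ah_len, _reserved, spi, seq = AH_FIXED.unpack_from(packet)
    total = (ah_len + 2) * 4
    if total != AH_FIXED.size + ICV_LEN or len(packet) < total:
        raise ValueError("AH len does not match the negotiated ICV size")
    fields = {"next_hdr": next_hdr, "spi": spi, "seq": seq}
    return fields, packet[AH_FIXED.size:total], packet[total:]


def verify_ah(key, packet):
    """Receiver: recompute the ICV and compare it in constant time."""
    try:
        _fields, icv, payload = parse_ah(packet)
    except ValueError:
        return False
    expected = _icv(key, packet[:AH_FIXED.size], payload)
    return hmac.compare_digest(icv, expected)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key and payload
    pkt = build_ah(key, 0x1001, 1, 6, b"constructed payload")
    print(parse_ah(pkt)[0], verify_ah(key, pkt), verify_ah(key, pkt[:-1] + b"X"))
```

Because the sequence number and SPI sit inside the hashed region, changing either of them invalidates the ICV just as a payload change does.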
ESP utilizes symmetric encryption techniques to encrypt the IP packet payload. The symmetric encryption algorithms that must be supported in order to be compliant with the standard are DES, 3DES, RSA, CAST, and Blowfish. ESP does not encrypt the IP header, which includes the information required for routing. It encrypts only the packet payload, which ensures the confidentiality of the data. There are six elements which make up the ESP which include:

V. Security Associations (SA)

1. Security Associations

A key concept that appears in both the authentication and the encryption mechanisms of IPSec is the Security Association (SA). An SA is simply the bundle of algorithms and parameters used to provide authentication and confidentiality for a particular flow of traffic in one direction. Thus, in normal bi-directional traffic, the flows are secured by a pair of security associations.

In order to decide what protection is to be provided for an outgoing packet, IPSec uses the Security Parameter Index (SPI), an index into the security association database (SADB), along with the destination address in the packet header; together these uniquely identify a security association for that packet.
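
The SADB lookup by SPI and destination address, as an added Python example that is not part of the original paper. It goes one step beyond the text by also showing how the per-SA sequence number supports the anti-replay property with a sliding window; the class names, the 64-packet window, the address, SPI and key are all assumptions made for illustration.

```python
from dataclasses import dataclass

WINDOW = 64  # assumption: anti-replay window of 64 sequence numbers


@dataclass
class SA:
    """One unidirectional security association (illustrative fields only)."""
    protocol: str         # "AH" or "ESP"
    mode: str             # "transport" or "tunnel"
    key: bytes
    highest_seq: int = 0  # highest sequence number accepted so far
    seen: int = 0         # bitmap: bit i set means (highest_seq - i) was received


class SADB:
    def __init__(self):
        self._table = {}

    def add(self, spi, dst, sa):
        self._table[(spi, dst)] = sa

    def lookup(self, spi, dst):
        """The SPI plus the destination address select exactly one SA."""
        return self._table.get((spi, dst))

    def check_inbound(self, spi, dst, seq):
        """Find the SA for a received packet and apply the anti-replay check.
        A real stack advances the window only after the ICV has verified."""
        sa = self.lookup(spi, dst)
        if sa is None:
            return "drop: no SA"
        if seq == 0 or seq + WINDOW <= sa.highest_seq:
            return "drop: outside window"
        if seq > sa.highest_seq:  # new highest: slide the window forward
            sa.seen = ((sa.seen << (seq - sa.highest_seq)) | 1) & ((1 << WINDOW) - 1)
            sa.highest_seq = seq
            return "accept"
        bit = 1 << (sa.highest_seq - seq)
        if sa.seen & bit:
            return "drop: replay"
        sa.seen |= bit
        return "accept"


def demo():
    db = SADB()  # constructed SA: documentation address, made-up SPI and key
    db.add(0x1001, "203.0.113.10", SA("ESP", "tunnel", b"constructed-key"))
    return [db.check_inbound(0x1001, "203.0.113.10", s) for s in (1, 3, 2, 2, 100, 36)]
```

Out-of-order delivery (3 before 2) is accepted, while the second copy of packet 2 and a packet that has fallen behind the window are dropped.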
A similar procedure is performed for an incoming packet, where IPSec gathers decryption and verification keys from the security association database. Two types of SA are defined: transport mode and tunnel mode.

* A transport mode SA is used to provide secure communication between two hosts. In this mode only the payload of the packet is encrypted (with ESP) or authenticated (with AH), so it only provides protection for upper-layer protocols.
* A tunnel mode SA is used to provide secure communication between two gateways or between a gateway and a host. In this mode the entire IP packet is encrypted (with ESP) or authenticated (with AH).

2. Combining Security Associations

Any single SA can select AH or ESP to protect the data transmitted over an IP network, but it cannot combine the two protocols. Therefore, several SAs must be combined to achieve the required security policy. The term "security association bundle" or "SA bundle" is applied to a sequence of SAs through which traffic must be processed to satisfy a security policy. Security associations may be combined into bundles in two ways: transport adjacency and iterated tunneling.

* Transport adjacency refers to applying more than one security protocol to the same IP datagram, without invoking tunneling. This is only applicable for combining AH and ESP at the same level.
* Iterated tunneling refers to the application of multiple layers of security protocols effected through IP tunneling. This approach allows for multiple levels of nesting, since each tunnel can originate or terminate at a different IPSec site along the path.

Basic ways of combining SAs: documents about the IPSec structure list four cases of combining SAs, based on the compatibility between servers or gateways:

* Case 1: all security properties are provided between systems.
* Case 2: security is provided only between gateways, and no host implements IPSec.
* Case 3: based on case 2, but adds end-to-end security.
* Case 4: supports remote access through the Internet within the scope of firewalls, and extended access to a server or host behind the firewalls.

3. SA and key management

Key management is an important part of IPSec, concerned with identifying and distributing the secret keys. The basic requirement is four keys for communication between two applications: a receiving key and a sending key for each of AH and ESP. The IPSec structure supports two types of key management:

* Manual: each administrator manually configures their private keys together with the keys of the other communicating systems. In practice, this type of key management is used for small resources in a static environment.
* Automated: a system that allows keys to be created for SAs and is used in large distributed systems with dynamic configuration.

The default automated key management in IPSec is called ISAKMP/Oakley, with the following components:

* Oakley key identifying protocol: Oakley is a basic key exchange protocol based on the Diffie-Hellman algorithm, but with added security conditions. Oakley is a general standard; it does not have any specific format.
* Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP provides a framework for establishing SAs and cryptographic keys in an Internet environment.

VI. Building a real VPN with IPSec

1. VPN overview

A VPN (Virtual Private Network) is the expansion of a LAN by adding connections over a shared or public network such as the Internet. In other words, a VPN is a private network that uses public communication infrastructure but still maintains privacy by using a tunneling protocol and security procedures. A VPN can be used to establish a connection between a computer and a private network or between 2 private networks.

2. IPSec in VPN

In IPSec, ESP is the only way to provide encryption, but ESP and AH can both provide authentication, so what is the most efficient way to combine the two? The traditional solution of wrapping ESP inside AH is technically possible, but because of the limitations of AH with NAT (Network Address Translation), combining AH and ESP in this way makes the tunnel fail to work with devices that use NAT.

Instead, ESP with authentication is used in tunnel mode to fully encapsulate the traffic on its way across an untrusted network, protected by both encryption and authentication at the same time.

What is especially nice about this way of implementing a VPN is that the VPN and other security measures are almost invisible to the end-user hosts. Because a VPN is carried out by a gateway device which treats the VPN as yet another interface, traffic destined for the other end is routed normally.

VII. Future Research

This paper provides only an overview of IPSec and does not focus on the security components of IPSec, such as the encryption algorithms and the details of the SA mechanisms. In future research I will therefore spend more time on those issues.

VIII. Conclusion

After covering most of the components of the IPSec structure, it can be seen clearly that IPSec is a strong security protocol; it can provide both encryption and authentication. It also uses various encryption and authentication algorithms, such as Triple-DES, 128-bit RC4 and AES (for encryption), and MD5 or SHA-1 (for authentication).

However, IPSec still has security issues: when an authorized IPSec user accesses the network, they can also access unauthorized resources. Moreover, the ease with which data files are uploaded and downloaded creates the threat of virus infection.

IX. References

1. www.wikipedia.org
2. http://tools.ietf.org/html/rfc2401#section-4.4.3