The IPSEC Protocol Suite Computer Science Essay

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Internet Protocol Security (IPSec) is a set of security protocols used to transfer IP packets on the Internet. In the earlier days of the Internet, security approaches inserted security at the application layer of the communications model. IPSec is used to protect data flows between two hosts or between a gateway and a host. IPSec offers an open standard for building security into any Internet application. IPSec is especially useful for implementing virtual private networks (VPNs) and for remote user access through dial-up connections to private networks. IPSec is mandatory for all IPv6 implementations and optional for IPv4. Cisco is a leader in implementing IPSec as a standard [1, 2].

IPSec offers the following security services:

Data privacy (encryption)

Data authentication (strong authentication)

Access control

Connectionless integrity

Data origin authentication

Replay protection

Limited traffic flow confidentiality

End-to-end security for IP packets

Security tunnelling (VPN functionality)

Security architecture

The IPSec suite is an open standard. IPSec uses the following protocols to perform various functions:

Internet Key Exchange (IKE and IKEv2) sets up a security association (SA) by handling the negotiation of protocols and algorithms and by generating the encryption and authentication keys to be used by IPSec.[4]

Authentication Header (AH) to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replay attacks.[2][3]

Encapsulating Security Payload (ESP) to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality.[1]

Reference:

1 http://tools.ietf.org/html/rfc2406 14 Oct 2010

2 http://tools.ietf.org/html/rfc4308

3 http://tools.ietf.org/html/rfc4302

4 http://tools.ietf.org/html/rfc2409

Implementing IPSec:-

There are several ways to implement IPSec in a host or in conjunction with a router or firewall:

• Integrate IPSec into the native IP implementation: This approach is best and it requires rewriting the native IP implementation to include support for IPSec.

• "Bump-in-the-stack" (BITS): IPSec is implemented beneath the IP stack and above the local network drivers. The IPSec implementation monitors IP traffic as it is sent or received over the local link.

• "Bump-in-the-wire" (BITW): Implement IPSec in a hardware cryptographic processor. It gets its own IP address when used for individual hosts; when the same processor provides IPSec services to a router or firewall, it must behave as a security gateway.

Ref

October 10, 2010

Prentice Hall - IPSec (Second Edition).pdf

http://itmanagement.earthweb.com/secu/article.php/11076_615921_4/Securing-the-Internet-with-IPsec-Internet-Security-Architecture.htm

IPSEC

Contributed by Administrator

Wednesday, 07 July 2004

Last Updated Thursday, 09 February 2006

Basic IPsec Operation in Cisco Routers

We now know enough to be dangerous. Let's look at the sequence of steps for IPsec operation in Cisco routers.

1) Interesting traffic initiates IPsec

2) IKE Phase 1: set up IKE SA

3) IKE Phase 2: set up IPsec SA

4) Data transfer

5) IPsec terminates

Step 1: Interesting traffic initiates IPsec. What this means in practical terms: it takes some interesting traffic to get the router to try to do IPsec. This is good, since you don't want idle routers maintaining a Security Association (SA) -- that takes work!

Step 2: IKE Phase 1: set up IKE SA. For routers to get started doing IPsec, they first need to negotiate and agree on how to do IKE. There are several choices, and they have to agree on something or Step 2 fails. This roughly corresponds to agreeing on how secure the devices are going to be about how they exchange keys. Part of IKE is mutual authentication, and there are several choices for this: pre-shared key, encrypted RSA nonces, RSA or DSS signatures, Certificate Authority (CA). For now, please content yourself with recognizing that these names all represent authentication techniques, in order of increasing security. We may look at them a little more in a subsequent article.

Step 3: IKE Phase 2: set up IPsec SA. Once the IPsec devices form the IKE SA, they negotiate an IPsec SA. As we'll see (below), there are several IPsec choices the devices need to agree upon. And while they're at it, they also need to come up with a shared DES or 3DES key.

Step 4: Data transfer. Once all this work is done, data can flow. Interesting traffic matching the access list (Step 1) gets encrypted. By the way, the access list also tells the router what traffic to decrypt. Practical tip: if your access list is sloppy, or if it encompasses too many packets, you may find that traffic is getting encrypted unnecessarily, or as part of an SA different than you expected. If a router decrypts such traffic using a different SA (and probably DES or 3DES key), then the resulting IP datagram may well be garbage. The router discards garbage. The best thing to do is to be precise about which hosts or subnets are on each end (senders and receivers). If you don't know which subnets are where, this is rather hopeless. If you have a well-thought out addressing scheme and network design, particularly one using summarizable blocks of subnets for routing, then you'll find the access list much, much easier to write! Another tip: since encryption should be thought of as costly, not encrypting traffic that doesn't require encryption is a Best Practice.

Step 5: IPsec terminates. IPsec terminates because of SA lifetime timeout, or because the SA lifetime packet byte counter was exceeded. The idea here is that if your TCP connection is done, there's no point to maintaining IPsec state. Lifetime and packet byte count matter because all codes can be cracked, the key question (pun intended) is how long it takes to crack them. Expiring the IPsec SA after an amount of time forces the formation of a new IPsec SA, hence a new key. Expiring early renders the encryption less likely to be cracked, but also means the IPsec device will need to re-key more often: more work. Spy novel fans also know the general cipher principle, the more coded text you have, the faster you can crack the key. So rekeying after a certain number of bytes have been sent is desirable. The Cisco IOS defaults are considered "reasonable", and if you don't like them you can configure your own settings, consistently across devices (since time and byte lifetimes are part of the SA that has to be negotiated). Note that a new SA is negotiated before the old one expires, to make sure it is available when needed.

Reference :-

http://www.netcraftsmen.net/resources/archived-articles/446.html

IPsec (Internet Protocol Security) is a framework for a set of protocols for security at the network or packet processing layer of network communication. Earlier security approaches have inserted security at the application layer of the communications model. IPsec is said to be especially useful for implementing virtual private networks and for remote user access through dial-up connection to private networks. A big advantage of IPsec is that security arrangements can be handled without requiring changes to individual user computers. Cisco has been a leader in proposing IPsec as a standard (or combination of standards and technologies) and has included support for it in its network routers.

IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data as well. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP/Oakley protocol.

Reference:-

http://searchmidmarketsecurity.techtarget.com/sDefinition/0,,sid198_gci214037,00.html

IPsec Example

by Priscilla Oppenheimer

This example annotates the configuration of two Cisco routers configured to send encrypted traffic across an IPsec tunnel. Following the annotations are some explanations of Cisco show commands that are useful when troubleshooting IPsec. The two routers are connected via Frame Relay. Each router also has a Fast Ethernet interface where end nodes reside, as shown in the following figure. The end nodes' traffic will be encrypted when traversing the IPsec tunnel.

R1 Annotated Configuration

R1's configuration is shown below. Annotations start with !---- and are in blue.

R1#show run

Building configuration...

Current configuration : 1907 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

no aaa new-model

!

ip cef

!

!---- The IPsec configuration starts with configuring the Internet Security Association and Key Management Protocol (ISAKMP). ISAKMP is a framework for authentication and key exchange. Cisco uses Internet Key Exchange (IKE) which is derived from ISAKMP. IKE establishes a shared security policy and authenticated keys for IPsec to use.

First we create Policy 1. Then we say that we'll use MD5 to hash the IKE exchange, though we could use SHA (the Cisco default). We'll use DES to encrypt IKE, though we could use AES. (Because DES is the default it doesn't show in the configuration.)

We could use a Certificate Authority (CA) for authentication, but for our example we will manually enter a pre-shared key into each router. We will use "MyKey" for the key.

We also provide the address of our peer, 10.102.0.2. ----!

crypto isakmp policy 1

 hash md5

 authentication pre-share

crypto isakmp key MyKey address 10.102.0.2

!

!---- Next, we create an IPsec transform set that we call MySet. We specify the authentication protocol for the IPsec Authentication Header (AH) and we specify the encryption protocol for the IPsec Encapsulating Security Payload (ESP). These don't have to be the same protocols that IKE uses. In fact, we'll use SHA for authentication and AES-256 for encryption. ----!

crypto ipsec transform-set MySet ah-sha-hmac esp-aes 256

!

!---- You can't expect Cisco to make anything easy! So next we create a crypto map, called MyMap, with sequence number 1. (A crypto map can be a collection of entries, each with a different sequence number, though we'll just use one entry.) The ipsec-isakmp argument tells the router that this map is an IPsec map. We tell the router about its peer (10.102.0.2) yet again and we set the security-association (SA) lifetime.

We will use 190 seconds for the SA lifetime because Cisco examples use 190. It seems too short but there's a tradeoff. If you make it too long you risk attackers being more successful. If you make it too short, the routers have to do more work to renegotiate the SA more often. The default is based on a global command that affects all maps and is 3600 seconds (one hour).

Our crypto map points to our MySet transform set. It also references access-list 101, which is later in the configuration and specifies which traffic will be encrypted. ----!

crypto map MyMap 1 ipsec-isakmp 

 set peer 10.102.0.2

 set security-association lifetime seconds 190

 set transform-set MySet 

 match address 101

!

interface FastEthernet0/0

 ip address 10.1.0.1 255.255.0.0

!

interface Serial1/0

 no ip address

 encapsulation frame-relay

 serial restart-delay 0

!

!---- Here we apply our crypto map to the interface that will be sending the encrypted traffic. The interface is a Frame Relay sub-interface with DLCI 102 that connects to our peer at the other end. Our address is 10.102.0.1. (Our peer is 10.102.0.2 as we've already seen.) ----!

interface Serial1/0.102 point-to-point

 ip address 10.102.0.1 255.255.0.0

 frame-relay interface-dlci 102   

 crypto map MyMap

!

router ospf 100

 log-adjacency-changes

 network 10.0.0.0 0.255.255.255 area 0

!

no ip http server

no ip http secure-server

!

!---- Access list 101 specifies which traffic will use IPsec. Note that access-list 101 is referenced in the crypto map statement for MyMap above. ----!

access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

!

line con 0

 logging synchronous

 stopbits 1

line aux 0

 stopbits 1

line vty 0 4

 login

!

end

R1#    

R2 Annotated Configuration

R2's configuration is shown below. Annotations start with !---- and are in blue. Notice that R2 needs fewer annotations. It needs to match R1 so they will act like nice peers and not fight with each other.

R2#show run

Building configuration...

Current configuration : 1894 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

no aaa new-model

!

ip cef

!

!---- Here we configure ISAKMP (IKE) as we did on R1. Note that for R2, we use 10.102.0.1 (R1) for our peer. ----!

crypto isakmp policy 1

 hash md5

 authentication pre-share

crypto isakmp key MyKey address 10.102.0.1

!

!---- Next, we create an IPsec transform like we did on R1.  ----!

crypto ipsec transform-set MySet ah-sha-hmac esp-aes 256 

!

!---- Here's our map that points to our peer (R1) and references access list 101.  ----!

crypto map MyMap 1 ipsec-isakmp 

 set peer 10.102.0.1

 set security-association lifetime seconds 190

 set transform-set MySet 

 match address 101

!

interface FastEthernet0/0

 ip address 10.2.0.1 255.255.0.0

!

interface Serial1/0

 no ip address

 encapsulation frame-relay

 serial restart-delay 0

 frame-relay lmi-type ansi

!

!---- Add the crypto map to the interface that connects back to R1.  ----!

interface Serial1/0.201 point-to-point

 ip address 10.102.0.2 255.255.0.0

 frame-relay interface-dlci 201   

 crypto map MyMap

!

router ospf 100

 log-adjacency-changes

 network 10.0.0.0 0.255.255.255 area 0

!

no ip http server

no ip http secure-server

!

!---- As we did on R1, we define an access list to specify which traffic will use IPsec. The access-list is referenced in the crypto map statement for MyMap above. ----!

access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

!

line con 0

 logging synchronous

 stopbits 1

line aux 0

 stopbits 1

line vty 0 4

 login

!

!

end

R2#  
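
The Step 4 tip about precise access lists can be checked mechanically against access-list 101 as configured on R1 and R2 above. The Python below is an added example, not part of the original article or of Cisco's tooling; the function names, the finding labels and the tightened 10.1.0.0/16 and 10.2.0.0/16 lists (derived from the two routers' FastEthernet subnets) are assumptions made for illustration.

```python
import ipaddress
import re

# Only the form used on this page is parsed:
#   access-list <n> permit ip <addr> <wildcard> <addr> <wildcard>
ACL_RE = re.compile(
    r"^access-list[ \t]+(\d+)[ \t]+permit[ \t]+ip[ \t]+"
    r"(\S+)[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\S+)[ \t]*$", re.M)

# access-list 101 exactly as it appears in both router configurations.
R1_PAGE = "access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255\n"
R2_PAGE = "access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255\n"

# Constructed alternative: protect only LAN-to-LAN traffic
# (R1 LAN 10.1.0.0/16, R2 LAN 10.2.0.0/16), mirrored on each side.
R1_TIGHT = "access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255\n"
R2_TIGHT = "access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255\n"


def to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair to an IPv4Network.

    A wildcard mask is the bitwise inverse of a netmask. Non-contiguous
    wildcards raise ValueError, which is the desired behaviour here.
    """
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    netmask = ipaddress.IPv4Address(inverted)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def crypto_selectors(config, acl_number):
    """Return [(source_net, dest_net), ...] for one numbered access list."""
    return [(to_network(m[2], m[3]), to_network(m[4], m[5]))
            for m in ACL_RE.finditer(config) if int(m[1]) == acl_number]


def review(local_cfg, remote_cfg, acl_number, local_peer, remote_peer):
    """Return a list of finding labels for the local router's crypto ACL."""
    findings = []
    local = crypto_selectors(local_cfg, acl_number)
    remote = crypto_selectors(remote_cfg, acl_number)

    # Each peer should protect exactly the reverse of what the other protects,
    # otherwise the two ends disagree on which traffic belongs to the SA.
    if {(dst, src) for src, dst in local} != set(remote):
        findings.append("not-mirrored")

    a = ipaddress.IPv4Address(local_peer)
    b = ipaddress.IPv4Address(remote_peer)
    for src, dst in local:
        # Overlapping source and destination means the entry does not say
        # which hosts are on which end of the tunnel.
        if src.overlaps(dst):
            findings.append("src-dst-overlap")
        # Traffic between the tunnel endpoints themselves also matches.
        if a in src and b in dst:
            findings.append("covers-tunnel-endpoints")
    return findings


if __name__ == "__main__":
    print(review(R1_PAGE, R2_PAGE, 101, "10.102.0.1", "10.102.0.2"))
    print(review(R1_TIGHT, R2_TIGHT, 101, "10.102.0.1", "10.102.0.2"))
```
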

R2 Show Commands

Once you have configured the router peers, a variety of show commands will help you verify that the security associations are live and the traffic is being encrypted.

!---- The show crypto session command lets us verify that the IKE session is active. Notice that we're talking to our peer via UDP port 500, the port for IKE. ----!

R2#show crypto session

Crypto session current status

Interface: Serial1/0.201

Session status: UP-ACTIVE     

Peer: 10.102.0.1 port 500 

  IKE SA: local 10.102.0.2/500 remote 10.102.0.1/500 Active 

  IPSEC FLOW: permit ip 10.0.0.0/255.0.0.0 10.0.0.0/255.0.0.0 

        Active SAs: 4, origin: crypto map

!---- The show crypto isakmp policy command tells us more than we ever wanted to know about our IKE session. ----!

R2#show crypto isakmp policy

Global IKE policy

Protection suite of priority 1

        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).

        hash algorithm:         Message Digest 5

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #1 (768 bit)

        lifetime:               86400 seconds, no volume limit

Default protection suite

        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).

        hash algorithm:         Secure Hash Standard

        authentication method:  Rivest-Shamir-Adleman Signature

        Diffie-Hellman group:   #1 (768 bit)

        lifetime:               86400 seconds, no volume limit

!---- The show crypto map verifies our IPsec status. We aren't using Perfect Forward Secrecy (PFS) as we don't need that extra protection from evil-doers. ----!

R2#show crypto map 

Crypto Map "MyMap" 1 ipsec-isakmp

        Peer = 10.102.0.1

        Extended IP access list 101

            access-list 101 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

        Current peer: 10.102.0.1

        Security association lifetime: 4608000 kilobytes/190 seconds

        PFS (Y/N): N

        Transform sets={ 

                MySet, 

        }

        Interfaces using crypto map MyMap:

                Serial1/0.201

!---- The show crypto ipsec transform-set verifies our IPsec status and shows that we're using tunnel mode (rather than transport mode). Tunnel mode is appropriate for a router-to-router configuration as opposed to an end node talking to another end node. ----!

R2#show crypto ipsec transform-set

Transform set MySet: { ah-sha-hmac  } 

   will negotiate = { Tunnel,  }, 

   { esp-256-aes  } 

   will negotiate = { Tunnel,  },

!---- The show crypto ipsec sa command shows identity information and packet counts and then displays information about all our security associations (SAs). Notice that there's an inbound SA and an outbound SA for both authentication (AH) and encryption (ESP). The inbound and outbound Payload Compression Protocol (PCP) SAs aren't active, but the others are. They became active because a PC connected to R1's Fast Ethernet interface pinged a PC connected to R2's Fast Ethernet interface. Each SA is identified by a unique security parameter index (SPI). ----!

R2#show crypto ipsec sa                

interface: Serial1/0.201

    Crypto map tag: MyMap, local addr 10.102.0.2

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

   current_peer 10.102.0.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13

    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 2, #recv errors 0

     local crypto endpt.: 10.102.0.2, remote crypto endpt.: 10.102.0.1

     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/0.201

     current outbound spi: 0x8590D11F(2240860447)

     inbound esp sas:

      spi: 0xFDC7B87B(4257724539)

        transform: esp-256-aes ,

        in use settings ={Tunnel, }

        conn id: 2004, flow_id: SW:4, crypto map: MyMap

        sa timing: remaining key lifetime (k/sec): (4565647/146)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

      spi: 0x11B79D1C(297245980)

        transform: ah-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2004, flow_id: SW:4, crypto map: MyMap

        sa timing: remaining key lifetime (k/sec): (4565647/140)

        replay detection support: Y

        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:

      spi: 0x8590D11F(2240860447)

        transform: esp-256-aes ,

        in use settings ={Tunnel, }

        conn id: 2003, flow_id: SW:3, crypto map: MyMap

        sa timing: remaining key lifetime (k/sec): (4565647/134)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

      spi: 0xECA2A6B8(3970082488)

        transform: ah-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2003, flow_id: SW:3, crypto map: MyMap

        sa timing: remaining key lifetime (k/sec): (4565647/132)

        replay detection support: Y

        Status: ACTIVE

     outbound pcp sas:

reference:-

http://www.priscilla.com/ipsecexample.htm

Best Practices for Implementing IPSec

A few recommendations for implementing IPSec, as defined by Microsoft, are listed here:

Before you can implement any security measures and IPSec security policies to secure your network and mission critical data, you need to plan your IPSec implementation and configuration.

You should develop a test lab and use it to test the implementation of your IPSec policies before you implement any policies in your production network environment. Remember that some features of IPSec are not supported in all versions of the Windows operating systems. Windows Server 2003, though, does support all the features of IPSec, and it also includes IPSec-specific enhancements.

Because pre-shared keys are considered the least secure supported authentication method, you should only use pre-shared keys when you cannot use digital certificates or the Kerberos v5 authentication protocol. Pre-shared keys should really only be used in testing environments.

You should refrain from using the Kerberos v5 authentication protocol for computers which are connected to the Internet. This is primarily because the identity of the computer remains unencrypted up to the point that the whole payload is encrypted.

You should use digital certificates as the authentication method for computers which are connected to the Internet. When sending the certificate request, do not however transmit the name of the Certification Authority (CA) together with the request.

For all computers which are connected to the Internet, only allow secured connections and communication to occur. You should ensure that the following options are disabled:

Allow Unsecured Communication With Non-IPSec Aware Computers

Accept Unsecured Communication, But Always Respond Using IPSec

Diffie-Hellman key agreement enables two computers to create a shared private key that authenticates data and encrypts an IP datagram. IPSec in Windows Server 2003 includes support for the Group 3 2048-bit Diffie-Hellman key exchange which is much stronger and more complex than the previous Group 2 1024-bit Diffie-Hellman key exchange. If you need backward compatibility with Windows 2000 and Windows XP, then you have to use the Group 2 1024-bit Diffie-Hellman key exchange. You should though never use Group 1 768-bit Diffie-Hellman key exchange because it offers the lowest keying strength.

If you are running Windows XP and Windows Server 2003 computers, use the Triple Data Encryption Standard (3DES) encryption algorithm, which provides the strongest encryption algorithm. When you use 3DES, data is encrypted with one key, decrypted with another key, and encrypted again with a different key. If you are running Windows 2000 computers, install the High Encryption Pack or Service Pack 2 so that 3DES can be used.

The Windows Server 2003 IPSec Policy Management MMC snap-in should be used to manage IPSec policies. If you are planning a Windows Server 2003 IPSec implementation, then you have to use the Windows Server 2003 IPSec Policy Management MMC snap-in if you want to use the latest IPSec features.
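
The recommendations above on pre-shared keys, Diffie-Hellman groups and encryption strength can be applied directly to the show crypto isakmp policy output captured from R2 earlier on this page. The Python below is an added example, not code from any of the original sources; the function names and finding labels are assumptions, and the MD5 check is an addition that goes beyond the listed recommendations.

```python
import re

# Sample input: the `show crypto isakmp policy` output from R2 on this page.
SAMPLE = """\
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""


def parse_suites(text):
    """Split the output into {suite name: {field: value}}."""
    suites, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"Protection suite of priority (\d+)", line)
        if m:
            current = suites.setdefault(f"priority {m.group(1)}", {})
        elif line == "Default protection suite":
            current = suites.setdefault("default", {})
        elif current is not None and ":" in line:
            field, value = line.split(":", 1)
            current[field.strip()] = value.strip()
    return suites


def audit_suite(fields):
    """Return finding labels for one protection suite."""
    findings = []
    # The best practices above prefer 3DES; this suite uses single DES.
    if fields.get("encryption algorithm", "").startswith("DES "):
        findings.append("single-des")
    # Added check, not in the list above: MD5 is deprecated as an IKE hash.
    if "Message Digest 5" in fields.get("hash algorithm", ""):
        findings.append("md5-hash")
    # Pre-shared keys are described above as the least secure method.
    if fields.get("authentication method") == "Pre-Shared Key":
        findings.append("pre-shared-key")
    # Group 1 (768-bit) is the group the list above says never to use.
    dh = re.match(r"#(\d+) \((\d+) bit\)", fields.get("Diffie-Hellman group", ""))
    if dh and int(dh.group(2)) < 1024:
        findings.append("dh-below-1024")
    return findings


def audit(text):
    """Audit every protection suite found in the command output."""
    return {name: audit_suite(f) for name, f in parse_suites(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```
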
