Chapter 19 IP SECURITY
o IP Security Overview
· Applications of IPsec
· Benefits of IPsec
· Routing Applications
· IPsec Documents
· IPsec Services
· Transport and Tunnel Modes
o IP Security Policy
· Security Associations
· Security Association Database
· Security Policy Database
· IP Traffic Processing
o Encapsulating Security Payload
· ESP Format
· Encryption and Authentication Algorithms
· Padding
· Anti-Replay Service
· Transport and Tunnel Modes
o Combining Security Associations
· Authentication Plus Confidentiality
· Basic Combinations of Security Associations
o Internet Key Exchange
· Key Determination Protocol
· Header and Payload Formats
o Cryptographic Suites
◆ IP security (IPsec) is a capability that can be added to either current version of the Internet Protocol (IPv4 or IPv6) by means of additional headers.
◆ IPsec encompasses three functional areas: authentication, confidentiality, and key management.
◆ Authentication makes use of the HMAC message authentication code. Authentication can be applied to the entire original IP packet (tunnel mode) or to all of the packet except for the IP header (transport mode).
◆ Confidentiality is provided by an encryption format known as encapsulating security payload. Both tunnel and transport modes can be accommodated.
◆ IKE defines a number of techniques for key management.
There are application-specific security mechanisms for a number of application areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access (Secure Sockets Layer), and others. However, users have security concerns that cut across protocol layers. For example, an enterprise can run a secure, private IP network by disallowing links to untrusted sites, encrypting packets that leave the premises, and authenticating packets that enter the premises. By implementing security at the IP level, an organization can ensure secure networking not only for applications that have security mechanisms but also for the many security-ignorant applications.
IP-level security encompasses three functional areas: authentication, confidentiality, and key management. The authentication mechanism assures that a received packet was, in fact, transmitted by the party identified as the source in the packet header. In addition, this mechanism assures that the packet has not been altered in transit. The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties. The key management facility is concerned with the secure exchange of keys.
We begin this chapter with an overview of IP security (IPsec) and an introduction to the IPsec architecture. We then look at each of the three functional areas in detail. Appendix L reviews Internet protocols.
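The difference in authentication coverage between transport and tunnel mode, as an added example that is not from the original text: a simplified model showing that a change to the original IP header fails the HMAC check only in tunnel mode, while a change to the upper-layer data fails it in both. Assumptions: no encryption, padding or real IP header parsing; the key, the header and data strings, and the choice of HMAC-SHA-256 truncated to 128 bits are constructed for the illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"                        # constructed sample key
ORIG_IP_HDR = b"IPHDR src=10.0.0.1 dst=10.0.0.2|"    # constructed stand-in for an IP header
UPPER = b"TCP segment: hello"                        # constructed upper-layer data
ICV_LEN = 16                                         # HMAC-SHA-256 truncated to 128 bits (assumption)

def icv(covered: bytes) -> bytes:
    """Integrity check value: truncated HMAC over the covered bytes."""
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]

def protect(mode: str, spi: int = 0x1000, seq: int = 1) -> dict:
    """Build a simplified authenticated packet for the given mode."""
    esp_hdr = struct.pack("!II", spi, seq)           # SPI + sequence number
    if mode == "transport":
        outer, body = ORIG_IP_HDR, UPPER             # original header stays outside the HMAC
    elif mode == "tunnel":
        outer, body = b"NEW OUTER IP HDR|", ORIG_IP_HDR + UPPER  # whole original packet inside
    else:
        raise ValueError(f"unknown mode: {mode}")
    return {"outer": outer, "esp": esp_hdr, "body": body, "icv": icv(esp_hdr + body)}

def verify(pkt: dict) -> bool:
    """Receiver side: recompute the HMAC and compare in constant time."""
    return hmac.compare_digest(pkt["icv"], icv(pkt["esp"] + pkt["body"]))

def flip(data: bytes, index: int) -> bytes:
    """Return a copy of data with one bit changed at the given byte index."""
    changed = bytearray(data)
    changed[index] ^= 0x01
    return bytes(changed)

def original_header_change_detected(mode: str) -> bool:
    """Alter the ORIGINAL IP header in transit; True if the integrity check fails."""
    pkt = protect(mode)
    field = "outer" if mode == "transport" else "body"   # where the original header sits
    pkt[field] = flip(pkt[field], 0)
    return not verify(pkt)

def upper_layer_change_detected(mode: str) -> bool:
    """Alter the last byte of the upper-layer data; True if the integrity check fails."""
    pkt = protect(mode)
    pkt["body"] = flip(pkt["body"], -1)
    return not verify(pkt)
```
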