- Forward


IPsec
An Introduction


Prof. David Bernstein
James Madison University

Computer Science Department
bernstdh@jmu.edu

Print

Overview
Back SMYC Forward
  • General Objective:
    • Security of IP datagrams
  • Specific Objectives:
    • Origin authentication
    • Connectionless data integrity and authentication
    • Content confidentiality
    • Replay protection
    • Limited traffic flow confidentiality
Overview (cont.)
Back SMYC Forward
  • History:
    • Working group created in 1992
    • Architecture revised in 1998
  • Acronyms:
    • Authentication Header (AH)
    • Encapsulating Security Payload (ESP)
    • Internet Key Exchange (IKE)
    • Security Association Databse (SAD)
    • Security Parameter Index (SPI)
Security Associations
Back SMYC Forward
  • Purpose:
    • Associate security services and keys with the traffic to be protected
  • Details:
    • SPI is used to retrieve SA parameters from a SAD
    • Simplex Communciation (i.e., need two SAs for bidirectional communication)
Security
Back SMYC Forward
  • Encapsulating Security Payload:
    • Authentication of origin
    • Integrity
    • Replay Protection
    • Confidentiality
  • Authentication Header:
    • Authentication of origin
    • Integrity
    • Replay Protection
AH Modes
Back SMYC Forward
  • Transport Mode:
    • Authenticates IP payload and selected portions of the IP header
  • Tunnel Mode:
    • Authenticates entire inner IP packet (i.e., header and payload) and selected portions of the outer IP header
ESP Modes
Back SMYC Forward
  • Transport Mode:
    • Encrypts IP payload
  • Tunnel Mode:
    • Encrypts entire inner IP packet
Keying Approaches
Back SMYC Forward
  • Host-Oriented:
    • All users on a host share the same key
  • User-Oriented:
    • Each user has a unique key
  • Session-Oriented:
    • Each session (defined by an IP address, protocol and port) has a unique key
Overview of the ESP Process
Back SMYC Forward
  • Outbound:
    1. Insert ESP header
    2. Encrypt payload
    3. Authenticate
  • Inbound:
    1. Check for SA (drop if invalid)
    2. Check sequence number (drop if invalid)
    3. Authenticate
    4. Decrypt payload
There's Always More to Learn
Back -