Wednesday, April 20, 2011

IPSec, IKE, ESP, Tunnel, Cryptography

what is ipsec?
IETF standard that employs cryptographic mechanisms at the network layer:

authentication of every ip packet
verification of data integrity for each packet
confidentiality of packet payload

ipsec acts at the network layer, protecting and authenticating ip packets b/w ipsec devices (peers)

IPsec is the only standard layer 3 technology that provides:
confidentiality
data integrity
authentication
replay detection (by comparing sequence number of received packet and a sliding window on destination host)
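The replay-detection bullet above describes the receiver's sliding window in one line. The following is an added example (not code from the original post) that implements that window the way ESP/AH receivers do it: the highest accepted sequence number plus a bitmap of which recent numbers were already seen. Packet sequence numbers and the window size are constructed for the demo.

```python
# Added example: ESP/AH anti-replay sliding window (the scheme described in
# RFC 4303 section 3.4.3). Window size and the packet stream are constructed.

class AntiReplayWindow:
    """Sliding window over 32-bit ESP/AH sequence numbers.

    The receiver remembers the highest sequence number accepted so far and a
    bitmap of which of the last `size` numbers have already been received.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence number (highest - i) already seen

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window.

        A real receiver runs this only after the packet's integrity check (ICV)
        has passed, so forged packets cannot advance the window.
        """
        if seq == 0:
            return False                      # sequence number 0 is never valid in ESP/AH
        if seq > self.highest:
            # new highest: slide the window to the right and mark seq as seen
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1               # window moved entirely past the old contents
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # too old: left of the window, reject
        if self.bitmap & (1 << offset):
            return False                      # duplicate: already received, reject as replay
        self.bitmap |= 1 << offset            # late but new packet inside the window
        return True


def run_sample():
    """Feed a constructed packet stream and return the accept/reject decisions."""
    w = AntiReplayWindow(size=8)
    # constructed stream: in-order packets, a replayed 2, a jump to 10,
    # a late-but-new 7, a stale 1 that fell off the window, then 11
    seqs = [1, 2, 3, 2, 10, 7, 1, 11]
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    print(run_sample())
```

The window is what makes replay detection cheap: a captured packet resent later is rejected either because its bit is already set or because it is older than the window, and the receiver never needs to store full packets.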

IPsec includes a protocol for exchanging keys, Internet Key Exchange (IKE), and two IPsec IP protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH)

IPsec uses 3 main protocols to create a security framework:
IKE
provides framework for negotiation of security parameters
establishment of authenticated keys
ESP
encryption, authentication and integrity check
AH
provides authentication and integrity check on packets

IPsec header
original frame      L2 - IP - L4 payload
transport mode    L2 - IP - ESP/AH - L4 payload
tunnel mode        L2 - New IP - ESP/AH - IP - L4 payload

IPsec provides
authentication and data integrity (md5 or sha-1 hmac) with AH and ESP
confidentiality (des, 3des, or aes) only with ESP

Authentication - packet was definitely sent by apparent sender
Integrity - packet was not changed

IKE
solves the problem of manual and unscalable implementation of ipsec by automating the entire key exchange process:
negotiation of SA characteristics
automatic key generation
automatic key refresh
manageable manual configuration

IKE uses a mathematical routine called the Diffie-Hellman exchange to generate symmetrical keys to be used by two IPsec peers, and manages negotiation of other security parameters

SA - an agreement b/w two peers engaging in an ipsec exchange; consists of the required parameters necessary to establish successful communication:

Oakley: a key exchange protocol that defines how to acquire authenticated keying material. the diffie-hellman key exchange algorithm is the basic mechanism for oakley

ISAKMP: protocol framework that defines the mechanics of implementing a key exchange protocol and negotiation of security policy

SKEME: a key exchange protocol that defines how to derive authenticated keying material with rapid key refreshment

IKE automatically negotiates IPsec SAs and enables IPsec secure communication w/o costly manual preconfiguration
IKE features:
eliminates the need to manually specify all ipsec security parameters at both peers
allows specification of a lifetime for the ipsec sa
allows the encryption key to change during an ipsec session
allows ipsec to provide anti-replay service
CA support
allows dynamic authentication of peers

IKE phases
phase 1
authenticate peer
negotiate a bidirectional SA
main mode or aggressive mode
phase 1.5
xauth
mode config
phase 2
ipsec sa (negotiated by the IKE process (ISAKMP) on behalf of ipsec, which needs key material for operation)
quick mode
*the two peers already agreed upon transform set, hash method, and other parameters during phase 1 negotiation

main mode
1st exchange - establish basic security policy (select proposal)
2nd exchange - pass DH pub key and other data.
all further negotiation is encrypted within the IKE SA
3rd exchange - authenticate ISAKMP session

quick mode
negotiation is protected within IKE SA
similar to aggressive mode
negotiate SA for data encryption and manages key exchange for IPsec SA

IKE- other function
dead peer detection
nat traversal (encrypt ipsec packet in udp packet)
mode config (push config) and xauth (user authentication)

DH key agreement is a public key encryption method that provides a way for 2 peers to establish a shared secret key that only they know, although they are communicating over an insecure channel

public key - exchanged bw end users
private key - kept secret by original owner

the DH public key algorithm states that if user A and user B exchange public keys and a calculation is performed on their individual private key and on the public key of the other peer, the end result of the process is an identical shared key.
shared key is used to encrypt and decrypt data

security is not an issue with DH key exchange. although someone may know a user's public key, the shared secret cannot be generated because the private key never becomes public knowledge
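The two DH paragraphs above can be checked end to end. This is an added example, not code from the original post: both peers generate a private/public pair, swap only the public values, and each computes the same shared secret, which is then hashed together with nonces into key material (a simplified stand-in for how IKE feeds the DH result and nonces into its SKEYID derivation). The prime and generator are constructed toy parameters; real IKE group 2 uses the 1024-bit MODP prime from RFC 2409, which is not reproduced here.

```python
import hashlib
import secrets

# Constructed toy group for the demo (NOT the IKE group 2 parameters).
P = 2**61 - 1        # a Mersenne prime, small enough to read
G = 7                # generator for the demo; real groups fix a generator of large order


def generate_keypair(p=P, g=G):
    """Private key: random exponent that never leaves the host.
    Public key: g^private mod p, which is what gets sent to the peer."""
    private = secrets.randbelow(p - 2) + 1
    public = pow(g, private, p)
    return private, public


def shared_secret(own_private, peer_public, p=P):
    """peer_public^own_private mod p. Both sides reach g^(a*b) mod p."""
    return pow(peer_public, own_private, p)


def derive_key(secret, nonce_i, nonce_r):
    """Hash the raw DH result with both nonces to get fixed-size key material
    (simplified version of the IKE idea of PRF(secret, Ni | Nr))."""
    return hashlib.sha256(secret.to_bytes(8, "big") + nonce_i + nonce_r).digest()


def demo_exchange():
    """Run one full exchange and return (key_a, key_b) so they can be compared."""
    a_priv, a_pub = generate_keypair()
    b_priv, b_pub = generate_keypair()
    # Only a_pub and b_pub travel over the insecure channel; the private
    # exponents stay local, so an observer sees g^a and g^b but not a or b.
    ni, nr = b"nonce-initiator", b"nonce-responder"   # constructed nonces
    key_a = derive_key(shared_secret(a_priv, b_pub), ni, nr)
    key_b = derive_key(shared_secret(b_priv, a_pub), ni, nr)
    return key_a, key_b


if __name__ == "__main__":
    ka, kb = demo_exchange()
    print("peers agree:", ka == kb, ka.hex())
```

Note the point the text makes about authentication: the DH exchange alone only guarantees that the two parties who exchanged public values share a key; IKE phase 1 additionally authenticates the peer (pre-shared key, RSA signature or certificate) so the public value is known to come from the intended router and not from someone in the middle.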

group2 - DH group 2 is used for secure exchange of the shared key
crypto isakmp key  -  sets the shared key to .... when communicating with the other router


* the IKE phase 2 tunnel (ipsec tunnel) is negotiated and set up within the protection of the IKE phase 1 tunnel (ISAKMP tunnel).

*HASH
provide data integrity
one way mathematical function
in practice, data of arbitrary length is input into the hash function and processed, resulting in a fixed-length hash
the resultant fixed-length hash is called a digest
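To tie the hash notes to the "md5 or sha-1 hmac" integrity check that AH and ESP use, here is an added example (not code from the original post). It shows that the digest length is fixed whatever the input length, computes an ESP-style keyed authenticator (HMAC-SHA1 truncated to 96 bits, the HMAC-SHA1-96 scheme of RFC 2404), and shows that a single flipped bit in the payload fails verification. The key and payload are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample key for the demo; in IPsec this comes from the IKE key material.
KEY = bytes.fromhex("0b" * 20)


def esp_icv(key, data, algo="sha1", truncate_to=12):
    """HMAC over the protected data, truncated to 96 bits (12 bytes) the way
    HMAC-SHA1-96 / HMAC-MD5-96 do for the ESP/AH integrity check value."""
    return hmac.new(key, data, algo).digest()[:truncate_to]


def verify(key, data, icv):
    """Recompute the ICV and compare in constant time, so the comparison
    itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(esp_icv(key, data), icv)


def digest_lengths():
    """Digest size stays fixed (20 bytes for SHA-1) regardless of input size."""
    return [len(hashlib.sha1(b"x" * n).digest()) for n in (0, 1, 1000, 100000)]


def demo():
    """Authenticate a constructed payload, then tamper with one bit and re-verify.
    Returns (verdict_for_original, verdict_for_tampered)."""
    payload = b"constructed ESP payload: GET /balance account=42"
    tag = esp_icv(KEY, payload)
    tampered = bytearray(payload)
    tampered[-1] ^= 0x01          # flip the lowest bit of the last byte
    return verify(KEY, payload, tag), verify(KEY, bytes(tampered), tag)


if __name__ == "__main__":
    print("digest lengths:", digest_lengths())
    print("original ok, tampered ok:", demo())
```

The plain hash gives integrity only against accidental change; anyone can recompute SHA-1 over modified data. Keying it (HMAC) is what turns the digest into the authentication the notes describe, because only a holder of the SA's key can produce a valid ICV.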

[Source] IPsec | Author kds20850
