6 IPSec Uses
[Figure: a user system with IPSec sends a payload across a public (Internet) or private network, through networking devices with IPSec]
復大软件学院
7 Benefits of IPSec • in a firewall/router provides strong security to all traffic crossing the perimeter • in a firewall/router is resistant to bypass • is below transport layer, hence transparent to applications • can be transparent to end users • can provide security for individual users • secures routing architecture
8 IP Security Architecture • specification is quite complex • defined in numerous RFCs – incl. RFC 2401/2402/2406/2408 – many others, grouped by category • mandatory in IPv6, optional in IPv4 • has two security header extensions: – Authentication Header (AH) – Encapsulating Security Payload (ESP)
9 IPSec Services

Service                                AH   ESP (encryption only)   ESP (encryption plus authentication)
Access control                         ✓    ✓                       ✓
Connectionless integrity               ✓                            ✓
Data origin authentication             ✓                            ✓
Rejection of replayed packets          ✓    ✓                       ✓
Confidentiality                             ✓                       ✓
Limited traffic flow confidentiality        ✓                       ✓
11 Authentication Header (AH) • provides support for data integrity & authentication of IP packets – end system/router can authenticate user/app – prevents address spoofing / replay attacks by tracking sequence numbers • based on use of a MAC – HMAC-MD5-96 or HMAC-SHA-1-96 • parties must share a secret key
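As an added worked example (not part of the lecture slides), the following Python shows the two AH mechanisms the slide names: a truncated HMAC (HMAC-SHA-1-96, the 160-bit digest cut to 96 bits) computed by a sender that shares a secret key with the receiver, and the RFC 2402 sliding anti-replay window driven by the AH sequence number. The AH header layout (next header, payload length, reserved, SPI, sequence number, ICV) follows RFC 2402, but the example is simplified: it signs only the AH header and payload, not the enclosing IP header with its mutable fields zeroed, and the key, SPI and payloads are constructed values. The receiver checks freshness first, then the ICV, and only then advances the window, which is the order RFC 2402 prescribes.

```python
import hmac
import hashlib
import struct

ICV_LEN = 12      # HMAC-SHA-1-96: 160-bit HMAC output truncated to 96 bits (RFC 2404)
WINDOW_SIZE = 64  # anti-replay window size recommended by RFC 2402
AH_HDR_FMT = "!BBHII"  # next header, payload len, reserved, SPI, sequence number
AH_HDR_LEN = struct.calcsize(AH_HDR_FMT)  # 12 bytes before the ICV


def compute_icv(key: bytes, data: bytes) -> bytes:
    """Integrity Check Value: HMAC-SHA-1 over the data, truncated to 96 bits."""
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def verify_icv(key: bytes, data: bytes, icv: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many ICV bytes matched."""
    return hmac.compare_digest(compute_icv(key, data), icv)


class ReplayWindow:
    """Sliding window of accepted sequence numbers (RFC 2402, Appendix C).

    bit i of `bitmap` is set when sequence number (top - i) has been accepted.
    """

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0

    def is_fresh(self, seq: int) -> bool:
        if seq == 0:           # sequence number 0 is never valid for AH
            return False
        if seq > self.top:     # to the right of the window: new
            return True
        diff = self.top - seq
        if diff >= self.size:  # to the left of the window: too old, reject
            return False
        return not (self.bitmap >> diff) & 1  # inside window: reject if already seen

    def mark_seen(self, seq: int) -> None:
        """Call only after the ICV has verified, so forged packets cannot move the window."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def build_ah_packet(key: bytes, spi: int, seq: int, payload: bytes, next_header: int = 17) -> bytes:
    """Sender side: AH header + ICV + payload. Payload Len = (24 bytes / 4) - 2 = 4."""
    header = struct.pack(AH_HDR_FMT, next_header, 4, 0, spi, seq)
    # The ICV field is treated as zero while the ICV is computed, as RFC 2402 requires.
    icv = compute_icv(key, header + bytes(ICV_LEN) + payload)
    return header + icv + payload


def receive_ah_packet(key: bytes, window: ReplayWindow, packet: bytes) -> str:
    """Receiver side: returns "ok", "replay" or "bad-icv"."""
    header = packet[:AH_HDR_LEN]
    icv = packet[AH_HDR_LEN:AH_HDR_LEN + ICV_LEN]
    payload = packet[AH_HDR_LEN + ICV_LEN:]
    _, _, _, _spi, seq = struct.unpack(AH_HDR_FMT, header)
    if not window.is_fresh(seq):
        return "replay"
    if not verify_icv(key, header + bytes(ICV_LEN) + payload, icv):
        return "bad-icv"
    window.mark_seen(seq)
    return "ok"


if __name__ == "__main__":
    # Constructed demo values, not from any real security association.
    key = b"constructed-shared-secret"
    spi = 0x100
    window = ReplayWindow()
    p1 = build_ah_packet(key, spi, 1, b"first")
    print(receive_ah_packet(key, window, p1))   # ok
    print(receive_ah_packet(key, window, p1))   # replay
    p2 = build_ah_packet(key, spi, 2, b"second")
    tampered = p2[:-1] + bytes([p2[-1] ^ 0x01])
    print(receive_ah_packet(key, window, tampered))  # bad-icv
```

Note that a replayed or modified packet never advances the window: freshness is checked before the (costlier) MAC, but the window state changes only after the ICV verifies, so an attacker who can inject traffic cannot push legitimate packets out of the window.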