IPSec and TLS

IPSec and the Internet key exchange protocol
Transport layer security protocol

IP spoofing is a common technique in cyber attacks
– bots spoof the IP address of a victim web site
– then send DNS queries to DNS servers
– the DNS servers respond, sending large amounts of data to the victim
– Result: a denial-of-service attack

Goals of IPSec
– Verify sources of IP packets
– Provide authentication that is lacking in IPv4
– Protect integrity and/or confidentiality of packets
– Prevent replaying of old packets
– Provide security automatically for upper layer protocols and applications

IPSec Modes
transport mode
gateway <-> gateway

New IP Header -> AH or ESP Header -> Orig IP Header -> TCP -> Data

ESP (Encapsulating Security Payload) <-> AH (Authentication Header)

Encapsulating Security Payload (ESP)
– encrypt and authenticate each packet
– encryption is applied to packet payload
– authentication is applied to data in the IPSec header as well as the data contained as payload, after encryption is applied

ESP in Transport Mode
orig IP Hdr -> TCP Hdr -> Data

Authentication is applied to the entire packet, with the mutable fields in the IP header “zeroed out”

If both ESP and AH are applied to a packet, AH follows ESP

Internet Key Exchange
Exchange and negotiate security policies

Establish parameters
security associations
Key exchange

One-way relationship between a sender and a receiver, defined by IPSec parameters
one SA for inbound traffic, another SA for outbound
Security Association Database (SADB)
Security Parameter Index (SPI)
Security Policy Database (SPD)

Anti-Replay
sequence number checking
anti-replay is used only if authentication is selected
window should not be advanced until the packet has been authenticated
Duplicates are rejected!
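
The anti-replay rules above, as an added sketch that is not part of the original notes: a receiver-side sliding window that checks the sequence number, authenticates, and only then advances. The names `icv`, `ReplayWindow` and `demo`, the window size of 64, and the use of HMAC-SHA256 over sequence number plus payload in place of the real ESP/AH integrity check are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def icv(key: bytes, seq: int, payload: bytes) -> bytes:
    # Stand-in for the ESP/AH integrity check value (assumption: HMAC-SHA256
    # over sequence number + payload, not the real packet layout).
    return hmac.new(key, struct.pack("!I", seq) + payload, hashlib.sha256).digest()


class ReplayWindow:
    """Receiver-side anti-replay state for one inbound SA."""

    def __init__(self, key: bytes, size: int = 64):  # size 64 is an assumption
        self.key, self.size = key, size
        self.top = 0     # highest sequence number authenticated so far
        self.bitmap = 0  # bit i set => sequence number (top - i) was accepted

    def receive(self, seq: int, payload: bytes, tag: bytes) -> str:
        # 1. Sequence number check: too old, or already seen inside the window.
        if seq == 0 or seq + self.size <= self.top:
            return "reject: outside window"
        if seq <= self.top and (self.bitmap >> (self.top - seq)) & 1:
            return "reject: duplicate"
        # 2. Authenticate before touching any window state.
        if not hmac.compare_digest(tag, icv(self.key, seq, payload)):
            return "reject: bad ICV"
        # 3. Only an authenticated packet is recorded or advances the window.
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "accept"


def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample key
    win = ReplayWindow(key)
    good = lambda s: (s, b"data", icv(key, s, b"data"))
    forged = (1000, b"data", b"\x00" * 32)  # unauthenticated packet, high number
    traffic = [good(1), good(2), good(2), forged, good(3), good(70), good(5), good(7)]
    return [win.receive(*pkt) for pkt in traffic]
```

In the constructed traffic, the forged packet with sequence number 1000 fails authentication and leaves the window untouched, so the legitimate packet 3 that follows is still accepted; had the window advanced first, packet 3 would have been dropped as too old.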