IPSec and the Internet key exchange protocol
Transport layer security protocol
IP spoofing is a common technique in cyber attacks
– bots spoof the IP address of a victim web site
– then send DNS queries to DNS servers
– the DNS servers respond, sending large amounts of data to the victim
– Result: a denial-of-service attack
Goals of IPSec
– Verify sources of IP packets
– Provide authentication that is lacking in IPv4
– Protect integrity and/or confidentiality of packets
– Prevent replaying of old packets
– Provide security automatically for upper layer protocols and applications
IPSec Modes
transport mode
gateway <-> gateway
New IP Header -> AH or ESP Header -> Orig IP Header -> TCP -> Data
ESP (Encapsulating Security Payload) <-> AH (Authentication Header)
Encapsulating Security Payload (ESP)
– encrypt and authenticate each packet
– encryption is applied to packet payload
– authentication is applied to data in the IPSec header as well as the data contained as payload, after encryption is applied
ESP in Transport Mode
orig IP Hdr -> TCP Hdr -> Data
Authentication is applied to the entire packet, with the mutable fields in the IP header “zeroed out”
If both ESP and AH are applied to a packet, AH follows ESP
Internet Key Exchange
Exchange and negotiate security policies
Establish parameters
security associations
Key exchange
One-way relationship between a sender and a receiver, defined by IPSec parameters
one SA for inbound traffic, another SA for outbound
Security Association Database (SADB)
Security Parameter Index (SPI)
Security Policy Database (SPD)
Anti-Replay
sequence number checking
anti-replay is used only if authentication is selected
window should not be advanced until the packet has been authenticated
Duplicates are rejected!
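
The anti-replay rules above, as an added Python example that is not part of the original notes: a receiver-side sliding window that checks the sequence number, authenticates, and only then advances the window. The 64-packet window, the key, and the simplified integrity value (HMAC-SHA256 over sequence number and payload) are assumptions made for the demo.

```python
import hashlib
import hmac

WINDOW = 64  # window size in packets (assumed value for this example)

def icv(key, seq, payload):
    # Simplified integrity check value (assumption): HMAC over seq number + payload.
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

class ReplayWindow:
    """Receiver-side anti-replay state for one inbound SA."""

    def __init__(self, key):
        self.key = key    # integrity key of the SA (constructed for the demo)
        self.top = 0      # highest authenticated sequence number so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already accepted

    def receive(self, seq, payload, tag):
        # Step 1: sequence number check; no state is modified here.
        if seq == 0:
            return "drop: invalid sequence number"
        if seq <= self.top:
            offset = self.top - seq
            if offset >= WINDOW:
                return "drop: older than window"
            if (self.bitmap >> offset) & 1:
                return "drop: duplicate"
        # Step 2: authenticate before touching the window.
        if not hmac.compare_digest(tag, icv(self.key, seq, payload)):
            return "drop: authentication failed"
        # Step 3: only now mark the packet as seen and slide the window.
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "accept"

def demo():
    key = b"constructed-demo-key"
    rx = ReplayWindow(key)
    pkt = lambda seq, data: (seq, data, icv(key, seq, data))  # legitimate sender
    results = [rx.receive(*pkt(1, b"a")),
               rx.receive(*pkt(3, b"c")),
               rx.receive(*pkt(2, b"b")),           # late, but inside the window
               rx.receive(*pkt(3, b"c")),           # replay of packet 3
               rx.receive(1000, b"x", b"\0" * 32),  # forged packet, bad tag
               rx.receive(*pkt(4, b"d"))]           # accepted: window did not move
    return results, rx.top
```

If the window were advanced in step 1, the forged packet with sequence number 1000 would push the window past packet 4 and the legitimate packet would be dropped as too old.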