Internet Protocol Security (IPsec)

Basics of IPsec

Walter Yang

on 14 April 2011


Transcript of Internet Protocol Security (IPsec)

Internet Protocol Security (IPsec)

Why IPsec?

When the internet first started there was no real form of protection for TCP/IP. Because of that, data on the internet was sent across the network as unprotected text, so a solution to this problem was needed.

IPsec

Internet Protocol Security, commonly known as IPsec, is one of the solutions offered to fix this problem that TCP/IP faced.

Purpose

The purpose of IPsec is to encapsulate and encrypt data using protocols and algorithms to protect the user from malicious attacks. For example, if two people are exchanging encrypted information with each other, only they can read the information because only they are able to decrypt it; anyone else who obtains the information will not be able to decrypt it.

Example protocol

IPsec protocols are used to secure the IP communication between

client to server
server to server
network to network

Reasons

provides authentication
provides integrity
provides confidentiality
prevents replay attacks
prevents data tampering
integrated with firewalls

Types of protocols

Here is a list of the protocols used for IPsec:
security association (SA)
Internet key exchange (IKE)
authentication header (AH)
encapsulating security payload (ESP)

Authentication header (AH)

Integrity based: used to provide connectionless integrity and origin authentication, and also protects against replay attacks.

appropriate to use when confidentiality is not required

But be aware that AH does not provide data confidentiality; this means that all of the data is sent in the clear.

Encapsulating security payload (ESP)

Offers the same features as AH but supports encryption.

Used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and traffic flow confidentiality.

Security association (SA)

A group of security parameters.

this contains the algorithms used
and the key sizes used

Hosts need a common SA to properly run IPsec.

Consists of the security protocol (AH or ESP).

Internet key exchange (IKE)

Protocol used to set up a security association (SA).

Uses X.509 certificates for authentication that are usually pre-shared or distributed using DNS.

IKE consists of two phases:

Phase 1 establishes a secure authenticated communication channel by using the Diffie–Hellman key exchange algorithm to generate a shared secret key to encrypt IKE communications.
Phase 2 uses the secured channel from Phase 1 to negotiate Security Associations.

Authentication methods

Kerberos: only works on computers in the domain, so it authenticates by verifying the computer, or the computer and user, NOT just the user.
Certificates: trust the certificate authority that is issuing them to make the IPsec connection; created on a trust relationship; used when the computer or user is out of the domain.
Preshared key: the "password" method.

Weak method, not recommended.

Used when the computer does not support other methods.

Modes

There are two types of IPsec modes:
main mode - ensures each party is valid (acts as authentication)
quick mode - used to communicate with the party

Main mode and quick mode protocol

Main mode is often used with the AH, while quick mode is the ESP.

AH header format

Next header. 8 bits.
Specifies the next encapsulated protocol.

Length. 8 bits.
Size of the AH header in 32-bit words.

SPI, Security Parameters Index. 32 bits.
Contains a pseudo-random value used to identify. The values in the range 1 to 255 are reserved.

Sequence number 32 bits

Authentication Data. Variable length.
This field must contain a multiple of 32-bit words.

Source: <http://www.networksorcery.com/enp/protocol/ah.htm>

ESP header format

SPI, Security Parameters Index. 32 bits.
An arbitrary value that, in combination with the destination IP address and security protocol (ESP)

Sequence number. 32 bits, unsigned.
This field contains an increasing counter value.

Payload data. Variable length.
Contains the data described by the Next header field; what this area holds depends on which algorithm is used for the ESP protocol.

Pad length. 8 bits.
size of the Padding field

Next header. 8 bits.
IP protocol number describing the format of the Payload data.

Authentication data. Variable length.
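As an added example that is not part of the original presentation, here are the two header layouts described above and the anti-replay service they mention, in Python: a parser for the AH fixed header and ICV that checks the field invariants, a reader for the only ESP fields that are in the clear, and a sliding-window replay check. The "Payload Len is the AH length in 32-bit words minus 2" rule and the RFC references come from RFC 4302/4303, not the slides; the sample packet bytes are constructed.

```python
import struct
from collections import namedtuple

# AH fixed part (RFC 4302): Next Header (8 bits), Payload Len (8), Reserved (16),
# SPI (32), Sequence Number (32); the ICV follows, padded to 32-bit words.
AH_FIXED = struct.Struct("!BBHII")
# ESP (RFC 4303): only SPI and Sequence Number are in the clear; Pad Length and
# Next Header sit in the trailer inside the encrypted payload.
ESP_FIXED = struct.Struct("!II")
AHHeader = namedtuple("AHHeader", "next_header payload_len spi seq icv")

def parse_ah(buf: bytes) -> AHHeader:
    """Parse an AH header from the start of buf and check its field invariants."""
    if len(buf) < AH_FIXED.size:
        raise ValueError("AH header truncated")
    next_header, payload_len, _reserved, spi, seq = AH_FIXED.unpack_from(buf)
    if 1 <= spi <= 255:
        raise ValueError(f"SPI {spi} is in the reserved range 1-255")
    total = (payload_len + 2) * 4   # Payload Len = AH length in 32-bit words minus 2
    if len(buf) < total:
        raise ValueError("AH ICV truncated")
    icv = buf[AH_FIXED.size:total]
    if len(icv) % 4:
        raise ValueError("ICV must be a multiple of 32 bits")
    return AHHeader(next_header, payload_len, spi, seq, icv)

def parse_esp_clear(buf: bytes) -> tuple:
    """(SPI, sequence number): the only ESP fields readable before decryption."""
    return ESP_FIXED.unpack_from(buf)   # raises struct.error if truncated

class ReplayWindow:
    """Sliding anti-replay window over the sequence number (RFC 4302/4303 style)."""
    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0  # bit i set => highest-i seen

    def accept(self, seq: int) -> bool:
        if seq == 0:                       # first packet on an SA carries seq 1
            return False
        if seq > self.highest:             # new high-water mark: slide the window
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                   # fell off the window, or a replay
        self.bitmap |= 1 << diff
        return True

# Constructed sample: AH carrying TCP (6), 96-bit ICV (Payload Len 4), SPI 0x1000, seq 1.
SAMPLE_AH = AH_FIXED.pack(6, 4, 0, 0x1000, 1) + b"\xaa" * 12
```

A receiver would run `accept()` on every packet's sequence number for the SA before spending cycles on ICV verification, so a replayed or stale packet is dropped without further work.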