Segurança Em Redes De Comunicações

IPSec

A framework of security protocols and algorithms used to secure data at the network layer.

Authentication Header (AH):

  • Ensures data integrity.

  • Does not provide confidentiality.

  • Provides origin authentication.

  • Uses Keyed-hash mechanisms.

Encapsulating Security Payload (ESP):

  • Provides data confidentiality (encryption).

  • Data Integrity.

  • Does not protect IP header.

AH and ESP uses symmetric secret key algorithms, although public key algorithms are feasible.

Modes

Tunnel.

  • IPSec gateways provide IPSec services to other hosts in peer-to-peer tunnels.

  • End-hosts are not aware of IPSec being used to protect their traffic.

  • IPSec gateways provide transparent protection over untrusted networks.

Transport.

  • Each end host does IPSec encapsulation of its own data, host-to-host.

  • IPSec has to be implemented on end-hosts.

  • The application endpoint must also be the IPSec endpoint.

Header placement

AH

Transport mode
Tunnel mode

ESP

Transport mode
Tunnel mode

AH Header

Contains five mandatory fields:

  • The Next Header field is an 8-bit field that identifies the type of the next payload after the AH.

  • The Payload Length is an 8-bit field specifying the length of the header (excluding the first 8 bytes) in 4-byte units.

  • The SPI field contains the negotiated outbound IPsec SPI and is used by the remote peer to identify the SA to which the packet belongs.

  • The Sequence Number field is a 32-bit field that contains a counter value that increases by one for each sent packet (using the same outbound IPsec SA).

  • The ICV field has a variable length (multiple of 32 bits) that contains the output of the authentication hash function (or HMAC based on symmetric encryption algorithms) applied to data/headers under protection.

    • May include padding to ensure that the overall length of the AH header is a multiple of 32 bits in IPv4 or 64 bits in IPv6.

ESP Header and Trailer

Contain five mandatory fields:

  • The SPI field contains the negotiated outbound IPsec SPI and is used by the remote peer to identify the SA to which the packet belongs.

  • The Sequence Number field is a 32-bit field that contains a counter value that increases by one for each sent packet (using the same outbound IPsec SA).

  • The Padding field may contain 0 to 255 zero-bytes to guarantee: (i) a specific payload size imposed by the encryption algorithm (e.g., size multiple of the block cipher size), and (ii) that the Pad Length and Next header fields are right aligned within a 4-byte word.

  • The Pad Length is an 8-bit field that indicates the number of padding bytes in the Padding field.

  • The Next Header is an 8-bit field that identifies the type of data contained in the payload data.

May contain two optional fields:

  • When the encryption algorithm requires an explicit Initialization Vector (IV), this value is sent using the IV field.

    • Some algorithm modes combine encryption and integrity into a single operation.

  • The ICV field has a variable length that contains the output of the authentication hash function (or HMAC based on symmetric encryption algorithms) applied to the ESP header, Payload Data, and ESP trailer fields.

    • The ICV field may include padding.

Security Associations

SAs represent a policy contract between two peers or hosts.

Describe how the peers will use IPSec security services to protect network traffic.

An SA contains the following security parameters:

  • Authentication/encryption algorithm, key length, and other encryption parameters (e.g. key lifetime, ...).

  • Session keys for authentication, or HMACs, and encryption, which can be entered manually or negotiated automatically.

  • A specification of network traffic to which the SA will be applied (e.g. IP traffic or only TELNET sessions).

  • IPSec AH or ESP encapsulation protocol and tunnel or transport mode.

PreviousHub-Spoke vs. Spoke-SpokeNextEstablishing SA and Cryptographic Keys

Last updated