
IPsec

What is IPsec?

"IPsec is a standard for real-time communication security"
Overview

(Diagram: a packet arrives at BACCHAN.)

…There must be some way for BACCHAN to know which cryptographic key and which algorithm to use to process the packet.

IPsec comes to the rescue…

IPsec headers embedded into the IP packet tell BACCHAN to which security association the packet belongs.

Security associations: what are those?


IPsec Security Associations (SA)

• An SA is a cryptographically protected connection. It consists of:
  - the cryptographic key
  - the sequence number currently being used
  - the cryptographic services being used (e.g. integrity only / integrity + encryption, and the algorithm to be used)

• An SA is unidirectional. So a conversation between AISHWARYA and BACCHAN will consist of two SAs, one in each direction.

• A field called the SPI (Security Parameter Index) identifies the security association.
Security Associations Database

• Maintained by systems implementing IPsec. For example, BACCHAN's table:

  DEST   SPI   KEY   ALGO   SEQ. no
  CAT    ##    ##    ##     ##
  DOG    ##    ##    ##     ##
  ASH    ##    ##    ##     ##
Security Policy Database

• A database that can tell:
  - which packets to drop
  - which to forward
  - which to accept without security

…Remember FIREWALLS!!!
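The following is an added example and not part of the original slides: a toy Python model of the two databases just described. The names SPD and SAD and the anti-replay window come from RFC 4301 and RFC 4303; the host names AISHWARYA, BACCHAN, CAT and DOG are taken from the slides, while the SPIs, keys and policy rules are constructed sample values. It shows the three policy outcomes, the (dest, SPI) row lookup, that one conversation needs two SAs, and how the sequence number stored in the SA is used on the receiving side.

```python
"""Toy model of the IPsec Security Policy Database (SPD) and Security
Association Database (SAD) as described on the slides.

Added example, not code from the original slides.  Host names come from
the slides; SPIs, keys and policy rules are constructed sample values.
Real stacks follow RFC 4301; this keeps only the fields the slides name
(dest, SPI, key, algorithm, sequence number) plus the RFC 4303
anti-replay window that goes with the sequence number.
"""
from dataclasses import dataclass, field

DISCARD, PROTECT, BYPASS = "DISCARD", "PROTECT", "BYPASS"   # the three SPD outcomes on the slide


@dataclass
class SecurityAssociation:
    """One unidirectional SA; a two-way conversation needs two of these."""
    dest: str
    spi: int
    key: bytes
    algo: str                      # e.g. "integrity-only" or "integrity+encryption"
    seq: int = 0                   # outbound: last number sent; inbound: highest number accepted
    window: int = 32               # anti-replay window (inbound side)
    seen: set = field(default_factory=set)

    def next_seq(self) -> int:
        """Outbound: each packet gets a fresh, strictly increasing sequence number."""
        self.seq += 1
        return self.seq

    def accept_seq(self, seq: int) -> bool:
        """Inbound sliding-window replay check (RFC 4303 Appendix A): accept each
        number at most once and reject anything older than the window."""
        if seq <= 0:
            return False
        if seq > self.seq:                        # window slides forward
            self.seq = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
            self.seen.add(seq)
            return True
        if seq <= self.seq - self.window or seq in self.seen:
            return False                          # too old, or already seen
        self.seen.add(seq)
        return True


class SPD:
    """Ordered rule list over (src, dst, proto); '*' is a wildcard, first match wins."""
    def __init__(self, rules):
        self.rules = rules                        # [((src, dst, proto), action, spi_or_None), ...]

    def lookup(self, src, dst, proto):
        for (rs, rd, rp), action, spi in self.rules:
            if rs in (src, "*") and rd in (dst, "*") and rp in (proto, "*"):
                return action, spi
        return DISCARD, None                      # RFC 4301: no matching entry means discard


class SAD(dict):
    """Rows keyed by (dest, SPI), which is how the receiver finds the SA for an incoming packet."""
    def add(self, sa: SecurityAssociation):
        self[(sa.dest, sa.spi)] = sa


def outbound(spd: SPD, sad: SAD, src, dst, proto):
    """Sender side: consult the SPD, then the SAD; returns (action, spi, seq)."""
    action, spi = spd.lookup(src, dst, proto)
    if action != PROTECT:
        return action, None, None
    sa = sad.get((dst, spi))
    if sa is None:
        return DISCARD, None, None                # policy wants protection but no SA exists yet
    return PROTECT, sa.spi, sa.next_seq()


def inbound(sad: SAD, dst, spi, seq):
    """Receiver side: the SPI in the IPsec header selects the SA, then the replay check runs."""
    sa = sad.get((dst, spi))
    if sa is None:
        return DISCARD
    return "ACCEPT" if sa.accept_seq(seq) else "REPLAY"


def demo():
    # AISHWARYA -> BACCHAN and BACCHAN -> AISHWARYA are two separate SAs; each host holds its own copy.
    aish_sad, bacchan_sad = SAD(), SAD()
    for sad in (aish_sad, bacchan_sad):
        sad.add(SecurityAssociation("BACCHAN", 0x1001, b"constructed-key-1", "integrity+encryption"))
        sad.add(SecurityAssociation("AISHWARYA", 0x2002, b"constructed-key-2", "integrity+encryption"))
    spd = SPD([
        (("CAT", "*", "*"), DISCARD, None),                 # packets to drop
        (("AISHWARYA", "BACCHAN", "*"), PROTECT, 0x1001),   # packets to forward under IPsec
        (("*", "BACCHAN", "icmp"), BYPASS, None),           # packets to accept without security
    ])
    sent = [outbound(spd, aish_sad, "AISHWARYA", "BACCHAN", "tcp") for _ in range(3)]
    dropped = outbound(spd, aish_sad, "CAT", "BACCHAN", "tcp")
    plain = outbound(spd, aish_sad, "DOG", "BACCHAN", "icmp")
    # Deliver seq 1, 3, a replayed 1, the late 2, then 40 (slides the window), then the stale 5.
    received = [inbound(bacchan_sad, "BACCHAN", 0x1001, s) for s in (1, 3, 1, 2, 40, 5)]
    unknown = inbound(bacchan_sad, "BACCHAN", 0x9999, 1)   # SPI with no SAD row
    return {"sent": sent, "dropped": dropped, "plain": plain, "received": received, "unknown": unknown}


if __name__ == "__main__":
    print(demo())
```

The receiving side never looks at the policy first: the SPI in the IPsec header selects the row, and only then are the key, algorithm and sequence window known, which is exactly the "which key and which algorithm" problem the overview slide raised.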


AH (Authentication Header)
  - Provides integrity protection only.
  - Keeps important fields visible to firewalls & routers.

ESP (Encapsulating Security Payload)
  - Provides integrity protection and encryption too.
Applying IPsec to a packet

Original packet:  [IP header][Rest of the packet]

Transport mode:   [IP header][IPsec][Rest of packet]

Tunnel mode:      [New IP header][IPsec][IP header][Rest of packet]
IPv4

• A network layer protocol; uses 32-bit addresses.
• In "IPv4", the "4" is the version number field.
• 32 bits won't be enough! So migration to IPv6 is necessary some day or other.

IPv4 header
  4 bit     Version
  4 bit     Header length
  1 octet   Type of service
  2 octet   Length (header + data)
  2 octet   Packet identification
  3 bit     Flags
  13 bit    Fragment offset
  1 octet   TTL
  1 octet   Protocol
  2 octet   Header checksum
  4 octet   Source address
  4 octet   Destination address
  variable  Options
IPv6

• Uses 16 octets, i.e. 128-bit addresses.
• Where is IPv5 then??? :p

IPv6 header
  4 octet   Version
  2 octet   Payload length
  1 octet   Next header
  1 octet   Hops remaining
  16 octet  Source address
  16 octet  Destination address

The NEXT HEADER field is equivalent to IPv4's PROTOCOL field. Each header chained through it has the layout:
  1 octet   Next header
  1 octet   Length of this header
  variable  Data of this header
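As an added example (not from the slides), here is Python that parses the two headers tabulated above with the field widths of RFC 791 and RFC 8200, verifies the IPv4 header checksum, and follows the Protocol / Next Header chain to see whether the datagram carries AH (protocol number 51) or ESP (protocol number 50). One caveat on the table above: on the wire the IPv6 version field is only 4 bits; the first 4 octets hold version, traffic class and flow label together. The sample packets are constructed inline.

```python
"""Parse the IPv4 and IPv6 headers tabulated on the slides and follow the
Protocol / Next Header chain to find out whether a datagram carries IPsec.

Added example, not from the original slides.  Packet bytes are constructed
inline.  Field widths follow RFC 791 (IPv4) and RFC 8200 (IPv6); the IANA
protocol numbers are ESP = 50 and AH = 51.
"""
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51
# IPv6 extension headers with the generic "next header / length / data" shape from the slide.
# Fragment (44) and AH (51) have their own length rules, so the walk stops at them.
IPV6_EXT_HEADERS = {0, 43, 60}      # hop-by-hop options, routing, destination options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791 / RFC 1071); caller zeroes the checksum field."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Return the IPv4 header fields of the slide's table and verify the header checksum."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4      # IHL counts 32-bit words
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a complete IPv4 header")
    header = pkt[:ihl]
    computed = ipv4_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "version": version, "header_len": ihl, "tos": tos, "total_len": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum_ok": computed == csum,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "options": header[20:],
    }


def parse_ipv6(pkt: bytes) -> dict:
    """Return the fixed IPv6 header and walk extension headers to the upper-layer protocol."""
    first, payload_len, next_hdr, hops, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    version = first >> 28                    # version is the top 4 bits of the first 4 octets
    if version != 6:
        raise ValueError("not an IPv6 header")
    offset = 40
    # Each extension header: 1 octet Next Header, 1 octet length in 8-octet units not counting the first 8.
    while next_hdr in IPV6_EXT_HEADERS:
        if offset + 2 > len(pkt):
            raise ValueError("truncated extension header")
        ext_next, ext_len = pkt[offset], pkt[offset + 1]
        next_hdr, offset = ext_next, offset + (ext_len + 1) * 8
    return {
        "version": version, "payload_len": payload_len, "hops": hops,
        "src": src.hex(), "dst": dst.hex(),
        "upper_protocol": next_hdr, "upper_offset": offset,
    }


def ipsec_kind(proto: int) -> str:
    """Map a Protocol / Next Header value to the IPsec header it announces, if any."""
    return {IPPROTO_ESP: "ESP", IPPROTO_AH: "AH"}.get(proto, "none")


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed sample: a minimal 20-octet IPv4 header (DF set, TTL 64) with a correct checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def build_ipv6_sample() -> bytes:
    """Constructed sample: IPv6 header, one 8-octet hop-by-hop extension header, then an ESP stub."""
    hopbyhop = bytes([IPPROTO_ESP, 0]) + b"\x01\x04\x00\x00\x00\x00"   # PadN option fills the 6 spare octets
    payload = hopbyhop + b"\x00" * 8
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")                  # 2001:db8::1 (documentation prefix)
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")                  # 2001:db8::2
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), 0, 64, src, dst) + payload


if __name__ == "__main__":
    v4 = parse_ipv4(build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_ESP, b"x" * 8))
    print(v4, ipsec_kind(v4["protocol"]))
    v6 = parse_ipv6(build_ipv6_sample())
    print(v6, ipsec_kind(v6["upper_protocol"]))
```

The IPv6 walk is what a filtering device has to do to answer the AH slide's point about "fields visible to firewalls": the IPsec header can sit behind any number of extension headers, so the protocol cannot be read from a fixed offset.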
HEADER or HEADACHE???

AH (Authentication Header)
  4 octet   Next header … (protocol field)
  2 octet   Payload length
  1 octet   Unused
  1 octet   SPI
  16 octet  Sequence number
  16 octet  Authentication data

TRICK!!!! (Hindi mnemonic for the field order)
  NEXT              → Next header
  PAYment           → Payload length
  UNavailable…      → Unused
  POLICE <<PSI>>    → SPI
  se <say>          → Sequence number
  <"Aur De">        → Authentication data
ESP (Encapsulating Security Payload)
  4 octet   SPI (security parameter index)
  4 octet   Sequence number
  variable  IV (initialization vector)
  variable  Data
  variable  Padding
  1 octet   Padding length
  1 octet   Next header
  variable  Authentication data

TRICK!!!! (Hindi mnemonic for the field order)
  POLICE <<PSI>>    → SPI
  se <say>          → Sequence number
  IV <invitation>   → IV
  DA <DHA>          → Data
  Pa <PANA>         → Padding
  Palega <PADEGA>   → Padding length
  Nahito            → Next header
  <"Aur De">        → Authentication data
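Added example, not code from the slides: an ESP packet built and parsed in the field order above, using the NULL encryption algorithm (RFC 2410, so there is no IV) with HMAC-SHA256-128 (RFC 4868) as the authentication data, plus a parser for the AH header. It uses the field widths fixed by the RFCs: for AH (RFC 4302) Next Header 1 octet, Payload Length 1 octet, Reserved 2 octets, SPI 4 octets, Sequence Number 4 octets, then the variable-length ICV, which differs from some widths in the AH table above; for ESP (RFC 4303) SPI 4, Sequence Number 4, and a 1 + 1 octet trailer, as the ESP table already has. The key, SPI and payload are constructed. The Next Header value also carries the transport/tunnel distinction from the mode slide: 6 (TCP) when a transport-mode segment follows, 4 (IPv4) when a whole inner packet is tunnelled.

```python
"""Build and parse an ESP packet (SPI, sequence number, data, padding,
pad length, next header, authentication data) and parse an AH header.

Added example, not code from the original slides.  NULL encryption
(RFC 2410, no IV) with HMAC-SHA256-128 (RFC 4868) keeps this within the
Python standard library while showing the wire layout and the integrity
check.  The key, SPI, sequence numbers and payload are constructed.
"""
import hashlib
import hmac
import struct

ICV_LEN = 16                                # HMAC-SHA256 truncated to 128 bits (RFC 4868)
NEXT_HEADER_IPV4, NEXT_HEADER_TCP = 4, 6    # tunnel mode carries IPv4; transport mode here carries TCP


def esp_pad(payload: bytes, align: int = 4) -> bytes:
    """RFC 4303 default padding: bytes 1, 2, 3, ... so that data + padding + the
    2-octet trailer is aligned (4 octets for the NULL cipher)."""
    pad_len = (-(len(payload) + 2)) % align
    return bytes(range(1, pad_len + 1))


def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """ESP-NULL packet: SPI | Seq | Data | Padding | Pad Length | Next Header | ICV."""
    padding = esp_pad(payload)
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([len(padding), next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]   # ICV covers everything before it
    return body + icv


def esp_decapsulate(key: bytes, packet: bytes) -> dict:
    """Verify the ICV before touching any other field, then strip the trailer."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):       # constant-time comparison
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    data_and_pad = body[8:-2]
    if pad_len > len(data_and_pad):
        raise ValueError("bad pad length")
    split = len(data_and_pad) - pad_len
    payload, padding = data_and_pad[:split], data_and_pad[split:]
    if padding != bytes(range(1, pad_len + 1)):      # RFC 4303 lets the receiver check the default pattern
        raise ValueError("padding does not match the RFC 4303 default pattern")
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}


def parse_ah(packet: bytes) -> dict:
    """RFC 4302 AH: Next Header(1) | Payload Len(1) | Reserved(2) | SPI(4) | Seq(4) | ICV.
    Payload Len counts 32-bit words minus 2, so the ICV occupies (payload_len + 2) * 4 - 12 octets."""
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", packet[:12])
    icv_len = (payload_len + 2) * 4 - 12
    if icv_len < 0 or len(packet) < 12 + icv_len:
        raise ValueError("bad AH payload length")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": packet[12:12 + icv_len], "rest": packet[12 + icv_len:]}


def demo() -> dict:
    key = b"constructed-sample-key-not-for-use"
    payload = b"GET / HTTP/1.0\r\n"                       # 16 octets of constructed "TCP" data
    pkt = esp_encapsulate(key, spi=0x1001, seq=1, payload=payload, next_header=NEXT_HEADER_TCP)
    round_trip = esp_decapsulate(key, pkt)
    tampered = bytearray(pkt)
    tampered[10] ^= 0x01                                  # flip one bit inside the data field
    try:
        esp_decapsulate(key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    # Constructed AH header: next header 4 (tunnelled IPv4), payload len 5 -> 16-octet ICV, then the inner packet
    ah = parse_ah(struct.pack("!BBHII", NEXT_HEADER_IPV4, 5, 0, 0x2002, 7) + b"\xaa" * 16 + b"inner")
    return {"packet_len": len(pkt), "round_trip": round_trip, "tamper_detected": tamper_detected, "ah": ah}


if __name__ == "__main__":
    print(demo())
```

The order of operations in esp_decapsulate is the practical lesson: the authentication data is checked over the whole packet before the pad length or next-header octets are trusted, so a modified trailer is rejected rather than parsed.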
???
ARIGATO *_*

… You just learned to say THANK YOU in Japanese!
