IPSec and Privacy with IPv6 - PowerPoint PPT Presentation

1 / 30
About This Presentation
Title:

IPSec and Privacy with IPv6

Description:

Status of IPSEC implementation on Linux & FreeSWAN project ... file containing source and documentation for Linux systems with 2.2.XX and 2.4.XX kernels ... – PowerPoint PPT presentation

Number of Views:82
Avg rating:3.0/5.0
Slides: 31
Provided by: foss
Category:
Tags: ipsec | ipv6 | privacy

less

Transcript and Presenter's Notes

Title: IPSec and Privacy with IPv6


1
IPSec and Privacy with IPv6
  • Jayachandra K, Consultant, Systems Networking,
    Hewlett Packard
  • Gopi Garge, Vice President, IPv6 Forum India
  • Tusar Gupta, Systems Specialist, Network
    Solutions

2
Agenda
  • Security privacy Application/services
    perspective
  • IPSEC with IPv4
  • Security Privacy in IPv6
  • Status of IPSEC implementation on Linux
    FreeSWAN project
  • Impact on Business Applications and services,
    network security infrastructure, network
    management and billing
  • Conclusion

3
Application/services needs..
  • Establish the source IP
  • Spoofing
  • Session replays
  • Data Privacy at the network layer
  • Privacy available for application data
  • Session privacy not available

4
Application/services needs..
  • Data Integrity
  • Only on network layer headers
  • Corrupt data goes up to the transport layer
  • User authentication available
  • Host authentication not available

5
Real World Applications
  • Client-Server Apps (one to many)
  • Web based applications
  • E-business applications
  • E-commerce and M-commerce applications
  • Peer - Peer Apps (many to many)
  • VoIP
  • Video conferencing
  • Network games (Gambling?)

6
Application/services needs..
  • Security Needs
  • Source authentication (user and host based)
  • Session privacy
  • Data confidentiality
  • Data integrity

7
Security in IPv4
  • None, as part of basic protocol
  • IPsec -
  • No integration!

8
Security in IPv4
  • Pre - IPSec (and after too?!)
  • Application layer loaded with security
    responsibility
  • Data confidentiality using
  • SSL, SSH..
  • PGP, S/MIME
  • No Session Privacy
  • No host based authentication

9
Security in IPv4
  • Post - IPSec
  • Largely tunneled traffic
  • VPNs
  • Not popular due to
  • lack of integration into the system
  • applications cannot demand IPSec service

10
Security Privacy in IPv6
  • IPSec mandated!
  • Integrated into the protocol
  • Applications can use IPSec services based on need
  • Session privacy
  • Host based authentication

11
Security Privacy in IPv6
  • Two traffic security protocols
  • 1. Authentication header (AH)

12
Security Privacy in IPv6
Authentication of information using Keyed MD-5 or
any one way hashing algorithm
13
Security Privacy in IPv6
  • Two traffic security protocols
  • 2. Encapsulation security payload (ESP)
  • ESP with Authentication

14
Security Privacy in IPv6
15
Security Privacy in IPv6
16
Security Privacy in IPv6
  • Key repositories
  • DNS
  • LDAP
  • Proprietary databases

17
Security Privacy in IPv6
  • Pros
  • All applications secure
  • Several options/ways to implement security
    privacy requirements
  • Cons
  • Costly(but worth?!)
  • Higher bandwidth requirement
  • Extra processing
  • Export restrictions.

18
IPv6 implementation status
  • Linux kernels 2.2 and above
  • Supported on all variants of BSD
  • Supported by all major commercial OS such as
    HP-UX, AIX, Solaris, Windows 2000/XP etc.
  • Supported by all major network equipment vendors
    such as Cisco, Juniper, 6Wind, Hitachi, Nokia,
    Ericsson etc.
  • Embedded systems vendors like Interpeak support
    IPv6 in their TCP/IP stack.

19
FreeS/WAN Project
  • Linux FreeS/WAN is an implementation
  • of IPSEC IKE for Linux
  • http//www.freeswan.org

20
Objectives of FreeSWAN project
  • implement the IPsec protocols for Linux
  • extend IPsec to do opportunistic encryption
  • help make IPsec widespread by providing an
    implementation with no restrictions
  • provide a high-quality IPsec implementation for
    Linux

21
Opportunistic Encryption
  • any two systems can secure their communications
    without a pre-arranged connection
  • both systems pick up the authentication
    information they need from the DNS
  • reduces the administrative overhead for IPsec
    enormously
  • secure connections can be the default

22
Things not yet implemented
  • Key management methods
  • authenticate key negotiations via local PKI
    server
  • authenticate key negotiations via secure DNS
  • unauthenticated key management, using
    Diffie-Hellman key agreement protocol
  • Encryption methods
  • Triple DES only supported
  • Authentication methods
  • No optional additional implemented

23
Current releases and distributions
  • Current Release
  • Linux FreeS/WAN 1.99 OE-enabled IPsec released on
    04/11/02
  • 1.99 is a bug fix release
  • Installs on Red Hat 8.0 and 7.x.
  • Linux Distributions
  • Best Linux (Finland) Mandrake (France) Conectiva
    (Brazil) Polish(ed) Linux Distribution (Poland)
    Debian ver 3.0 SuSE Linux (Germany) Redhat
    (Kernel serious 2.2 and 2.4))
  • Firewall Distributions
  • Astaro Security Linux, Linuxwall
  • Devil Linux, Smoothwall ,
  • Gibraltar, Wolverine (Coyote Linux), Linux
    Router Project,
  • Xiloo

24
Compatibility Status Interoperability problems
  • FreeS/WAN does not implement single DES
  • FreeS/WAN does not implement Diffie-Hellman group
    1 (768-bit)
  • FreeS/WAN does not implement aggressive mode for
    IKE negotiations
  • Perfect forward secrecy Yes, by default
  • Optional message/bit in IKE protocol
  • FreeSWAN implementation is compatible with most
    other implementations.
  • FreeS/WAN 1.91 with IPv6 support, version 0.2
  • http//www.ipv6.iabg.de/download/ipsec6_upd.tgz

25
Installation
  • latest stable release is 1.99 - 04/11/2002
  • RPM
  • ftp//ftp.xs4all.nl/pub/crypto/freeswan/binaries/R
    edHat-RPMs
  • Source
  • Tar file containing source and documentation for
    Linux systems with 2.2.XX and 2.4.XX kernels
  • ftp//ftp.xs4all.nl/pub/crypto/freeswan/freeswan-\
  • Patches
  • http//www.freeswan.ca/download.php

26
Configuration
  • Configure Files
  • ipsec.conf - configuration and control
    information for the FreeS/WAN IPsec subsystem
  • ipsec.secrets - holds a table of secrets, used by
    the FreeS/WAN IKE daemon
  • Insert KEY and TXT records in DNS
  • ipsec showhostkey --txt 1.2.3.4
  • RSA 2048 bits node.domain.com Mon Nov 25 135322
    2002 4.3.2.1.in-addr.arpa. IN KEY 0x4200 4 1
    AQOF8tZ2...buFuFn/
  • RSA 2048 bits node.domain.com Mon Nov 25 140922
    2002 IN TXT "X-IPsec-Server(10)1.2.3.4
    " " AQOF8tZ2...buFuFn/"
  • leftid node.domain.com
  • service ipsec start

27
Impact on applications
  • Less security overhead on applications
  • Flexibility to enable/disable Network level
    security
  • Several options/ways to meet security
    requirements.
  • Secure Network management data
  • Billing applications to be modified
  • Largest impact is on business applications!!!

28
Impact on applications
  • VPN/Firewall scenario

29
Conclusion
30
Thank you!
  • Contact Jai_at_india.hp.com
  • Gopi_at_exocore.com
  • Tusar_at_india.hp.com
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "IPSec and Privacy with IPv6" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!