THE USE OF IP ESP TO PROVIDE A MIX OF SECURITY SERVICES IN IP DATAGRAM - PowerPoint PPT Presentation

1 / 20

About This Presentation

Title:

THE USE OF IP ESP TO PROVIDE A MIX OF SECURITY SERVICES IN IP DATAGRAM

Description:

ESP can be used to provide. confidentiality. data origin authentication. connectionless integrity ... mode -- just the original next layer protocol information. ... – PowerPoint PPT presentation

Number of Views:37

Avg rating:3.0/5.0

Slides: 21

Provided by: scie318

Learn more at: http://www.cs.wichita.edu

Category:

more less

Transcript and Presenter's Notes

Title: THE USE OF IP ESP TO PROVIDE A MIX OF SECURITY SERVICES IN IP DATAGRAM

1
THE USE OF IP ESP TO PROVIDE A MIX OF SECURITY
SERVICES IN IP DATAGRAM

SREEJITH SREEDHARAN
CS843 PROJECT PRESENTATION
04/28/03

2
INTRODUCTION

ESP can be used to provide
confidentiality
data origin authentication
connectionless integrity
there are three possible ESP security
service combinations involving these services
- confidentiality-only
- integrity-only
- confidentiality and integrity
anti-replay service
traffic flow confidentiality.

3
ESP PACKET FORMAT

A diagram of a secure IP datagram.
lt-- Unencrypted
--gtlt---- Encrypted ------gt
-----------------------------------------
-------------------------------
IP Header Other IP Headers ESP
Header encrypted data
-----------------------------------------
-------------------------------

4
ESP PACKET FORMAT

The figure illustrates the top-level format of an
ESP packet
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
2 3 4 5 6 7 8 9 0 1
----------------------
----- ----------------
Security
Parameters Index (SPI)
Integrity
----------------------
----- Coverage
Sequence
Number
----------------------
----- ---------------
Payload Data
(variable)
Confidentiality
----------------
------- Coverage
Padding
(0-255 bytes)
----
--------------
Pad Length Next Header v
v
----------------------
----- ------------------
Integrity Check
Value-ICV (variable)
----------------------
-----

5
ESP PACKET FORMAT

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
4 5 6 7 8 9 0 1
-----------------------
----
Security
Parameters Index (SPI)
-----------------------
----
Sequence Number
-----------------------
---- ------------
IV (optional
p
-----------------------
---- a
Rest of
Payload Data (variable)
y
l
o
----------------
------- a
TFC Padding
(optional, variable) v
d
---- ------------
------- --------------
Padding (0-255 bytes)
--------
--------------
Pad Length
Next Header
-----------------------
----
Integrity Check
Value-ICV (variable)

6
ESP ALGORITHMIC MODES

Encryption Algorithms
Integrity Algorithms
Combined Mode Algorithms

7
ESP ALGORITHMIC MODES

Separate Encryption and Integrity Algorithms
What What
What
of Requ'd Encrypt
Integ is
bytes 1 Covers
Covers Exempted
------ ------ ------
------ ------
SPI 4
M
Y plain
Seq (low order bits) 4
M Y
plain p
------ a
IV
variable O Y
plain y
IP datagram 2 variable
M or D Y Y
cipher3 -- l
TFC padding 4 variable
O Y Y
cipher3 o
------ a
Padding 0-255
M Y
Y cipher3 d
Pad Length 1
M Y
Y cipher3
Next Header 1
M Y
Y cipher3
Seq (high order bits) 4
Y not xmtd
ICV Padding variable
if need Y
not xmtd
ICV variable
M 5 plain

8
ESP ALGORITHMIC MODES

Combined Mode Algorithms
What What
What
of Requ'd Encrypt
Integ is
bytes 1 Covers
Covers Exempted
------ ------ ------
------ ------
SPI 4
M
plain
Seq (low order bits) 4
M
plain p
------ a
IV
variable O Y
plain y
IP datagram 2 variable
M or D Y Y
cipher -- l
TFC padding 3 variable
O Y Y
cipher o
------ a
Padding 0-255
M Y
Y cipher d
Pad Length 1
M Y
Y cipher
Next Header 1
M Y
Y cipher
Seq (high order bits) 4
Y 4
ICV Padding variable
if need Y
4
ICV omitted
when this mode is employed

9
ESP PROCESSING MODES

Transport Mode Processing
Tunnel Mode Processing

10
Transport Mode Processing

BEFORE APPLYING ESP (IPv4)
-------------------------------------
--------------------
orig IP hdr (any options)
TCP Data
-------------------------------------
--------------------
AFTER APPLYING ESP
-------------------------------------
--------------------------------------------------
------------
orig IP hdr (any options) ESP
Hdr TCP Data ESP Trailer ESP ICV
-------------------------------------
--------------------------------------------------
------------

lt---- encryption ----gt
lt--------
integrity -------gt
BEFORE APPLYING ESP (IPv6)
------------------------------------
-------------------------
orig IP hdr ext hdrs if
present TCP Data
------------------------------------
-------------------------
AFTER APPLYING ESP
------------------------------------
--------------------------------------------------
-----
orig hop-by-hop,dest,
dest ESP
ESP
IP hdr routing,fragment
ESP opt TCP Data Trailer ICV
------------------------------------
--------------------------------------------------
-----
lt--- encryption
----gt
lt------
integrity ------gt

11
Tunnel Mode Processing

BEFORE APPLYING ESP (IPv4)
-----------------------------------------
----------------
orig IP hdr (any options) TCP
Data
-----------------------------------------
----------------
AFTER APPLYING ESP
-----------------------------------------
----------------------------------------------
new IP hdr orig
IP hdr ESP
ESP
(any options) ESP (any
options) TCP Data Trailer ICV
-----------------------------------------
----------------------------------------------

lt--------- encryption
---------gt
lt-------------
integrity ------------gt
BEFORE APPLYING ESP (IPv6)
-----------------------------------------
--------------------
orig IP hdr ext hdrs if present
TCP Data
-----------------------------------------
--------------------
AFTER APPLYING ESP
----------------------------------------
--------------------------------------------------
------
new new ext
orig orig ext
ESP ESP
IP hdr hdrs ESP IP
hdr hdrs TCP Data Trailer
ICV

12
Outbound Packet Processing

Security Association Lookup
Packet Encryption and Integrity Check Value (ICV)
Calculation
1. Separate Confidentiality and Integrity
Algorithms
the Sender proceeds as
1. Encapsulate (into the ESP Payload field)
- for transport mode -- just the original next
layer protocol information.
- for tunnel mode -- the entire original IP
datagram.
2. Add any necessary padding
3. Encrypt the result
4. Compute the ICV over the ESP packet minus the
ICV field
2. Combined Confidentiality and Integrity
Algorithms
1. Encapsulate into the ESP Payload Data field
- for transport mode -- just the original next
layer protocol information.
- for tunnel mode -- the entire original IP
datagram.
2. Add any necessary padding
3. Encrypt and integrity protect the result
Sequence Number Generation
Fragmentation

13
Inbound Packet Processing

Reassembly
Security Association Lookup
Sequence Number Verification
ESP permits two-stage verification of packet
sequence numbers
The preliminary Sequence Number check
the integrity of the Sequence Number
Integrity Check Value Verification
Separate Confidentiality and Integrity Algorithms
1. If integrity has been selected, the receiver
computes the ICV
2. The receiver decrypts the ESP Payload Data,
Padding, Pad Length, and Next Header
3. The receiver processes any Padding
4. The receiver checks the Next Header field.
5. The receiver reconstructs the original IP
datagram from
- for transport mode -- outer IP header plus
the original next layer protocol information in
the ESP Payload field
- for tunnel mode -- the entire IP datagram in
the ESP Payload field.

14
Inbound Packet Processing

Combined Confidentiality and Integrity
Algorithms
1. Decrypts and integrity checks the ESP Payload
Data, Padding, Pad Length, and Next
Header
2. If the integrity check performed by the
combined mode algorithm fails, the receiver must
discard the received IP datagram as invalid
3. Process any Padding
4. The receiver checks the Next Header field
5. Extract the original IP datagram (tunnel
mode) or transport-layer frame (transport mode)
from the ESP Payload Data field.

15
AUDITING