IPSec Sub-Protocols

Video Transcription
Now, in the last section on IPSec we focused in on tunnel mode versus transport mode, which addressed what portion of the IP packet will be encapsulated. But like we said, the encapsulation was just packaging. We're just wrapping up certain portions of an IPv4 packet. We haven't secured them yet. The security comes through a couple of other protocols that IPSec uses, so the encapsulation piece sets aside what's to be protected. Then these other protocols come in and actually provide the security services. We're going to talk about the sub-protocols. Even though there are other protocols that work within IPSec, these are the main ones I want us to know. I want us to know authentication header, I'd like us to know ESP, and then IKE.

AH, authentication header. Now, this is the protocol that we want to use if we're trying to enforce or trying to attain authenticity. Of course, authentication header, authenticity. But the way this works is interesting. If you think about authenticity issues, what's the opposite of authenticity? We think about people spoofing, impersonation. If somebody were to spoof an IP packet, the portion of the packet that they'd be manipulating would be the header. I'm going to change the source address that's in the IP header to make it look like this packet comes from somewhere else. The authentication header, the way it protects against spoofing, is it runs an integrity check value. An integrity check value is just like a hash. You can think of it as hashing the IP header. If someone's going to spoof the IP header, then authentication header is going to notice that there's been a modification and it's going to create an error message. Basically, if someone spoofs, they're modifying the header of a packet; authentication header hashes the header of the packet to make sure that it doesn't get spoofed. That's how it detects any modifications.

Now, here is a problem. Can any of you think about a network service, or even a particular type of server, whose job it is to modify headers of packets? There's a very important network service whose only job is to modify packet headers, and that service is called NAT, network address translation. We'll get into NAT in domain 4. But just a quick overview of what happens with NAT: NAT is a service that runs on devices like firewalls and routers and proxy servers. Let's say that I'm a router that's running NAT, and I'm standing between my internal network and the Internet. All traffic from the inside going out comes through me, the NAT device. Even though I may have 200 internal hosts or 2,000 or two, however many, all traffic coming through me, I strip the true source address and replace it with my own IP address so that everything leaving my network looks like it's coming from me. That keeps all my internal hosts protected. Nobody on the Internet knows their true IP address. They just return all traffic back to the NAT device, who then will distribute the workload internally. NAT provides a great security service; it keeps hidden my internal addressing scheme. But NAT really is about spoofing. It's spoofing for good and not evil, but it's still spoofing. The NAT device strips the source address off the packet and modifies it to look like the packet comes from itself.

I've got NAT whose job it is to modify packet headers, and then I've got AH whose job it is to make sure packet headers don't get modified. What do you think that tells you about their compatibility? The two do not get along. They don't play nicely together. They run with scissors. Now for the test, AH and NAT do not work together. I'm going to hit the pause button between real world and test world. In the real world, you can make the two of them work together. We have a feature called NAT traversal. That's way beyond the scope of what we would cover in here, but I just want you to know in the real world you can make them run together. But natively speaking, AH and NAT are incompatible. If you were to see anything, any indication that you're running NAT on a question, you would know that they don't want you to use AH.

Well, what's left? Well, the next protocol you can use is ESP, encapsulating security payload. This is the protocol that provides encryption. It encrypts what's encapsulated. Now, you get some authenticity and integrity with ESP through a MAC, we talked about message authentication codes, but we also get encryption. You get reasonable authenticity and integrity and encryption, and it's compatible with NAT, so you see a lot of people use ESP for the security. It's more popular than AH for those reasons. But again I want to emphasize AH does not give encryption, it does not provide encryption. If you want encryption for privacy you have to use ESP.

Now, those are really the two main protocols that would be used, but we have a third here called IKE, Internet key exchange. IKE is like that guy at a concert. If you go out to see a concert, if you get there early, there's always this guy that's out there in cut-off shorts and a t-shirt regardless of the weather, and he's running cables, he's checking the lights, he's testing the sound. Nobody came to that show to see IKE, except maybe his mother. Nobody's there to see IKE. But if IKE doesn't go out ahead of the show, you have no show. Internet key exchange, IKE's job is to go out ahead of the security services and set up the connection and say, let's have a secure communication. Let's use this encryption algorithm. Let's use this key. Let's make sure that the communication can and traced from party to party. Let's make sure that we have a discrete channel for each secure connection. That's IKE's job, Internet key exchange.

Now, IKE has swallowed up two other protocols called Oakley and ISAKMP. I think your question would just revolve around IKE, because really those two have been deprecated now. But the idea is IKE negotiates and establishes keys. I'll also mention something called security associations and the security parameters index. IKE is responsible for all that.

What is a security association? A security association is a unique identifier for each secure session. Let's say that I set up a secure connection with Bob. Bob is as good a name as any; we'll choose Bob. IKE goes out and establishes that connection, and then creates something called the security association that references my communications with Bob, so that we understand what Bob's address is, what key we're going to use for communications. This is how each communication with Bob is identified as unique from every other server or system I might be connecting to. I will have a unique security association. Actually, I'll have two security associations for each secure connection: one for outgoing communication, one for incoming communication. They're just identifiers, the way we keep all these different sessions unique.

Now, if you look at what's in a security association: the destination address. If I've connected to Bob, that's Bob's address. Then there's this random value called an SPI, a security parameter index. Let's say what's here is for my first secure connection to Bob. But then I decide to open up a second secure connection to Bob. Maybe I have two applications that are connecting to Bob on his end, so I have two discrete sessions. Well, the destination address part of the security association is going to be the same because I'm connecting to the same host. What is it that's going to uniquely identify Session 1 with Bob and Session 2 with Bob? It's the SPI. The SPI is what provides uniqueness in a security association because of the possibility of having multiple secure connections with the same server. Because if I have multiple communications with the same server without an SPI, they'd all have the same destination address; how would we keep each session unique? That's what the SPI does. It provides the uniqueness information in the security association.

We've talked about our three friends that are the sub-protocols of IPSec. We have AH that gives us strong authentication. We have ESP that gives us decent authentication but adds encryption. Then our friend IKE that provides for key negotiation and management, and the establishing and management of security associations as well.