IP Security v3

Eogogics Legacy Courses Still Available on Request
  • Course: IP Security v3
  • Course ID: IPSECWS; Duration: 2-3 days; Where: Your Office (7+ Persons)
  • Available as a private, customized course for your group at your offices or ours and in some cases as a WebLive(TM) class.

Course Outline

  • Introduction
    • The Need for IPSec
    • IPSec Alternatives
    • IPSec Timeline: v1 -> v2 -> v3
      • IPSec v1
      • IPSec v2
      • IPSec v3
  • IPSec RFC Overview
    • RFC 4301 Security Architecture for the Internet Protocol
    • RFC 4302 IP Authentication Header
    • RFC 4303 IP Encapsulating Security Payload
    • RFC 4304 Extended Sequence Number Addendum
    • RFC 4307 Cryptographic Algorithms for IKEv2
    • RFC 4308 Cryptographic Suites for IPSec
    • RFC 4309 Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)
    • RFC 4478 Repeated Authentication in IKEv2
    • RFC 4543 GMAC in IPSec ESP and AH
    • RFC 4555 IKEv2 Mobility and Multihoming Protocol (MOBIKE)
    • RFC 4621 Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
    • RFC 4718 IKEv2 Clarifications and Implementation Guidelines
    • RFC 4806 Online Certificate Status Protocol (OCSP) Extensions to IKEv2
    • RFC 4809 Requirements for an IPSec Certificate Management Profile
    • RFC 4945 PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX
  • IPSec v3: Security Architecture for the Internet Protocol
    • Security Policy Database (SPD)
    • Security Association Database (SAD)
    • Peer Authorization Database (PAD)
    • Security Associations
      • Key Management
      • Multicast
    • IP Traffic Processing
    • ICMP Processing
    • Other Issues
    • Differences from RFC 2401
  • Authentication Header (AH)
    • Format and Structure
    • Fields
    • Galois Message Authentication Code (GMAC)
    • GMAC Lab
      • Study the operation of Message Authentication Codes in general, then the attributes and operation of the Galois Message Authentication Code (GMAC) as used in IPSec v3
      • LAB debrief/group discussion
    • IP Packet Processing
    • Differences from RFC 2402
    • AH Lab
      • View traces of traffic that uses the Authentication Header, with and without the Encapsulating Security Payload. The lab includes attacks against, and countermeasures to, AH and ESP security vulnerabilities.
      • LAB debrief/group discussion
  • Encapsulating Security Payload (ESP)
    • Format and Structure
    • Fields
    • Advanced Encryption Standard (AES) with ESP
    • AES Lab
      • Step through AES encryption procedure as a paper exercise and review possible attacks and countermeasures
      • LAB debrief/group discussion
    • IP Packet Processing
    • Differences from RFC 2406
    • ESP Lab
      • View traces of encrypted network traffic that uses the Encapsulating Security Payload
      • Lab debrief/group discussion
  • IKEv2 and ISAKMP
    • Extended Sequence Number Addendum
    • Cryptographic Algorithms for IKEv2
    • Repeated Authentication in IKEv2
    • IKEv2 Mobility and Multihoming Protocol (MOBIKE)
    • Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
    • MOBIKE Lab
      • Sample design and security specification exercise with implementation checklist for MOBIKE system
      • Lab debrief and group discussions
    • IKEv2 Clarifications and Implementation Guidelines
    • Online Certificate Status Protocol (OCSP) Extensions to IKEv2
    • Requirements for an IPsec Certificate Management Profile
    • PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX
    • IKEv1 and v2/ISAKMP Lab
      • View traces of completed and aborted tunnel establishment and key exchange using IKEv1, IKEv2 and ISAKMP
      • Lab debrief and discussion
  • Cryptographic Suites for IPSec
    • Suite “VPN-A”
      • ESP [RFC2406]
        • Encryption: TripleDES in CBC mode [RFC2451]
        • Integrity: HMAC-SHA1-96 [RFC2404]
      • IKE and IKEv2
        • Diffie-Hellman group: 1024-bit Modular Exponential (MODP) [RFC2409]
    • Suite “VPN-B”
      • ESP [RFC2406]
        • Encryption: AES with 128-bit keys in CBC mode [AES-CBC]
        • Integrity: AES-XCBC-MAC-96 [AES-XCBC-MAC]
      • IKE and IKEv2
        • Integrity: AES-XCBC-MAC-96 [AES-XCBC-MAC]
        • Diffie-Hellman group: 2048-bit MODP [RFC3526]
    • Cryptographic Suite Exercise
      • A group exercise on the pros, cons and trade-offs of standard and non-standard cryptographic suites. It examines the security and vulnerability issues that arise from the large number of possible combinations of IPSec protocol options: ESP encryption and integrity algorithms, and IKE/IKEv2 encryption algorithms, pseudo-random functions, integrity algorithms and Diffie-Hellman groups.
      • Lab debrief/group discussion
  • Conclusion
    • IPSec v4? and the Future of IPSec
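
The following Go program is an added illustration for the AH and GMAC lab topics above; it is not course material and not code from Eogogics. It builds a constructed IPv4 + AH packet image, computes the AES-GMAC integrity check value (ICV) the sender would place in the Authentication Data field, and verifies it on the receive side. It assumes the RFC 4543 layout for AH: a 4-byte salt from the key material followed by the 8-byte per-packet IV forms the 12-byte GCM nonce, the ICV is 16 bytes, and the mutable IPv4 fields (TTL, header checksum) and the ICV field are zeroed before the tag is computed. Key, salt, IV, addresses and payload are all constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// RFC 4543 sizes for AES-GMAC in AH: an 8-byte per-packet IV carried in the
// packet and a 16-byte ICV. The nonce fed to GCM is a 4-byte salt taken from
// the key material followed by the 8-byte IV.
const (
	gmacSaltLen = 4
	gmacIVLen   = 8
	gmacICVLen  = 16
)

// ahGMACTag computes the ICV an AH sender places in the Authentication Data
// field. authData is the packet as the receiver will see it, with the mutable
// IP fields and the ICV itself zeroed. GMAC is AES-GCM with an empty plaintext:
// everything is passed as additional authenticated data, so Seal returns only
// the 16-byte tag.
func ahGMACTag(key, salt, iv, authData []byte) ([]byte, error) {
	if len(salt) != gmacSaltLen || len(iv) != gmacIVLen {
		return nil, fmt.Errorf("salt must be %d bytes and IV %d bytes", gmacSaltLen, gmacIVLen)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	nonce := append(append([]byte{}, salt...), iv...)
	return gcm.Seal(nil, nonce, nil, authData), nil
}

// ahGMACVerify recomputes the tag on the receive side and compares it in
// constant time against the ICV carried in the packet.
func ahGMACVerify(key, salt, iv, authData, icv []byte) bool {
	tag, err := ahGMACTag(key, salt, iv, authData)
	if err != nil || len(icv) != gmacICVLen {
		return false
	}
	return subtle.ConstantTimeCompare(tag, icv) == 1
}

// buildAHAuthData assembles a constructed IPv4 + AH + payload image for the
// ICV computation: a minimal IPv4 header with TTL and checksum zeroed (they
// change in transit), then the AH header (Next Header, Payload Len, SPI,
// Sequence Number, IV, zeroed ICV), then the upper-layer data.
func buildAHAuthData(spi, seq uint32, iv, payload []byte) []byte {
	ahLen := 12 + gmacIVLen + gmacICVLen // 36 bytes for AES-GMAC over IPv4
	ip := make([]byte, 20)
	ip[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(ip[2:], uint16(len(ip)+ahLen+len(payload)))
	ip[8] = 0  // TTL: mutable, zeroed for the ICV
	ip[9] = 51 // protocol 51 = AH
	// ip[10:12] header checksum: mutable, left zero
	copy(ip[12:], []byte{10, 0, 0, 1}) // constructed source address
	copy(ip[16:], []byte{10, 0, 0, 2}) // constructed destination address

	ah := make([]byte, ahLen)
	ah[0] = 6                 // Next Header: TCP
	ah[1] = byte(ahLen/4 - 2) // Payload Len: AH length in 32-bit words minus 2 (= 7)
	binary.BigEndian.PutUint32(ah[4:], spi)
	binary.BigEndian.PutUint32(ah[8:], seq)
	copy(ah[12:], iv)
	// ah[20:36] is the ICV field, zero while the tag is computed

	out := append(ip, ah...)
	return append(out, payload...)
}

func main() {
	key := []byte("0123456789abcdef")      // constructed 128-bit AES key
	salt := []byte{0x01, 0x02, 0x03, 0x04} // constructed 4-byte salt
	iv := []byte{0, 0, 0, 0, 0, 0, 0, 1}   // per-packet IV; must never repeat under this key
	data := buildAHAuthData(0x1000, 1, iv, []byte("constructed payload"))

	icv, err := ahGMACTag(key, salt, iv, data)
	if err != nil {
		panic(err)
	}
	fmt.Println("ICV:", hex.EncodeToString(icv))
	fmt.Println("verify original:", ahGMACVerify(key, salt, iv, data, icv))

	tampered := append([]byte{}, data...)
	tampered[len(tampered)-1] ^= 0x01 // flip one payload bit
	fmt.Println("verify tampered:", ahGMACVerify(key, salt, iv, tampered, icv))
}
```

The property to take from the lab is that GMAC is integrity-only and its security rests entirely on the IV never repeating under a key: a sender that reuses an IV for two different packets lets an observer recover the GHASH subkey and forge ICVs for arbitrary packets, which is why the sequence-number-driven IV and a fresh SA after rekey matter as much as the tag itself.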
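
A second added example, for the ESP format and the cryptographic suite exercise above (again not course material and not Eogogics code): an ESP sender and receiver in Go that combines the VPN-B encryption algorithm (AES with 128-bit keys in CBC mode) with the VPN-A integrity algorithm (HMAC-SHA1-96), which is exactly the kind of cross-suite combination the exercise asks you to weigh. It assumes transport-mode layout with no outer IP header, an explicit 16-byte IV after the sequence number, RFC 4303 trailer padding, and a 96-bit ICV over everything that precedes it. Keys, IV and payload are constructed values; a real sender would draw the IV from crypto/rand for every packet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const (
	espHdrLen = 8  // SPI (4) + Sequence Number (4)
	espICVLen = 12 // HMAC-SHA1-96: the 20-byte HMAC truncated to 96 bits
)

// espPad appends the RFC 4303 trailer fields so the plaintext fills whole AES
// blocks: payload || padding (1, 2, 3, ...) || Pad Length || Next Header.
func espPad(payload []byte, nextHeader byte) []byte {
	padLen := (aes.BlockSize - (len(payload)+2)%aes.BlockSize) % aes.BlockSize
	out := make([]byte, 0, len(payload)+padLen+2)
	out = append(out, payload...)
	for i := 1; i <= padLen; i++ {
		out = append(out, byte(i))
	}
	return append(out, byte(padLen), nextHeader)
}

// espSeal builds an ESP packet: header, explicit IV, AES-128-CBC ciphertext
// of the padded payload, then an ICV computed over everything before it
// (encrypt-then-MAC, as ESP specifies). iv must be 16 fresh random bytes per
// packet; it is a parameter here only so the example is reproducible.
func espSeal(encKey, authKey []byte, spi, seq uint32, iv, payload []byte, nextHeader byte) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be one AES block")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pkt := make([]byte, espHdrLen)
	binary.BigEndian.PutUint32(pkt[0:], spi)
	binary.BigEndian.PutUint32(pkt[4:], seq)
	pkt = append(pkt, iv...)
	pt := espPad(payload, nextHeader)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	pkt = append(pkt, ct...)
	mac := hmac.New(sha1.New, authKey)
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:espICVLen]...), nil
}

// espOpen checks the ICV before touching the ciphertext, so a forged or
// modified packet is dropped without ever reaching the padding check; only
// then does it decrypt and strip the trailer.
func espOpen(encKey, authKey, pkt []byte) ([]byte, byte, error) {
	if len(pkt) < espHdrLen+2*aes.BlockSize+espICVLen {
		return nil, 0, errors.New("packet too short")
	}
	body, icv := pkt[:len(pkt)-espICVLen], pkt[len(pkt)-espICVLen:]
	mac := hmac.New(sha1.New, authKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:espICVLen], icv) {
		return nil, 0, errors.New("ICV mismatch: packet dropped")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, 0, err
	}
	iv := body[espHdrLen : espHdrLen+aes.BlockSize]
	ct := body[espHdrLen+aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, 0, errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	padLen := int(pt[len(pt)-2])
	if padLen+2 > len(pt) {
		return nil, 0, errors.New("bad Pad Length")
	}
	return pt[:len(pt)-2-padLen], pt[len(pt)-1], nil
}

func main() {
	encKey := []byte("constructed-k128")      // constructed 16-byte AES key
	authKey := []byte("constructed-hmac-key") // constructed HMAC key
	iv := []byte("constructed-iv16")          // constructed; use crypto/rand in real use
	pkt, err := espSeal(encKey, authKey, 0x2000, 1, iv, []byte("GET / HTTP/1.0\r\n"), 6)
	if err != nil {
		panic(err)
	}
	fmt.Println("ESP packet:", hex.EncodeToString(pkt))
	payload, nh, err := espOpen(encKey, authKey, pkt)
	fmt.Printf("opened: %q next header %d err %v\n", payload, nh, err)
	pkt[espHdrLen+aes.BlockSize] ^= 0x80 // flip one ciphertext bit
	_, _, err = espOpen(encKey, authKey, pkt)
	fmt.Println("tampered:", err)
}
```

Two points for the suite discussion follow from the code. First, the order of operations in espOpen is not optional: verifying the ICV before decryption is what keeps the Pad Length check from turning into a padding oracle, and it is why ESP with integrity is required rather than ESP with encryption alone. Second, the algorithms are interchangeable parts, so the weak choices in a suite (VPN-A's TripleDES and 1024-bit MODP group, both well below current recommendations) are replaced by policy, not by protocol changes, which is the trade-off the exercise is built around.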

Course Overview

Course in a Nutshell

This is a hands-on workshop, about two-thirds of which is labs. It builds on your understanding of IPSec v2, IPv4, and IPv6 to emphasize the enhancements and improvements that IPSec v3 brings to securing IPv4 and IPv6 networks. The IPSec v1-v2-v3 timeline and the suitability of IPSec v3 for both IPv4 and IPv6 are covered, along with a range of technical topics, each reinforced with individual hands-on lab exercises and group debrief discussions.

Customize It!

Customize this course to your group’s requirements at little-to-no added cost. We can add or omit topics or labs, vary emphasis, and make the course more or less technical as required.

Audience / Prerequisites

Aimed At

Security and networking professionals who need a deep understanding of IPSec v3: its implementation, vulnerabilities, countermeasures, and its similarities to and differences from IPSec v2.

Prerequisites

You should have a background in IPv4 and IPv6 and have taken the above course, or possess equivalent knowledge and experience, to fully benefit from this course.