CCNA-SEC Lec#7 | All about IPSec

What’s the IPsec?
The IPsec (Internet Protocol Security) Protocol Suite is a set of network security protocols, developed to secure the network traffic by establishing encrypted tunnels between two or more end points  across the public network.
IPsec provides the core benefits of confidentiality through encryption, data integrity through hashing and HMAC, and authentication using digital signatures or using a pre-shared key (PSK).
IPsec Goals
The goals can be described as follows:
Confidentiality: provided through encryption changing clear text into cipher text.
Data integrity: provided through hashing and/or through Hashed Message Authentication Code (HMAC) to verify that data has not been manipulated during its transit across the network.
Authentication: provided through authenticating the VPN peers near the beginning of a VPN session using pre-shared keys (PSK) or digital signatures (leveraging digital certificates). Authentication can also be done continuously through the use of an HMAC, which includes a secret known only to two ends of the VPN.
Antireplay protection: when VPNs are established, the peers can sequentially number the packets, and if a packet is attempted to be replayed again (perhaps by an attacker), the packet will not be accepted because the VPN device believes it has already processed that packet.
Internet Key Exchange (IKE) Protocol

IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or remote access VPN tunnels.
Internet Key Exchange (IKE) is a protocol used to set up a IPSec Security Associations (SAs) by define security attributes like encryption key, encryption algorithm, and mode, between IPSec peers.
Security Association (SA) is an one-way virtual tunnel between the two endpoints peers. Thus, for full communication to occur, two SA’s must be established, one for each direction.

The establishment of an IPsec connection takes place in two phases, called IKE phases:
■ IKE Phase 1: The two endpoints authenticate one another and negotiate keying material. This results in an encrypted tunnel used by Phase 2 for negotiating the ESP security associations.
■ IKE Phase 2: The two endpoints use the secure tunnel created in Phase 1 to establishes the IPsec tunnel (IPsec SA), which used to secure the actual user data that is passed between the two endpoints.
IKE relies on ISAKMP to establish an initial secure channel over which the IPsec tunnel can be negotiated. An IKE policy determines the attributes of the ISAKMP session (typically called an IKE SA), including the encryption type and hashing methods.
At IKE Phase 1, There are  five basic items need to be agreed upon between the two VPN endpoints peers as below:
■ Encryption algorithm:  This could be AES, DES or 3DES.
■ Hash algorithm: This could be  MD5 or SHA.
■ Diffie-Hellman (DH) group to use: for creating and sharing keys.
■ Authentication method: This could be pre-shared key (PSK) or  RSA signatures.
■ The SA Lifetime: How long until this IKE Phase 1 tunnel should be torn down.
IKE Phase 1 negotiation can happen in two modes,either using Main Mode which be slower, but more secure or using Aggressive Mode which  faster, but less secure.
There are a  two primary methods for implementing the encapsulation of IPsec header as below:
■ Authentication Header (AH)
■ Encapsulating Security Payload (ESP)
Authentication Header (AH)
– While IPsec uses Authentication Header (AH) to provide Data Integrity, Authentication, and Anti-Replay functions for IPsec VPN. Authentication Header (AH) DOES NOT provide any Data Encryption at all.
– AH uses a hash algorithm to compute a hash value on both the payload and header of a packet which cause AH is incompatible with NAT which 
changes the IP header of a packet during translation which reflect on the receiving device will believe the packet has been altered in transit, and reject the packet.
Encapsulation Security Payload (ESP)
– While IPsec uses ESP (Encapsulating Security Payload) to provide Data Integrity, Encryption, Authentication, and Anti-Replay functions for IPsec VPN.
– ESP uses a hash algorithm to compute a hash value on the payload only and not include the header of a packet which enable it to be compatible with NAT.

ESP is more widely deployed than AH, because ESP provides all the benefits of IPsec, that is, Confidentiality, Integrity, Authentication and Re-Play attack protection….
IPsec Modes
IPsec uses two methods for encryption tunnel and transport mode.
– If IPsec tunnel mode is used, the both of IP header and payload are encrypted in addition a new header be injected.
– But When transport mode is used, only the packet payload is encrypted and the original IP header is left intact.
First let’s have a look at AH and ESP and how they tread original IP packetScreen Shot 2013-11-12 at 11.52.30 AM.png
And now about how those IP protocols fit in the two modes.

Screen Shot 2013-11-12 at 11.52.17 AM.png

In the next lecture we will go deeply into the IPsec configuration and troubleshooting, See you !
By: Hatem Farag | CCIE#54446

CCNA-SEC Lec#5 | Fundamentals of VPN and Cryptography

As mentioned before at our previous lectures, the main objective for any security model to achieve the three essential targets of confidentiality, data integrity &  authentication.
So, Virtual private network “VPN” is considered as a security deployment framework.
What is a VPN?
VPN allows  a logical connection between two devices over a wide-area network “WAN” connection using the Internet as a transport mechanism.
Types of VPNs :
There are two major categories into which VPNs could be placed :-
 ■ Remote-access VPNs: Some users might need to build a VPN connection from their individual computer to the corporate headquarters,  Remote-access VPNs can use IPsec or Secure Shell (SSL) technologies for their VPN.
■ Site-to-site VPNs: The other main VPN implementation is by companies that may have two or more sites that they want to connect securely together, so that each site can communicate with the other site or sites. This implementation is called a site-to-site VPN. Site-to-site VPNs traditionally use a collection of VPN technologies called IPsec.
 There are a two technology types to implement a VPN with its security features.
IPsec: Implements security of IP packets at Layer 3 of the OSI model, and can be used for site-to-site VPNs and remote-access VPNs.

■ SSL: Secure Sockets Layer implements security of TCP sessions over encrypted SSL tunnels of the OSI model, and it can be used for remote-access VPNs (as well as being used to securely visit a web server that supports it via HTTPS).
 Cryptography Basic Components

We are about to have a look about the three essential targets for any security model “confidentiality, data integrity &  authentication” before going to discuss the cryptography components.

■ Confidentiality
it means that only the intended parties can understand the data that is sent,  using encryption Algorithms to prevent the theft of data.
■ Data Integrity
It is about ensure that data is not tampered or altered while transmission, using a hashing algorithm to make sure the sent data is accurate from end to end.
■ Authentication
It confirms the identity of the host sending data, using bother pre-shared keys or RSA Digital signatures to can authenticate the peer at the other end of the VPN tunnel.

All of us now know that confidentiality is a function of encryption, data integrity is a function of hashing, and authentication is the process of proving the identity of the other side of the tunnel. Now it is time to take a look at how those methods are implemented and the choices you have for each.

Encryption Algorithms
Encryption is the process of converting a plain-text message into cipher-text which can be decoded back into the original message,  An encryption algorithm along with a key is used in the encryption and decryption of data.
The type and length of the keys depend upon the encryption algorithm and the amount of security needed. In the symmetric encryption a single key is used to encrypt the data and decrypt the data.
In the asymmetric encryption the encryption key and the decryption key are different. One is a public key by which the sender can encrypt the message and the other is a private key by which a recipient can decrypt the message.
 Symmetric encryption Algorithms
Symmetric encryption algorithms can be divided into stream ciphers and block ciphers. Stream ciphers encrypt a single bit of plaintext at a time, whereas block ciphers take a number of bits (typically 64 bits in modern ciphers), and encrypt them as a single unit.
 Common examples of symmetric encryption algorithms include the following:
  Advanced Encryption Standard (AES) : It is also known as Rijndael, and it is a block cipher.

Digital Encryption Standard (DES) : It is a block cipher with 64-bit block size that uses using a 56-bit key.
Triple Digital Encryption Standard (3DES) : It uses a 64-bit key, the idea behind Triple DES is to improve the security of DES by applying DES encryption three times using three different keys.
Blowfish : Blowfish has a 64-bit block size and a variable key length – from 32 bits to 448 bits.
International Data Encryption Algorithm (IDEA) : it uses a 128 bit key. This key length makes it impossible to break by simply trying every key.
Asymmetric encryption Algorithms
Asymmetric algorithms (public key algorithms) use different keys for encryption and decryption,  Instead of using the same key for encryption and decryption, we use two different keys that mathematically work together as a pair. Let’s call these keys the public key and private key.
Examples of asymmetrical algorithms include the following:

• RSARivest-Shamir-Adleman is the most commonly used public key encryption algorithm,  The key length may be from 512 to 2048, and a minimum size for good security is at least 1024.
• Diffie-Hellman (DH) :  DH is an asymmetrical algorithm that allows two devices to negotiate and establish shared secret keying material (keys) over an untrusted network,  The interesting thing about DH is that although the algorithm itself is asymmetrical, the keys generated by the exchange are symmetrical keys that can then be
used with symmetrical algorithms.

• Digital Signature Algorithm (DSA)

Finally, Asymmetrical algorithms require more CPU processing power than a symmetrical algorithm, while Asymmetrical algorithms are more secure than symmetrical ones.
We will continue at our next lecture the rest of Cryptography Basic Components, such as the Hashing Algorithm and the used techniques to achieve the authentication also.
By: Hatem Farag | CCIE#54446

Introduction to Carrier Supporting Carrier (CSC)

I’m going to discuss with you today, the carrier supporting carrier “CSC” as in the previous post, we talked about how to connect VPN in two different locations from two different service providers with a clarification to the different inter-AS options.
Carrier Supporting Carrier solution enables small service providers to use the cloud of another large service provider in order to connect parts of their own networks; Actually, CSC takes inter-AS L3 VPN to the next level.

Carrier Supporting Carrier

CSC is a technology used to expand the reach of a SP by using another SP as transport, The service provider that provides connectivity over its cloud to the other providers is called the Backbone carrier and the service provider that uses the cloud is called the Customer carrier.

Backbone carrier which gives service to another carrier which is called customer carrier.

Customer carrier might be Provider or Enterprise Company which has its own VPNs.


The CSC-CE is the device located in the customer carriers network, connecting to the backbone carrier. The CSC-PE is the device located in the backbone carriers network connecting to the customer carrier.

The backbone carrier routers “CSC-PE” shouldn’t do any routing lookup, and thus should be substituted with label switching.

The backbone carrier carries the internal addresses of customer carrier. These addresses are loopback interfaces of PEs, RR loopbacks; But backbone carrier is not aware of the customer prefixes of customer carrier.

MPLS is always enabled for the CSC case but LDP is not must for assigning a label.

If IGP protocol runs between customer and backbone carrier then LDP is used. The rule is ”If prefix is learned from IGP, label should be assigned by LDP”.

If BGP protocol runs between customer and backbone carrier, like normal MPLS VPN PE-CE eBGP under the address-family ipv4 vrf on the CSC-PE side but adding the neighbor x.x.x.x send-label command and the mpls bgp forwarding interface command on both sides – When using eBGP for label exchange using the send-label option, mpls bgp forwarding is automatically configured under the interface.

Using BGP for CSC is the recommended solution, due to the following facts:

BGP takes the place of an IGP and LDP since we can use BGP to distribute routes with their MPLS labels, and certainly using a single protocol instead of two expedites the configuration and troubleshooting.

BGP is the preferred routing protocol for connecting two ISPs, mainly because of its wide scale routing policies and ability to scale.

By: Hatem Farag | CCIE#54446