
IMPLEMENTATION OF INTERNET PROTOCOL SECURITY IN VIDEO CONFERENCING OVER IPV4/V6 ON THE LINUX ...

Date post: 03-Apr-2018
Upload: ukays


    Student Conference on Research and Development (SCOReD) 2003 Proceedings, Putrajaya, Malaysia

    IMPLEMENTATION OF INTERNET PROTOCOL SECURITY IN VIDEO CONFERENCING OVER IPV4/V6 ON THE LINUX PLATFORM

    Lee Ling Chuan, Kasmiran Jumari, Mahamod Ismail and Khairil Anuar

    Faculty Engineering, Universiti Kebangsaan Malaysia, 43600 UKM Bangi, Selangor, MALAYSIA
    e-mail: Iin~chu an@m aiIcitv.coq kbi@,pkrisc.cc.ukm.mv, [email protected], khairil@,ena.ukm.my
    Tel: +603-89296318, Fax: +603-89296146

    Abstract - This paper outlines the architectural principles of secured video conferencing using Internet Protocol Security (IPSec) over IPv4 and IPv6. In non-secured video conferencing, an attacker can sniff and eavesdrop on the traffic (unauthorized interception) and spoof the packet sender/receiver address. A secured video conferencing test-bed consisting of two PC's with an IPv4/IPv6 stack has been implemented on the Linux platform using the IPSec protocol. The security test includes FTP and PING/PING6 between the two PC's. The result shows that the sniffer cannot sniff the packets transferred between the two PC's.

    I. INTRODUCTION

    Video conferencing over Internet Protocol is rapidly becoming a mature technology and not only involves face-to-face conversations; some confidential information is also being exchanged which is not meant for other eyes and ears. For this reason, video conferencing systems must guarantee that the information is totally secure against every type of undesired access. Secure video conferencing by IPSec [1] fulfils this requirement with the utmost reliability.

    There are many general network security issues, such as eavesdropping for unauthorized interception and decoding of messages, packet spoofing in packet-based protocols that can easily impersonate a sending address, and message integrity, ensuring that the message received is the same as the message sent. The best method to provide the appropriate levels of protection is the use of a Virtual Private Network (VPN) topology with IPSec, which provides interoperability. IPSec allows IP packets to be encrypted, a mode known as Encapsulated Security Payload (ESP) [2]. IPSec also assures the integrity of the message by creating a MAC of the IPSec packets, known as Authentication Header (AH) [3]. The eavesdropping threat identified earlier can be countered using ESP encryption, while packet spoofing, replay and message integrity can all be countered, to a large extent, by AH authentication and, to a lesser extent, by ESP encryption. Thus, the use of IPSec over VPN can successfully protect against many of the network threats. However, the implementation of VPN technology involves other factors that need to be taken into account, in particular the performance issues associated with encrypting data and the bandwidth restrictions relevant to video conferencing, such as video quality, frame rate, transmission rate and latency.

    II. IMPLEMENTATION OF IPSEC

    As for today, IPSec functionality is deployed on a number of operating systems. For instance, FreeS/WAN is an open-source IPSec implementation for Linux. IPSec can be connected in two modes, tunnel mode and transport mode, in IPv4 and IPv6 as shown in Fig. 1 and Fig. 2 respectively. Transport mode is a host-to-host connection involving only two machines, while in tunnel mode the IPSec machines act as gateways and traffic for any number of client machines may be carried. The IPSec implementation actually involves building an encrypted tunnel across the local area network so the two networks can talk securely.

    Fig. 1 (a) Tunnel mode and (b) Transport mode for IPv4 network

    0-7803-8173-4/03/$17.00 ©2003 IEEE.


    Fig. 2 (a) Tunnel mode and (b) Transport mode for IPv6 network

    A prerequisite for secure conferencing is the ability to encrypt the streams produced by the multimedia tools, Video Conferencing Tool (VIC) [4]. Data authentication in IPSec uses a secret key shared between participants. While this will allow a group member to be sure data came from another member of the group, it does not identify which one.

    Without site-to-site or site-to-client encryption, video-over-IP packets are vulnerable to network security issues. This project is a highly scalable, high-performance VPN solution designed using the IPSec protocol and the Triple-DES cryptographic algorithm to provide the level of security necessary to counter many of the transport level threats related to video conferencing over IPv4 and IPv6. With IPSec, traffic is encrypted and tunnelled through the internet free from sniffing and eavesdropping.

    Before implementing video conferencing, the two PC's (PC1 and PC2) must be configured with the IPSec protocol and a Linux based IPv4 and IPv6 stack [5]. Both PC's used Linux (Redhat 7. with the 2.4.6 kernel version). Table 1 shows the specification for the network testbed [6].

    Table 1. Specification for IPv4/IPv6 network

            | IPv4 Address   | IPv6 Address
    PC 1    | 202.185.45.44  | 3ffe:80d0:ff00:2::44
    PC 2    | 202.185.45.57  | 3ffe:80d0:ff00:2::50
    Gateway | 202.185.45.254 | -
    MANIS  MANIS-UKM
            | -              | 3ffe:80d0:fEe:10::1
    IPv4 | Gateway | -       | 3ffe:80d0:ff00:2::253

    Figure 3 shows an example of a VIC frame for IPSec in video conferencing over IPv6, which consists of the VIC display.

    Fig. Packet Dump Without IPSec

    When IPSec was initialized on both computers and the connection was sniffed the same way as before, the screen output for ethereal shown in Fig. 5 was captured. Notice that the packet is labeled as an ESP and that the contents are gibberish.


    Another useful troubleshooting tool is File Transfer Protocol (FTP). Since FTP is an unencrypted protocol, the attacker can watch usernames and passwords and all keystrokes between one host and another in clear text. Similarly, a sniffer is run during the FTP session both with and without IPSec enabled. Without IPSec, the attacker should be able to pick out a username and password in the data portion of the packet, while with IPSec, the attacker cannot decipher anything, as shown in Fig. 6 and Fig. 7 respectively.
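The check made with the sniffer in the ping and FTP tests, as an added example (not code from the paper): it classifies raw IPv4/IPv6 packets by what an on-path observer can read and lists any testbed traffic that is not wrapped in ESP. The sample packets are constructed, the IPv6 addresses are documentation-prefix placeholders, and `classify` and `unprotected` are hypothetical names.

```python
import socket
import struct

ESP, AH, TCP = 50, 51, 6
IPV6_EXT = {0, 43, 60}   # hop-by-hop, routing, destination options

def classify(pkt):
    """Describe a raw IP packet (no link-layer header) as a sniffer on the path sees it."""
    if pkt[0] >> 4 == 4:
        off, proto, fam, a = (pkt[0] & 0x0F) * 4, pkt[9], socket.AF_INET, pkt[12:20]
    elif pkt[0] >> 4 == 6:
        off, proto, fam, a = 40, pkt[6], socket.AF_INET6, pkt[8:40]
        while proto in IPV6_EXT:   # extension header: next header, length in 8-octet units minus 1
            proto, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    else:
        raise ValueError("not an IPv4/IPv6 packet")
    half = len(a) // 2
    info = {"src": socket.inet_ntop(fam, a[:half]), "dst": socket.inet_ntop(fam, a[half:]),
            "protection": "none", "visible": proto}
    if proto == ESP:      # only SPI and sequence number are readable, the rest is ciphertext
        info.update(protection="ESP", visible=None)
        info["spi"], info["seq"] = struct.unpack("!II", pkt[off:off + 8])
    elif proto == AH:     # authenticated but not encrypted: the inner protocol stays visible
        info.update(protection="AH", visible=pkt[off])
    elif proto == TCP:
        info["visible"] = ("tcp",) + struct.unpack("!HH", pkt[off:off + 4])
    return info

def unprotected(packets, hosts):
    """Return classified packets between testbed hosts that are not carried inside ESP."""
    seen = [classify(p) for p in packets]
    return [i for i in seen if {i["src"], i["dst"]} <= hosts and i["protection"] != "ESP"]

# Constructed sample packets (checksums left at zero; not captured traffic).
def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def ipv6(src, dst, nxt, payload):
    pton = lambda x: socket.inet_pton(socket.AF_INET6, x)
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64) + pton(src) + pton(dst) + payload

FTP = struct.pack("!HHIIBBHHH", 40000, 21, 0, 0, 0x50, 0x18, 8192, 0, 0) + b"USER demo\r\n"
ESP_BODY = struct.pack("!II", 0x1001, 7) + bytes(range(32))   # stand-in for ciphertext
PC1, PC2 = "202.185.45.44", "202.185.45.57"    # IPv4 testbed addresses from Table 1
V6A, V6B = "2001:db8::44", "2001:db8::50"      # documentation-prefix placeholders, not the testbed's
SAMPLES = [ipv4(PC1, PC2, TCP, FTP), ipv4(PC1, PC2, ESP, ESP_BODY),
           ipv6(V6A, V6B, TCP, FTP), ipv6(V6A, V6B, ESP, ESP_BODY)]
```

An AH-only packet is reported as not ESP-protected as well, because AH authenticates the packet but leaves the FTP payload readable.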


    IV. CONCLUSION

    A secured video conferencing test-bed consisting of two PC's with an IPv4/IPv6 stack has been implemented on the Linux platform using the IPSec protocol. The security test includes FTP and PING/PING6 between the two PC's in the tunnel mode and transport mode over IPv4 and IPv6. The results show that the packets transferred between the two PC's were secured against sniffing and spoofing. However, the denial of service sometime can ... system crash.

    V. REFERENCES

    [1] http://www.freeswan.org, access on Friday, 15/2/2002
    [2] http://www.ietf.org/rfc/rfc2406.txt, access on Saturday, 17/2/2001
    [3] http://www.ietf.org/rfc/rfc2402.txt, access on Saturday, 17/2/2001
    [4] http://www-mice.cs.ucl.ac.uk/multi, access on Monday, 12/2/2001
    [5] http://www.bieringer.de/linux/IPv6, access on Friday, 15/6/2001
    [6] http://www.manis.net.my, access on Friday, 29/6/2001
    [7] http://www.ethereal.com, access on Monday, 29/10/2001
