ECE-8843 http://www.csc.gatech.edu/copeland/jac/8843-03/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: GCATT Bldg 579 email or call for office visit, or call Kathy Cheek, 404 894-5696 Chapter 6a - IPsec (IP Secure)
(Note: 06b has PDF copies of slides from Chap. 6 of the text, “Network Security Essentials, Applications and Standards” by William Stallings.)
The Internet is a Router Network

In a router network, circuits are defined by entries in the routing tables along the way. These may be static (manually set up) or dynamic (set up according to an algorithm in the router).

[Diagram: stations A through E on Ethernet and Token Ring LANs, joined through routers 1 to 7; the drawing distinguishes a station's local connection from trunk or long-haul links between routers, and traces the example path "IP A to D".]
Optimal Paths From Router 1 (or To Router 1)

Define Router 1's sink tree.

[Diagram: the same network of routers 1 to 7 and stations A to E, redrawn as the sink tree rooted at router 1, with local connections and trunk or long-haul links marked.]
[Diagram: protocol stacks of a browser (IP address 130.207.22.5, port 31337) and a web server (IP address 24.88.15.22, port 80) connected through a router. The application layer (HTTP) and transport layer (TCP, UDP; segment numbers) exist only end to end. The network layer (IP) is also present in the router, which buffers packets that need to be forwarded (based on IP address). The data-link and physical layers are per hop: Token Ring on the browser's LAN, Ethernet on the server's.]
Connecting Over the Internet to “www.cnn.com”

Discover the Ethernet address of the Domain Name Server:
• ARP - “Who has 130.207.244.244”
• Reply from gateway router: “00 0E 36 A9 72 24 has 130.207.244.244” *

Use DNS (BIND) to convert “www.cnn.com” to a 32-bit Internet address (64.236.16.52):
• Send UDP DNS-Request packet to 130.207.244.244 : UDP 53
• Reply: www.cnn.com = 64.236.16.52

Discover the Ethernet address of host 64.236.16.52 (or the gateway router):
• ARP - “Who has 64.236.16.52”
• Reply from gateway router: “00 0E 36 A9 72 24 has 64.236.16.52” *

Start a TCP connection:
• Send TCP packet with SYN flag set to 64.236.16.52 / 00 0E 36 A9 72 24
• Reply is a TCP packet with the SYN and ACK flag bits set.
• Send TCP packet with ACK flag set.

* The gateway router “has” all IP addresses that are not local (on the LAN).
UDP Datagrams are exchanged to find the IP address

#1 Receive time:71765.605 (0.000) packet length:80 received length:70
Ethernet: (08000726b22f -> Sun 75f53a) type: IP(0x800)
Internet: 130.207.8.51 -> 130.207.244.244 hl: 5 ver: 4 tos: 0 len: 66 id 0x01 fragoff:0 flags: 00 ttl:60 prot:UDP(17) xsum: 0x68ce
UDP: 1042 -> domain(53) len: 46 xsum: 0x5315
Domain Name Service: ID: 2984 opcode: Query (0) Flags: <DORECURSE> (0100) Queries: 1, answers: 0, name servers: 0, Query 0: Name:www.cnn.com

#2 Receive time:71765.653 (0.048) packet length:148 received length:70
Ethernet: ( Sun 75f53a -> 08000726b22f) type: IP(0x800)
Internet: 130.207.244.244 -> 130.207.8.51 hl: 5 ver: 4 tos: 0 len:134 id:xbc77 fragoff 0 flags:00 ttl:60 prot:UDP(17) xsum:0xac13
UDP: domain(53) -> 1042 len: 114 xsum: 0000
Domain Name Service: ID: 2984 opcode: Query (0) Response: No. err (0) Flags: <RESPONSE><AUTHORITATIVE><DORECURSE><CANRECURSE> (8580) Queries: 1, answers: 3, name servers: 0, Query 0: Name:www.cnn.com
The first two packets of the IP, TCP & HTTP (port 80) connection.

#3 Receive time:71765.711 packet length:60
Ethernet: (08000726b22f -> Cisco 083625) type: IP(0x800)
Internet: 130.207.8.51 -> 64.236.16.52 hl: 5 ver: 4 tos: 0 len: 44 id: 0x02 fragoff: 0 flags: 00 ttl: 60 prot: TCP(6) xsum: 0x9be5
TCP Port: 1076 -> http(80) seq: 28a61070 ack: ---- win: 10241 hl: 6 xsum: 0x5342 urg: 0 flags: <SYN> mss: 536

#4 Receive time:71765.721 packet length:60
Ethernet: (Cisco 083625 -> 08000726b22f) type: IP(0x800)
Internet: 64.236.16.52 -> 130.207.8.51 hl: 5 ver: 4 tos: 0 len:44 id:0x7d1f fragoff 0 flags:00 ttl:57 prot:TCP(6) xsum:0x21c8
TCP Port: http(80) -> 1076 seq: 3a28ac00 ack: 28a61071 win: 4096 hl: 6 xsum: 0x816d urg: 0 flags: <ACK><SYN> mss:1460

The Ethernet address (Cisco ...) is the local router port. The IP address is used “end to end.” Ethernet addresses are local only. Address Resolution Protocol (ARP) Ethernet frames are not shown.
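The SYN / SYN-ACK pair above checked mechanically, as an added example that is not from the slides: a small parser for the dump format shown, followed by the consistency check a capture-analysis tool would apply (the reply reverses the address and port pair and acknowledges seq + 1). The field values are copied from the slide; the record text itself is constructed, with the Ethernet lines omitted.

```python
import re

# Two records in the slide's dump format (field values copied from the slide;
# the record text itself is constructed for this example, Ethernet lines omitted).
SYN_RECORD = """#3 Receive time:71765.711 packet length:60
Internet: 130.207.8.51 -> 64.236.16.52 hl: 5 ver: 4 tos: 0 len: 44 id: 0x02 fragoff: 0 flags: 00 ttl: 60 prot: TCP(6) xsum: 0x9be5
TCP Port: 1076 -> http(80) seq: 28a61070 ack: ---- win: 10241 hl: 6 xsum: 0x5342 urg: 0 flags: <SYN> mss: 536"""
SYNACK_RECORD = """#4 Receive time:71765.721 packet length:60
Internet: 64.236.16.52 -> 130.207.8.51 hl: 5 ver: 4 tos: 0 len: 44 id: 0x7d1f fragoff 0 flags: 00 ttl: 57 prot: TCP(6) xsum: 0x21c8
TCP Port: http(80) -> 1076 seq: 3a28ac00 ack: 28a61071 win: 4096 hl: 6 xsum: 0x816d urg: 0 flags: <ACK><SYN> mss: 1460"""

FIELD_RE = {  # one regex per field we need from a record
    "src": r"Internet:\s*([0-9.]+)\s*->", "dst": r"Internet:\s*[0-9.]+\s*->\s*([0-9.]+)",
    "sport": r"TCP Port:\s*(\S+)\s*->", "dport": r"TCP Port:\s*\S+\s*->\s*(\S+)",
    "seq": r"seq:\s*([0-9a-f]+)", "ack": r"ack:\s*(----|[0-9a-f]+)",
    "flags": r"flags:\s*((?:<[A-Z]+>)+)",  # TCP flags; the IP 'flags: 00' has no <>
}

def port_number(token):
    """'http(80)' -> 80, '1076' -> 1076 (the dump names well-known ports)."""
    return int(re.search(r"(\d+)\)?$", token).group(1))

def parse_record(text):
    """Extract addresses, ports, seq/ack and TCP flags from one dump record."""
    if not re.search(r"prot:\s*TCP", text):
        raise ValueError("not a TCP record")
    f = {k: re.search(rx, text).group(1) for k, rx in FIELD_RE.items()}
    return {"src": f["src"], "dst": f["dst"],
            "sport": port_number(f["sport"]), "dport": port_number(f["dport"]),
            "seq": int(f["seq"], 16),
            "ack": None if f["ack"] == "----" else int(f["ack"], 16),
            "flags": set(re.findall(r"<([A-Z]+)>", f["flags"]))}

def check_handshake(syn, synack):
    """Return findings for a SYN / SYN-ACK pair; [] means consistent:
    bare SYN, then SYN+ACK with the 4-tuple reversed and ack == seq + 1."""
    problems = []
    if syn["flags"] != {"SYN"}:
        problems.append("first packet is not a bare SYN")
    if synack["flags"] != {"SYN", "ACK"}:
        problems.append("second packet is not SYN+ACK")
    if (synack["src"], synack["dst"]) != (syn["dst"], syn["src"]):
        problems.append("reply addresses are not the reverse of the SYN")
    if (synack["sport"], synack["dport"]) != (syn["dport"], syn["sport"]):
        problems.append("reply ports are not the reverse of the SYN")
    if synack["ack"] != (syn["seq"] + 1) & 0xFFFFFFFF:
        problems.append("SYN-ACK does not acknowledge seq + 1")
    return problems
```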
Internet Layer Security (IPsec)

The Internet Engineering Task Force (IETF):
• The Internet Security Protocol working group standardized an IP Security Protocol (IPsec) and an Internet Key Management Protocol (IKMP).
• The objective of IPsec is to make cryptographic security mechanisms available to users who desire security.
• The mechanisms should work for both the current version of IP (IPv4) and the new IP (IPv6).
• They should be algorithm-independent, in that the cryptographic algorithms can be altered.
• They should be useful in enforcing different security policies, but avoid adverse impacts on users who do not employ them.

Rolf Oppliger, "Internet Security: Firewalls and Beyond," p. 92, Comm. ACM 40, May 1997
IPsec Authentication Header (AH)

[Figure: AH packet layouts in transport mode and in tunnel mode.]
Encapsulated Secure Payload (ESP)

[Figure: ESP packet layout, contrasted with Transport Level Security (TLS).]
IPsec ESP - Tunnel Mode

[Figure: ESP in tunnel mode used to build a Virtual Private Network (VPN).]
Internet Layer Security (IPsec): packet layouts

Normal Internet Protocol (IP):
  IP Header (A to B) | TCP Header | Application Header | Data

IPsec Authentication Header (AH), transport mode:
  IP Header (A to B) | AH | TCP Header | Application Header | Data

IPsec Authentication Header (AH), tunnel mode:
  IP Hdr (A to Rb) | AH | IP Hdr (A to B) | TCP Hdr | Application Header | Data

IPsec Encapsulated Secure Payload (ESP):
  IP Header (A to Rb) | ESP Header | [TCP Header | Application Header | Data] (encrypted)

IPsec Encapsulated Secure Payload (ESP) with AH:
  IP Header (A to Rb) | AH | ESP Header | [TCP Header | Application Hdr | Data] (encrypted)
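The layouts above as a small model, added here and not taken from the slides: each encapsulation is built from named segments and, going a step beyond the slide, AH carries a real HMAC integrity value so one can check that AH covers the IP header it follows (an address change fails verification) while ESP encrypts only what comes after its own header. The tunnel-mode ESP layout keeps the inner A-to-B header inside the encrypted part, following the AH tunnel row; the key, the gateway name Rb, the header bytes and the toy cipher are constructed stand-ins.

```python
import hashlib
import hmac

def plain_packet():
    """The slide's 'Normal IP' row as constructed (name, bytes) segments."""
    return [("IP Hdr A to B", b"A->B"), ("TCP Hdr", b"1076>80"),
            ("App Hdr", b"HTTP"), ("Data", b"GET /")]

def outer_header(mode):
    """Tunnel mode wraps the packet in a new IP header to the gateway Rb."""
    return [("IP Hdr A to Rb", b"A->Rb")] if mode == "tunnel" else []

def _icv(key, ip_hdr, rest):
    # AH integrity check value: covers the IP header and all segments after AH
    return hmac.new(key, ip_hdr + b"".join(b for _, b in rest), hashlib.sha256).digest()

def apply_ah(pkt, mode, key):
    """Insert AH right after the (outer) IP header and compute its ICV."""
    pkt = outer_header(mode) + pkt
    return [pkt[0], ("AH", _icv(key, pkt[0][1], pkt[1:]))] + pkt[1:]

def verify_ah(pkt, key):
    """True if nothing covered by the ICV (IP header, AH payload) changed."""
    return pkt[1][0] == "AH" and hmac.compare_digest(pkt[1][1], _icv(key, pkt[0][1], pkt[2:]))

def _xor_stream(key, data):
    # Toy stream cipher (SHA-256 keystream XOR) standing in for ESP's cipher;
    # it is only here so the layout model round-trips, not for real use.
    ks = hashlib.sha256(key + b"esp").digest() * (len(data) // 32 + 1)
    return bytes(c ^ k for c, k in zip(data, ks))

def apply_esp(pkt, mode, key):
    """Insert the ESP header after the (outer) IP header; everything after the
    ESP header becomes one encrypted blob (the slide's shaded region)."""
    pkt = outer_header(mode) + pkt
    clear = b"".join(b for _, b in pkt[1:])
    return [pkt[0], ("ESP Hdr", b"spi=1"), ("Encrypted", _xor_stream(key, clear))]

def decrypt_esp(pkt, key):
    """Recover the bytes that were behind the ESP header."""
    return _xor_stream(key, pkt[2][1])

def layout(pkt):
    """Render the header sequence the way the slide draws it."""
    return " | ".join(name for name, _ in pkt)
```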
Security Associations

[Figure: security association diagram; only the address 64.236.16.52 survives from the drawing.]