IPSec In Depth
Rooster ipsecindepth
IPsecurity
Published in: Technology, Education
1. IPSec In Depth

2. Encapsulated Security Payload (ESP)
• Must encrypt and/or authenticate each packet
• Encryption occurs before authentication
• Authentication is applied to the data in the IPSec header as well as the data contained as payload

3. IPSec Encapsulating Security Payload (ESP) in Transport Mode
Original packet:  Orig IP Hdr | TCP Hdr | Data
After ESP (ESP Hdr inserted; ESP Trailer and ESP Auth appended):  Orig IP Hdr | ESP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth
• ESP Hdr fields: SecParamIndex, Seq#, InitVector
• ESP Trailer fields: Padding, PadLength, NextHdr
• ESP Auth field: Keyed Hash
• TCP Hdr, Data and ESP Trailer are usually encrypted; integrity hash coverage runs from ESP Hdr through ESP Trailer
• ESP is IP protocol 50; 22-36 bytes total
© 2000 Microsoft Corporation

4. IPSec ESP Tunnel Mode
Original packet:  Orig IP Hdr | TCP Hdr | Data
After ESP:  IP Hdr | ESP Hdr | Orig IP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth
• New IP header with source & destination IP address
• Orig IP Hdr, TCP Hdr, Data and ESP Trailer are usually encrypted; integrity hash coverage runs from ESP Hdr through ESP Trailer
© 2000 Microsoft Corporation
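As an added example (not from the slides or from Microsoft's implementation), the transport-mode ESP framing from slides 2-4 in Python: an ESP Hdr (SecParamIndex, Seq#, InitVector), the payload padded into an ESP Trailer (Padding, PadLength, NextHdr), encryption first, then the keyed hash over ESP Hdr through ESP Trailer, and a receiver that drops the packet on ICV mismatch before it decrypts anything. The SPI, keys and the keystream "cipher" are constructed stand-ins; only the framing and the encrypt-then-authenticate order are the point.

```python
import hmac, hashlib, os, struct

SPI = 0x1234ABCD        # constructed Security Parameter Index
AUTH_KEY = b"k" * 20    # constructed key for the keyed hash (HMAC-SHA1-96)
ENC_KEY = b"e" * 16     # constructed encryption key
BLOCK = 16              # cipher block size; the trailer pads up to it
ICV_LEN = 12            # HMAC-SHA1-96: 96-bit truncated ICV

def keystream_xor(key, iv, data):
    """Stand-in for the negotiated cipher: XOR with an HMAC(key, iv||ctr) keystream.
    Not a real IPsec transform; it only gives the framing something to encrypt."""
    out = bytearray()
    for i in range(0, len(data), 20):
        ks = hmac.new(key, iv + struct.pack(">I", i // 20), hashlib.sha1).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 20], ks))
    return bytes(out)

def esp_encapsulate(payload, next_hdr, seq, iv=None):
    """Wrap a transport-layer payload (TCP Hdr + Data) in ESP: encrypt, then authenticate."""
    iv = iv or os.urandom(BLOCK)
    pad_len = (-(len(payload) + 2)) % BLOCK       # PadLength + NextHdr must end a block
    padding = bytes(range(1, pad_len + 1))        # default monotonic padding
    plaintext = payload + padding + bytes([pad_len, next_hdr])   # payload + ESP Trailer
    esp_hdr = struct.pack(">II", SPI, seq)        # SecParamIndex, Seq#
    body = esp_hdr + iv + keystream_xor(ENC_KEY, iv, plaintext)  # encryption first ...
    icv = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]  # ... then the keyed hash
    return body + icv                             # ESP Auth covers ESP Hdr through Trailer

def esp_authentic(pkt):
    """True if the keyed hash over ESP Hdr..Trailer matches the ESP Auth field."""
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)

def esp_decapsulate(pkt):
    """Verify first, decrypt only if the ICV checks out; return (spi, seq, next_hdr, payload)."""
    if not esp_authentic(pkt):
        raise ValueError("ESP ICV mismatch: packet dropped before decryption")
    body = pkt[:-ICV_LEN]
    spi, seq = struct.unpack(">II", body[:8])
    iv, ct = body[8:8 + BLOCK], body[8 + BLOCK:]
    pt = keystream_xor(ENC_KEY, iv, ct)
    pad_len, next_hdr = pt[-2], pt[-1]
    return spi, seq, next_hdr, pt[:len(pt) - 2 - pad_len]
```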
5. Authentication Header (AH)
• Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out
• If both ESP and AH are applied to a packet, AH follows ESP

6. IPSec Authentication Header (AH) in Transport Mode
Original packet:  Orig IP Hdr | TCP Hdr | Data
After AH (AH Hdr inserted):  Orig IP Hdr | AH Hdr | TCP Hdr | Data
• AH Hdr fields: Next Hdr, Payload Len, Rsrv, SecParamIndex, Seq#, Keyed Hash
• Integrity hash coverage: the whole packet (except for mutable fields in the IP hdr)
• AH is IP protocol 51; 24 bytes total
© 2000 Microsoft Corporation

7. IPSec AH Tunnel Mode
Original packet:  Orig IP Hdr | TCP Hdr | Data
After AH:  IP Hdr | AH Hdr | Orig IP Hdr | TCP Hdr | Data
• New IP header with source & destination IP address
• Integrity hash coverage: the whole packet (except for mutable new IP hdr fields)
© 2000 Microsoft Corporation
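As an added example (not from the slides), the transport-mode AH from slides 5-6 in Python: a 24-byte AH Hdr (Next Hdr, Payload Len, Rsrv, SecParamIndex, Seq#, 96-bit Keyed Hash) inserted after an IPv4 header, with the keyed hash computed over the whole packet after zeroing the mutable IP fields (TOS, flags/fragment offset, TTL, header checksum) and the ICV field itself. The key and SPI are constructed; the point is that a router's TTL decrement leaves the ICV valid while any change to an immutable field or the payload does not.

```python
import hmac, hashlib, struct

AUTH_KEY = b"a" * 20        # constructed key for the keyed hash (HMAC-SHA1-96)
SPI = 0x00000101            # constructed Security Parameter Index
AH_PROTO = 51               # AH is IP protocol 51
IP_FMT = ">BBHHHBBH4s4s"    # 20-byte IPv4 header, no options

def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, ident=1, flags_frag=0x4000):
    """Build a minimal IPv4 header; checksum left 0 (mutable, never covered by the ICV)."""
    return struct.pack(IP_FMT, 0x45, tos, total_len, ident, flags_frag, ttl, proto, 0, src, dst)

def zero_mutable(ip_hdr):
    """Zero the mutable fields (TOS, flags/fragment offset, TTL, header checksum) before hashing."""
    f = list(struct.unpack(IP_FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IP_FMT, *f)

def ah_icv(ip_hdr, ah_fixed, payload):
    """Keyed hash over zeroed IP header + AH header (ICV field as zeros) + payload."""
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(12) + payload
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:12]

def ah_transport(src, dst, next_hdr, payload, seq, ttl=64):
    """Insert a 24-byte AH between the IP header and its payload (transport mode)."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + 24 + len(payload), ttl=ttl)
    # Next Hdr, Payload Len (24/4 - 2 = 4), Rsrv, SecParamIndex, Seq#
    ah_fixed = struct.pack(">BBHII", next_hdr, 4, 0, SPI, seq)
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload

def ah_verify(pkt):
    """Recompute the ICV at the receiver; TTL decrements en route do not break it."""
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(ah_icv(ip_hdr, ah_fixed, payload), icv)
```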
8. Internet Key Exchange (IKE)
• Phase I
  – Establish a secure channel (ISAKMP SA)
  – Authenticate computer identity
• Phase II
  – Establishes a secure channel between computers intended for the transmission of data (IPSec SA)

9. Main Mode
• Main mode negotiates an ISAKMP SA which will be used to create IPSec SAs
• Three steps
  – SA negotiation
  – Diffie-Hellman and nonce exchange
  – Authentication

10. Main Mode (Kerberos)
Initiator -> Responder: Header, SA Proposals
Responder -> Initiator: Header, Selected SA Proposal
Initiator -> Responder: Header, D-H Key Exchange, Nonce_i, Kerberos Token_i
Responder -> Initiator: Header, D-H Key Exchange, Nonce_r, Kerberos Token_r
Initiator -> Responder (encrypted): Header, Id_i, Hash_i
Responder -> Initiator (encrypted): Header, Id_r, Hash_r

11. Main Mode (Certificate)
Initiator -> Responder: Header, SA Proposals
Responder -> Initiator: Header, Selected SA Proposal
Initiator -> Responder: Header, D-H Key Exchange, Nonce_i
Responder -> Initiator: Header, D-H Key Exchange, Nonce_r, Certificate Request
Initiator -> Responder (encrypted): Header, Id_i, Certificate_i, Signature_i, Certificate Request
Responder -> Initiator (encrypted): Header, Id_r, Certificate_r, Signature_r

12. Main Mode (Pre-shared Key)
Initiator -> Responder: Header, SA Proposals
Responder -> Initiator: Header, Selected SA Proposal
Initiator -> Responder: Header, D-H Key Exchange, Nonce_i
Responder -> Initiator: Header, D-H Key Exchange, Nonce_r
Initiator -> Responder (encrypted): Header, Id_i, Hash_i
Responder -> Initiator (encrypted): Header, Id_r, Hash_r

13. Quick Mode
• All traffic is encrypted using the ISAKMP Security Association
• Each quick mode negotiation results in two IPSec Security Associations (one inbound, one outbound)

14. Quick Mode Negotiation (all messages encrypted)
Initiator -> Responder: Header, IPSec Proposed SA
Responder -> Initiator: Header, IPSec Selected SA
Initiator -> Responder: Header, Hash
Responder -> Initiator: Header, Connected Notification
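As an added example (not from the slides), a Python model of the pre-shared-key Main Mode exchange from slides 9 and 12, using the RFC 2409 derivations SKEYID = prf(pre-shared-key, Ni_b | Nr_b), HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b). The 64-bit Diffie-Hellman group, cookies, nonces and identities are constructed; HMAC-SHA1 stands in for the negotiated prf. It shows why Hash_i and Hash_r authenticate the peer and bind the SA proposal: a wrong key or an altered proposal fails both checks even though the D-H values still agree.

```python
import hmac, hashlib, os

P, G = 0xFFFFFFFFFFFFFFC5, 2   # constructed toy DH group; IKE uses the RFC 2409 MODP groups

def prf(key, data):
    """HMAC-SHA1 as the negotiated pseudo-random function."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair():
    x = int.from_bytes(os.urandom(8), "big") % (P - 2) + 2
    return x, pow(G, x, P)

def psk_hashes(psk, ni, nr, gxi, gxr, cky_i, cky_r, sa_i, id_i, id_r):
    """RFC 2409 pre-shared-key derivations: SKEYID, HASH_I (initiator proves), HASH_R (responder proves)."""
    skeyid = prf(psk, ni + nr)                          # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    gi, gr = gxi.to_bytes(8, "big"), gxr.to_bytes(8, "big")
    hash_i = prf(skeyid, gi + gr + cky_i + cky_r + sa_i + id_i)
    hash_r = prf(skeyid, gr + gi + cky_r + cky_i + sa_i + id_r)
    return skeyid, hash_i, hash_r

def main_mode_psk(psk_i, psk_r, sa_proposal, id_i=b"initiator", id_r=b"responder", tamper_sa=False):
    """Model messages 1-6 of Main Mode. Returns (responder_accepts, initiator_accepts, dh_agrees)."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)         # ISAKMP cookies from the headers (msgs 1-2)
    sa_seen_by_r = sa_proposal + b"!" if tamper_sa else sa_proposal  # proposal altered in transit
    xi, gxi = dh_keypair(); ni = os.urandom(16)         # msg 3: D-H Key Exchange, Nonce_i
    xr, gxr = dh_keypair(); nr = os.urandom(16)         # msg 4: D-H Key Exchange, Nonce_r
    # msgs 5-6 (encrypted under keys derived from SKEYID and g^xy): Id_i, Hash_i / Id_r, Hash_r
    _, hash_i_sent, hash_r_expect = psk_hashes(psk_i, ni, nr, gxi, gxr, cky_i, cky_r, sa_proposal, id_i, id_r)
    _, hash_i_expect, hash_r_sent = psk_hashes(psk_r, ni, nr, gxi, gxr, cky_i, cky_r, sa_seen_by_r, id_i, id_r)
    responder_accepts = hmac.compare_digest(hash_i_sent, hash_i_expect)
    initiator_accepts = hmac.compare_digest(hash_r_sent, hash_r_expect)
    dh_agrees = pow(gxr, xi, P) == pow(gxi, xr, P)      # both sides derive the same g^xy
    return responder_accepts, initiator_accepts, dh_agrees
```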