06-IP Networks.ppt

  1. ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland [email_address] 404 894-5177 fax 404 894-0035 Office: Klaus 3362, email or call for office visit. Chapter 6 - IPsec (IP Secure) (note: includes copies of figures from Chap. 6 of "Network Security Essentials, Applications and Standards" by William Stallings)
  2. Each LAN Connects to the Internet via a Router
  3. The Internet is a Router Network. In a Router Network, circuits are defined by entries in the Routing Tables along the way. These may be Static (manually set up) or Dynamic (set up according to an Algorithm in the Router). [Figure: stations A through E on LANs (E'net, Token Ring) connected through routers 1 through 7 forming the IP network; legend: Station (on a LAN), Local Connection, Trunk or Long-Haul, Router; the path from A to D is shown.]
  4. Optimal Paths From Router 1: OSPF Defines Router 1's Sink Tree. [Figure: the same router network (stations A through E, routers 1 through 7) with the shortest-path tree rooted at Router 1; legend: Station, Local Connection, Trunk or Long-Haul, Router.]
  5. [Figure: protocol stacks along the path for http://www.cnn.com/. Browser (IP Address 130.207.22.5, Port 31337): Application Layer (HTTP), Transport Layer (TCP, UDP), Network Layer (IP), Token Ring Data-Link Layer, Token Ring Phys. Layer. Router: Network Layer over a Token Ring Data Link and Phys. Layer on one side and an E'net Data Link and Phys. Layer on the other; the Router buffers packets that need to be forwarded (based on IP address). Web Server (IP Address 64.236.16.52, Port 80): Application Layer (HTTP), Transport Layer (TCP, UDP), Network Layer (IP), E'net Data Link Layer, Ethernet Phys. Layer. Before sending, the browser must find: the server's IP address, the TCP port, and the Router's Ethernet Address.]
  6. Starting a TCP Client-Server Connection. Your computer has been configured with IP addresses for: 1) Itself (143.215.25.3), 2) the Local Router (143.215.25.1), 3) the Domain Name Server (130.207.244.251), and with its subnet Mask (/24 or 255.255.255.0). The IP Broadcast Address is (IP address) bitwise-OR (~Mask): 143.215.25.1 | 0.0.0.255 = 143.215.25.255. Its Ethernet, or WiFi, MAC Address is built into the adapter. After you type "http://www.cnn.com" into your browser, your computer has to know or discover (it assigns the client port number itself): 1) the IP address of "www.cnn.com" and the TCP port number (80), 2) the Ethernet (MAC) address to use for the DNS server, 3) the Ethernet (MAC) address to use for "www.cnn.com".
  7. Preparations for a TCP/IP Connection. Participants: Your Host 143.215.25.3 (00:1f:5b:ef:8a:cc), DNS 143.215.25.8, Router 143.215.25.1, and "www.cnn.com" on TCP port 80. The exchange, in order:
     ARP "who has 143.215.25.8" (LAN broadcast)
     ARP "143.215.25.8 is at 00:0f:66:c1:0f:ae"
     DNS (UDP:53) "resolve www.cnn.com"
     DNS "www.cnn.com IP address is 157.166.224.25"
     ARP "who has 143.215.25.1"
     ARP "143.215.25.1 is at 00:0f:66:c1:0f:ae"
     TCP (SYN) to 157.166.224.25 port 80
     TCP (SYN-ACK) from 157.166.224.25
     Notes: Each type of response might be spoofed or falsified. You need the MAC address of the Router since CNN is off the LAN. MAC addresses are cached for 30 seconds.
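The decision behind slides 6 and 7, as an added example that is not part of the lecture slides: compute the broadcast address the way slide 6 states it, and decide for each destination whether the host ARPs for the destination itself or for the local router. The addresses are those on the slides; the helper names are the author's own choice.

```python
import ipaddress
from typing import List, Tuple

# Addresses from slide 6: host, subnet mask, local router, DNS server.
HOST_IP = "143.215.25.3"
MASK = "255.255.255.0"            # /24
ROUTER_IP = "143.215.25.1"
DNS_IP = "130.207.244.251"


def broadcast_address(ip: str, mask: str) -> str:
    """Broadcast = (ip bitwise-OR ~mask), computed on 32-bit integers."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip_int | (~mask_int & 0xFFFFFFFF)))


def next_hop(dst: str, host_ip: str = HOST_IP, mask: str = MASK,
             router: str = ROUTER_IP) -> str:
    """IP address whose MAC the host must resolve with ARP to reach dst.

    If dst lies in the host's own subnet, ARP for dst directly; otherwise
    ARP for the local router and let it forward the packet.
    """
    net = ipaddress.IPv4Network(f"{host_ip}/{mask}", strict=False)
    return dst if ipaddress.IPv4Address(dst) in net else router


def connection_prep(server_ip: str, dns_ip: str = DNS_IP) -> List[Tuple[str, str]]:
    """Ordered (protocol, target) lookups before the first TCP SYN can leave.

    server_ip stands in for the answer the DNS query would return.
    """
    return [("ARP", next_hop(dns_ip)),      # MAC for the DNS query's next hop
            ("DNS", dns_ip),                # resolve the server name
            ("ARP", next_hop(server_ip)),   # MAC for the SYN's next hop
            ("TCP SYN", server_ip)]
```

With the slide 7 DNS address (143.215.25.8, on the LAN) the first ARP targets the DNS server itself; with the slide 6 address (130.207.244.251) both ARPs target the router.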
  8. Address Resolution Protocol (ARP). ARP is a Link-Layer protocol (e.g., Ethernet, WiFi). It can be used for Network Layer protocols other than IP. When a host needs to find the MAC Address (e.g., Ethernet, WiFi) corresponding to an IP address, it broadcasts an ARP Request (the MAC broadcast address is ff:ff:ff:ff:ff:ff). If the IP address is not local, ARP is used to find the MAC address of the Local Router (aka Gateway Router). MAC addresses found by ARP are cached for 30 seconds, so during an IP connection there will be ARPs every 30 seconds. ARP Response spoofing can be used to set up a Man-in-the-Middle attack. Critical IP:MAC associations (e.g., Router, DNS) can be "nailed up" by manually putting permanent lines in the ARP table. When a host first comes online, it issues a Gratuitous ARP for its own IP address to see if there is another host using the same IP address.
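A defender's view of the last two points on slide 8, as an added example that is not part of the lecture slides: a small monitor that checks every observed ARP reply against "nailed up" entries for the critical hosts and flags a reply that contradicts a pinned entry, a binding that changes between re-ARPs, or one MAC answering for a critical IP and another IP at once. The router's IP:MAC pair is the one shown on slide 7; the DNS MAC, the monitor's API and the sample replies are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Permanent ("nailed up") entries an administrator pins for critical hosts.
# Router pair from slide 7; the DNS MAC is a constructed sample value.
PINNED = {
    "143.215.25.1": "00:0f:66:c1:0f:ae",   # local router
    "143.215.25.8": "00:1a:2b:3c:4d:5e",   # DNS server (constructed MAC)
}


@dataclass
class ArpMonitor:
    pinned: Dict[str, str]
    seen: Dict[str, str] = field(default_factory=dict)   # ip -> last MAC seen
    alerts: List[str] = field(default_factory=list)

    def observe_reply(self, ip: str, mac: str) -> bool:
        """Check one 'ip is at mac' reply; return True if it looks spoofed."""
        mac = mac.lower()
        suspicious = False
        expected = self.pinned.get(ip)
        if expected is not None and mac != expected:
            # Contradicts a static entry: the classic man-in-the-middle sign.
            self.alerts.append(f"{ip} claimed by {mac}, pinned to {expected}")
            suspicious = True
        elif ip in self.seen and self.seen[ip] != mac:
            # Binding changed between the 30-second re-ARPs of a session.
            self.alerts.append(f"{ip} moved from {self.seen[ip]} to {mac}")
            suspicious = True
        # One MAC answering for a critical IP and some other IP at the same time.
        dup = [o for o, m in self.seen.items()
               if m == mac and o != ip and (ip in self.pinned or o in self.pinned)]
        if dup:
            self.alerts.append(f"{mac} answers for both {dup[0]} and {ip}")
            suspicious = True
        self.seen[ip] = mac
        return suspicious


def scan(replies: List[Tuple[str, str]]) -> List[str]:
    mon = ArpMonitor(PINNED)
    for ip, mac in replies:
        mon.observe_reply(ip, mac)
    return mon.alerts


# Constructed sample replies: three legitimate ones, then one claiming the
# router's IP with the MAC previously seen for host 143.215.25.3.
SAMPLE = [
    ("143.215.25.1", "00:0f:66:c1:0f:ae"),
    ("143.215.25.8", "00:1a:2b:3c:4d:5e"),
    ("143.215.25.3", "00:1f:5b:ef:8a:cc"),
    ("143.215.25.1", "00:1f:5b:ef:8a:cc"),
]
```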
  9. Ethereal (Wireshark) Packet Capture - Browsing www.cnn.com. Notes: Ethernet Addresses have the first 3 bytes (of 6) translated into the interface manufacturer's name (Apple_Computer is my PowerBook, Cisco_Linksys is the router). 192.168.1.132 is my PowerBook, 192.168.1.1 is the router, 68.87.96.3 is the DNS server, and 64.236.16.52 is www.cnn.com. In this case, the Apple PowerBook has code that detects that the DNS IP is outside the local area network, so it ARPs for the Ethernet address of the router (192.168.1.1). It caches this address for 30 seconds, so it does not have to ARP again for the CNN IP address.
  10. For information on installing "Wireshark" and other Network Utility Programs, go to: http://www.csc.gatech.edu/copeland/jac/6612/tool-links.html. You will find information on Wireshark filters, and an input file, capture-example.cap, in http://www.csc.gatech.edu/copeland/jac/6612/info/
  11. Internet Layer Security (IPsec). Rolf Oppliger, "Internet Security: Firewalls and Beyond," p92, Comm. ACM 40, May 1997. The Internet Engineering Task Force (IETF):
      • The Internet Security Protocol working group standardized an IP Security Protocol (IPsec) and an Internet Key Management Protocol (IKMP).
      • The objective of IPsec is to make available cryptographic security mechanisms to users who desire security.
      • The mechanisms should work for both the current version of IP (IPv4) and the new IP (IPv6).
      • They should be algorithm-independent, in that the cryptographic algorithms can be altered.
      • They should be useful in enforcing different security policies, but avoid adverse impacts on users who do not employ them.
  12. IPsec Authentication Header (AH). [Figure: AH packet layouts in Transport Mode and in Tunnel Mode.]
  13. Encapsulated Secure Payload (ESP): Transport Level Security. [Figure: ESP packet layout in Transport Mode.]
  14. IPsec ESP - Tunnel Mode: Virtual Private Network (VPN). [Figure: ESP tunnel between gateways.]
  15. Internet Layer Security (IPsec): IPsec Authentication Header (AH) - Transport and Tunnel Modes. Packet layouts (Rb is the Gateway Router to B):
      Normal Internet Protocol (IP): IP Header, A to B | TCP Header | Application Header | Data
      IPsec Authentication Header (AH), transport mode: IP Header, A to B | AH | TCP Header | Application Header | Data (authenticated)
      IPsec Encapsulated Secure Payload (ESP): IP Header, A to Rb | ESP Header | [TCP Header | Application Header | Data] encrypted
      IPsec Encapsulated Secure Payload (ESP) with AH: IP Header, A to Rb | AH | ESP Header | [TCP Header | Application Hdr | Data] encrypted
      IPsec AH, tunnel mode: IP Hdr, A to Rb | AH | [IP Hdr, A to B | TCP Hdr | Application Header | Data] (authenticated)
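The AH rows of slide 15 carried through in code, as an added example that is not part of the lecture slides: build the transport-mode layout (IP Header | AH | TCP Header ... Data) and the tunnel-mode layout (outer IP Hdr A to Rb | AH | inner IP Hdr A to B | ...), then compute and verify the Integrity Check Value the way RFC 4302 prescribes it, with the mutable IP fields (TTL, header checksum) and the ICV field itself zeroed, using HMAC-SHA-256-128 (RFC 4868). The key, gateway addresses and payload bytes are constructed; the host and server addresses are those of slide 7.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51                  # protocol number in the outer IP header for AH
IPIP_PROTO = 4                 # AH next-header value for an inner IPv4 packet (tunnel mode)
KEY = b"constructed-demo-key"  # constructed sample key, not from the slides

def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; header checksum left zero for this demonstration."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, s, d)

def zero_mutable(ip_hdr: bytes) -> bytes:
    """TTL (byte 8) and header checksum (bytes 10-11) change hop by hop,
    so AH computes the ICV with them set to zero."""
    b = bytearray(ip_hdr)
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)

def ah_transport(src: str, dst: str, next_proto: int, payload: bytes,
                 spi: int, seq: int) -> bytes:
    """Slide 15 layout 'IP Header | AH | TCP Header | ... | Data' with the ICV filled in."""
    ah_len = 28                                   # 12-byte fixed part + 128-bit ICV
    ip = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    # AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", next_proto, ah_len // 4 - 2, 0, spi, seq)
    covered = zero_mutable(ip) + ah_fixed + bytes(16) + payload   # ICV field zeroed
    icv = hmac.new(KEY, covered, hashlib.sha256).digest()[:16]
    return ip + ah_fixed + icv + payload

def ah_tunnel(gw_src: str, gw_dst: str, inner_packet: bytes, spi: int, seq: int) -> bytes:
    """Tunnel mode: 'IP Hdr, A to Rb | AH | IP Hdr, A to B | TCP Hdr | ... | Data';
    the complete inner packet is simply the payload of an outer AH packet."""
    return ah_transport(gw_src, gw_dst, IPIP_PROTO, inner_packet, spi, seq)

def ah_verify(pkt: bytes) -> bool:
    """Receiver side: recompute the ICV; any change to a covered byte fails."""
    ip, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    covered = zero_mutable(ip) + ah_fixed + bytes(16) + payload
    expected = hmac.new(KEY, covered, hashlib.sha256).digest()[:16]
    return hmac.compare_digest(expected, icv)
```

A TTL decrement at each router still verifies, while a changed source address or payload byte does not, which is the "Authenticated" span drawn across the AH rows.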
  16. Security Associations: Transport, Host-Host; Tunnel, Gateway-Gateway (Routers).