ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland [email_address] 404 894-5177 fax 404 894-0035 Office: Klaus 3362 email or call for office visit Chapter 6 - IPsec (IP Secure) (note: includes copies of figures from Chap. 6 of “Network Security Essentials, Applications and Standards” by William Stallings)
The Internet is a Router Network In an Router Network, circuits are defined by entries in the Routing Tables along the way. These may be Static (manually set up) or Dynamic (set up according to Algorithm in the Router). 4 E 3 A 5 C D B 1 7 6 2 Station ( on a LAN) A 1 Local Connection Trunk or Long-Haul Router A to D E’net Token Ring IP
Optimal Paths From Router 1 OSPF Defines Router 1's Sink Tree Station A 1 Local Connection Trunk or Long-Haul Router 4 E 3 A 5 C D B 1 7 6 2
Application Layer (HTTP) Transport Layer (TCP,UDP) Network Layer (IP) E'net Data Link Layer Ethernet Phys. Layer Network Layer E'net Data Link Layer E'net Phys. Layer Network Layer Web Server Browser Router Buffers Packets that need to be forwarded (based on IP address). Application Layer (HTTP) Transport Layer (TCP,UDP) Network Layer (IP) Token Ring Data-Link Layer Token Ring Phys. Layer IP Address 188.8.131.52 IP Address 184.108.40.206 Port 80 Port 31337 Token Ring Data Link Layer Token Ring Phys. Layer http://www.cnn.com/ Find: IP address, TCP port Router Ethernet Address
Your computer has been configured with IP addresses for: 1) Itself (220.127.116.11), 2) Local Router (18.104.22.168), 3) Domain Name Server (22.214.171.124) and it’s subnet Mask (/24 or 255.255.255.0). The IP Broadcast Address is (IP address) bitwise-OR (~Mask) 126.96.36.199 || 0.0.0.255 = 188.8.131.52 Its Ethernet, or WiFi, MAC Address is built into the adapter. After you type “ http://www.cnn.com” into your browser, your computer has to know or discover (it assigns client port number): 1) IP address of “ www.cnn.com” and TCP port number (80), 2) Ethernet (MAC) address to use for DNS server , 3) Ethernet (MAC) address to use for “ www.cnn.com” Starting a TCP Client-Server Connection
ARP “who has 184.108.40.206 (LAN broadcast) ARP “ 220.127.116.11 is at 00:0f:66:c1:0f:ae ” DNS ( UDP:53 ) “ resolve www.cnn.com ” DNS “ www.cnn.com IP address is 18.104.22.168 ARP “who has 22.214.171.124 ARP “ 126.96.36.199 is at 00:0f:66:c1:0f:ae ” TCP ( SYN ) to 188.8.131.52 port 80 TCP (SYN-ACK) from 184.108.40.206 Your Host 220.127.116.11 00:1f:5b:ef:8a:cc DNS 18.104.22.168 Router 22.214.171.124 “www.cnn.com” TCP port 80 Preparations for a TCP/IP Connection Each type of response might be spoofed or falsified You need MAC address of Router since CNN is off LAN MAC addresses are cached for 30 seconds
Address Resolution Protocol (ARP) ARP is a Link-Layer protocol (e.g., Ethernet, WiFi). It can be used for Network Layer protocols other than IP. When a host needs to find the MAC Address (e.g., Ethernet, WiFi) of corresponding to an IP address, it broadcasts an ARP Request (MAC broadcast address is ff:ff:ff:ff:ff:ff). If the IP address is not local, ARP is used to find the MAC address of the Local Router (aka Gateway Router). MAC addresses found by ARP are cached for 30 seconds, so during an IP connection, there will be ARPs every 30 seconds. ARP Response spoofing can be used to set up a Man-in-the-Middle attack. Critical IP:MAC associations (e.g., Router, DNS) can be “nailed up” by manually putting permanent lines in the ARP table. When a host first comes on line, it issues a Gratuitous ARP for its own IP address to see if there is another host using the same IP address.
Ethereal (WireShark) Packet Capture - Browsing www.cnn.com Notes: Ethernet Addresses have the first 3 bytes (of 6) translated into the interface manufacturer’s name (Apple_Computer is my PowerBook, Cisco_Linksys is the router). 192.168.1.132 in my PowerBook, 192.168.1.1 is the router, 126.96.36.199 if the DNS server, and 188.8.131.52 is www.cnn.com In this case, the Apple PowerBook has code that detects that the DNS IP is outside the local area network, so it ARPs for the Ethernet address of the router (192.168.1.1). It caches this address for 30 seconds, so it does not have to ARP again for the CNN IP address.
For information on installing "Wireshark" and other Network Utility Programs, go to: www.csc.gatech.edu/copeland/jac/6612/tool-links.html http://www.csc.gatech.edu/copeland/jac/6612/tool-links.html You will find information on Wireshark filters, and a input file: capture-example.cap in www.csc.gatech.edu/copeland/jac/6612/info/ http://www.csc.gatech.edu/copeland/jac/6612/info/
Internet Layer Security (IPsec) Rolf Oppliger, "Internet Security: Firewalls and Beyond," p92, Comm. ACM 40, May 1997 The Internet Engineering Task Force (IETF) • Internet Security Protocol working group standardized an IP Security Protocol (IPsec) and an Internet Key Management Protocol (IKMP). • objective of IPsec is to make available cryptographic security mechanisms to users who desire security. • mechanisms should work for both the current version of IP (IPv4) and the new IP (IPv6). • should be algorithm-independent, in that the cryptographic algorithms can be altered. • should be useful in enforcing different security policies, but avoid adverse impacts on users who do not employ them.
IPsec Authentication Header (AH) Transport Mode Transport Mode Tunnel Mode
Encapsulated Secure Payload (ESP) Transport Level Security
Internet Layer Security (IPsec) IPsec Authentication Header (AH) - Transport and Tunnel Modes Normal Internet Protocol (IP) IPsec Encapsulated Secure Payload (ESP) IPsec Encapsulated Secure Payload (ESP) with AH IP Header, A to B TCP Header Application Header Data IP Header, A to B AH TCP Header Application Header Data IP Header, A to R b ESP Header TCP Header Application Header Data Encrypted IP Header, A to R b AH ESP Header TCP Header Application Hdr Data Encrypted IP Hdr, A to R b AH IP Hdr A to B TCP Hdr Application Header Data Authenticated Authenticated R b is the Gateway Router to B