Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Rooster ipsecindepth

299 views

Published on

IPsecurity

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

Rooster ipsecindepth

  1. 1. IPSec In Depth
  2. 2. Encapsulated Security Payload (ESP)• Must encrypt and/or authenticate in each packet• Encryption occurs before authentication• Authentication is applied to data in the IPSec header as well as the data contained as payload
  3. 3. IPSec Encapsulating Security Payload (ESP) in Transport Mode Orig IP Hdr TCP Hdr Data Insert AppendOrig IP Hdr ESP Hdr TCP Hdr Data ESP Trailer ESP Auth Usually encrypted integrity hash coverage SecParamIndex Seq# InitVector Keyed Hash 22-36 bytes total Padding PadLength NextHdrESP is IP protocol 50 © 2000 Microsoft Corporation
  4. 4. IPSec ESP Tunnel Mode Orig IP Hdr TCP Hdr DataIPHdr ESP Hdr IP Hdr TCP Hdr Data ESP Trailer ESP Auth Usually encrypted integrity hash coverage New IP header with source & destination IP address © 2000 Microsoft Corporation
  5. 5. Authentication Header (AH)• Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out• If both ESP and AH are applied to a packet, AH follows ESP
  6. 6. IPSec Authentication Header (AH) in Transport Mode Orig IP Hdr TCP Hdr Data Insert Orig IP Hdr AH Hdr TCP Hdr Data Integrity hash coverage (except for mutable fields in IP hdr)Next Hdr Payload Len Rsrv SecParamIndex Seq# Keyed Hash AH is IP protocol 51 24 bytes total © 2000 Microsoft Corporation
  7. 7. IPSec AH Tunnel Mode Orig IP Hdr TCP Hdr DataIP Hdr AH Hdr Orig IP Hdr TCP Hdr Data Integrity hash coverage (except for mutable new IP hdr fields)New IP header with source &destination IP address © 2000 Microsoft Corporation
  8. 8. Internet Key Exchange (IKE)• Phase I – Establish a secure channel(ISAKMP SA) – Authenticate computer identity• Phase II – Establishes a secure channel between computers intended for the transmission of data (IPSec SA)
  9. 9. Main Mode• Main mode negotiates an ISAKMP SA which will be used to create IPSec Sas• Three steps – SA negotiation – Diffie-Hellman and nonce exchange – Authentication
  10. 10. Main Mode (Kerberos) Initiator Responder Header, SA Proposals Header, Selected SA ProposalHeader, D-H Key Exchange, Noncei,Kerberos Tokeni Header, D-H Key Exchange, Noncer, Kerberos Tokenr Encrypted Header, Idi, Hashi Header, Idr, Hashr
  11. 11. Main Mode (Certificate) Initiator Responder Header, SA Proposals Header, Selected SA ProposalHeader, D-H Key Exchange, Noncei Header, D-H Key Exchange, Noncer,Certificate Request Encrypted Header, Idi, Certificatei, Signaturei, Certificate Request Header, Idr, Certificater, Signaturer
  12. 12. Main Mode (Pre-shared Key) Initiator Responder Header, SA Proposals Header, Selected SA ProposalHeader, D-H Key Exchange, Noncei Header, D-H Key Exchange, Noncer Encrypted Header, Idi, Hashi Header, Idr, Hashr
  13. 13. Quick Mode• All traffic is encrypted using the ISAKMP Security Association• Each quick mode negotiation results in two IPSec Security Associations (one inbound, one outbound)
  14. 14. Quick Mode Negotiation Initiator ResponderEncrypted Header, IPSec Proposed SA Header, IPSec Selected SA Header, Hash Header, Connected Notification

×