ECE-8843 csc.gatech/copeland/jac/8843-03/ Prof. John A. Copeland


Page 1: ECE-8843  csc.gatech/copeland/jac/8843-03/  Prof. John A. Copeland

ECE-8843 http://www.csc.gatech.edu/copeland/jac/8843-03/

Prof. John A. Copeland, [email protected]

404 894-5177, fax 404 894-0035

Office: GCATT Bldg 579; email or call for office visit, or call Kathy Cheek, 404 894-5696

Chapter 6a - IPsec (IP Secure)

(note: 06b has PDF copies of slides from Chap. 6 of the text, "Network Security Essentials, Applications and Standards" by William Stallings)

Page 2

Each LAN Connects to Internet via a Router

Page 3

The Internet is a Router Network

In a Router Network, circuits are defined by entries in the Routing Tables along the way. These may be Static (manually set up) or Dynamic (set up according to an Algorithm in the Router).

[Figure: a router network of routers 1 to 7 with stations A to E; Station A (on a LAN, E'net or Token Ring, carrying IP) has a Local Connection to router 1 and reaches D across Trunk or Long-Haul Routers; the path "A to D" is marked.]

Page 4

Optimal Paths From Router 1 (or To Router 1)

Define Router 1's Sink Tree

[Figure: the same router network (routers 1 to 7, stations A to E, Local Connection, Trunk or Long-Haul Routers) with the sink tree rooted at Router 1 drawn in.]

Page 5

[Figure: protocol stacks of the two end hosts (Web Server and Browser) and the Router between them.
End host on Ethernet: Application Layer (HTTP) / Transport Layer (TCP, UDP) / Network Layer (IP) / E'net Data-Link Layer / Ethernet Phys. Layer.
Router: Network Layer / E'net Data-Link Layer / E'net Phys. Layer on one side, Network Layer / Token Ring Data-Link Layer / Token Ring Phys. Layer on the other. It buffers packets that need to be forwarded (based on IP address).
End host on Token Ring: Application Layer (HTTP) / Transport Layer (TCP, UDP) / Network Layer (IP) / Token Ring Data-Link Layer / Token Ring Phys. Layer.
Peer-to-peer fields shown: IP Address 130.207.22.5 and IP Address 24.88.15.22 (Network Layer), Port 80 and Port 31337 (Transport Layer), Segment No. (Transport Layer).]

Page 6

Connecting Over the Internet to "www.cnn.com"

Discover the Ethernet address of the Domain Name Server
• ARP - "Who has 130.207.244.244"
• Reply from Gateway Router "00 0E 36 A9 72 24 has 130.207.244.244" *

Use DNS (BIND) to convert "www.cnn.com" to a 32-bit Internet address (64.236.16.52).
• Send UDP DNS-Request Packet to 130.207.244.244 : UDP 53
• Reply www.cnn.com = 64.236.16.52

Discover the Ethernet address of host 64.236.16.52 (or gateway router).
• ARP - "Who has 64.236.16.52"
• Reply from Gateway Router "00 0E 36 A9 72 24 has 64.236.16.52" *

Start a TCP connection
• Send TCP Packet with SYN flag set to 64.236.16.52 / 00 0E 36 A9 72 24
• Reply is TCP Packet with SYN and ACK flag bits set.
• Send TCP packet with ACK flag set.

* The gateway router "has" all IP addresses that are not local (on the LAN).

Page 7

UDP Datagrams are exchanged to find the IP address

#1 Receive time:71765.605 (0.000) packet length:80 received length:70
Ethernet: (08000726b22f -> Sun 75f53a) type: IP(0x800)
Internet: 130.207.8.51 -> 130.207.244.244 hl: 5 ver: 4 tos: 0
len: 66 id 0x01 fragoff:0 flags: 00 ttl:60 prot:UDP(17) xsum: 0x68ce
UDP: 1042 -> domain(53) len: 46 xsum: 0x5315
Domain Name Service: ID: 2984 opcode: Query (0) Flags: <DORECURSE> (0100)
Queries: 1, answers: 0, name servers: 0, Query 0: Name:www.cnn.com

#2 Receive time:71765.653 (0.048) packet length:148 received length:70
Ethernet: ( Sun 75f53a -> 08000726b22f) type: IP(0x800)
Internet: 130.207.244.244 -> 130.207.8.51 hl: 5 ver: 4 tos: 0
len:134 id:xbc77 fragoff 0 flags:00 ttl:60 prot:UDP(17) xsum:0xac13
UDP: domain(53) -> 1042 len: 114 xsum: 0000
Domain Name Service: ID: 2984 opcode: Query (0) Response: No. err (0)
Flags: <RESPONSE><AUTHORITATIVE><DORECURSE><CANRECURSE> (8580)
Queries: 1, answers: 3, name servers: 0, Query 0: Name:www.cnn.com

Page 8

#3 Receive time:71765.711 packet length:60
Ethernet: (08000726b22f -> Cisco 083625) type: IP(0x800)
Internet: 130.207.8.51 -> 64.236.16.52 hl: 5 ver: 4 tos: 0 len: 44 id: 0x02 fragoff: 0 flags: 00 ttl: 60 prot: TCP(6) xsum: 0x9be5
TCP Port: 1076 -> http(80) seq: 28a61070 ack: ---- win: 10241 hl: 6 xsum: 0x5342 urg: 0 flags: <SYN> mss: 536

#4 Receive time:71765.721 packet length:60
Ethernet: (Cisco 083625 -> 08000726b22f) type: IP(0x800)
Internet: 64.236.16.52 -> 130.207.8.51 hl: 5 ver: 4 tos: 0 len:44 id:0x7d1f fragoff 0 flags:00 ttl:57 prot:TCP(6) xsum:0x21c8
TCP Port: http(80) -> 1076 seq: 3a28ac00 ack: 28a61071 win: 4096 hl: 6 xsum: 0x816d urg: 0 flags: <ACK><SYN> mss:1460

The first two packets of the IP, TCP & HTTP (port 80) Connection.

The Ethernet address (Cisco ...) is the local router port. The IP Address is used "end to end." Ethernet addresses are local only. Address Resolution Protocol (ARP) E'net frames are not shown.
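As an added example (not part of the lecture slides), the following Python parses the decoded UDP/DNS and TCP summary lines of the two traces above and applies the two consistency checks a receiver relies on before trusting them: the DNS reply must carry the query's 16-bit transaction ID on the reversed port pair, and the SYN/ACK must come back on the reversed port pair acknowledging the client's initial sequence number plus one. The TRACE text is constructed from the lines on these two pages.

```python
import re

# Constructed sample input: the UDP/DNS and TCP summary lines from the trace above.
TRACE = """\
UDP: 1042 -> domain(53) len: 46 xsum: 0x5315
Domain Name Service: ID: 2984 opcode: Query (0) Flags: <DORECURSE> (0100)
UDP: domain(53) -> 1042 len: 114 xsum: 0000
Domain Name Service: ID: 2984 opcode: Query (0) Response: No. err (0)
TCP Port: 1076 -> http(80) seq: 28a61070 ack: ---- win: 10241 hl: 6 xsum: 0x5342 urg: 0 flags: <SYN> mss: 536
TCP Port: http(80) -> 1076 seq: 3a28ac00 ack: 28a61071 win: 4096 hl: 6 xsum: 0x816d urg: 0 flags: <ACK><SYN> mss:1460
"""

UDP_RE = re.compile(r"UDP: (\S+) -> (\S+) ")
DNS_RE = re.compile(r"Domain Name Service: ID: (\d+)")
TCP_RE = re.compile(r"TCP Port: (\S+) -> (\S+) seq: ([0-9a-f]+) ack: (\S+) .*flags: (<\S+>)")

def parse_trace(text):
    """Return (dns, tcp). dns: list of (src, dst, id, is_response); tcp: list of dicts."""
    dns, tcp, udp_ports = [], [], None
    for line in text.splitlines():
        if m := UDP_RE.match(line):            # remember the ports for the DNS line that follows
            udp_ports = (m.group(1), m.group(2))
        elif (m := DNS_RE.match(line)) and udp_ports:
            dns.append((*udp_ports, int(m.group(1)), "Response" in line))
        elif m := TCP_RE.match(line):
            tcp.append({"src": m.group(1), "dst": m.group(2), "seq": int(m.group(3), 16),
                        "ack": None if m.group(4) == "----" else int(m.group(4), 16),
                        "flags": set(re.findall(r"<([A-Z]+)>", m.group(5)))})
    return dns, tcp

def dns_reply_matches(dns):
    """Accept a reply only if its 16-bit ID equals the query's and the port pair is reversed."""
    query = next(d for d in dns if not d[3])
    reply = next(d for d in dns if d[3])
    return reply[2] == query[2] and (reply[0], reply[1]) == (query[1], query[0])

def handshake_consistent(tcp):
    """The SYN/ACK must use the reversed port pair and acknowledge the client ISN + 1 (mod 2^32)."""
    syn = next(p for p in tcp if p["flags"] == {"SYN"})
    synack = next(p for p in tcp if p["flags"] == {"SYN", "ACK"})
    return ((synack["src"], synack["dst"]) == (syn["dst"], syn["src"])
            and synack["ack"] == (syn["seq"] + 1) & 0xFFFFFFFF)
```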

Page 9

Internet Layer Security (IPsec)

Rolf Oppliger, "Internet Security: Firewalls and Beyond," p92, Comm. ACM 40, May 1997

The Internet Engineering Task Force (IETF)

• Internet Security Protocol working group standardized an IP Security Protocol (IPsec) and an Internet Key Management Protocol (IKMP).

• objective of IPsec is to make available cryptographic security mechanisms to users who desire security.

• mechanisms should work for both the current version of IP (IPv4) and the new IP (IPv6).

• should be algorithm-independent, in that the cryptographic algorithms can be altered.

• should be useful in enforcing different security policies, but avoid adverse impacts on users who do not employ them.

Page 10

IPsec Authentication Header (AH)

[Figure: AH packet layout in Transport Mode and in Tunnel Mode.]

Page 11

Encapsulated Secure Payload (ESP)

Transport Level Security (TLS)

Page 12

IPsec ESP - Tunnel Mode Virtual Private Network (VPN)

Page 13

Internet Layer Security (IPsec)

Packet layouts (A and B are the end hosts; Rb is the router at B's end that terminates the tunnel):

Normal Internet Protocol (IP):
  IP Header (A to B) | TCP Header | Application Header | Data

IPsec Authentication Header (AH), Transport Mode:
  IP Header (A to B) | AH | TCP Header | Application Header | Data

IPsec Encapsulated Secure Payload (ESP):
  IP Header (A to Rb) | ESP Header | TCP Header | Application Header | Data
  (everything after the ESP Header is Encrypted)

IPsec Encapsulated Secure Payload (ESP) with AH:
  IP Header (A to Rb) | AH | ESP Header | TCP Header | Application Hdr | Data
  (everything after the ESP Header is Encrypted)

IPsec Authentication Header (AH), Tunnel Mode:
  IP Hdr (A to Rb) | AH | IP Hdr (A to B) | TCP Hdr | Application Header | Data
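The layouts above put the AH directly behind the IP header, so unlike ESP it authenticates the IP header itself; the integrity check therefore has to skip the fields routers change in transit (TTL in the trace above drops from 60 to 57) while still catching a change of source or destination address. The following added example (not from the slides or from any IPsec implementation) builds an AH transport-mode packet in Python with an HMAC-SHA256-128 ICV computed over the IP header with its mutable fields zeroed, as RFC 4302 prescribes; the key, SPI and addresses are constructed values, and the IP checksum is left at zero.

```python
import hashlib, hmac, ipaddress, struct

KEY = b"constructed-demo-key"   # constructed; a real key comes from the SA set up by IKE
AH_PROTO, ICV_LEN = 51, 16      # IP protocol number for AH; HMAC-SHA256-128 truncation

def ipv4_header(src, dst, proto, payload_len, ttl):
    """Minimal 20-byte IPv4 header without options; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def zero_mutable(ip_hdr):
    """Zero the fields a router may legitimately change: TOS, flags/frag offset, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def ah_header(next_hdr, spi, seq, icv):
    """AH: next header, length (32-bit words minus 2), reserved, SPI, sequence number, ICV."""
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def ah_icv(ip_hdr, next_hdr, spi, seq, payload):
    """ICV over immutable IP fields + AH (ICV field zeroed) + everything after the AH."""
    covered = zero_mutable(ip_hdr) + ah_header(next_hdr, spi, seq, b"\0" * ICV_LEN) + payload
    return hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]

def build_ah_transport(src, dst, tcp_segment, spi=0x1001, seq=1, ttl=64):
    """Sender A: IP Header (A to B) | AH | TCP segment (transport mode, next header = TCP)."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 12 + ICV_LEN + len(tcp_segment), ttl)
    return ip_hdr + ah_header(6, spi, seq, ah_icv(ip_hdr, 6, spi, seq, tcp_segment)) + tcp_segment

def verify_ah_transport(packet):
    """Receiver B: recompute the ICV the same way and compare in constant time."""
    ah_end = 20 + 12 + ICV_LEN
    ip_hdr, ah, payload = packet[:20], packet[20:ah_end], packet[ah_end:]
    next_hdr, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    return hmac.compare_digest(ah_icv(ip_hdr, next_hdr, spi, seq, payload), ah[12:])

def forward_hop(packet):
    """Simulate a router: decrement TTL. The header changes, but the ICV still verifies."""
    h = bytearray(packet); h[8] -= 1
    return bytes(h)

def tamper_dst(packet, new_dst):
    """Simulate an on-path rewrite of the destination address, which AH must detect."""
    h = bytearray(packet); h[16:20] = ipaddress.IPv4Address(new_dst).packed
    return bytes(h)
```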

Page 14

Security Associations

[Figure: security association example involving 64.236.16.52.]