Internet Security Chap 7 IPsec
Transcript of Internet Security Chap 7 IPsec
-
IPSec IPSec .
AH ESP: Anti-replay, Confidentiality, Data origin authentication, Privacy, Authentication
Security Association(SA) .
-
IPSec IPSec : AH ESP SA IKE Oakley IKE ISAKMP
IPSec .IPSec ( ) .
-
IPSec IPSec .
: IPSec.:ESP ESP AH: AH : IPSec
-
: IPSec Padding : IKE Oakley IKE ISAKMP DOI:
-
SASA . (AH ESP) SA .
SA :Security Parameters Index(SPI): SA . SPI SA SA . IP : IP SA . : AH ESP .
-
Security policy database(SPD): IP SA
Security association database(SAD) SA SPI IP IPSec . SPD SAD .
-
SA TCP UDP ICMP( IP Header ) SA Payload AH : Payload header ESP: Payload
-
SA IP SA HEADER AH : header ESP:
-
HMAC
MAC: HMAC: (SHA-1 MD5)
4 .
-
AH
-
Next header (8 bits): payload AH
Payload length (8 bits): AH 96 .
Reserved (16 bits):
SPI (32 bits): SA . 1-255 .
Sequence number (32 bits): Replay. anti-replay SA . anti-replay SA .
Authentication data (variable): ICV MAC . 32 64 Padding .
-
AH :
IPv4: AH IP header (TCP,UDP) . header
IPv6: AH hop-by-hop routing fragmentation extension headers header
: IP header IP header ( ) IP header
-
IP AH
-
IP AH
-
ESP
-
SPI (32 bits): 32 SA.
Sequence number (32 bits): Replay. anti-replay SA . anti-replay SA .
Padding: padding . payload padding header . 32 padding . padding . padding padding .
-
Pad length: pad. 0-255
Next header (8 bits): payload
Authentication data (variable): ICV ESP . .
-
ESP :
IPv4: ESP IP header (TCP,UDP) . ESP trailer padding pad length next header
IPv6: ESP hop-by-hop routing fragmentation extension headers
: IP header IP header ( ) IP header
-
IP ESP
-
IP ESP
-
ESP DES IDEA CAST Blowfish . Payload Padding pad header . IV IV payload . replay . . ICV .
-
Payload Padding pad header IV ( payload) .
: IP ip Header ESP payload . :header IP IP ESP payload .
ICV MAC . .
-
SA ICV . : MAC (DES) (SHA-1 MD5) : .
ICV ESP Sequence number .
-
IPSec .IKE SA SA .IKE ISAKMP Oakley
-
Oakley Diffie-Hellman
cookie: clogging (DoS)
Cookie nonce replay ISAKMP SA
-
ISAKMP
ISAKMP SA .
ISAKMP SA
Payload SA
-
ISAKMP Header
-
ISAKMP Header
Initiator Cookie (64 bits): cookie SA
Responder Cookie (64 bits): cookie SA
Next Payload (8 bits): payload
Major Version (4 bits): ISAKMP 1
Minor Version (4 bits): ISAKMP 0
-
Exchange Type (8 bits): exchange
Flags (8 bits): 0: payload commit 1: 2 : 0 .
Message ID (32 bits): 2 1 0 .
Length (32 bits): (header || payload)
-
Payload Header ISAKMP Payload header :
Next Payload (8 bits): payload
Payload Reserved (8 bits): 0
Payload Length (16 bits): ( payload )
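An added worked example, not from the slides: the Python below, written for this page, packs and parses the ISAKMP header and the chain of generic payload headers using only the field widths listed above (28-byte header, 4-byte generic payload header, Next Payload 0 ending the chain). Everything else is an assumption: the function names (build_message, parse_header, parse_payloads, summarize, is_well_formed), the payload type numbers, which follow RFC 2408, and the sample message, which is constructed here rather than captured traffic.

```python
import struct
from dataclasses import dataclass

# Field widths from the slide lists: 64+64+8+4+4+8+8+32+32 bits = 28 bytes,
# and 8+8+16 bits = 4 bytes for the generic payload header.
ISAKMP_HEADER_LEN = 28
GENERIC_PAYLOAD_HEADER_LEN = 4
ISAKMP_MAJOR, ISAKMP_MINOR = 1, 0
# Payload type numbers as assigned in RFC 2408; Next Payload 0 ends the chain.
PAYLOAD_NAMES = {1: "Security Association", 2: "Proposal", 3: "Transform",
                 4: "Key Exchange", 5: "Identification", 6: "Certificate",
                 7: "Certificate Request", 8: "Hash", 9: "Signature", 10: "Nonce",
                 11: "Notification", 12: "Delete", 13: "Vendor ID"}

@dataclass
class IsakmpHeader:
    initiator_cookie: bytes
    responder_cookie: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

@dataclass
class Payload:
    payload_type: int
    next_payload: int
    data: bytes  # bytes after the 4-byte generic header

def parse_header(msg: bytes) -> IsakmpHeader:
    """Decode the fixed 28-byte header; reject a bad version or Length."""
    if len(msg) < ISAKMP_HEADER_LEN:
        raise ValueError("message shorter than the ISAKMP header")
    icookie, rcookie, np_, ver, xchg, flags, mid, length = struct.unpack(
        "!8s8sBBBBII", msg[:ISAKMP_HEADER_LEN])
    major, minor = ver >> 4, ver & 0x0F  # two 4-bit fields share one byte
    if (major, minor) != (ISAKMP_MAJOR, ISAKMP_MINOR):
        raise ValueError(f"unsupported ISAKMP version {major}.{minor}")
    # Length is header || payloads; check it before trusting any payload.
    if length != len(msg):
        raise ValueError(f"Length field {length} != message size {len(msg)}")
    return IsakmpHeader(icookie, rcookie, np_, major, minor, xchg, flags, mid, length)

def parse_payloads(msg: bytes, hdr: IsakmpHeader) -> list:
    """Follow the Next Payload chain of generic payload headers."""
    payloads, offset, ptype = [], ISAKMP_HEADER_LEN, hdr.next_payload
    while ptype != 0:
        if offset + GENERIC_PAYLOAD_HEADER_LEN > len(msg):
            raise ValueError("truncated generic payload header")
        np_, reserved, plen = struct.unpack("!BBH", msg[offset:offset + 4])
        if reserved != 0:
            raise ValueError("Reserved field must be 0")
        # Payload Length counts its own 4-byte header and must stay in bounds.
        if plen < GENERIC_PAYLOAD_HEADER_LEN or offset + plen > len(msg):
            raise ValueError(f"bad Payload Length {plen} at offset {offset}")
        payloads.append(Payload(ptype, np_, msg[offset + 4:offset + plen]))
        offset, ptype = offset + plen, np_
    if offset != len(msg):
        raise ValueError("bytes left over after the last payload")
    return payloads

def build_message(icookie: bytes, rcookie: bytes, exchange_type: int,
                  flags: int, message_id: int, payloads: list) -> bytes:
    """Encode (payload_type, data) pairs behind a header, chaining Next Payload."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_type, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", icookie, rcookie, first,
                         (ISAKMP_MAJOR << 4) | ISAKMP_MINOR, exchange_type,
                         flags, message_id, ISAKMP_HEADER_LEN + len(body))
    return header + body

def summarize(msg: bytes) -> list:
    """Return [(payload name, data size), ...] for a well-formed message."""
    hdr = parse_header(msg)
    return [(PAYLOAD_NAMES.get(p.payload_type, "Unknown"), len(p.data))
            for p in parse_payloads(msg, hdr)]

def is_well_formed(msg: bytes) -> bool:
    """True when the header and the whole payload chain parse."""
    try:
        parse_payloads(msg, parse_header(msg))
        return True
    except ValueError:
        return False

# Constructed sample (not a capture): first message of an Identity Protection
# exchange (type 2), responder cookie still zero, with made-up SA and Nonce data.
SAMPLE_MESSAGE = build_message(
    icookie=b"\x11" * 8, rcookie=b"\x00" * 8, exchange_type=2, flags=0,
    message_id=0, payloads=[(1, b"\x00\x00\x00\x01" + b"\x00" * 4), (10, b"\xaa" * 16)])

if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGE))
```

The two checks a receiver depends on are both in the parser: the header Length must equal the number of bytes actually received before any payload is read, and each generic Payload Length must be at least 4 and stay inside the message, so a truncated or padded message is rejected instead of being parsed past its end.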
-
ISAKMP payload
Security Association Payload
Proposal Payload
Transform Payload
Key Exchange Payload
Identification Payload
Certificate Payload
Certificate Request Payload
Hash Payload
Signature Payload
Nonce Payload
Notification Payload
Delete Payload
Vendor ID Payload
-
Security Association Payload payload DOI . 0 DOI 1 ISAKMP 2 1 DOI IPSec .
Next Payload field (8 bits): payload
Reserved field (8 bits):
Payload Length field (16 bits): Payload
Situation field (variable length):
-
Proposal Payload payload( 2) ISAKMP SA .
Next Payload field (8 bits): payload . 0 Proposal payload 2 Proposal payload
Reserved field (8 bits):
Payload Length field (16 bits): payload generic payload header Proposal Payload Transform payloads Proposal
Proposal # field (8 bits): proposal
Protocol-id field (8 bits): IPsec ESP IPsec AH OSPF TLS
SPI Size (8 bits): SPI 0 16
# of Transform (8 bits): Transform Proposal Transform proposal .
SPI field (variable) : SPI
-
Transform Payload payload( 3) Security Association transform .
Next Payload field (8 bits): payload . 0 Transform payload 3 Transform payload
Reserved field (8 bits): 0
Transform # field (8 bits): proposal Transform
Transform-id field (8 bits): Transform Proposal
-
Key Exchange Payload payload( 4) Oakley Diffie-Hellman RSA PGP
Next Payload field (8 bits): payload . 0 payload
Reserved field (8 bits): 0
Payload Length field (16 bits): payload generic payload header
Key Exchange Data field (variable length): DOI
-
Identification Payload payload( 5) DOI . .
Next Payload field (8 bits): payload . 0 payload
Reserved field (8 bits): 0
ID type field (8 bits): identification .
DOI specific ID Data field (24 bits) : DOI 0
Transform-id field (8 bits): Transform Proposal
Identification Data field (variable length):
-
Certificate Payload payload( 6) ISAKMP . .
Next Payload field (8 bits): payload . 0 payload
Reserved field (8 bits): 0
Payload Length field (16 bits): payload generic payload header
Certificate Encoding field (8 bits):
Certificate Data field (variable length): encoding
-
Certificate Request Payload payload( 7) ISAKMP . . . payload .
Next Payload field (8 bits): payload . 0 payload
Reserved field (8 bits): 0
Payload Length field (16 bits): payload generic payload header
Certificate Type field (8 bits) : encoding
Certificate Authority field (variable length): encoding CA
-
Hash Payload payload( 8) / ISAKMP ISAKMP .
Next Payload field (8 bits): payload . 0 payload
Reserved field (8 bits): 0
Payload Length field (16 bits): payload generic payload header
Hash Data field (variable length) : ISAKMP
-
Signature Payload payload( 9) / ISAKMP / ISAKMP .
Next Payload field (8 bits): payload . 0 payload
Reserved field (8 bits): 0
Payload Length field (16 bits): payload generic payload header
Signature Data field (variable length) : ISAKMP
-
Nonce Payload payload( 10) replay . nonce payload .
Next Payload field (8 bits): payload . 0 payload
Reserved field (8 bits): 0
Payload Length field (16 bits): payload generic payload header
Nonce Data field (variable length) :
-
Notification Payload payload( 11) ISAKMP DOI . Notification Payloads ISAKMP . payload cookie .
Next Payload field (8 bits): payload . 0 payload
Reserved field (8 bits): 0
Payload Length field (16 bits): payload generic payload header
Domain of Interpretation field (32 bits): DOI Notification
Protocol-id field (8 bits): Notification ISAKMP IPSec ESP IPSec AH
SPI Size field (8 bits): SPI protocol_id
Notify Message Type field (16 bits): notification
Security Parameter Index (SPI) field (variable length) :
Notification Data field (variable length):
-
Delete Payload payload ( 12) SA . SPI payload .
Next Payload field (8 bits): payload . 0 payload
Reserved field (8 bits): 0
Payload Length field (16 bits): payload generic payload header
Domain of Interpretation field (32 bits): DOI
Protocol-id field (8 bits) : ISAKMP SA .
SPI Size field (8 bits): SPI protocol_id
# of SPIs field (16 bits): SPI Delete Payload
Security Parameter Indexes field (variable length): SA
-
Vendor ID Payload payload ( 12) .
Next Payload field (8 bits): payload . 0 payload
Reserved field (8 bits): 0
Payload Length field (16 bits): payload generic payload header
Vendor ID field (variable length): vendor-id .
-
ISAKMP ISAKMP . payload .
Base Exchange:
Identity Protection Exchange: 2 .
-
Authentication Only Exchange: . ISAKMP SA .
Aggressive Exchange: payload security association key exchange .
Informational Exchange: SA . 1 ISAKMP SA .
-
ISAKMP Payload
ISAKMP Header Processing: cookie ISAKMP header : cookie Next Payload Exchange Type flags Message ID
-
Generic Payload Header Processing: payload Next Payload 0 Reserved Payload Length
: Next Payload Reserved
-
Security Association Payload Processing: DOI DOI proposal transform Security Association payload: DOI payload (Proposal Transform) Proposal . Information Exchange Notification payload No-Proposal-Chosen .
-
Proposal Payload Processing: proposal proposal transform proposal SPI Proposal payload
: proposal Protocol-ID SPI proposal Proposal payload transform payload Next Payload
-
Transform Payload Processing: Transform Transform Transform payload: Transform . Transform-ID transform payload . Transforms Transform Payload SA . Proposal payload transform payload Next Payload
-
Key Exchange Payload Processing: DOI Key Exchange Data field Key Exchange payload
: Key Exchange . .Informational Exchange Notification payload Invalid-Key-Information .
-
Identification Payload Processing: DOI . Identification Data DOI . Identification payload: Identification payload . Informational Exchange Notification payload Invalid-ID-Information .
-
Certificate Payload Processing: Certificate Encoding DOI Certificate Encoding : Certificate Encoding . payload Certificate Data payload
-
Certificate Request Payload Processing: Certificate Encoding CA Certificate Request payload: Certificate Encoding . payload CA Certificate Encoding . CA payload . Certificate Data payload Certificate Request Certificate Request CA payload
-
Hash Payload Processing: DOI Hash payload: . . DOI . ..
Signature Payload Processing: DOI Signature payload: . . DOI . ..
-
Nonce Payload Processing: nonce Nonce payload: nonce DOI .
Notification Payload Processing: Notify Payload .: DOI Notification Protocol-ID SPI Notification Data Notification Payload: Informational Exchange ( header) DOI . SPI Notify Notification payload
-
Delete Payload Processing: SA SA .: DOI Protocol-ID SPI Protocol-id SPI SPI Delete payload
: DOI Protocol-ID . SPI Delete payload Delete payload