IP Security(2)


description

IP Security(2). Wireless/Mobile Network LAB, 박준석. PowerPoint PPT presentation, 23 slides. Table of contents: 1. KEY MANAGEMENT; 1.1 Manual key management; 1.2 Automated Key Management; 1.3 KEY MANAGEMENT; 2. Oakley Key Determination Protocol (cont.); 3. ISAKMP (cont.); 4. DOI (Domain of Interpretation); 5. IKE Protocol.

Transcript of IP Security(2)

  • IP Security(2). Wireless/Mobile Network LAB

  • Table of contents
    1. KEY MANAGEMENT
    1.1 Manual key management
    1.2 Automated Key Management
    1.3 KEY MANAGEMENT
    2. Oakley Key Determination Protocol (cont.)
    3. ISAKMP (cont.)
    4. DOI (Domain of Interpretation)
    5. IKE Protocol
    5.1 Phases of IKE Protocol
    5.2 Main Mode with Signatures
    5.3 Aggressive Mode with Signatures
    5.4 Quick Mode in Phase II
    6. Application of IP security feature
    6.1 VPN (Virtual Private Network)
    7. FUTURE DIRECTIONS

  • 1. KEY MANAGEMENT: ISAKMP, OAKLEY, SKEME (Secure Key Exchange Mechanism for Internet).

  • 1.1 Manual key management: SA

  • 1.2 Automated Key Management: SA

  • 1.3 KEY MANAGEMENT
    Oakley Key Determination Protocol: a key exchange protocol based on a modified version of the Diffie-Hellman algorithm.
    ISAKMP (Internet Security Association and Key Management Protocol): application layer; SA.
    IKE (Internet Key Exchange): SA; Oakley; ISAKMP.

  • 2. Oakley Key Determination Protocol (cont.): DH (Diffie-Hellman), cookies. Oakley: IP, UDP. DH groups: GF[2^N] (EC2N), GF[P] (ECP).

  • NONCE. DH: P, g, a. Man-in-the-middle attack: DH.

  • 3. ISAKMP (cont.): SA; network stack (ipsec, tls, ospf SAs); Oakley (RFC 2412). Exchange modes: 5. Basic Exchange: SA, NONCE, Auth payload, NONCE.

  • Identity Protection Exchange: SA, NONCE.

  • Authentication Only Exchange: SA

  • Aggressive Exchange: SA, ID. SA. Information Exchange: SA.

  • 4. DOI (Domain of Interpretation): ISAKMP/Oakley, IPSec, ISAKMP/Oakley. DOI: ISAKMP/Oakley.

  • 5. IKE Protocol: SA and Key Management Protocol; SA, key. A hybrid protocol of:
    ISAKMP: framework, message format, phases
    Oakley: key exchange modes
    SKEME: public key encryption

  • 5.1 Phases of IKE Protocol
    Phase 1 (IKE SA): 4 authentication methods: preshared keys, digital signature, public key encryption, revised public key encryption. Main and aggressive modes.
    Phase 2: IPSEC SA; quick mode.

  • 5.2 Main Mode with Signatures

    Initiator                          Responder
    HDR, SA                    -->
                               <--     HDR, SA
    HDR, KE, Ni                -->
                               <--     HDR, KE, Nr
    HDR*, IDii, [CERT,] SIG-I  -->
                               <--     HDR*, IDir, [CERT,] SIG-R

    HDR: Header; SA: Security Association; KE: Key Exchange; N: Nonce; CERT: Certificate; SIG: Signature; ID: Identity; i: Initiator; r: Responder
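    As an added illustration (not part of the original slides), the following Python models the six Main Mode messages on both sides and derives SKEYID, SKEYID_d/a/e and the HASH_I / HASH_R values that SIG-I and SIG-R cover, following RFC 2409 section 5. It assumes a constructed 64-bit toy DH group (real IKE uses the RFC 2409 MODP groups), HMAC-SHA1 as the prf, and leaves the signature operation over HASH_I/HASH_R itself unmodelled; the second run shows that an SA proposal altered in transit between messages 1 and 2 is caught when the responder recomputes HASH_I.

```python
import hmac, hashlib, secrets
# Constructed toy Diffie-Hellman group for illustration only: the 64-bit prime 2^64 - 59.
# Real IKE uses the MODP groups of RFC 2409 (e.g. group 2, 1024 bits) or larger ones.
P = 0xFFFFFFFFFFFFFFC5
G = 2

def prf(key, data):
    """IKE prf instantiated as HMAC-SHA1 (RFC 2409 section 5)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def derive_keys(ni, nr, gxy, cky_i, cky_r):
    """SKEYID for signature authentication and its three derived keys (RFC 2409 section 5)."""
    gxy_b = i2b(gxy)
    skeyid = prf(ni + nr, gxy_b)                                        # prf(Ni_b | Nr_b, g^xy)
    skeyid_d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")             # seeds IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")  # authenticates ISAKMP msgs
    skeyid_e = prf(skeyid, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")  # encrypts HDR* messages
    return {"skeyid": skeyid, "d": skeyid_d, "a": skeyid_a, "e": skeyid_e}

class Peer:
    """One IKE endpoint: ISAKMP cookie (in HDR), nonce (N payload) and DH value (KE payload)."""
    def __init__(self, ident):
        self.cky = secrets.token_bytes(8)
        self.nonce = secrets.token_bytes(16)
        self.x = secrets.randbelow(P - 2) + 1
        self.gx = pow(G, self.x, P)
        self.ident = ident

def main_mode(init, resp, sai_sent, sai_received=None):
    """Runs the six Main Mode messages; sai_received is the SA proposal as the responder saw it."""
    sai_received = sai_sent if sai_received is None else sai_received
    # Messages 1-2 (HDR, SA): cookies travel in HDR, the initiator's proposal is SAi_b.
    # Messages 3-4 (HDR, KE, N): each side computes g^xy and SKEYID on its own.
    k_i = derive_keys(init.nonce, resp.nonce, pow(resp.gx, init.x, P), init.cky, resp.cky)
    k_r = derive_keys(init.nonce, resp.nonce, pow(init.gx, resp.x, P), init.cky, resp.cky)
    # Messages 5-6 (HDR*, ID, [CERT,] SIG): HASH_I and HASH_R are what the signatures cover,
    # so a proposal altered in message 1 makes the responder's recomputation of HASH_I fail.
    body_i = i2b(init.gx) + i2b(resp.gx) + init.cky + resp.cky
    body_r = i2b(resp.gx) + i2b(init.gx) + resp.cky + init.cky
    hash_i_sent = prf(k_i["skeyid"], body_i + sai_sent + init.ident)
    hash_i_chk = prf(k_r["skeyid"], body_i + sai_received + init.ident)
    hash_r_sent = prf(k_r["skeyid"], body_r + sai_received + resp.ident)
    hash_r_chk = prf(k_i["skeyid"], body_r + sai_sent + resp.ident)
    return {"keys_match": k_i == k_r,
            "hash_i_ok": hmac.compare_digest(hash_i_sent, hash_i_chk),
            "hash_r_ok": hmac.compare_digest(hash_r_sent, hash_r_chk)}
```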

  • 5.3 Aggressive Mode with Signatures

    Initiator                          Responder
    HDR, SA, KE, Ni, IDii      -->
                               <--     HDR, SA, KE, Nr, IDir, [CERT,] SIG-R
    HDR, [CERT,] SIG-I         -->

    HDR: Header; SA: Security Association; KE: Key Exchange; N: Nonce; CERT: Certificate; SIG: Signature; ID: Identity; i: Initiator; r: Responder

  • 5.4 Quick Mode in Phase II

    Initiator                                        Responder
    HDR*, HASH(1), SA, Ni [, KE] [, IDci, IDcr]  -->
                                                 <--  HDR*, HASH(2), SA, Nr [, KE] [, IDci, IDcr]
    HDR*, HASH(3)                                -->

    HDR: Header; SA: Security Association; KE: Key Exchange; N: Nonce; ID: Identity; i: Initiator; r: Responder

  • 6. Application of IP security feature
    VPN (Virtual Private Network): LAN, WAN network (private WAN).
    Application level security: network application.
    IPSec: IP stack.
    Routing security.

  • 6.1 VPN(Virtual Private Network)


  • 7. FUTURE DIRECTIONS: IP, IKE, ISAKMP. Addressing policy. IPSec.

    IPSec, IKE. IKE: ISAKMP (Internet Security Association and Key Management Protocol), Oakley, SKEME (Secure Key Exchange Mechanism for Internet). IKE: ISAKMP (phases), Oakley; SKEME. Security association: IPsec AH, ESP SA; SA; IKE SA. An SA for AH or ESP is security-protocol-specific. SA identifier: [security parameter index (SPI) + IP destination address + security protocol]. AH, ESP: 2 SAs; SA, 2 SAs; 2 gateways, 2 SAs. Diffie-Hellman (DH, D-H): Whitfield Diffie and Martin Hellman, 1976. Diffie-Hellman, IPSec. OAKLEY (RFC 2412): Diffie-Hellman. OAKLEY, IKE (Internet Key Exchange) (RFC 2401), Internet Security Association Key Management Protocol (ISAKMP, RFC 2408). Nonce -> 5: Basic Exchange, Identity Protection Exchange, Authentication Only Exchange, Aggressive Exchange, Information Exchange.


    IPSec, IKE (Internet Key Exchange). IKE: ISAKMP, Oakley, SKEME. IKE: ISAKMP, phase, Oakley; SKEME. IKE SA (Security Association): SA, IKE phase 1 (phase1); IPSEC SA, IPSEC phase 2 (phase 2). Phase 1: SA, IKE SA, 4 ... AH, ESP. IPsec; IPv6 AH, ESP. SA; SA, AH. IP, IP. HW. VPN; VPN; LAN.