Post on 24-Dec-2015
transcript
Protocol Basics
IPSec
• Provides two modes of protection
  – Tunnel Mode
  – Transport Mode
• Authentication and Integrity
• Confidentiality
• Replay Protection
Tunnel Mode
• Encapsulates the entire IP packet within IPSec protection
• Tunnels can be created between several different node types
  – Gateway to gateway
  – Host to gateway
  – Host to host
Three Types of Tunnels
Host to Host
Host to Gateway
Gateway to Gateway
Transport Mode
• Encapsulates only the transport layer information within IPSec protection
• Can only be created between host nodes
Authentication and Integrity
• Verification of the origin of data
• Assurance that data sent is the data received
• Assurance that the network headers have not changed since the data was sent
Confidentiality
• Encrypts data to protect against eavesdropping
• Can hide data source when encryption is used over a tunnel
Replay Prevention
• Causes retransmitted packets to be dropped.
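How a receiver actually enforces this, shown here as an added example that is not part of the slides: AH and ESP carry a per-packet sequence number, and the receiver keeps a sliding window (64 packets is the usual minimum) per security association. A sequence number that has already been seen, or that is older than the window, is dropped; anything new is recorded. The window size, the sample sequence stream and the names below are constructed for the demo.

```python
class AntiReplayWindow:
    """Sliding-window replay check of the kind an IPsec AH/ESP receiver keeps
    per security association (RFC 4302/4303 style). Constructed example, not
    code from the slides."""

    def __init__(self, size=64):
        self.size = size      # window width in packets (64 is the usual minimum)
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False if it is a replay,
        too old to be tracked, or the invalid value 0."""
        if seq == 0:
            return False
        if seq > self.highest:
            # Packet beyond the right edge: slide the window forward.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False   # left of the window: drop rather than track
        if self.bitmap & (1 << diff):
            return False   # inside the window but already seen: replay
        self.bitmap |= 1 << diff
        return True


def filter_packets(seqs, size=64):
    """Run a stream of sequence numbers through one window; return the ones
    that would be delivered and the ones that would be dropped."""
    window = AntiReplayWindow(size)
    accepted, dropped = [], []
    for seq in seqs:
        (accepted if window.check_and_update(seq) else dropped).append(seq)
    return accepted, dropped


# Constructed sample stream: in-order packets, a retransmission (replay) of 3,
# a burst that jumps ahead, a late-but-valid packet, and a stale one.
SAMPLE_SEQS = [1, 2, 3, 3, 5, 4, 70, 68, 68, 7, 3]

if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE_SEQS)
    print("delivered:", accepted)
    print("dropped:  ", dropped)
```

Reordered packets inside the window (5 before 4 above) are still accepted, which is why the check is a bitmap rather than a simple "must be greater than the last one" rule; the sequence number itself is covered by the AH or ESP integrity check, so an attacker cannot just bump it on a captured packet.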
IPSec Protection Protocols
• Authentication Header
  – Authenticates payload data
  – Authenticates network header
  – Gives anti-replay protection
• Encapsulated Security Payload
  – Encrypts payload data
  – Authenticates payload data
  – Gives anti-replay protection
IPSec AH in Transport Mode
[Figure: original packet: Orig IP Hdr | TCP Hdr | Data. After AH is inserted: Orig IP Hdr | AH Hdr | TCP Hdr | Data]
Integrity hash coverage: Orig IP Hdr (except for mutable fields in IP hdr), AH Hdr, TCP Hdr, Data
© 2000 Microsoft Corporation
IPSec AH in Tunnel Mode
[Figure: original packet: Orig IP Hdr | TCP Hdr | Data. After AH in tunnel mode: IP Hdr | AH Hdr | Orig IP Hdr | TCP Hdr | Data]
New IP header with source & destination IP address
Integrity hash coverage: new IP Hdr (except for mutable new IP hdr fields), AH Hdr, Orig IP Hdr, TCP Hdr, Data
IPSec ESP in Transport Mode
[Figure: original packet: Orig IP Hdr | TCP Hdr | Data. After ESP: Orig IP Hdr | ESP Hdr (inserted) | TCP Hdr | Data | ESP Trailer (appended) | ESP Auth (appended)]
Usually encrypted: TCP Hdr, Data, ESP Trailer
Integrity hash coverage: ESP Hdr, TCP Hdr, Data, ESP Trailer
IPSec ESP Tunnel Mode
[Figure: original packet: Orig IP Hdr | TCP Hdr | Data. After ESP in tunnel mode: IP Hdr | ESP Hdr | Orig IP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth]
New IP header with source & destination IP address
Usually encrypted: Orig IP Hdr, TCP Hdr, Data, ESP Trailer
Integrity hash coverage: ESP Hdr, Orig IP Hdr, TCP Hdr, Data, ESP Trailer
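The four diagrams above differ mainly in what the integrity hash covers and what gets encrypted. The following added example (written for this transcript, not Microsoft's code) builds a transport-mode AH packet and a transport-mode ESP packet over a constructed TCP segment and checks what each one detects: AH's ICV spans the immutable IP header fields, so a changed destination address fails verification while a decremented TTL (a mutable field) still passes; ESP's ICV starts at the ESP header, so the outer IP header is not protected at all, but the payload is hidden and any change to the ciphertext is caught. The key, SPI values, 96-bit ICV truncation and the HMAC-derived keystream standing in for the ESP cipher are all demo assumptions.

```python
import hashlib
import hmac
import struct

# Constructed demo values (not from the slides): shared key, ICV truncated to
# 96 bits as AH/ESP integrity algorithms commonly do, IP protocol numbers.
KEY = b"constructed-demo-key"
ICV_LEN = 12
IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51


def ip_header(src, dst, proto, ttl=64, payload_len=0):
    """Minimal 20-byte IPv4 header; checksum left zero to keep the demo short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, src, dst)


def icv(data):
    """Integrity check value: truncated HMAC-SHA256 over the covered bytes."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_covered_header(ip_hdr):
    """IP header with the mutable fields zeroed before hashing, as AH does:
    TOS, flags/fragment offset, TTL and header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_protect(src, dst, tcp_segment, ttl=64, seq=1):
    """Transport-mode AH: AH header inserted after the IP header; the ICV covers
    the immutable IP fields, the AH header (ICV zeroed) and the whole payload."""
    ah_len = 12 + ICV_LEN
    hdr = ip_header(src, dst, IPPROTO_AH, ttl, ah_len + len(tcp_segment))
    # next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", IPPROTO_TCP, ah_len // 4 - 2, 0, 0x100, seq)
    mac = icv(ah_covered_header(hdr) + ah_fixed + bytes(ICV_LEN) + tcp_segment)
    return hdr + ah_fixed + mac + tcp_segment


def ah_verify(packet):
    """True if the AH ICV matches (immutable IP header fields included)."""
    hdr, ah_fixed = packet[:20], packet[20:32]
    mac, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    expected = icv(ah_covered_header(hdr) + ah_fixed + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(mac, expected)


def keystream(n, seq):
    """Stand-in for the ESP cipher (demo only, not AES): HMAC-derived keystream."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(KEY, struct.pack("!II", seq, ctr), hashlib.sha256).digest()
    return out[:n]


def esp_protect(src, dst, tcp_segment, ttl=64, seq=1, block=4):
    """Transport-mode ESP: ESP header inserted after the IP header, ESP trailer
    (padding, pad length, next header) appended and encrypted with the payload,
    then ESP Auth (ICV over ESP header + ciphertext, not the IP header) appended."""
    pad_len = (-(len(tcp_segment) + 2)) % block
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_TCP])
    plaintext = tcp_segment + trailer
    esp_hdr = struct.pack("!II", 0x200, seq)  # SPI, sequence number
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(len(plaintext), seq)))
    mac = icv(esp_hdr + ciphertext)
    hdr = ip_header(src, dst, IPPROTO_ESP, ttl, len(esp_hdr) + len(ciphertext) + ICV_LEN)
    return hdr + esp_hdr + ciphertext + mac


def esp_unprotect(packet):
    """Check the ESP ICV, decrypt, strip the trailer; None if the check fails."""
    esp_hdr, body, mac = packet[20:28], packet[28:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(mac, icv(esp_hdr + body)):
        return None
    seq = struct.unpack("!I", esp_hdr[4:8])[0]
    plaintext = bytes(a ^ b for a, b in zip(body, keystream(len(body), seq)))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != IPPROTO_TCP:
        return None
    return plaintext[:len(plaintext) - 2 - pad_len]


def set_ttl(packet, ttl):
    """Simulate a router decrementing TTL (a mutable field)."""
    return packet[:8] + bytes([ttl]) + packet[9:]


def set_dst(packet, dst):
    """Simulate an on-path change of the destination address (immutable field)."""
    return packet[:16] + dst + packet[20:]


# Constructed sample packet: a tiny TCP segment between two private hosts.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SEGMENT = b"\x00\x50\x00\x50hello"

if __name__ == "__main__":
    ah = ah_protect(SRC, DST, SEGMENT)
    print("AH ok:", ah_verify(ah), "| after TTL change:", ah_verify(set_ttl(ah, 63)),
          "| after dst change:", ah_verify(set_dst(ah, bytes([10, 0, 0, 9]))))
    esp = esp_protect(SRC, DST, SEGMENT)
    print("ESP hides payload:", SEGMENT not in esp, "| decrypts:", esp_unprotect(esp) == SEGMENT,
          "| still accepts dst change:", esp_unprotect(set_dst(esp, bytes([10, 0, 0, 9]))) == SEGMENT)
```

The AH result is why the slide says "except for mutable fields": if TTL were covered, every hop would break the hash. The ESP result is the practical reason tunnel mode wraps the original IP header inside the ESP payload, where it is both encrypted and integrity-checked, while the new outer header is left unprotected by design.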
IPSec Basic Architecture
• IPSec Driver
• Policy Agent
• Internet Key Exchange (IKE)
[Figure: Policy Agent, IKE and IPSec Driver, the IPSec Driver placed alongside the TCP/IP Driver]
• Monitors and Secures IP traffic
  – Encryption and Authentication of outbound packets
  – Decryption and Authentication of inbound packets
  – Prompts IKE to negotiate secure channels as needed
• Maintains secure channel state information
Policy Agent
• Maintains IPSec policy and state information
• Distributes filter rule sets to the IPSec Driver
• Distributes authentication and security settings to IKE
IKE
• Negotiates secure channels based on settings received from the Policy Agent
• Distributes secure channel information to the IPSec driver
How It All Fits Together
[Figure: layer stacks (Application, Transport, IP, IPSec, Physical) for four cases, with the headers present at each layer (Application Data, TCP, IPSec, IP, Physical); in tunnel mode both the Inner IP header and the Outer IP header appear]
Sending in Transport Mode
Sending in Tunnel Mode
Receiving in Tunnel Mode
Receiving in Transport Mode
Layer Two Tunneling Protocol (L2TP)
• Provides
  – PPP encapsulation over IP
  – VPN services
• Doesn’t Provide
  – A method of encryption for its traffic
  – Protection against injection of packets into an open L2TP session
How L2TP Works
[Figure: L2TP/IPSec stack: Application, TCP/UDP, L2TP, PPP, Driver Layer, IPSec, IP, NIC, with the IKE Service on the control path; the flow is marked as steps 1 to 5]
Kerberos
• Provides authentication of network server and client
What Kerberos Provides
• Mutual authentication of parties
How Kerberos Works
[Figure: Client, KDC (AS and TGS) and Application Server. Client → AS: Authorization Request; AS → Client: Ticket Granting Ticket; Client → TGS: Ticket Request; TGS → Client: Ticket; Client → Application Server: Ticket]
Public Key Infrastructure Basics
How Public Keys Are Used for Authentication
What’s In a Certificate?
How PKI Works