IPSec In Depth


Presentation Transcript


  1. IPSec In Depth

  2. Encapsulated Security Payload (ESP)
     • Must encrypt and/or authenticate in each packet
     • Encryption occurs before authentication
     • Authentication is applied to data in the IPSec header as well as the data contained as payload

  3. IPSec Encapsulating Security Payload (ESP) in Transport Mode
     Before: Orig IP Hdr | TCP Hdr | Data
     After:  Orig IP Hdr | ESP Hdr (inserted) | TCP Hdr | Data | ESP Trailer (appended) | ESP Auth (appended)
     ESP Hdr: SecParamIndex, Seq#, InitVector
     ESP Trailer: Padding, PadLength, NextHdr
     ESP Auth: Keyed Hash
     TCP Hdr, Data and ESP Trailer are usually encrypted; integrity hash coverage runs from ESP Hdr through ESP Trailer
     22-36 bytes total; ESP is IP protocol 50
     © 2000 Microsoft Corporation

  4. IPSec ESP Tunnel Mode
     Before: Orig IP Hdr | TCP Hdr | Data
     After:  IP Hdr (new) | ESP Hdr | Orig IP Hdr | TCP Hdr | Data | ESP Trailer | ESP Auth
     Orig IP Hdr, TCP Hdr, Data and ESP Trailer are usually encrypted; integrity hash coverage runs from ESP Hdr through ESP Trailer
     New IP header with source & destination IP address
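The following Python is an added example, not part of the slide deck, that builds and parses the transport-mode ESP packet laid out on slides 2 to 4: the ESP header (SPI, sequence number, IV) is inserted after the IP header, the trailer pads the payload to a whole cipher block, encryption is applied first, and the keyed hash then covers ESP header, IV and ciphertext. The receiver checks the keyed hash before it decrypts anything, which is the practical consequence of slide 2's "encryption occurs before authentication". The cipher is a labelled HMAC-in-counter-mode stand-in (not a real ESP transform), and the 16-byte block, 16-byte IV and 12-byte truncated ICV are assumptions.

```python
import hashlib
import hmac
import os
import struct

ESP_PROTOCOL = 50   # ESP is IP protocol 50 (slide 3)
BLOCK = 16          # cipher block size the trailer pads to (assumed: a 16-byte block cipher)
IV_LEN = 16         # InitVector length (assumed)
ICV_LEN = 12        # truncated keyed hash, HMAC-SHA1-96 style (assumed)


def keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for the ESP cipher: HMAC-SHA256 driven in counter mode.
    This is NOT a real ESP transform; it only keeps the example self-contained."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(enc_key, auth_key, spi, seq, next_hdr, payload, iv=None):
    """Transport-mode ESP: insert ESP Hdr, append ESP Trailer, then ESP Auth.
    Encryption happens first; the keyed hash then covers ESP Hdr + IV + ciphertext."""
    if iv is None:
        iv = os.urandom(IV_LEN)
    # ESP Trailer: Padding so that payload + PadLength + NextHdr fills whole blocks
    pad_len = (-(len(payload) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default padding 1,2,3,...
    plaintext = payload + padding + bytes([pad_len, next_hdr])
    ks = keystream(enc_key, iv, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    esp_hdr = struct.pack(">II", spi, seq)           # SecParamIndex, Seq#
    covered = esp_hdr + iv + ciphertext              # integrity hash coverage
    icv = hmac.new(auth_key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return covered + icv


def esp_decapsulate(enc_key, auth_key, packet):
    """Verify the ESP Auth field before touching the ciphertext, then strip the trailer."""
    covered, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, covered, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed; packet dropped")
    spi, seq = struct.unpack(">II", covered[:8])
    iv = covered[8:8 + IV_LEN]
    ciphertext = covered[8 + IV_LEN:]
    ks = keystream(enc_key, iv, len(ciphertext))
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, ks))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    payload = plaintext[:len(plaintext) - 2 - pad_len]
    return spi, seq, next_hdr, payload


def esp_overhead(payload_len):
    """Bytes added by ESP Hdr + IV + trailer + ICV for a payload of this size."""
    pad_len = (-(payload_len + 2)) % BLOCK
    return 8 + IV_LEN + pad_len + 2 + ICV_LEN


if __name__ == "__main__":
    ek, ak = b"e" * 16, b"a" * 20                    # constructed keys
    pkt = esp_encapsulate(ek, ak, 0x1234, 7, 6, b"TCP hdr + data")
    print(esp_decapsulate(ek, ak, pkt), len(pkt), esp_overhead(14))
```

Because the ICV covers the ESP header as well as the ciphertext, flipping a bit in the SPI or the sequence number is rejected just like a change to the encrypted data, and the rejection happens before any decryption work is spent on the packet.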

  5. Authentication Header (AH)
     • Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out
     • If both ESP and AH are applied to a packet, AH follows ESP

  6. IPSec Authentication Header (AH) in Transport Mode
     Before: Orig IP Hdr | TCP Hdr | Data
     After:  Orig IP Hdr | AH Hdr (inserted) | TCP Hdr | Data
     AH Hdr: Next Hdr, Payload Len, Rsrv, SecParamIndex, Seq#, Keyed Hash
     Integrity hash coverage: the whole packet (except for mutable fields in IP hdr)
     AH is IP protocol 51; 24 bytes total

  7. IPSec AH Tunnel Mode
     Before: Orig IP Hdr | TCP Hdr | Data
     After:  IP Hdr (new) | AH Hdr | Orig IP Hdr | TCP Hdr | Data
     Integrity hash coverage: the whole packet (except for mutable new IP hdr fields)
     New IP header with source & destination IP address

  8. Internet Key Exchange (IKE)
     • Phase I
       • Establish a secure channel (ISAKMP SA)
       • Authenticate computer identity
     • Phase II
       • Establishes a secure channel between computers intended for the transmission of data (IPSec SA)

  9. Main Mode
     • Main mode negotiates an ISAKMP SA which will be used to create IPSec SAs
     • Three steps
       • SA negotiation
       • Diffie-Hellman and nonce exchange
       • Authentication

  10. Main Mode (Kerberos)
      Initiator -> Responder: Header, SA Proposals
      Responder -> Initiator: Header, Selected SA Proposal
      Initiator -> Responder: Header, D-H Key Exchange, Nonce_i, Kerberos Token_i
      Responder -> Initiator: Header, D-H Key Exchange, Nonce_r, Kerberos Token_r
      Initiator -> Responder (encrypted): Header, Id_i, Hash_i
      Responder -> Initiator (encrypted): Header, Id_r, Hash_r

  11. Main Mode (Certificate)
      Initiator -> Responder: Header, SA Proposals
      Responder -> Initiator: Header, Selected SA Proposal
      Initiator -> Responder: Header, D-H Key Exchange, Nonce_i
      Responder -> Initiator: Header, D-H Key Exchange, Nonce_r, Certificate Request
      Initiator -> Responder (encrypted): Header, Id_i, Certificate_i, Signature_i, Certificate Request
      Responder -> Initiator (encrypted): Header, Id_r, Certificate_r, Signature_r

  12. Main Mode (Pre-shared Key)
      Initiator -> Responder: Header, SA Proposals
      Responder -> Initiator: Header, Selected SA Proposal
      Initiator -> Responder: Header, D-H Key Exchange, Nonce_i
      Responder -> Initiator: Header, D-H Key Exchange, Nonce_r
      Initiator -> Responder (encrypted): Header, Id_i, Hash_i
      Responder -> Initiator (encrypted): Header, Id_r, Hash_r

  13. Quick Mode
      • All traffic is encrypted using the ISAKMP Security Association
      • Each quick mode negotiation results in two IPSec Security Associations (one inbound, one outbound)

  14. Quick Mode Negotiation (all messages encrypted under the ISAKMP SA)
      Initiator -> Responder: Header, IPSec Proposed SA
      Responder -> Initiator: Header, IPSec Selected SA
      Initiator -> Responder: Header, Hash
      Responder -> Initiator: Header, Connected Notification
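Added example, not from the slides, that walks the pre-shared-key main mode of slides 9 and 12 and the quick mode of slides 13 and 14 in Python. The SKEYID, Hash_i/Hash_r and SKEYID_d derivations follow RFC 2409 (SKEYID = prf(pre-shared-key, Ni | Nr); Hash_i = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi | ID_i); KEYMAT = prf(SKEYID_d, protocol | SPI | Ni | Nr) without PFS). The 127-bit Diffie-Hellman group, the choice of HMAC-SHA256 as the prf, and the cookies, nonces and SA payload bytes are toy or constructed values, and the "encrypted" messages 5 and 6 are passed in the clear here since only the authentication step is being shown. Main mode fails (returns None) when the two sides hold different pre-shared keys, because each side derives SKEYID from its own key and the other side's Hash no longer verifies; each successful quick mode then yields two SAs with distinct SPIs and distinct keys, one per direction.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group for illustration only (assumed); IKE uses the MODP groups of RFC 2409.
P = 2**127 - 1
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf; HMAC-SHA256 is an assumption for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes(16, "big")


class Peer:
    """State one side holds during main mode: cookie, D-H private/public value, nonce."""
    def __init__(self, psk: bytes, identity: bytes):
        self.psk = psk
        self.identity = identity
        self.cookie = os.urandom(8)                              # CKY in the ISAKMP header
        self.x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
        self.gx = pow(G, self.x, P)                              # D-H Key Exchange payload
        self.nonce = os.urandom(16)                              # Nonce_i / Nonce_r


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def main_mode_psk(init: Peer, resp: Peer, sai_b: bytes):
    """Messages 1-6 of main mode with a pre-shared key. Returns SKEYID_d on success,
    None if Hash_i or Hash_r fails to verify (for example, mismatched pre-shared keys)."""
    # msgs 1-2: SA Proposals / Selected SA Proposal (sai_b is the initiator's SA payload body)
    # msgs 3-4: D-H Key Exchange and nonces; after these both sides agree on g^xy
    gxy = i2b(pow(resp.gx, init.x, P))
    assert gxy == i2b(pow(init.gx, resp.x, P))
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b); each side uses its OWN pre-shared key
    skeyid_i = prf(init.psk, init.nonce + resp.nonce)
    skeyid_r = prf(resp.psk, init.nonce + resp.nonce)
    args = (i2b(init.gx), i2b(resp.gx), init.cookie, resp.cookie, sai_b)
    # msg 5: Id_i, Hash_i; the responder recomputes Hash_i with its SKEYID
    sent_hash_i = hash_i(skeyid_i, *args, init.identity)
    if not hmac.compare_digest(sent_hash_i, hash_i(skeyid_r, *args, init.identity)):
        return None
    # msg 6: Id_r, Hash_r; the initiator recomputes Hash_r with its SKEYID
    sent_hash_r = hash_r(skeyid_r, *args, resp.identity)
    if not hmac.compare_digest(sent_hash_r, hash_r(skeyid_i, *args, resp.identity)):
        return None
    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0), the key-derivation key for quick mode
    return prf(skeyid_i, gxy + init.cookie + resp.cookie + b"\x00")


def quick_mode(skeyid_d: bytes, ni: bytes, nr: bytes, spi_inbound: bytes,
               spi_outbound: bytes, protocol: int = 50) -> dict:
    """One quick mode negotiation yields two IPSec SAs, one per direction, each with its
    own SPI and KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b) (no PFS)."""
    def keymat(spi: bytes) -> bytes:
        return prf(skeyid_d, bytes([protocol]) + spi + ni + nr)
    return {"inbound": (spi_inbound, keymat(spi_inbound)),
            "outbound": (spi_outbound, keymat(spi_outbound))}


if __name__ == "__main__":
    alice, bob = Peer(b"shared secret", b"alice"), Peer(b"shared secret", b"bob")
    skeyid_d = main_mode_psk(alice, bob, b"constructed SA proposal")
    sas = quick_mode(skeyid_d, os.urandom(16), os.urandom(16), b"\x00\x00\x10\x01", b"\x00\x00\x10\x02")
    print({k: (spi.hex(), key.hex()[:16]) for k, (spi, key) in sas.items()})
```

The SPI is mixed into KEYMAT, which is why the two SAs of one quick mode never share a key even though both come from the same SKEYID_d and nonces; a receiver looks up the inbound SA by the SPI carried in the ESP or AH header (slides 3 and 6) and applies that SA's key only.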
