Protocol Basics: IPSec
IPSec
• Provides two modes of protection
  • Tunnel Mode
  • Transport Mode
• Authentication and Integrity
• Confidentiality
• Replay Protection
Tunnel Mode
• Encapsulates the entire IP packet within IPSec protection
• Tunnels can be created between several different node types
  • Gateway to gateway
  • Host to gateway
  • Host to host

Three Types of Tunnels (figure): Gateway to Gateway, Host to Gateway, Host to Host
Transport Mode
• Encapsulates only the transport layer information within IPSec protection
• Can only be created between host nodes
Authentication and Integrity
• Verification of the origin of data
• Assurance that the data sent is the data received
• Assurance that the network headers have not changed since the data was sent
Confidentiality
• Encrypts data to protect against eavesdropping
• Can hide the data source when encryption is used over a tunnel
Replay Prevention
• Causes replayed (already received or stale) packets to be dropped
IPSec Protection Protocols
• Authentication Header (AH)
  • Authenticates payload data
  • Authenticates network header
  • Gives anti-replay protection
• Encapsulated Security Payload (ESP)
  • Encrypts payload data
  • Authenticates payload data
  • Gives anti-replay protection
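The anti-replay protection listed for AH and ESP above is implemented by the receiver with a sliding window over the 32-bit sequence number. The following is an added example (not from these slides) of that window in the style of RFC 4303 Appendix A; the window size and the packet stream are constructed, and the integrity-check result is simulated by a flag on each packet.

```python
"""IPsec anti-replay sliding window (RFC 4303 Appendix A style, 32-bit sequence numbers)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ReplayWindow:
    size: int = 64        # W: RFC 4303 requires at least 32; 64 is a common default
    last_seq: int = 0     # highest sequence number accepted so far (right edge of window)
    bitmap: int = 0       # bit i set => sequence number (last_seq - i) has been received

    def check(self, seq: int) -> tuple[bool, str]:
        """Decide whether seq may be accepted. Does not change state."""
        if seq == 0:
            return False, "invalid (sequence numbers start at 1)"
        if seq > self.last_seq:
            return True, "new, advances window"
        diff = self.last_seq - seq
        if diff >= self.size:
            return False, "too old (left of window)"
        if (self.bitmap >> diff) & 1:
            return False, "replay (already received)"
        return True, "new, inside window"

    def update(self, seq: int) -> None:
        """Record seq as received. Call only after the packet's ICV verified,
        so a forged packet cannot advance the window and starve valid traffic."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            if shift >= self.size:
                self.bitmap = 1                       # window moved entirely past old contents
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def process_packets(packets, window_size: int = 64):
    """packets: iterable of (seq, icv_ok). Returns a list of (seq, accepted, reason)."""
    win = ReplayWindow(size=window_size)
    results = []
    for seq, icv_ok in packets:
        ok, why = win.check(seq)
        if ok and not icv_ok:
            ok, why = False, "integrity check failed"   # dropped, window untouched
        if ok:
            win.update(seq)
        results.append((seq, ok, why))
    return results


# Constructed stream: in-order, a replay of 2, reordering (5 before 4), a replay of 4,
# a jump to 70 that pushes 5 and 6 out of the window, and a forged 8 before the real 8.
SAMPLE = [(1, True), (2, True), (3, True), (2, True), (5, True), (4, True), (4, True),
          (70, True), (5, True), (6, True), (7, True), (8, False), (8, True)]
```

Running `process_packets(SAMPLE)` accepts 1, 2, 3, 5, 4, 70, 7 and the second 8; it drops the replayed 2 and 4, the stale 5 and 6, and the 8 whose integrity check failed.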
IPSec AH in Transport Mode (figure)
  Before: [Orig IP Hdr][TCP Hdr][Data]
  After:  [Orig IP Hdr][AH Hdr][TCP Hdr][Data]   (AH Hdr inserted after the original IP header)
  Integrity hash coverage: the whole packet, except for mutable fields in the IP header
  © 2000 Microsoft Corporation

IPSec AH in Tunnel Mode (figure)
  Before: [Orig IP Hdr][TCP Hdr][Data]
  After:  [New IP Hdr][AH Hdr][Orig IP Hdr][TCP Hdr][Data]
  New IP header carries the tunnel endpoints' source & destination IP addresses
  Integrity hash coverage: the whole packet, except for mutable fields in the new IP header

IPSec ESP in Transport Mode (figure)
  Before: [Orig IP Hdr][TCP Hdr][Data]
  After:  [Orig IP Hdr][ESP Hdr][TCP Hdr][Data][ESP Trailer][ESP Auth]   (ESP Hdr inserted; ESP Trailer and ESP Auth appended)
  Usually encrypted: TCP Hdr, Data, ESP Trailer
  Integrity hash coverage: ESP Hdr through ESP Trailer (the IP header is not covered)

IPSec ESP in Tunnel Mode (figure)
  Before: [Orig IP Hdr][TCP Hdr][Data]
  After:  [New IP Hdr][ESP Hdr][Orig IP Hdr][TCP Hdr][Data][ESP Trailer][ESP Auth]
  New IP header carries the tunnel endpoints' source & destination IP addresses
  Usually encrypted: Orig IP Hdr, TCP Hdr, Data, ESP Trailer
  Integrity hash coverage: ESP Hdr through ESP Trailer (the new IP header is not covered)
IPSec Basic Architecture
• IPSec Driver
• Policy Agent
• Internet Key Exchange (IKE)
(Figure: Policy Agent, IKE, IPSec Driver and TCP/IP Driver)
IPSec Driver
• Monitors and secures IP traffic
• Encryption and authentication of outbound packets
• Decryption and authentication of inbound packets
• Prompts IKE to negotiate secure channels as needed
• Maintains secure channel state information
Policy Agent
• Maintains IPSec policy and state information
• Distributes filter rule sets to the IPSec Driver
• Distributes authentication and security settings to IKE
IKE
• Negotiates secure channels based on settings received from the Policy Agent
• Distributes secure channel information to the IPSec Driver
How It All Fits Together (figures: Transport and Tunnel)

Sending in Transport Mode (figure): the packet descends Application → Transport → IP → IPSec → Physical; on the wire: [IP][IPSec][TCP][Application Data]

Sending in Tunnel Mode (figure): the inner packet [IP][IPSec][TCP][Application Data] is passed through IPSec and a second IP layer before the Physical layer; on the wire: [Outer IP][IPSec][Inner IP][IPSec][TCP][Application Data]

Receiving in Tunnel Mode (figure): the reverse of sending; [Outer IP][IPSec][Inner IP][IPSec][TCP][Application Data] is stripped to [IP][IPSec][TCP][Application Data] and then delivered upward

Receiving in Transport Mode (figure): [IP][IPSec][TCP][Application Data] ascends Physical → IP → IPSec → Transport → Application
Layer Two Tunneling Protocol (L2TP)
• Provides
  • PPP encapsulation over IP
  • VPN services
• Doesn't provide
  • A method of encryption for its traffic
  • Protection against injection of packets into an open L2TP session

How L2TP Works (figure): L2TP/IPSec stack with Application, L2TP, PPP, IKE Service, TCP/UDP, IP, IPSec Driver layer and NIC; the numbered control-path steps 1–5 are not recoverable from the figure
Kerberos
• Provides authentication of network server and client

What Kerberos Provides
• Mutual authentication of parties

How Kerberos Works (figure): the Client sends a Ticket Request to the KDC's Authentication Service (AS) and receives a Ticket Granting Ticket; the Client sends an Authorization Request to the Ticket Granting Service (TGS) and receives a Ticket; the Client presents the Ticket to the Application Server