IPsec PDF

IPsec provides security for communications over IP networks by authenticating and encrypting each IP packet of a data stream. It has two main modes: Transport mode protects only the packet's payload, while Tunnel mode protects the entire packet. IPsec uses Security Associations to define encryption and authentication algorithms and security parameters for each connection. The Security Policy Database stores security policies that determine whether to discard, allow, or encrypt/authenticate packets based on their attributes.

Uploaded by

milesgelidus
IP security (IPsec)

[The body text of the following pages did not survive extraction; the recovered headings, terms and figure labels are kept below.]

Recovered terms from the introduction: MAC, replay attack, gateways.

IPsec modes:
- Transport Mode
- Tunnel Mode

IPsec protocols:
- Encapsulating Security Payload (ESP)
- Authentication Header (AH)

Key management: IKE

IPsec databases:
- Security Association Database (SAD)
- Security Policy Database (SPD)
Transport Mode

[Figure: host x in Network A and host y in Network B communicate across the Internet. In Transport Mode the ESP/AH Header is inserted between the IP Header and the TCP/UDP Header.]

Protocol stack without IPsec:
  Application
  TCP/UDP      (TCP/UDP Header)
  IP           (IP Header)
  MAC

Packet in Transport Mode, host x to host y:
  Application
  TCP/UDP
  IPsec        (ESP/AH Header)
  IP: x  y
  MAC
Tunnel Mode

[Figure: security gateways GWA (for Network A) and GWB (for Network B) are connected across the Internet. Host x in Network A sends to host y in Network B; GWA encapsulates the packet for GWB.]

Packet in Tunnel Mode between GWA and GWB:
  Application
  TCP/UDP
  IP: x  y          (inner IP Header)
  IPsec
  IP: GWA  GWB      (outer IP Header)
  MAC

GWB removes the outer IP Header and the IPsec header, uses Next Protocol to locate the inner IP packet, and delivers that packet to y.
[Figure: Network A and Network B joined by the GWA-GWB Tunnel across the Internet.]

Packet inside Network A or Network B:
  Application
  TCP/UDP
  IP: x  y
  MAC

Packet on the GWA-GWB Tunnel:
  Application
  TCP/UDP
  IP: x  y
  IPsec
  IP: GWA  GWB
  MAC

Transport Mode is used end to end between the communicating hosts; Tunnel Mode is used between security gateways, with ESP protecting the whole inner packet.
Tunnel Mode and the Virtual Private Network (VPN)

[Figure: three branch gateways joined pairwise by tunnels across the Internet:
  GWE  Europe branch
  GWA  Asia branch
  GWU  USA branch
  Tunnels: Europe-Asia Tunnel, Europe-USA Tunnel, USA-Asia Tunnel]

Recovered terms: gateway, gateways, tunnels.

Tunnel in Tunnel

[Figure: Subnet M (gateway GWM, host m) lies inside Network A (gateway GWA); Network B (gateway GWB) is reached across the Internet.]
[Figure: host m in Subnet M sends to host z in Network B. The M-B Tunnel (GWM to GWB) is carried inside the A-B Tunnel (GWA to GWB).]

Packet inside Subnet M, before GWM:
  Application
  TCP/UDP
  IP: m  z
  MAC

Packet between GWA and GWB, inside both tunnels (three IP Headers):
  Application
  TCP/UDP
  IP: m  z
  IPsec
  IP: GWM  GWB
  IPsec
  IP: GWA  GWB
  MAC

Packet with only the M-B Tunnel header (A-B Tunnel layer removed):
  Application
  TCP/UDP
  IP: m  z
  IPsec
  IP: GWM  GWB
  MAC

Packet delivered to z in Network B:
  Application
  TCP/UDP
  IP: m  z
  MAC
Security Association Database (SAD)

A Security Association (SA) holds the parameters of one IPsec session. Recovered SA fields: MAC, Sequence Number, Lifetime, Security Parameter Index (SPI).

Each host keeps an Outgoing SAD and an Incoming SAD, one SA per session:

User A's SAD                        User B's SAD

Outgoing SAD                        Outgoing SAD
SPI   User   SA data                SPI   User   SA data
17    B      ..., SPI=22            24    A      ..., SPI=13
38    Y      ..., SPI=5             25    X      ..., SPI=20

Incoming SAD                        Incoming SAD
SPI   User   SA data                SPI   User   SA data
13    B      ...                    22    A      ...
44    Y      ...                    23    X      ...

Using the SAD (recovered steps):
- Sender A looks up the SA for peer B in its Outgoing SAD and writes the SA's SPI (22) into the ESP/AH Header.
- Receiver B uses the SPI from the header to find the matching SA (SPI 22, user A) in its Incoming SAD and processes the IPsec packet with it.
IPsec protocols: Encapsulating Security Payload (ESP) and Authentication Header (AH)

ESP provides both encryption and authentication; AH provides authentication only.

ESP Header and trailer (fields in order):
  SPI | Sequence Number | IV | Data | Padding | Pad Length | Next Protocol | Authentication Data

  Encrypted:     Data, Padding, Pad Length, Next Protocol
  Authenticated: everything from SPI through Next Protocol (Authentication Data covers these fields)

ESP fields:
- SPI: the receiver uses it to find the SA in its Incoming SAD.
- Sequence Number: per-SA counter incremented for every packet; lets the receiver detect a replay attack.
- Initialization Vector (IV): required by CBC Mode encryption such as AES; sent unencrypted with each packet.
- Padding: fills the data up to a multiple of the cipher's block size (AES); Pad Length records how many padding bytes were added.
- Next Protocol: identifies what is encapsulated. Transport Mode: TCP/UDP; Tunnel Mode: IP (a whole IP packet).
- Data: the protected payload.
- In Tunnel Mode the Data field carries the whole inner IP packet, including its TCP/UDP header, behind the ESP Header.
- Authentication Data: a MAC computed over the authenticated fields; it is a trailer placed after the ESP payload, not part of the ESP Header.

ESP and a Packet Filtering Firewall:
- The TCP header inside an ESP packet is encrypted, so a Packet Filtering Firewall on the path cannot filter on it; in Tunnel Mode the inner IP header is hidden as well, and only the outer IP header and the ESP SPI are visible. Such filtering has to be done at the IPsec gateway after decryption.

Authentication Header (AH)

AH Header (fields in order):
  Next Protocol | Payload Length | Reserved | SPI | Sequence Number | Authentication Data

- AH has no encryption; Authentication Data carries the MAC.
- Unlike ESP, AH also authenticates the IP Header. Fields that legitimately change at each gateway in transit are excluded: TTL (Time To Live) and the header Checksum.
ESP compared with AH: ESP encrypts and authenticates the payload but not the IP header; AH authenticates the payload and the IP header, except the mutable fields.

AH and Network Address Translation (NAT)

[Figure: Network A has |A| hosts but only N public IP addresses, |A| > N. A NAT Server with public address IPA sits between Network A and the Internet. Host x (private address IPx) sends to host y (address IPy).]

Packet from x inside Network A:
  Application
  TCP/UDP
  IP: IPx  IPy
  MAC

Packet after the NAT Server rewrites the source address:
  Application
  TCP/UDP
  IP: IPA  IPy
  MAC

Because AH authenticates the IP header, the change of the source address from IPx to IPA invalidates the AH Authentication Data, and the packet fails verification at y. AH therefore does not work through NAT; ESP, which does not cover the outer IP header, is not affected by the address rewrite.
Security Policy Database (SPD)

The SPD holds the security policies: for every packet it decides whether the packet is dropped, forwarded as is, or protected with IPsec. There is an Incoming SPD for received packets and an Outgoing SPD for sent packets.

Policy entries are matched by selectors, as in Packet Filtering Firewalls: for example addresses and ports, the Ack flag, Direction, or a username; wildcards are allowed.

Action field:
  Firewall: deny / permit
  SPD:      drop    (corresponds to deny)
            forward (corresponds to permit: pass the packet without IPsec)
            secure  (apply IPsec, AH or ESP; the entry refers to the SA in the Outgoing SAD by its SPI; if no SA exists yet, IKE negotiates one)

Unlike a Packet Filtering Firewall, which can only forward or drop, the SPD can require that a packet be secured, and a secure entry is bound to a specific SA.
Outgoing packet processing

[Figure: outgoing path through IPsec]
  1: packet             Upper Layer -> IPsec
  2: packet             IPsec -> SPD (policy lookup)
  3: SPI                SPD -> IPsec (action secure: the SPI of the SA to use)
     drop / forward     SPD -> IPsec (other actions)
  4: SPI                IPsec -> SAD
  5: SA                 SAD -> IPsec
     protected packet   IPsec -> IP Layer

- drop: the packet is discarded.
- forward: the packet goes to the IP Layer unchanged.
- secure: the SPD entry gives the SPI of the SA; IPsec fetches that SA from the SAD (IKE creates it first if none exists), applies AH or ESP, and passes the protected packet to the IP Layer.

Incoming processing uses two SPI values: SPIpacket, the SPI carried in the received packet, and SPISPD, the SPI required by the matching SPD entry.
Incoming packet processing

[Figure: incoming path through IPsec]
  1: protected packet   IP Layer -> IPsec
  2: SPIpacket          IPsec -> SAD
  3: SA                 SAD -> IPsec
  4: packet             IPsec -> SPD (after IPsec processing; the TCP/UDP Header is now readable)
  5: SPISPD             SPD -> IPsec
  6: packet             IPsec -> Upper Level

IPsec first looks up the SA by SPIpacket in the SAD and removes the protection. It then presents the packet to the SPD, which returns SPISPD, the SPI its policy requires for a packet with these selectors. The packet is accepted only if SPIpacket equals SPISPD.

Why the SPD check is needed: IP spoofing

[Figure: hosts x and y both communicate with host w across the Internet; x and w share an SA with SPI = SPIx-w, used for telnet.]

Host x, which holds the keys of the x-w SA, sends w a packet with y's address as source (IP spoofing):
  telnet data
  TCP
  IPsec: SPI = SPIx-w
  IP: y  w
  MAC
The SA lookup by SPIx-w succeeds, so IPsec processing alone would accept the packet as coming from y. The SPD at w, however, requires traffic from y to use the SA with SPI = SPIy-w; SPIpacket (SPIx-w) differs from SPISPD (SPIy-w), and the packet is rejected.

Second example: separate SAs per application

[Figure: x and w have two SAs, one for telnet (SPI = SPItelnet) and one for http. The SPD at w requires http traffic from x to use the http SA.]

x sends http data through the telnet SA:
  http data
  TCP: destination port = 80
  IPsec: SPI = SPItelnet
  IP: x  w
  MAC

After IPsec processing w can read the TCP header and sees destination port 80 (http). The SPD entry for http traffic from x returns SPISPD = the SPI of the http SA, which differs from SPIpacket = SPItelnet, so w rejects the packet. Without the SPD check, data protected under the telnet SA would be accepted as http traffic.
References
1. Security Architecture for the Internet Protocol, RFC 2401. Available at: http://www.ietf.org/rfc/rfc2401.txt
2. IP Authentication Header, RFC 2402. Available at: http://www.ietf.org/rfc/rfc2402.txt
3. IP Encapsulating Security Payload (ESP), RFC 2406. Available at: http://www.ietf.org/rfc/rfc2406.txt
