ECE-6612 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Offices: Klaus 3362.
ECE-8843 http://www.csc.gatech.edu/copeland/jac/8843-03/
Prof. John A. Copeland, [email protected]
404 894-5177, fax 404 894-0035
Office: GCATT Bldg 579; email or call for office visit, or call Kathy Cheek, 404 894-5696
Chapter 6a - IPsec (IP Secure)
(note: 06b has PDF copies of slides from Chap. 6 of the text, “Network Security Essentials, Applications and Standards” by William Stallings)
Each LAN Connects to Internet via a Router
The Internet is a Router Network
In a Router Network, circuits are defined by entries in the Routing Tables along the way. These may be Static (manually set up) or Dynamic (set up according to Algorithm in the Router).
[Figure: router network diagram with routers 1 through 7 and stations A through E on LANs (E’net, Token Ring); legend: Station (on a LAN), Local Connection, Trunk or Long-Haul Router; a path A to D is drawn, with IP as the common network layer]
Optimal Paths From Router 1 (or To Router 1) Define Router 1's Sink Tree
[Figure: the same router network (routers 1 through 7, stations A through E) with the sink tree of Router 1 drawn; legend: Station A, Local Connection, Trunk or Long-Haul Router]
[Figure: protocol stacks of a Web Server, a Router and a Browser]
Web Server (IP Address 130.207.22.5, Port 80): Application Layer (HTTP) / Transport Layer (TCP, UDP) / Network Layer (IP) / E'net Data-Link Layer / Ethernet Phys. Layer
Router: Network Layer (IP) over an E'net Data-Link Layer and E'net Phys. Layer on one side and a Token Ring Data-Link Layer and Token Ring Phys. Layer on the other. Buffers Packets that need to be forwarded (based on IP address).
Browser (IP Address 24.88.15.22, Port 31337): Application Layer (HTTP) / Transport Layer (TCP, UDP) / Network Layer (IP) / Token Ring Data-Link Layer / Token Ring Phys. Layer
The Transport Layer on each end carries a Segment No.
Connecting Over the Internet to “www.cnn.com”
Discover the Ethernet address of the Domain Name Server
• ARP - “Who has 130.207.244.244”
• Reply from Gateway Router “00 0E 36 A9 72 24 has 130.207.244.244” *
Use DNS (BIND) to convert “www.cnn.com” to a 32-bit Internet address (64.236.16.52).
• Send UDP DNS-Request Packet to 130.207.244.244 : UDP 53
• Reply www.cnn.com = 64.236.16.52
Discover the Ethernet address of host 64.236.16.52 (or gateway router).
• ARP - “Who has 64.236.16.52”
• Reply from Gateway Router “00 0E 36 A9 72 24 has 64.236.16.52” *
Start a TCP connection
• Send TCP Packet with SYN flag set to 64.236.16.52 / 00 0E 36 A9 72 24
• Reply is TCP Packet with SYN and ACK flag bits set.
• Send TCP packet with ACK flag set.
* The gateway router “has” all IP addresses that are not local (on the LAN).
UDP Datagrams are exchanged to find the IP address
#1 Receive time:71765.605 (0.000) packet length:80 received length:70
Ethernet: (08000726b22f -> Sun 75f53a) type: IP(0x800)
Internet: 130.207.8.51 -> 130.207.244.244 hl: 5 ver: 4 tos: 0
len: 66 id 0x01 fragoff:0 flags: 00 ttl:60 prot:UDP(17) xsum: 0x68ce
UDP: 1042 -> domain(53) len: 46 xsum: 0x5315
Domain Name Service: ID: 2984 opcode: Query (0) Flags: <DORECURSE> (0100)
Queries: 1, answers: 0, name servers: 0, Query 0: Name:www.cnn.com
#2 Receive time:71765.653 (0.048) packet length:148 received length:70
Ethernet: ( Sun 75f53a -> 08000726b22f) type: IP(0x800)
Internet: 130.207.244.244 -> 130.207.8.51 hl: 5 ver: 4 tos: 0
len:134 id:xbc77 fragoff 0 flags:00 ttl:60 prot:UDP(17) xsum:0xac13
UDP: domain(53) -> 1042 len: 114 xsum: 0000
Domain Name Service: ID: 2984 opcode: Query (0) Response: No. err (0)
Flags: <RESPONSE><AUTHORITATIVE><DORECURSE><CANRECURSE> (8580)
Queries: 1, answers: 3, name servers: 0, Query 0: Name:www.cnn.com
#3 Receive time:71765.711 packet length:60
Ethernet: (08000726b22f -> Cisco 083625) type: IP(0x800)
Internet: 130.207.8.51 -> 64.236.16.52 hl: 5 ver: 4 tos: 0 len: 44 id: 0x02 fragoff: 0 flags: 00 ttl: 60 prot: TCP(6) xsum: 0x9be5
TCP Port: 1076 -> http(80) seq: 28a61070 ack: ---- win: 10241 hl: 6 xsum: 0x5342 urg: 0 flags: <SYN> mss: 536
#4 Receive time:71765.721 packet length:60
Ethernet: (Cisco 083625 -> 08000726b22f) type: IP(0x800)
Internet: 64.236.16.52 -> 130.207.8.51 hl: 5 ver: 4 tos: 0 len:44 id:0x7d1f fragoff 0 flags:00 ttl:57 prot:TCP(6) xsum:0x21c8
TCP Port: http(80) -> 1076 seq: 3a28ac00 ack: 28a61071 win: 4096 hl: 6 xsum: 0x816d urg: 0 flags: <ACK><SYN> mss:1460
The first two packets of the IP, TCP & HTTP (port 80) Connection.
The Ethernet address (Cisco ...) is the local router port. The IP Address is used “end to end.” Ethernet addresses are local only. Address Resolution Protocol (ARP) E’net frames are not shown.
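The DNS step of the connection sequence above, and packets #1 and #2 of the trace, as an added example (not code from the course): it builds the query the way packet #1 shows it (ID 2984, flags 0100 = DORECURSE, one question for www.cnn.com) and decodes a constructed response header with the flags 8580 that the trace prints as RESPONSE, AUTHORITATIVE, DORECURSE, CANRECURSE. The flag bit positions are those of RFC 1035; the sample response header is constructed, not captured.

```python
import struct

# DNS header flag bits (RFC 1035), named the way the lecture's packet dump prints them
FLAG_NAMES = [
    (0x8000, "RESPONSE"),       # QR: 1 = response, 0 = query
    (0x0400, "AUTHORITATIVE"),  # AA
    (0x0200, "TRUNCATED"),      # TC
    (0x0100, "DORECURSE"),      # RD: recursion desired
    (0x0080, "CANRECURSE"),     # RA: recursion available
]

def encode_name(name):
    """Encode a name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(pkt, offset=12):
    """Read the labels of the first question name (a query carries no compression pointers)."""
    labels = []
    while pkt[offset] != 0:
        n = pkt[offset]
        labels.append(pkt[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels)

def build_query(txid, name, qtype=1, qclass=1):
    """A-record query with flags 0x0100 (DORECURSE), like packet #1: ID 2984 for www.cnn.com."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)

def decode_flags(flags):
    """Split the 16-bit flags word into named bits, opcode and rcode."""
    names = [n for bit, n in FLAG_NAMES if flags & bit]
    return names, (flags >> 11) & 0xF, flags & 0xF

def parse_header(pkt):
    """Return the fields the trace prints: ID, flag names, opcode, rcode, query and answer counts."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    names, opcode, rcode = decode_flags(flags)
    return {"id": txid, "flags": names, "opcode": opcode, "rcode": rcode,
            "queries": qd, "answers": an}

# Constructed 12-byte header matching packet #2 of the trace: ID 2984, flags 8580, 1 query, 3 answers
RESPONSE_HEADER = struct.pack("!HHHHHH", 2984, 0x8580, 1, 3, 0, 0)
```

A resolver should accept a response only when its ID matches the outstanding query and RESPONSE is set; the ID check is what the trace's matching "ID: 2984" lines are showing.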
Internet Layer Security (IPsec)
Rolf Oppliger, "Internet Security: Firewalls and Beyond," p92, Comm. ACM 40, May 1997
The Internet Engineering Task Force (IETF)
• Internet Security Protocol working group standardized an IP Security Protocol (IPsec) and an Internet Key Management Protocol (IKMP).
• objective of IPsec is to make available cryptographic security mechanisms to users who desire security.
• mechanisms should work for both the current version of IP (IPv4) and the new IP (IPv6).
• should be algorithm-independent, in that the cryptographic algorithms can be altered.
• should be useful in enforcing different security policies, but avoid adverse impacts on users who do not employ them.
IPsec Authentication Header (AH)
[Figure: AH packet format]
Transport Mode / Tunnel Mode
[Figure: Transport Mode and Tunnel Mode packet layouts; Encapsulated Secure Payload (ESP) compared with Transport Level Security (TLS)]
IPsec ESP - Tunnel Mode Virtual Private Network (VPN)
[Figure: ESP tunnel-mode VPN between two sites]
Internet Layer Security (IPsec)
IPsec Authentication Header (AH) - Transport and Tunnel Modes
Normal Internet Protocol (IP):
  IP Header, A to B | TCP Header | Application Header | Data
IPsec AH (transport mode):
  IP Header, A to B | AH | TCP Header | Application Header | Data
IPsec Encapsulated Secure Payload (ESP):
  IP Header, A to Rb | ESP Header | [ TCP Header | Application Header | Data ] (Encrypted)
IPsec Encapsulated Secure Payload (ESP) with AH:
  IP Header, A to Rb | AH | ESP Header | [ TCP Header | Application Hdr | Data ] (Encrypted)
IPsec AH (tunnel mode, original A-to-B packet carried inside a new IP header):
  IP Hdr, A to Rb | AH | IP Hdr A to B | TCP Hdr | Application Header | Data
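The AH transport-mode row above (IP Header, A to B | AH | TCP Header ...), worked as an added example that is not from the course or any IPsec implementation: it builds a constructed packet, computes the AH integrity check value as HMAC-SHA1-96 over the IP header with the mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed as RFC 2402 prescribes, and verifies it on receipt. The key, SPI, addresses (taken from the trace) and payload are constructed sample values; the IP checksum is left at zero to keep the block short.

```python
import hmac
import hashlib
import struct

def ipv4_header(src, dst, proto, total_len, ttl=60, ident=1):
    """Constructed 20-byte IPv4 header without options (checksum left at zero for brevity)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0, ttl, proto, 0, src_b, dst_b)

def ah_immutable_view(ip_hdr):
    """Zero the fields AH treats as mutable in transit: TOS, flags/fragment offset, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL (decremented by every router on the path)
    h[10:12] = b"\x00\x00"    # header checksum (recomputed by every router)
    return bytes(h)

def ah_icv(key, ip_hdr, ah_fields, payload):
    """HMAC-SHA1-96 over the immutable IP header, the AH header with ICV zeroed, and the payload."""
    data = ah_immutable_view(ip_hdr) + ah_fields + b"\x00" * 12 + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def build_ah_transport(key, src, dst, spi, seq, next_hdr, payload):
    """Transport mode: IP Header (A to B) | AH | TCP Header + Data. Returns the whole packet."""
    ah_len = 24  # 12 bytes of fixed AH fields + 12-byte ICV
    ip_hdr = ipv4_header(src, dst, 51, 20 + ah_len + len(payload))  # IP protocol 51 = AH
    # Fixed AH fields: next header, payload length (AH length in 32-bit words minus 2 = 4),
    # reserved, SPI (selects the Security Association), sequence number (anti-replay)
    ah_fields = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
    return ip_hdr + ah_fields + ah_icv(key, ip_hdr, ah_fields, payload) + payload

def verify_ah_transport(key, pkt):
    """Recompute the ICV on receipt; True only if nothing AH covers was changed on the path."""
    ip_hdr, ah_fields, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fields, payload))

# Constructed sample: host A (130.207.8.51) to B (64.236.16.52), TCP (6) carried inside AH
KEY = b"constructed-shared-key"
PACKET = build_ah_transport(KEY, "130.207.8.51", "64.236.16.52", 0x1234, 1, 6, b"TCP header and data")
```

Because the source and destination addresses are inside the covered region, any device that rewrites them on the path makes verification fail, while the routers' normal TTL decrement does not.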
Security Associations