Академический Документы
Профессиональный Документы
Культура Документы
An Overview of IPSec
Outline:
Internet Threats
Data integrity
The contents of a packet can be accidentally or deliberately modified.
Identity spoofing
The origin of an IP packet can be forged.
Anti-reply attacks
Unauthorized data can be retransmitted.
Loss of privacy
The contents of a packet can be examined in transit.
Understanding TCP/IP
OSI Reference Model
Application Layer
NFS
SNMP
FTP
DNS
FTP
SMTP
Session Layer
HTTP
Presentation Layer
Application
Transport Layer
TCP, UDP
Network Layer
IP
Device Driver
Physical Layer
Network Adapter
Understanding TCP/IP
Encapsulation of Data for Network Delivery
Application Layer
Original
Message
Understanding TCP/IP
Encapsulation of Data for Network Delivery
Application Layer
Transport Layer
(TCP, UDP)
Original
Message
Data 3
Understanding TCP/IP
Encapsulation of Data for Network Delivery
Application Layer
Transport Layer
(TCP, UDP)
Original
Message
Header 3 Data 3
Understanding TCP/IP
Encapsulation of Data for Network Delivery
Application Layer
Transport Layer
(TCP, UDP)
Network Layer
(IP)
Original
Message
Header 3 Data 3
Data 2
Understanding TCP/IP
Encapsulation of Data for Network Delivery
Application Layer
Transport Layer
(TCP, UDP)
Network Layer
(IP)
Header 2
Original
Message
Header 3 Data 3
Data 2
Understanding TCP/IP
Encapsulation of Data for Network Delivery
Application Layer
Transport Layer
(TCP, UDP)
Network Layer
(IP)
Data Link
Layer
Header 2
Original
Message
Header 3 Data 3
Data 2
Data 1
Understanding TCP/IP
Encapsulation of Data for Network Delivery
Application Layer
Transport Layer
(TCP, UDP)
Network Layer
(IP)
Data Link Header 1
Layer
Header 2
Original
Message
Header 3 Data 3
Data 2
Data 1
Understanding TCP/IP
Packet Sent by Host A
Packet
Data 1
Understanding TCP/IP
Packet Received by intermediary Router
Network Layer
Understanding TCP/IP
Packet Received by Host B
Packet
Data 1
Understanding TCP/IP
De-capsulation of Data from Network Delivery
Data 1
Understanding TCP/IP
De-capsulation of Data from Network Delivery
Data Link
Layer
Data 1
Understanding TCP/IP
De-capsulation of Data from Network Delivery
Network Layer
(IP)
Header 2
Data 2
Understanding TCP/IP
De-capsulation of Data from Network Delivery
Network Layer
(IP)
Data 2
Understanding TCP/IP
De-capsulation of Data from Network Delivery
Transport Layer
(TCP, UDP)
Header 3 Data 3
Understanding TCP/IP
De-capsulation of Data from Network Delivery
Transport Layer
(TCP, UDP)
Data 3
Understanding TCP/IP
De-capsulation of Data from Network Delivery
Application Layer
Original
Message
Understanding TCP/IP
De-capsulation of Data from Network Delivery
Application Layer
Original
Message
Transport Layer
Network Layer
IP Security
Hardware encryption
Disadvantages
-
Advantages
-
Disadvantages
-
Protocol specific
Disadvantages
-
Disadvantages
-
Not scalable.
Need dedicated links.
IP Security (IPSec)
IPSec is a framework of open standards
Confidentiality (encryption)
Assurance that users traffic is not examined by nonauthorized parties.
Access control
Prevention of unauthorized use of a resource.
IP
Header
TCP
Header
Transport Mode
protected packet
IP
Header
IPSec
Header
Data
TCP
Header
Data
protected
New IP
Header
IPSec
Header
Original IP
Header
protected
TCP
Header
Data
Tunnel Mode
Host-to-Network, Network-to-Network
Application
Layer
Transport
Layer
Application
Layer
Protected
Data
Protected
Data
Internet
IP
Layer
Host A
Transport
Layer
IP
Layer
IPSec
IPSec
IP Layer
IP Layer
SG
SG = Security Gateway
SG
Host B
Transport Mode
Host-to-Host
Application Layer
Application Layer
Transport Layer
Transport Layer
IPSec
IPSec
IP Layer
IP Layer
Host A
Host B
Outbound/Inbound IPSec
Processing
The inbound and the outbound IPSec
Packet
Packet
SAD
SAout
Case 1:
If IPSec headers exists
1.
2.
SPD
IPSec policies
Case 2:
If IPSec headers are absent
1.
2.
SPD is consulted to
determine the type of
service to afford this packet.
If certain traffic is required
to be IPSec protected and its
not it must be dropped.
SPD
IPSec policies
Encrypted / Authenticated
Internet
SG
Wireless
Internet
Conclusion
Questions?