IPsec PDF
IP security IPsec
MAC
replay attack
gateways
Transport Mode
Tunnel Mode
Encapsulating Security Payload ESP
Authentication Header AH
IKE
Security Association Database SAD
Security Policy Database SPD
IPsec IP
ESP/AH Header
Tunnel Mode
ESP
AH
Transport Mode

[Figure: Transport Mode. Network A (host x), Internet, Network B (host y). Packet layering without IPsec: Application / TCP/UDP / IP / MAC, with TCP/UDP Header and IP Header. With IPsec in Transport Mode: Application / TCP/UDP / IPsec / IP: x y / MAC]
Tunnel Mode
security gateways

[Figure: Tunnel Mode. Network A (host x, security gateway GWA), Internet, Network B (security gateway GWB, host y). Packet layering: Application / TCP/UDP / IP: x y / IPsec / IP: GWA GWB / MAC]

Next Protocol
IP Header
[Figure: GWA-GWB Tunnel. Network A (host x, GWA), Internet, Network B (GWB, host y). Original packet: Application / TCP/UDP / IP: x y / MAC. Encapsulated packet: Application / TCP/UDP / IP: x y / IPsec / IP: GWA GWB / MAC]

Transport Mode
security gateways
ESP

[Figure: packet Application / TCP/UDP / IP: x y / MAC, shown for Transport Mode and Tunnel Mode]

Tunnel Mode
Tunnel Mode
gateway
gateways

[Figure: tunnels between branch offices. Europe branch (GWE), Asia branch (GWA) and USA branch (GWU), connected across the Internet by the Europe-Asia Tunnel, the Europe-USA Tunnel and the USA-Asia Tunnel]

GWM
GWA
tunnels
Tunnel in Tunnel

[Figure: Tunnel in Tunnel. Subnet M (host m, GWM) inside Network A (GWA), Internet, Network B (GWB)]
[Figure: Tunnel in Tunnel. Subnet M (host m, security gateway GWM) inside Network A (security gateway GWA), Internet, Network B (security gateway GWB, hosts w and z). The M-B Tunnel runs inside the A-B Tunnel. Packet from m to z: Application / TCP/UDP / IP: m z / MAC; with the M-B tunnel header: Application / TCP/UDP / IP: m z / IPsec / IP: GWM GWB / MAC; with both tunnel headers: Application / TCP/UDP / IP: m z / IPsec / IP: GWM GWB / IPsec / IP: GWA GWB / MAC]

Tunnel Mode
IP Headers
SAD
SA
Outgoing SAD
Incoming SAD
session

User A's SAD

Outgoing SAD
SPI   User   SA data
17    B      ..., SPI=22
38    Y      ..., SPI=5

Incoming SAD
SPI   User   SA data
13    B
44    Y

User B's SAD

Outgoing SAD
SPI   User   SA data
24    A      ..., SPI=13
25    X      ..., SPI=20

Incoming SAD
SPI   User   SA data
22    A
23    X

SPI
ESP/AH Header
SA
Encapsulating Security Payload ESP
Authentication Header AH
ESP

[Figure: ESP Header. Fields: SPI, Sequence Number, IV, Data, Padding, Pad Length, Next Protocol, Authentication Data; the figure marks which fields are Encrypted and which are Authenticated]

SPI
Incoming SAD
SA
Sequence Number
replay attack
Initialization Vector IV
CBC Mode
AES
Padding
Pad Length
Next Protocol
TCP/UDP
Tunnel Mode
IP
Transport Mode
Data
TCP/UDP
Tunnel Mode
ESP Header
Authentication Data
MAC
Packet Filtering Firewall
TCP
ESP
default
gateway
trailer
AH

[Figure: AH Header. Fields: Next Protocol, Payload Length, Reserved, SPI, Sequence Number, Authentication Data]

TTL
AH Header
Checksum
IP Header
Time To Live
ESP
AH
NAT
Network Address Translation NAT
|A| > N
ESP
AH

[Figure: NAT and AH. Network A (host x with address IPx, NAT Server with address IPA), Internet, host y (address IPy). Packet from x: Application / TCP/UDP / IP: IPx IPy / MAC; after NAT: Application / TCP/UDP / IP: IPA IPy / MAC]
SPD
Firewall
AH
ESP
Outgoing SAD
SA
SPI
wildcards
IKE
Packet Filtering Firewall
SPD: secure, drop, forward
IPsec
SA
SPD
IPsec
drop
forward
secure
SPI
IKE
AH
ESP
SAD

[Figure: outbound processing. Nodes: Upper Layer, IP Layer, SPD (secure / drop / forward), SAD, IPsec. Labeled steps: 1: packet; 2: packet; 3: SPI; 4: SPI; 5: SA; protected packet]

SPI_packet
Next Protocol
SPI_SPD
[Figure: inbound processing. Nodes: IP Layer, SAD, IPsec, SPD (secure), Upper Level. Labeled steps: 1: protected packet; 2: SPI_packet; 3: SA; 4: packet; 5: SPI_SPD; 6: packet]

SPI_packet
SPI_SPD
TCP/UDP Header
Tunnel Mode
IP spoofing
SPIx-w
telnet

[Figure: IP spoofing. A packet on the Internet: telnet data / TCP / IPsec: SPI = SPIx-w / IP: y w / MAC]
SPIx-w
SPIy-w
SA
TCP
SPD
http
telnet
SPItelnet

[Figure: a packet from x to w: http data / TCP: destination port = 80 / IPsec: SPI = SPItelnet / IP: x w / MAC]

SPD
1. Security Architecture for the Internet Protocol, RFC 2401
Available at: http://www.ietf.org/rfc/rfc2401.txt
2. IP Authentication Header, RFC 2402
Available at: http://www.ietf.org/rfc/rfc2402.txt
3. IP Encapsulating Security Payload (ESP), RFC 2406
Available at: http://www.ietf.org/rfc/rfc2406.txt