1. No category

chapters 13

IP
(IPSec)
13
Network Security, Principles and
Practice,2nd Ed.
# $
!" :
http://www.fata.ir
http://mehr.sharif.edu/~shahriari
IPSec
IPSec
(SA)
AH
ESP
SA ! " #
$"
TCP/IP &
' -
IPV4
Sharif Network Security Center
(+, " #)(
.
(
, &
"
) *
.
/
: PGP S/MIME
) 12 "- " 0
: Kerberos
4 (0
" 3 ( : SSL
IP 56
IP
* 2 *
&
3 "
;,
(
&
,7 8
9
:
< # ).# / 3
" " = 9 $" ,> >
.( " ?
IPSec D ,# * : = 9
( *( (
.$
E
"*
( $" 0
)
( A#) $"
7
,
IPSec
< ,8
@ A# +B
<
:
8
,
7
IPSec
J
(
" ,
F G & + & 3 H$ I
A:
VPN (
F G & .A:
" :+
"0
(
+ &
> 0 0 @ A# + .
# )' ) 8 (
( "
J K +( B (,E
(3 .
IPSec
Sharif Network Security Center
IPSec & *( L
2 . J ,N ( LAN M K )K ( 0 ,?
( Firewall) O L
(
< @
(
81
1
0 #
<
P ;
+
" Q & 9 L:
#R
R ( "
( & 9 L:
)K ( M K & + & + " " 0 0 @ A# (
< 2S :IPSec
< 2S
).T A H N,#
(
K IPv6 ( 1
: &( , 09 2 (
(Header) B
( IPSec ).# /
(,:
&
IPv4 (
*( / IP $N
:
B
* :
&
9
,#
( & J ,N
*(, =
IPSec J
Architecture
8 1 : (ESP) Encapsulating Security Payload
(
K J ,N
, & )
, U IT# : (AH) Authentication Header
$" 0 ( A# : $"
: ,
81
= ,8
:IPSec
<
<
V
+ . 0 IPSec : * : V
P&R
$" < ,8 W <$.# / #
"4I
(
"
Connectionless @ A#
( *( (
# 0 X#
(Data Origin) *( ( A
, &
Replay ) < B ( * :
* (
U IT#
(Attack
8 7
39 #+ E 8 7
:IPSec
Sharif Network Security Center
(
&
:IPSec
Association Security
P,<L 3 (Security Association)
:H #
6 3 *(, IP
8 7
, &
<1 . (
$"
. " (
* 2 *
90 9 G 3
TCP ( Connection (
;,
IP ( SA
:IPSec
Association Security
:
:
! " #$
%3
SA
: 3 :(SPI) Security Parameters Index
SA * : *( ( A
SA < Y Z (B : IP Destination Address
AH SA F$ # 8 : Security Protocol Identifier
ESP
:IPSec
Association Security
SA
Sequence Number Counter
Sequence Counter Overflow
Anti Replay Windows
AH Information
ESP Information
SA Lifetime
IPSec Protocol Mode
Maximum Transmission Unit
:IPSec
<
( ESP AH
:( ( (,E
(
(Transport Mode)
IP
B
[# +
W( 2
J ,N
,7
<#J
[#
(Tunnel Mode) ) ,#
+(
9 (Payload+ B )IP
)"
J
E
[# ;
3 +, ;
(
:IPSec
<
9 "/ 12 " )' (end-to-end) <
*( L
Payload (
B
* :4I
K)
<
:
,
(
<
^)
Payload
?
(
" (
(,:
8 1 : ESP
, : AH
:
:IPSec
) ,#
Gateway
$K (
B
U IT#
Gateway @ A#
(?
( *( L
(router) 4
(,
_
Functionality of Modes
Sharif Network Security Center
Authentication Header
(AH)
Authentication Header
IP
MAC & *( L
, &
*( (
#
# 0 X#
0 #
HMAC-SHA-1-96 HMAC-MD5-96
(+
` T
$" 3
F9 ,#
& 09 G
Authentication Header
Sharif Network Security Center
AH
: AH
( (,E,
B b, : ( 8)Next Header
AH ,G 8 : ( 8)PayLoad Length
* B
*( L
* : & : ( 16)Reserved
SA @, SPI 0 #
: ( 32)Sec. Param. Index
*
: : ( 32)Sequence Number
ICV MAC * 2 ( : ( [ )Authentication Data
$9
AH
MAC A 7
(
32 # 3 )
HMAC = ,8
96 e 9 f / ,G
E K
96 0
HMAC-SHA-1 HMAC-MD5
( 2
MAC A 7 ( W(TTL
$
&
2,$E
<E)
P
,7
AH [
) "
[#
& (
B
WIP [
(R
" B
. ,:
2 *
) K( MAC A 7 ( 1 *
MAC A 7
B
&
< ?
,Q LN
9 < (B
(IP ) E
AH
: AH ( ) ,#
#, i " 0 =
OL
: (Transport)
12 "
, &
"0
, &
<
"
: (Tunnel)) ,#
firewall)
End-to-end versus End-toIntermediate Authentication
Sharif Network Security Center
Scope of AH Authentication
Before Application
IP payload is TCP segment (data unit)
Sharif Network Security Center
Scope of AH Authentication
Transport Mode
IPv6: AH is end-to-end payload
Sharif Network Security Center
Scope of AH Authentication
Tunnel Mode
Sharif Network Security Center
AH
(Replay) .# $
SA
LN
*
9 SA 0
" E
&
32
E SA 3 &
W
2 -1
(,: *(
E $"
Q & * :
W (=64) 1
* :0 2 1
# *
*
*
$
j
:3 kYK
*
: f 19
*
: 2
( " *( L
/3 09 2 Q (
/
A
:
E
AH
*
,
K "
# J ,N ( *
,G
/ ( m
W
*
+B
, &
/ (
E
( ,K P1 .
* / *( 7 )K (
E
K +(& n; MAC A 7
(
)* /( 7 & M K
/ L:
,
# W MAC A 7
(+T * / A
m
P ; * / *( 7 & M K E
!(,:
K
(
ESP
< 2S
39 # 8
7
# *( ( 8 7 & A T/
(AH T )
: , & *( L + .
,3-DES & *( L + . )CBC
( DES = ,8 & *( L
(,E 1 Blowfish CAST ,3-IDEA ,IDEA ,RC5
(( (
ESP
ESP
SA
: : SPI
: : Sequence Number
AH
(,: 1 "
, 7 : Payload
9 ^ < : Padding
R $ 9 ,G : Pad Length
Payload Data ( (,E, *( ( b, : Next Header
Q ( + ) * : A 7 MAC
: Authentication Data
( $ 9 (,K 0 9 2
T
.# $
&
2,$E
$9
*
Encapsulating Security Payload
Sharif Network Security Center
ESP
host 0 8 7 0 X#
J ,N ( MAC + : 9 ^ ESP A ( W*( (
81
q A D ,#
: , 4I
B & *( L
Router D ,#
0 #
( * T 1 ") $N
P[/*
? 1
T2
Y D ,# IP B +( " 3>
39 #1 B+.
Transport Mode ESP
used for communication between hosts
scope
Sharif Network Security Center
ESP
) ,#
*
9 E K
( MAC @,
*& ( Y
q A Z (B + : 9 ^
? ESP A ( ESP B W* 2
(
: ,
)& J ,N
E
Z (B
&
Router (
P
IP Z (B
&
Y .A:
9
+
< * 2 # $A?
VPN (
<: & . IPSec ) ,#
Tunnel Mode ESP
Sharif Network Security Center
SA ! " #
ESP AH
& . < # SA
.
E,#
& *( L
W
*( " & *( /
( "!" #=
<B
<
(
H$ I
m
<A " #
host D ,# IPSec & *( /
gateway D ,# IPSec & *( /
R
(!" #
Sharif Network Security Center
Sharif Network Security Center
Sharif Network Security Center
Sharif Network Security Center
$"
ESP
3
# ( AH
# (W
$" 4
, ;
$" 0 &,#
,#
.= & ( <E ( ()
.= &
$"
P1 .
$"
) ? 3>,"
=
( <#:
( $"
*( L
: "(,K
IPSec $" &,#
.(,: *
e 9 f / 3 # ,# ).# /
ISAKMP/Oakley n6N
Internet Security Association
and Key Management Protocol
$"
() :
r
ISAKMP/Oakley P
Diffie- ).# / 9
r G
$
"(,K $"
,# P 9 : Oakley $" 0 # ).# /
*( " r G
+B <L ^ " Hellman
.(,: H$#
?
:Clogging Attack
0 ).T Cookie + , ; 7# ,<L H # & *( L
"
. "
$
(ISAKMP)
SA rs
[# W* " s W
Man-In-The-Middle-Attack
Replay Attack
.#
$
Nonce & *( L
( SA
?
$"
! ?
).# /
H #
&9

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz