ECE-6612
http://www.csc.gatech.edu/copeland/jac/6612/
Prof. John A. Copeland
[email protected]
404 894-5177
Office: Klaus 3362
email or call for office visit
Chapter 6 - IPsec (IP Secure)
(note: includes copies of figures from Chap. 6 of
“Network Security Essentials, Applications and Standards”
by William Stallings)
1/28/15
Each LAN Connects to Internet via a Router
[Figure: a mesh of routers joining several LANs; each link is labeled either "Link (LAN)" or "Link (P-P)" (point-to-point).]
2
The Internet is a Router Network
In a Router Network, circuits are defined by entries in the
Routing Tables along the way. These may be Static (manually
set up) or Dynamic (set up according to an Algorithm in the
Router).
[Figure: stations A, B, C, D and E (each on a LAN, e.g., Ethernet or Token Ring) attached to routers 1 through 7; the path "A to D" is traced through several routers. Legend: Station (on a LAN), Router, Local Connection, Trunk or Long-Haul.]
3
Optimal Paths From Router 1
OSPF Defines Router 1's Sink Tree
[Figure: the same network with the OSPF sink tree rooted at Router 1, i.e., the optimal path from Router 1 to each of routers 2 through 7 and hosts A through E. Legend: Host (e.g., PC, Webcam, ...), Router, Local Connection, Backbone Connections.]
4
[Figure: protocol stacks of a browser host, an intermediate router, and a web server.]
Browser (client host):
  Application Layer (HTTP) - requests http://www.cnn.com/
  Transport Layer (TCP, UDP) - client Port 31337
  Network Layer (IP) - IP Address 130.207.22.5
  E'net Data Link Layer
  Ethernet Phys. Layer
Find: IP address, TCP port, Router Ethernet Address.
Router: Buffers Packets that need to be forwarded (based on IP address). It has one Network Layer and two Data Link / Phys. Layer pairs, one Ethernet and one Token Ring.
Web Server:
  Application Layer (HTTP)
  Transport Layer (TCP, UDP) - Port 80
  Network Layer (IP) - IP Address 64.236.16.52
  Token Ring Data-Link Layer
  Token Ring Phys. Layer
5
Starting a TCP Client-Server Connection
Your computer has been configured with IP addresses for:
1) Itself (143.215.25.3),
2) Local Router (143.215.25.1),
3) Domain Name Server (130.207.244.251),
4) its subnet Mask (/24 or 255.255.255.0).
The IP Broadcast Address is (IP address) bitwise-OR (~Mask):
143.215.25.1 | 0.0.0.255 = 143.215.25.255
Its Ethernet, or WiFi, MAC Address is built into the adapter.
After you type “http://www.cnn.com” into your browser, your
computer has to know or discover (it assigns the client port number):
1) the IP address of “www.cnn.com” and the TCP port number (80),
2) the Ethernet (MAC) address to use for the DNS server,
3) the Ethernet (MAC) address to use for “www.cnn.com”.
6
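Added example (not from the slides or Stallings): the on-link test, the broadcast-address rule and the 30-second ARP cache behind the connection setup described on this slide and the next, written out in Python. The host, router, DNS and www.cnn.com addresses and the router MAC are the slide's; the DNS server MAC (00:11:22:33:44:55) and the LAN lookup table that answers the simulated ARP requests are constructed.

```python
import ipaddress

# Addresses taken from the slides
HOST_IP = "143.215.25.3"
ROUTER_IP = "143.215.25.1"
DNS_IP = "143.215.25.8"
CNN_IP = "157.166.224.25"
PREFIX_LEN = 24  # /24 = 255.255.255.0

# Constructed table standing in for the LAN: it "answers" ARP requests below.
# The router MAC is the one on the slide; the DNS MAC is made up for the example.
LAN_MACS = {
    ROUTER_IP: "00:0f:66:c1:0f:ae",
    DNS_IP: "00:11:22:33:44:55",
}


def mask_from_prefix(prefix_len):
    """/24 -> 0xFFFFFF00."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def ip_int(ip):
    return int(ipaddress.IPv4Address(ip))


def broadcast_address(ip, prefix_len):
    """The slide's rule: (IP address) bitwise-OR (~Mask)."""
    mask = mask_from_prefix(prefix_len)
    return str(ipaddress.IPv4Address(ip_int(ip) | (~mask & 0xFFFFFFFF)))


def is_on_link(dst, my_ip, prefix_len):
    """True when dst shares our subnet, i.e., the same network bits under the mask."""
    mask = mask_from_prefix(prefix_len)
    return (ip_int(dst) & mask) == (ip_int(my_ip) & mask)


def next_hop(dst, my_ip=HOST_IP, prefix_len=PREFIX_LEN, router_ip=ROUTER_IP):
    """The IP whose MAC we must ARP for: dst itself if local, else the router."""
    return dst if is_on_link(dst, my_ip, prefix_len) else router_ip


class ArpCache:
    TTL = 30.0  # seconds, per the slide

    def __init__(self):
        self._entries = {}  # ip -> (mac, time learned)

    def lookup(self, ip, now):
        entry = self._entries.get(ip)
        if entry is None or now - entry[1] > self.TTL:
            return None  # unknown or expired: must ARP again
        return entry[0]

    def insert(self, ip, mac, now):
        self._entries[ip] = (mac, now)


def resolve_mac(dst, cache, now, lan=LAN_MACS):
    """Return (mac, steps): the MAC to put in the Ethernet frame for dst,
    and the list of frames exchanged (or the cache hit) to obtain it."""
    target = next_hop(dst)
    steps = []
    mac = cache.lookup(target, now)
    if mac is None:
        steps.append(f"ARP request (to ff:ff:ff:ff:ff:ff): who has {target}?")
        mac = lan[target]  # the simulated LAN answers
        steps.append(f"ARP reply: {target} is at {mac}")
        cache.insert(target, mac, now)
    else:
        steps.append(f"ARP cache hit: {target} is at {mac}")
    return mac, steps
```

Running the slide's sequence through resolve_mac shows why the second ARP goes to the router and not to 157.166.224.25, and why a long-lived connection re-ARPs every 30 seconds.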
Checking, Setting the Network Configuration
~ copeland$ ifconfig en0 # Windows use CMD, “ipconfig”
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,
PROMISC,SIMPLEX,MULTICAST> mtu 1500
ether 00:1f:5b:ef:8a:cc
inet 192.168.1.38 netmask 0xffffff00
broadcast 192.168.1.255
media: autoselect (100baseTX <full-duplex>)
status: active
Preparations for a TCP/IP Connection
[Sequence diagram. Participants: Your Host (143.215.25.3, MAC 00:1f:5b:ef:8a:cc), DNS server (143.215.25.8), Router (143.215.25.1), and “www.cnn.com” (TCP port 80). In the slide, red arrows are Ethernet Frames and black arrows are IP Datagrams.]
1) ARP “who has 143.215.25.8” (LAN broadcast)
2) ARP “143.215.25.8 is at 00:0f:66:c1:0f:ae”
3) DNS (UDP:53) “resolve www.cnn.com”
4) DNS “www.cnn.com IP address is 157.166.224.25”
5) ARP “who has 157.166.224.25” - you need the MAC address of the Router, since CNN is off the LAN
6) ARP “143.215.25.1 is at 00:0f:66:c1:0f:ae”
7) TCP (SYN) to 157.166.224.25 port 80
8) TCP (SYN-ACK) from 157.166.224.25
MAC addresses are cached for 30 seconds.
Each type of response might be spoofed or falsified.
8
Address Resolution Protocol (ARP)
ARP is a Link-Layer protocol (e.g., Ethernet, WiFi). It can be used for
Network Layer protocols other than IP.
When a host needs to find the MAC Address (e.g., Ethernet, WiFi)
corresponding to an IP address, it broadcasts an ARP Request (the MAC
broadcast address is ff:ff:ff:ff:ff:ff).
If the IP address is not local, ARP is used to find the MAC address of the
Local Router (aka Gateway Router).
MAC addresses found by ARP are cached for 30 seconds, so during an IP
connection, there will be ARPs every 30 seconds.
ARP Response spoofing can be used to set up a Man-in-the-Middle attack.
Critical IP:MAC associations (e.g., Router, DNS) can be “nailed up” by
manually putting permanent lines in the ARP table.
When a host first comes online, it issues a Gratuitous ARP for its own IP
address to see if there is another host using the same IP address.
9
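Added example (not from the slides): a parser for Ethernet/ARP frames and a small monitor that applies the two defenses this slide names, nailed-up entries for critical IP:MAC pairs and a check on gratuitous ARPs, by flagging any reply that contradicts a permanent entry or changes a previously learned association. The router IP and MAC and the host MAC are the slide's; build_arp_frame exists only to construct sample frames, and the MACs 00:11:22:33:44:55, 00:11:22:33:44:66 and de:ad:be:ef:00:01 are made up for the example.

```python
import struct
from ipaddress import IPv4Address

# Constants from the Ethernet and ARP specifications
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def build_arp_frame(oper, sha, spa, tha, tpa):
    """Construct an Ethernet+ARP frame (used here only to make sample input)."""
    eth_dst = BROADCAST_MAC if oper == ARP_REQUEST else tha
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
           + mac_bytes(sha) + IPv4Address(spa).packed
           + mac_bytes(tha) + IPv4Address(tpa).packed)
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields as a dict, or None if the frame is not ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    return {
        "eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst), "oper": oper,
        "sha": mac_str(frame[22:28]), "spa": str(IPv4Address(frame[28:32])),
        "tha": mac_str(frame[32:38]), "tpa": str(IPv4Address(frame[38:42])),
    }


class ArpMonitor:
    """Tracks IP:MAC associations seen on the LAN and flags inconsistencies."""

    def __init__(self, static_entries):
        self.static = dict(static_entries)  # "nailed-up" entries, never overwritten
        self.learned = {}                   # associations learned from traffic

    def observe(self, frame):
        """Return the list of alert strings raised by one frame (empty if clean)."""
        pkt = parse_arp_frame(frame)
        if pkt is None:
            return []
        alerts = []
        ip, mac = pkt["spa"], pkt["sha"]
        if mac != pkt["eth_src"]:
            alerts.append(f"ARP sender MAC {mac} differs from Ethernet source {pkt['eth_src']}")
        # A reply, or a gratuitous request (sender asks for its own IP), asserts ip -> mac
        gratuitous = pkt["oper"] == ARP_REQUEST and ip == pkt["tpa"]
        if pkt["oper"] == ARP_REPLY or gratuitous:
            known = self.static.get(ip, self.learned.get(ip))
            if known is not None and known != mac:
                kind = "nailed-up entry" if ip in self.static else "previously learned MAC"
                alerts.append(f"{ip} claimed by {mac} but {kind} is {known}")
            if ip not in self.static:
                self.learned[ip] = mac
        return alerts
```

The monitor only reports; what a host does with a contradicting reply is a policy choice, and a permanent ARP entry for the router and DNS server is the one this slide recommends.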
WireShark Packet Capture - Browsing www.cnn.com
Notes: Ethernet Addresses have the first 3 bytes (of 6) translated into the interface
manufacturer’s name (Apple_Computer is my PowerBook, Cisco_Linksys is the router).
192.168.1.132 is my PowerBook,
192.168.1.1 is the router,
68.87.96.3 is the DNS server, and
64.236.16.52 is www.cnn.com.
In this case, the Apple PowerBook has code that detects
that the DNS IP is outside the local area network, so it
ARPs for the Ethernet address of the router
(192.168.1.1). It caches this address for 30 seconds, so
it does not have to ARP again for the CNN IP address.
10
For information on installing "Wireshark" and other Network
Utility Programs, go to:
www.csc.gatech.edu/copeland/jac/6612/info-links.html
http://www.csc.gatech.edu/copeland/jac/6612/tool-links.html
You will find information on Wireshark filters, and an input
file:
capture-example.cap
in
http://www.csc.gatech.edu/copeland/jac/6612/info/
11
Internet Layer Security (IPsec)
The Internet Engineering Task Force (IETF)
• Internet Security Protocol working group standardized an IP Security Protocol (IPsec) and an Internet Key Management Protocol (IKMP).
• The objective of IPsec is to make available cryptographic security mechanisms to users who desire security.
• The mechanisms should work for both the current version of IP (IPv4) and the new IP (IPv6).
• They should be algorithm-independent, in that the cryptographic algorithms can be altered.
• They should be useful in enforcing different security policies, but avoid adverse impacts on users who do not employ them.
Rolf Oppliger, "Internet Security: Firewalls and Beyond," p92, Comm. ACM 40, May 1997
12
IPsec Authentication Header (AH)
[Figure: Transport Mode, AH between hosts A (Alice) and B (Bob); Tunnel Mode, AH between A and Rb, Bob's gateway router.]
13
Encapsulated Secure Payload (ESP)
Transport Level Security
(not TLS = Transport Layer Sec.)
14
IPsec ESP - Tunnel Mode
Virtual Private Network (VPN)
15
Security Associations
Transport, Host-Host
Tunnel, Gateway-Gateway (Routers)
16
Internet Layer Security (IPsec)
Normal Internet Protocol (IP):
  | IP Header, A to B | TCP Header | Application Header | Data |
IPsec Authentication Header (AH) - Transport Mode:
  | IP Header, A to B | AH | TCP Header | Application Header | Data |
  Authenticated
IPsec Authentication Header (AH) - Tunnel Mode:
  | IP Hdr, A to Rb | AH | IP Hdr, A to B | TCP Hdr | Application Header | Data |
  Authenticated
IPsec Encapsulated Secure Payload (ESP):
  | IP Header, A to Rb | ESP Header | TCP Header | Application Header | Data |
  Encrypted
IPsec Encapsulated Secure Payload (ESP) with AH:
  | IP Header, A to Rb | AH | ESP Header | TCP Header | Application Hdr | Data |
  Authenticated; Encrypted
Rb is the Gateway Router to B
17
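Added example (not from the slides or Stallings): the AH transport-mode and tunnel-mode layouts from this slide built as bytes in Python, with the ICV computed as HMAC-SHA1-96 over the IP header, the AH and the payload. The IP header fields that change in transit (TTL and header checksum, per RFC 4302) are zeroed before hashing, so a router hop that decrements TTL leaves the packet verifiable while any change to the payload does not. Host addresses are the slide's; the shared key, the SPIs, and the gateway address 203.0.113.1 (standing in for Rb) are constructed.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

AH_PROTO, TCP_PROTO, IPIP_PROTO = 51, 6, 4   # IANA protocol numbers
ICV_LEN = 12                                 # HMAC-SHA1-96: 96-bit truncated tag


def checksum(data):
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with no options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def ah_header(next_hdr, spi, seq, icv):
    """RFC 4302 AH: next header, length (32-bit words minus 2), reserved, SPI, seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def zero_mutable(ip_hdr):
    """Zero TTL (byte 8) and checksum (bytes 10-11) before computing the ICV;
    ToS, flags and fragment offset are also mutable but are already 0 here."""
    return ip_hdr[:8] + b"\0" + ip_hdr[9:10] + b"\0\0" + ip_hdr[12:]


def compute_icv(key, ip_hdr, next_hdr, spi, seq, payload):
    ah_zero = ah_header(next_hdr, spi, seq, b"\0" * ICV_LEN)  # ICV field zeroed
    tag = hmac.new(key, zero_mutable(ip_hdr) + ah_zero + payload, hashlib.sha1).digest()
    return tag[:ICV_LEN]


def ah_encapsulate(key, spi, seq, src, dst, tcp_segment, mode, gw_src=None, gw_dst=None):
    """Transport mode: IP(A->B) | AH | TCP...   Tunnel mode: IP(Ra->Rb) | AH | IP(A->B) | TCP..."""
    if mode == "transport":
        next_hdr, payload, outer_src, outer_dst = TCP_PROTO, tcp_segment, src, dst
    elif mode == "tunnel":
        inner_ip = ipv4_header(src, dst, TCP_PROTO, len(tcp_segment))
        next_hdr, payload, outer_src, outer_dst = IPIP_PROTO, inner_ip + tcp_segment, gw_src, gw_dst
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    outer_ip = ipv4_header(outer_src, outer_dst, AH_PROTO, 12 + ICV_LEN + len(payload))
    icv = compute_icv(key, outer_ip, next_hdr, spi, seq, payload)
    return outer_ip + ah_header(next_hdr, spi, seq, icv) + payload


def ah_verify(key, packet):
    """Recompute the ICV at the receiver and compare in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_total = (plen + 2) * 4
    icv, payload = rest[12:ah_total], rest[ah_total:]
    return hmac.compare_digest(icv, compute_icv(key, ip_hdr, next_hdr, spi, seq, payload))


def forward_hop(packet):
    """What each router does in transit: decrement TTL and refresh the checksum."""
    hdr = packet[:20]
    hdr = hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:10] + b"\0\0" + hdr[12:]
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + packet[20:]
```

In a real SA the key, SPI and integrity algorithm come from the Security Association negotiated for the pair (host-host for transport mode, gateway-gateway for tunnel mode), and the sequence number is checked against a replay window; both are omitted here to keep the layout visible.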