06a-IP Networks
ECE-8843
http://www.csc.gatech.edu/copeland/jac/8843-03/
Prof. John A. Copeland
[email protected]
404 894-5177
fax 404 894-0035
Office: GCATT Bldg 579
email or call for office visit, or call Kathy Cheek, 404 894-5696
Chapter 6a - IPsec (IP Secure)
(note: 06b has PDF copies of slides from Chap. 6 of the text,
“Network Security Essentials, Applications and Standards”
by William Stallings)
Each LAN Connects to Internet via a Router
The Internet is a Router Network
In a Router Network, circuits are defined by entries in the Routing Tables along the way. These may be Static (manually set up) or Dynamic (set up according to an Algorithm in the Router).
[Figure: stations A, B, C, D and E on LANs (Ethernet and Token Ring) interconnected through Routers 1 to 7, with the path from A to D traced across the routers. Legend: Station (on a LAN), Router, Local Connection, Trunk or Long-Haul.]
Optimal Paths From Router 1
(or To Router 1)
Define Router 1's Sink Tree
[Figure: the same network, with Router 1's sink tree (the shortest paths from every other router to Router 1, which are also the optimal paths from Router 1 when link costs are symmetric) drawn over Routers 1 to 7. Legend: Station, Router, Local Connection, Trunk or Long-Haul.]
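As an added example (not from the slides, whose link costs are not in the transcript), the following Python computes a router's sink tree with Dijkstra's algorithm over a constructed seven-router topology that reuses the slide's router numbers, and then derives the routing-table entries Router 1 would install for each destination. The link costs are invented for illustration.

```python
"""Router 1's sink tree and forwarding table over a constructed topology."""
import heapq

# Constructed link costs (router, router, cost); the slide's figure does not give any.
EDGES = [(1, 2, 1), (1, 3, 2), (2, 3, 2), (2, 4, 5), (3, 5, 1),
         (4, 6, 2), (5, 6, 3), (5, 7, 6), (6, 7, 1)]


def adjacency(edges):
    """Symmetric adjacency map: router -> {neighbour: cost}."""
    adj = {}
    for u, v, cost in edges:
        adj.setdefault(u, {})[v] = cost
        adj.setdefault(v, {})[u] = cost
    return adj


def sink_tree(edges, root):
    """Dijkstra from root. With symmetric costs the shortest-path tree from root
    is also the sink tree of root: parent[n] is n's next hop toward root."""
    adj = adjacency(edges)
    dist, parent = {root: 0}, {}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:            # stale heap entry
            continue
        for v, cost in adj[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                parent[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, parent


def forwarding_table(parent, root):
    """Root's routing-table entries: for each destination, the first hop on the
    tree path from root, found by walking the sink tree back toward root."""
    table = {}
    for dest in parent:
        hop = dest
        while parent[hop] != root:
            hop = parent[hop]
        table[dest] = hop
    return table


if __name__ == "__main__":
    dist, parent = sink_tree(EDGES, 1)
    print("cost to Router 1:", dist)
    print("next hop toward Router 1:", parent)
    print("Router 1 forwarding table:", forwarding_table(parent, 1))
```

Each non-root router installs a single entry for Router 1 (its `parent`), while Router 1 installs one entry per destination; a dynamic routing protocol recomputes both whenever a link cost changes.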
[Figure: protocol stacks of a Browser host, an intermediate Router and a Web Server host]

Browser host (IP 130.207.22.5) | Router | Web Server host (IP 24.88.15.22)
Application Layer (HTTP), Port 80 | (not present) | Application Layer (HTTP), Port 31337
Transport Layer (TCP, UDP), Segment No. | (not present) | Transport Layer (TCP, UDP), Segment No.
Network Layer (IP), IP Address 130.207.22.5 | Network Layer: buffers packets that need to be forwarded (based on IP address) | Network Layer (IP), IP Address 24.88.15.22
E'net Data Link Layer | E'net Data Link Layer / Token Ring Data Link Layer | Token Ring Data-Link Layer
Ethernet Phys. Layer | E'net Phys. Layer / Token Ring Phys. Layer | Token Ring Phys. Layer
Connecting Over the Internet to “www.cnn.com”
Discover the Ethernet address of the Domain Name Server
• ARP - “Who has 130.207.244.244”
• Reply from Gateway Router “00 0E 36 A9 72 24 has 130.207.244.244” *
Use DNS (BIND) to convert “www.cnn.com” to a 32-bit Internet address
(64.236.16.52).
• Send UDP DNS-Request Packet to 130.207.244.244 : UDP 53
• Reply www.cnn.com = 64.236.16.52
Discover the Ethernet address of host 64.236.16.52 (or gateway router).
• ARP - “Who has 64.236.16.52”
• Reply from Gateway Router “00 0E 36 A9 72 24 has 64.236.16.52” *
Start a TCP connection
• Send TCP Packet with SYN flag set to 64.236.16.52 / 00 0E 36 A9 72 24
• Reply is TCP Packet with SYN and ACK flag bits set.
• Send TCP packet with ACK flag set.
* The gateway router “has” all IP addresses that are not local (on the LAN).
UDP Datagrams are exchanged to find the IP address
#1
Receive time:71765.605 (0.000) packet length:80 received length:70
Ethernet: (08000726b22f -> Sun 75f53a) type: IP(0x800)
Internet:
130.207.8.51 -> 130.207.244.244
hl: 5 ver: 4 tos: 0
len: 66 id 0x01 fragoff:0 flags: 00 ttl:60 prot:UDP(17) xsum: 0x68ce
UDP: 1042 -> domain(53) len: 46 xsum: 0x5315
Domain Name Service: ID: 2984 opcode: Query (0) Flags: <DORECURSE> (0100)
Queries: 1, answers: 0, name servers: 0, Query 0: Name:www.cnn.com
#2
Receive time:71765.653 (0.048) packet length:148 received length:70
Ethernet: ( Sun 75f53a -> 08000726b22f) type: IP(0x800)
Internet:
130.207.244.244 -> 130.207.8.51
hl: 5 ver: 4 tos: 0
len:134 id:xbc77 fragoff 0 flags:00 ttl:60 prot:UDP(17) xsum:0xac13
UDP: domain(53) -> 1042 len: 114 xsum: 0000
Domain Name Service: ID: 2984 opcode: Query (0) Response: No. err (0)
Flags: <RESPONSE><AUTHORITATIVE><DORECURSE><CANRECURSE> (8580)
Queries: 1, answers: 3, name servers: 0, Query 0: Name:www.cnn.com
The first two packets of the IP, TCP & HTTP (port 80) Connection.
#3
Receive time:71765.711 packet length:60
Ethernet: (08000726b22f -> Cisco 083625) type: IP(0x800)
Internet: 130.207.8.51 -> 64.236.16.52 hl: 5 ver: 4 tos: 0
len: 44 id: 0x02 fragoff: 0 flags: 00 ttl: 60 prot: TCP(6) xsum: 0x9be5
TCP Port:
1076 -> http(80)
seq: 28a61070 ack: ---win: 10241 hl: 6 xsum: 0x5342 urg: 0
flags: <SYN> mss: 536
#4
Receive time:71765.721 packet length:60
Ethernet: (Cisco 083625 -> 08000726b22f) type: IP(0x800)
Internet: 64.236.16.52 -> 130.207.8.51 hl: 5 ver: 4 tos: 0
len:44 id:0x7d1f fragoff 0 flags:00 ttl:57 prot:TCP(6) xsum:0x21c8
TCP Port:
http(80) -> 1076
seq: 3a28ac00 ack: 28a61071
win: 4096 hl: 6 xsum: 0x816d urg: 0 flags: <ACK><SYN> mss:1460
The Ethernet address (Cisco ...) is the local router port. The IP
Address is used “end to end.” Ethernet addresses are local only.
Address Resolution Protocol (ARP) E’net frames are not shown.
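The connection walk-through above (DNS lookup, then TCP handshake) and the two traces can be reproduced in code. The following Python is an added example, not part of the lecture: it rebuilds packet #1 (the DNS query) and packet #3 (the TCP SYN) from the field values the trace prints, computes the IPv4 and TCP checksums (RFC 1071), and decodes the packets back into the fields the trace decoder shows (hl, ttl, xsum, DNS flag names such as <DORECURSE>, TCP flags and the MSS option). ARP frames are not modelled, and the constructed DNS message is a few bytes shorter than the one in the capture (UDP len 46), so total lengths differ from the trace; every other value is taken from it. Two caveats worth noticing in the trace: the DNS reply carries UDP xsum 0000, which in IPv4 means the sender computed no UDP checksum at all, and the IP header checksum covers only the header. Neither detects deliberate modification, which is the gap IPsec AH and ESP address later in this chapter.

```python
"""Rebuild and decode the lecture trace: IPv4, UDP/DNS (packet #1) and TCP SYN (packet #3)."""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented.
    Over a header whose checksum field is already filled in, the result is 0 if it is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload_len, ident, ttl=60):
    """20-byte IPv4 header (ver 4, hl 5, no options); the trace's sending host uses ttl 60."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hl = (f[0] & 0x0F) * 4
    return {"ver": f[0] >> 4, "hl": hl // 4, "tos": f[1], "len": f[2], "id": f[3],
            "flags": f[4] >> 13, "fragoff": f[4] & 0x1FFF, "ttl": f[5], "prot": f[6],
            "xsum": f[7], "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "xsum_ok": ones_complement_sum(pkt[:hl]) == 0}


def build_udp(sport, dport, payload, xsum=0):
    """UDP header. In IPv4 a checksum of 0 means 'not computed' (the DNS reply in the trace shows 0000)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), xsum) + payload


# DNS header flag bits, named as the trace's decoder names them
DNS_FLAGS = [(0x8000, "RESPONSE"), (0x0400, "AUTHORITATIVE"), (0x0100, "DORECURSE"), (0x0080, "CANRECURSE")]


def dns_flag_names(flags):
    return [name for bit, name in DNS_FLAGS if flags & bit]


def build_dns_query(ident, name):
    """Standard query for an A record, recursion desired (flags 0x0100)."""
    hdr = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return hdr + qname + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def parse_dns(msg):
    """Decode the header and the first question (uncompressed name only, enough for a query)."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    labels, pos = [], 12
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return {"id": ident, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "flags": dns_flag_names(flags), "queries": qd, "answers": an, "name": ".".join(labels)}


TCP_FLAGS = [(0x02, "SYN"), (0x10, "ACK"), (0x01, "FIN"), (0x04, "RST"), (0x08, "PSH"), (0x20, "URG")]


def tcp_pseudo_header(src, dst, tcp_len):
    """The TCP checksum also covers the IP addresses, protocol 6 and the TCP length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_syn(src, dst, sport, dport, seq, window, mss):
    """TCP SYN carrying an MSS option: 24-byte header, hl = 6 words, as in packet #3."""
    opts = struct.pack("!BBH", 2, 4, mss)
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (6 << 12) | 0x02, window, 0, 0) + opts
    xsum = ones_complement_sum(tcp_pseudo_header(src, dst, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", xsum) + hdr[18:]


def parse_tcp(src, dst, seg):
    sport, dport, seq, ack, hl_flags, win, xsum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    hl = hl_flags >> 12
    mss, pos = None, 20
    while pos < hl * 4 and seg[pos] != 0:          # option kinds: 0 end, 1 NOP, 2 MSS
        if seg[pos] == 1:
            pos += 1
            continue
        if seg[pos] == 2:
            mss = struct.unpack("!H", seg[pos + 2:pos + 4])[0]
        pos += seg[pos + 1]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "hl": hl, "win": win, "mss": mss,
            "flags": [n for b, n in TCP_FLAGS if hl_flags & b],
            "xsum_ok": ones_complement_sum(tcp_pseudo_header(src, dst, len(seg)) + seg) == 0}


def trace_packets():
    """Packets #1 and #3 rebuilt from the field values printed in the trace."""
    dns = build_dns_query(2984, "www.cnn.com")
    udp = build_udp(1042, 53, dns)
    pkt1 = build_ipv4("130.207.8.51", "130.207.244.244", 17, len(udp), 0x01) + udp
    tcp = build_tcp_syn("130.207.8.51", "64.236.16.52", 1076, 80, 0x28A61070, 10241, 536)
    pkt3 = build_ipv4("130.207.8.51", "64.236.16.52", 6, len(tcp), 0x02) + tcp
    return pkt1, pkt3


if __name__ == "__main__":
    p1, p3 = trace_packets()
    print(parse_ipv4(p1), parse_dns(p1[28:]), sep="\n")
    print(parse_ipv4(p3), parse_tcp("130.207.8.51", "64.236.16.52", p3[20:]), sep="\n")
```

Flipping any single bit in a header makes `xsum_ok` false, but an attacker who changes a field can simply recompute the checksum, which is why the checksum is an error check and not an integrity check.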
Internet Layer Security (IPsec)
The Internet Engineering Task Force (IETF)
• The Internet Security Protocol working group standardized an IP Security Protocol (IPsec) and an Internet Key Management Protocol (IKMP, the work that became the Internet Key Exchange, IKE).
• The objective of IPsec is to make cryptographic security mechanisms available to users who desire security.
• The mechanisms should work for both the current version of IP (IPv4) and the new IP (IPv6).
• They should be algorithm-independent, in that the cryptographic algorithms can be altered.
• They should be useful in enforcing different security policies, but avoid adverse impacts on users who do not employ them.
Rolf Oppliger, "Internet Security: Firewalls and Beyond," p. 92, Comm. ACM 40, May 1997
IPsec Authentication Header (AH): Transport Mode and Tunnel Mode
[Figure: AH packet layouts in transport mode and in tunnel mode; the layouts are spelled out on the "Internet Layer Security (IPsec)" packet-format slide below.]
Encapsulating Security Payload (ESP)
Transport Layer Security (TLS)
IPsec ESP - Tunnel Mode
Virtual Private Network (VPN)
Internet Layer Security (IPsec): packet layouts
(A and B are the end hosts; Rb is the IPsec gateway router in front of B, the far end of the tunnel.)

Normal Internet Protocol (IP):
| IP Header, A to B | TCP Header | Application Header | Data |

IPsec Authentication Header (AH), Transport Mode:
| IP Header, A to B | AH | TCP Header | Application Header | Data |

IPsec Authentication Header (AH), Tunnel Mode:
| IP Hdr, A to Rb | AH | IP Hdr, A to B | TCP Hdr | Application Header | Data |

IPsec Encapsulating Security Payload (ESP):
| IP Header, A to Rb | ESP Header | TCP Header | Application Header | Data |
Encrypted: everything after the ESP Header.

IPsec Encapsulating Security Payload (ESP) with AH:
| IP Header, A to Rb | AH | ESP Header | TCP Header | Application Hdr | Data |
Encrypted: everything after the ESP Header.

Not shown on the slide: ESP also appends a trailer (padding, pad length, next header) after the data, and an ESP integrity check value when authentication is used. AH authenticates the IP header as well as the payload; ESP by itself does not cover the outer IP header.
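To make the AH rows of the layout slide (and the AH transport/tunnel mode slide above) concrete, here is an added Python example, written for this page and not taken from the lecture or from any IPsec implementation. It builds the AH transport-mode and tunnel-mode packets with HMAC-SHA-256-128 as the integrity algorithm (RFC 4868), computing the ICV the way RFC 4302 specifies: over the IP header with its mutable fields (TOS, flags/fragment offset, TTL, header checksum) treated as zero, the AH with a zeroed ICV field, and the payload. It then shows the consequence of AH covering the IP addresses: a router that decrements TTL leaves the packet verifiable, while a NAT that rewrites the source address does not. The key, the SPI values, the gateway addresses (130.207.244.1 and 64.236.16.1) and the 20-byte TCP segment are constructed for the demo; in practice the key and SPI come from the Security Association negotiated by IKE.

```python
"""IPsec AH (RFC 4302) in transport and tunnel mode: what the ICV covers, and why NAT breaks it."""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51            # IP protocol number of AH
IPIP_PROTO = 4           # next header of the inner packet in tunnel mode
TCP_PROTO = 6
ICV_LEN = 16             # HMAC-SHA-256-128: first 128 bits of the HMAC (RFC 4868)
AH_LEN = 12 + ICV_LEN    # fixed AH fields + ICV

DEMO_KEY = b"\x11" * 32  # constructed demo key; a real SA key comes from IKE
# Constructed TCP SYN (port 1076 -> 80) standing in for "TCP Hdr ... Data" on the slide
DEMO_TCP = struct.pack("!HHIIHHHH", 1076, 80, 0x28A61070, 0, (5 << 12) | 0x02, 10241, 0, 0)


def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                    socket.inet_aton(src), socket.inet_aton(dst))
    return h[:10] + struct.pack("!H", ip_checksum(h)) + h[12:]


def ah_header(next_hdr, spi, seq, icv):
    # Payload Len = AH length in 32-bit words minus 2: (12 + 16) / 4 - 2 = 5
    return struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq) + icv


def zero_mutable(ip_hdr):
    """RFC 4302 3.3.3.1.1: TOS, flags/fragment offset, TTL and header checksum may change
    in transit, so they count as zero for the ICV. Addresses, length, id and protocol do not."""
    return (ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00\x00" + ip_hdr[9:10]
            + b"\x00\x00" + ip_hdr[12:])


def ah_protect(key, ip_hdr, next_hdr, payload, spi, seq):
    """ip_hdr + AH + payload, with the ICV over the whole packet (ICV field zeroed)."""
    blank = ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN)
    icv = hmac.new(key, zero_mutable(ip_hdr) + blank + payload, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_header(next_hdr, spi, seq, icv) + payload


def ah_verify(key, packet):
    """Recompute the ICV of a received packet; True if it matches (constant-time compare)."""
    ip_hdr, rest = packet[:20], packet[20:]
    ah_len = (rest[1] + 2) * 4
    ah, payload = rest[:ah_len], rest[ah_len:]
    icv = ah[12:]
    blank = ah[:12] + b"\x00" * len(icv)
    expected = hmac.new(key, zero_mutable(ip_hdr) + blank + payload, hashlib.sha256).digest()[:len(icv)]
    return hmac.compare_digest(icv, expected)


def transport_mode(key, src, dst, tcp_segment, spi=0x1000, seq=1):
    """| IP Header, A to B | AH | TCP ... |  -- AH sits between the original header and TCP."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, AH_LEN + len(tcp_segment))
    return ah_protect(key, ip_hdr, TCP_PROTO, tcp_segment, spi, seq)


def tunnel_mode(key, a, b, gw_a, gw_b, tcp_segment, spi=0x2000, seq=1):
    """| IP Hdr, gateway to gateway | AH | IP Hdr, A to B | TCP ... |  -- whole packet is payload."""
    inner = ipv4_header(a, b, TCP_PROTO, len(tcp_segment)) + tcp_segment
    outer = ipv4_header(gw_a, gw_b, AH_PROTO, AH_LEN + len(inner))
    return ah_protect(key, outer, IPIP_PROTO, inner, spi, seq)


def forward_hop(packet):
    """A router decrements TTL and fixes the header checksum: both are mutable, AH still verifies."""
    hdr = bytearray(packet[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def nat_rewrite(packet, new_src):
    """A NAT rewrites the source address: addresses are covered by the ICV, so AH fails."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = socket.inet_aton(new_src)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


if __name__ == "__main__":
    pkt = transport_mode(DEMO_KEY, "130.207.8.51", "64.236.16.52", DEMO_TCP)
    print("transport, as sent:     ", ah_verify(DEMO_KEY, pkt))
    print("transport, after a hop: ", ah_verify(DEMO_KEY, forward_hop(pkt)))
    print("transport, after NAT:   ", ah_verify(DEMO_KEY, nat_rewrite(pkt, "24.88.15.22")))
```

The same property that makes AH strong (the addresses are signed) is what keeps it out of most deployments today: any NAT on the path breaks it, which is why ESP in tunnel mode, which leaves the outer header uncovered, became the common VPN choice.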
Security Associations