Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

Similar presentations


Presentation on theme: "IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication."— Presentation transcript:

1 IPSec In Depth

2 Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication is applied to data in the IPSec header as well as the data contained as payload

3 IPSec Encapsulating Security Payload (ESP) in Transport Mode Data TCP Hdr Orig IP Hdr Data TCP Hdr ESP Hdr Orig IP Hdr ESP Trailer ESP Auth Usually encrypted integrity hash coverage SecParamIndex Padding PaddingPadLengthNextHdr Seq# Keyed Hash bytes total InitVector ESP is IP protocol 50 Insert Append © 2000 Microsoft Corporation

4 IPSec ESP Tunnel ModeData TCP Hdr Orig IP Hdr ESP Auth Usually encrypted integrity hash coverage Data TCP Hdr ESP Hdr IP Hdr IP HdrIPHdr New IP header with source & destination IP address © 2000 Microsoft Corporation ESP Trailer

5 Authentication Header (AH) Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out If both ESP and AH are applied to a packet, AH follows ESP

6 IPSec Authentication Header (AH) in Transport Mode Data TCP Hdr Orig IP Hdr Data TCP Hdr AH Hdr Orig IP Hdr Next Hdr Payload Len RsrvSecParamIndex Keyed Hash Integrity hash coverage (except for mutable fields in IP hdr) Seq# 24 bytes total AH is IP protocol 51 Insert © 2000 Microsoft Corporation

7 IPSec AH Tunnel ModeData TCP Hdr Orig IP Hdr Integrity hash coverage (except for mutable new IP hdr fields) IP Hdr AH Hdr AH HdrData TCP Hdr Orig IP Hdr New IP header with source & destination IP address © 2000 Microsoft Corporation

8 Internet Key Exchange (IKE) Phase I –Establish a secure channel(ISAKMP SA) –Authenticate computer identity Phase II –Establishes a secure channel between computers intended for the transmission of data (IPSec SA)

9 Main Mode Main mode negotiates an ISAKMP SA which will be used to create IPSec Sas Three steps –SA negotiation –Diffie-Hellman and nonce exchange –Authentication

10 Main Mode (Kerberos) Initiator Responder Header, SA Proposals Header, Selected SA Proposal Header, D-H Key Exchange, Nonce i, Kerberos Token i Header, D-H Key Exchange, Nonce r, Kerberos Token r Header, Id i, Hash i Header, Id r, Hash r Encrypted

11 Main Mode (Certificate) Initiator Responder Header, D-H Key Exchange, Nonce i Header, Id i, Certificate i, Signature i, Certificate Request Header, D-H Key Exchange, Nonce r,Certificate Request Header, Id r, Certificate r, Signature r Encrypted Header, SA Proposals Header, Selected SA Proposal

12 Main Mode (Pre-shared Key) Initiator Responder Header, D-H Key Exchange, Nonce i Header, Id i, Hash i Header, D-H Key Exchange, Nonce r Header, Id r, Hash r Encrypted Header, SA Proposals Header, Selected SA Proposal

13 Quick Mode All traffic is encrypted using the ISAKMP Security Association Each quick mode negotiation results in two IPSec Security Associations (one inbound, one outbound)

14 Quick Mode Negotiation Header, Hash Header, Connected Notification Encrypted Initiator Responder Header, IPSec Selected SA Header, IPSec Proposed SA


Download ppt "IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication."

Similar presentations


Ads by Google