Attack type                                  Goal of IPSec
DoS attacks (source spoofing is usually      To verify sources of IP packets
  used in DoS attacks)                         (authentication)
Replay attacks (replayed packets)            To prevent replaying of old packets
Spying (no data integrity and                To protect integrity and/or confidentiality
  confidentiality)                             of packets (data integrity / data encryption)
IPSec Architecture
  ESP - Encapsulating Security Payload
  AH  - Authentication Header
  IPSec Security Policy
  IKE - The Internet Key Exchange
IPSec Architecture (figure): Transport Mode protects traffic end to end between the two hosts; Tunnel Mode protects traffic between the two routers (security gateways), which wrap the original packet in a new IP header.
Various Packets
  Original packet:  IP Header | TCP Header | Data
  Transport Mode:   IP Header | IPSec Header | TCP Header | Data
  Tunnel Mode:      IP Header (new) | IPSec Header | Original IP Header | TCP Header | Data
Authentication Header (AH) - provides source authentication
  Next Header | Payload Length | Reserved
  Security Parameters Index (SPI)
  Sequence Number
  Authentication Data (ICV: hash of everything else, with mutable IP header fields zeroed)
  Old IP header (only in Tunnel mode)
  TCP header
  Data

Encapsulating Security Payload (ESP) - encapsulates a TCP or IP packet
  Security Parameters Index (SPI)
  Sequence Number
  Initialization Vector
  Encrypted TCP packet: TCP header | Data | Pad | Pad Length | Next Header
  Authentication Data
Transport mode protects the IP payload, that is the TCP/UDP header plus the data, with an AH or ESP header.
The payload is encapsulated by the IPSec header and, for ESP, the IPSec trailer.
The original IP header remains intact, except that its Protocol field is changed to ESP (50) or AH (51); the original protocol value is carried in the Next Header field (in the ESP trailer, or in the AH header itself) so that the receiver can restore it after the packet has been verified and, for ESP, decrypted.
IPSec transport mode is usually used when another tunneling protocol, such as GRE, first encapsulates the IP packet and IPSec is then applied to the GRE packets. Since the GRE tunnel endpoints already supply the outer IP header, IPSec protects the GRE tunnel traffic in transport mode.
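The header layouts and the protocol-field change above can be exercised on real bytes. The following Python is an added example, not code from the original slides: it parses an IPv4 packet, recognises AH (51) and ESP (50) by the Protocol field, reads SPI and sequence number, tells transport from tunnel mode for AH by the Next Header value (4 = IP-in-IP means tunnel, 6 = TCP means transport), verifies an HMAC-SHA1-96 AH integrity check with the mutable IP fields zeroed, and enforces the anti-replay sliding window on the sequence number. The key, addresses and packets are constructed for the demo; the ESP sample carries opaque filler rather than real ciphertext.

```python
"""Parse AH/ESP packets, detect transport vs tunnel mode, verify AH ICV and
enforce anti-replay. Added example with constructed samples; not from the slides."""
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4   # inner IP header of tunnel mode
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_AH = 51


def ipv4_header(proto, src, dst, total_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 for the constructed sample
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return {"proto": pkt[9], "src": pkt[12:16], "dst": pkt[16:20], "payload": pkt[ihl:]}


def parse_ah(payload):
    # AH: Next Header | Payload Len | Reserved | SPI | Seq | ICV | protected payload
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", payload[:12])
    icv_len = (payload_len + 2) * 4 - 12    # Payload Len is in 32-bit words minus 2
    mode = "tunnel" if next_hdr == IPPROTO_IPIP else "transport"
    return {"protocol": "AH", "spi": spi, "seq": seq, "next_header": next_hdr,
            "icv": payload[12:12 + icv_len], "mode": mode, "inner": payload[12 + icv_len:]}


def parse_esp(payload):
    # ESP: SPI | Seq | IV + ciphertext (+ pad, pad len, next header) | ICV
    spi, seq = struct.unpack("!II", payload[:8])
    # Next Header lives inside the encrypted trailer, so the mode is unknown until decryption
    return {"protocol": "ESP", "spi": spi, "seq": seq, "mode": "unknown until decrypted",
            "encrypted": payload[8:]}


def classify(pkt):
    ip = parse_ipv4(pkt)
    if ip["proto"] == IPPROTO_AH:
        return parse_ah(ip["payload"])
    if ip["proto"] == IPPROTO_ESP:
        return parse_esp(ip["payload"])
    return {"protocol": None, "mode": None}


def ah_icv(pkt, key):
    # HMAC-SHA1-96 over IP header + AH + payload, with the mutable IPv4 fields
    # (TOS, flags/fragment offset, TTL, checksum) and the ICV field itself zeroed
    ihl = (pkt[0] & 0x0F) * 4
    ip = bytearray(pkt[:ihl])
    ip[1] = 0; ip[6:8] = b"\x00\x00"; ip[8] = 0; ip[10:12] = b"\x00\x00"
    ah = bytearray(pkt[ihl:])
    icv_len = (ah[1] + 2) * 4 - 12
    ah[12:12 + icv_len] = b"\x00" * icv_len
    return hmac.new(key, bytes(ip) + bytes(ah), hashlib.sha1).digest()[:12]


def verify_ah(pkt, key):
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_AH:
        return False
    return hmac.compare_digest(ah_icv(pkt, key), parse_ah(ip["payload"])["icv"])


def build_ah_packet(key, spi, seq, inner, next_hdr, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    # Payload Len 4 => 24-byte AH (12 fixed + 12-byte ICV); ICV sits at offset 32..44
    ah = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + b"\x00" * 12
    pkt = ipv4_header(IPPROTO_AH, src, dst, 20 + len(ah) + len(inner)) + ah + inner
    return pkt[:32] + ah_icv(pkt, key) + pkt[44:]


class ReplayWindow:
    """Sliding anti-replay window over the 32-bit sequence number."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit k set => sequence number (top - k) already seen

    def check_and_update(self, seq):
        if seq == 0:                       # first packet on an SA is 1; 0 is never valid
            return False
        if seq > self.top:                 # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):   # too old, or already seen
            return False
        self.bitmap |= 1 << diff
        return True


# Constructed samples (hypothetical key and addresses)
KEY = b"constructed-demo-key"
TCP_SEG = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0) + b"hello"
AH_TRANSPORT = build_ah_packet(KEY, 0x1000, 1, TCP_SEG, IPPROTO_TCP)           # AH then TCP
INNER_IP = ipv4_header(IPPROTO_TCP, b"\xc0\xa8\x01\x0a", b"\xc0\xa8\x02\x14", 20 + len(TCP_SEG)) + TCP_SEG
AH_TUNNEL = build_ah_packet(KEY, 0x1001, 1, INNER_IP, IPPROTO_IPIP)            # AH then whole IP packet
ESP_SAMPLE = (ipv4_header(IPPROTO_ESP, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 52)
              + struct.pack("!II", 0x2000, 7) + b"\x11" * 24)                  # opaque filler, not ciphertext

if __name__ == "__main__":
    for name, pkt in (("transport", AH_TRANSPORT), ("tunnel", AH_TUNNEL), ("esp", ESP_SAMPLE)):
        info = classify(pkt)
        print(name, info["protocol"], info["mode"], hex(info["spi"]), info["seq"])
    print("AH verifies:", verify_ah(AH_TRANSPORT, KEY), "tampered:", verify_ah(AH_TRANSPORT[:-1] + b"!", KEY))
```

The replay window mirrors what a receiver does per security association: a sequence number above the high-water mark slides the window, one inside the window is accepted only once, and one older than the window is dropped even if it was never seen. Note that the ESP branch cannot tell transport from tunnel mode, because the Next Header field that distinguishes them is inside the encrypted trailer.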