• Host implementation
– OS integrated, modify the IP code
• Bump-in-the-stack
– Layer between data link and IP
• Bump-in-the-wire
– IPSec outside host, in a router/firewall
– Least intrusive
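Figure: Encrypted Tunnel. A, Gateway, Gateway, B; traffic is unencrypted between A and its gateway, encrypted between the two gateways, and unencrypted between the far gateway and B.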
Figure: packet layout: IP header, IP options, IPSec header, Higher layer protocol. Labels: Real IP destination; ESP; AH.
• Discard
– Do not let in or out
• Bypass
– Outbound: do not apply IPSec
– Inbound: do not expect IPSec
• Protect – will point to an SA or SA bundle
– Outbound: apply security
– Inbound: check that security has been applied
Figure: IPSec processing. From A: SPI & Packet; use SPI to index the SAD (SA Database); SPD (Policy): was packet properly secured?; Original IP Packet.
…
…
• Connectionless integrity
– Flow/error control left to transport layer
– Data integrity
• Authentication
– Can “trust” IP address source
– Use MAC to authenticate
• Anti-replay feature
• Integrity check value
Figure: header fields: Sequence Number, ICV.
• Tunnel
• Transport
• Nested headers
– Multiple SAs applied to same message
– Nested tunnels
Figure: Tunnel Mode; field label: Variable Length.
• Mandatory
• Useful when IPSec developers are debugging
• Keys exchanged offline (phone, email, etc.)
• Set up SPI and negotiate parameters
• Not scalable
• Phase I
– Main Mode – flexible, 6 messages
• Checks cookies before DH work
– Aggressive mode – faster, 3 messages
• Open to DoS, doesn’t check cookie before DH work
• Used mostly for remote access
• Phase II – Quick mode
• Designed to
– Leverage advantages of DH
• Fresh keys
• Secret never in transit
– Counter DH weaknesses
• No information on the IDs of the parties
• Man-in-the-middle attack
• Computationally intensive
• Requirements
– Depend on specific parties
– Only the issuing entity can generate acceptable cookies – implies issuer using local secret
– Cookie generation and verification must be fast
• Suggested - Hash over IP Src/Dest; UDP Src/Dest; local secret
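The suggested cookie construction above, as an added example that is not part of the original slides: a stateless issuer computes an 8-octet cookie as a keyed hash over the IP source/destination, the UDP source/destination ports and a local secret, then verifies it by recomputation before any DH work is done. HMAC-SHA256 as the keyed hash, the class name `CookieIssuer`, the secret rotation and the sample addresses are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

COOKIE_LEN = 8  # ISAKMP header cookies are 8 octets


class CookieIssuer:
    """Stateless cookies bound to the peer's addresses and ports (hypothetical helper)."""

    def __init__(self, secret=None):
        # Local secret known only to the issuer; random per process by default.
        self.current = secret or os.urandom(32)
        self.previous = None  # kept for one rotation so in-flight cookies still verify

    def rotate(self, new_secret=None):
        # Changing the secret invalidates old cookies after one more rotation.
        self.previous, self.current = self.current, new_secret or os.urandom(32)

    @staticmethod
    def _encode(src_ip, dst_ip, src_port, dst_port):
        # Fixed-width packed fields so two different tuples never encode alike.
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        return (bytes([src.version]) + src.packed + dst.packed
                + struct.pack("!HH", src_port, dst_port))

    @staticmethod
    def _mac(secret, fields):
        return hmac.new(secret, fields, hashlib.sha256).digest()[:COOKIE_LEN]

    def issue(self, src_ip, dst_ip, src_port, dst_port):
        return self._mac(self.current, self._encode(src_ip, dst_ip, src_port, dst_port))

    def verify(self, cookie, src_ip, dst_ip, src_port, dst_port):
        # Recompute rather than store per-peer state; compare in constant time.
        fields = self._encode(src_ip, dst_ip, src_port, dst_port)
        secrets = [s for s in (self.current, self.previous) if s is not None]
        return any(hmac.compare_digest(cookie, self._mac(s, fields)) for s in secrets)


if __name__ == "__main__":
    issuer = CookieIssuer()
    peer = ("192.0.2.10", "198.51.100.1", 500, 500)  # constructed sample tuple
    cookie = issuer.issue(*peer)
    print(cookie.hex(), issuer.verify(cookie, *peer))
    print(issuer.verify(cookie, "192.0.2.99", "198.51.100.1", 500, 500))
```

Because verification is a single MAC computation with no stored state, a responder can reject a request carrying a cookie that was not issued for that source before committing to the DH exponentiation.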
Figure: exchange between Initiator and Responder. NonceI, YI and NonceR, YR: exchange items to generate secret; generate SKEYID. IDI, HashI and IDR, HashR: send hash digest so peer can authenticate sender.
Figure: Negotiate IPSec SA Parameters, [PFS]; HASH2, SA, NonceR, [New K]; HASH3: ‘Liveness’ proof for Responder.