Network Security - honorcup.ruhonorcup.ru/upload/iblock/830/830d681c11e722e125648831a2295c0f.pdf ·...
HUAWEI TECHNOLOGIES CO., LTD. All rights reserved Page 2
Objectives
ACL
NAT
AAA
RADIUS + DIAMETER
Tunneling (GRE+IPSec)
Ethernet Access List
Main function: ensure distributed access security over the whole network.
[Figure: intranet with Department A, Department B and a server]
Filtering
The ACL classifies packets according to a series of matching conditions.
The ACL is applied to a switch port to determine whether a packet should be forwarded or discarded.
The matching rules defined by the ACL can also be referenced wherever traffic needs to be differentiated, such as the definition of traffic classification rules in QoS.
An access control rule can be composed of multiple sub-rules.
Time segment control can be defined.
[Figure: the fields an ACL can match in a frame: Layer 2 header | IP header | TCP header | Application-level header | Data]
ACL Example
[Figure: host 192.168.1.10 on the LAN and server 202.1.5.1]
acl number 3001
rule 10 permit tcp source 192.168.1.0 0.0.0.255 destination 202.1.5.1 0.0.0.0 source-port any destination-port 80
rule 20 deny ip source any destination any
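As an added example (not Huawei code and not the switch's own matching logic), the following Python evaluates ACL 3001 from the slide with first-match semantics, converting the wildcard masks to prefixes; the function names are this example's own:

```python
import ipaddress

# Added example (not Huawei's code): a first-match evaluator for the slide's ACL 3001.
ACL_TEXT = """
acl number 3001
rule 10 permit tcp source 192.168.1.0 0.0.0.255 destination 202.1.5.1 0.0.0.0 source-port any destination-port 80
rule 20 deny ip source any destination any
"""
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def wildcard_to_network(addr, wildcard):
    """Wildcard masks: set bits are don't-care, so 0.0.0.255 on 192.168.1.0 means 192.168.1.0/24."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:                      # only contiguous low-bit wildcards are handled here
        raise ValueError("non-contiguous wildcard %s" % wildcard)
    return ipaddress.IPv4Network("%s/%d" % (addr, 32 - wc.bit_length()), strict=False)

def parse_rules(text):
    """Parse 'rule <id> <permit|deny> <proto> source ... destination ... [source-port ...] [destination-port ...]'."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["rule"]:            # skip 'acl number 3001'
            continue
        rule = {"id": int(tok[1]), "action": tok[2], "proto": tok[3],
                "src": ANY, "dst": ANY, "sport": None, "dport": None}
        i = 4
        while i < len(tok):
            if tok[i] in ("source", "destination"):
                field = "src" if tok[i] == "source" else "dst"
                if tok[i + 1] == "any":
                    i += 2
                else:
                    rule[field] = wildcard_to_network(tok[i + 1], tok[i + 2])
                    i += 3
            elif tok[i] in ("source-port", "destination-port"):
                field = "sport" if tok[i] == "source-port" else "dport"
                rule[field] = None if tok[i + 1] == "any" else int(tok[i + 1])   # None = not constrained
                i += 2
            else:
                raise ValueError("unknown keyword %s" % tok[i])
        rules.append(rule)
    return rules

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """Return (rule id, action) of the first rule matching the packet, or None when no rule matches
    (the device default then applies). Order decides: a deny-any placed first would shadow rule 10."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:     # 'ip' matches every protocol
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["id"], r["action"]
    return None

RULES = parse_rules(ACL_TEXT)
```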
Features of ACL Application
Traffic Filtering
Routes Filtering
QoS
Private Addresses and Public Addresses
[Figure: three LANs (LAN1, LAN2, LAN3) attached to the Internet, using 192.168.0.0/24, 192.168.1.0/24 and 192.168.0.0/24; the same private prefix appears twice]
The ranges of private addresses:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Why NAT?
NAT (Network Address Translation)
Why do we use NAT?
● IP address resources are increasingly insufficient. With address translation, multiple hosts in a LAN can access the Internet through one public IP address.
● Network security protection: address translation effectively hides the hosts of the internal LAN.
● To provide services of the internal network, such as FTP, WWW and Telnet, to the external network.
Principle of Address Translation
[Figure: PC1 (192.168.1.1) and PC2 (192.168.1.2) on the LAN both send IP packets from source port 3000 to 195.210.5.31:80; after translation the packets carry the public address 202.1.1.5 with source ports 4000 and 4001]
Local Source         Destination        Outside Source
192.168.1.1:3000     195.210.5.31:80    202.1.1.5:4000
192.168.1.2:3000     195.210.5.31:80    202.1.1.5:4001
Address Pool
An address pool is a collection of consecutive public IP addresses, identified by a number.
The NAT process selects an address from the address pool as the source address after translation.
Address pools enable more LAN users to access the Internet simultaneously.
[Figure: PC1 and PC2 on the LAN reach the Internet through the address pool 202.38.160.1, 202.38.160.2, 202.38.160.3, 202.38.160.4]
Application of Internal Server
[Figure: internal server (private address 10.0.1.1, port 80) behind router R (E0 towards the LAN, Serial 0 towards the Internet); the extranet user 202.39.2.3 reaches it at public address 202.38.160.1, port 80]
Map on the router:
address: 10.0.1.1 <-> 202.38.160.1
port: 80 <-> 80
The extranet user accesses the server through this map.
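As an added example (not Huawei's implementation), this Python models the three translation cases from the slides: per-session port translation behind one public address, an address pool, and a static map for an internal server; the class and method names are this example's own:

```python
class NaptTable:
    """Added example (not Huawei code): port-based address translation as on the slides.
    pool: public addresses for outbound sessions; statics: {(inside ip, port): (public ip, port)}."""
    def __init__(self, pool, statics=None, first_port=4000):
        self.pool, self.statics = list(pool), dict(statics or {})
        self.next_port = first_port
        self.outbound = {}   # (local ip, local port, dst ip, dst port) -> (public ip, public port)
        self.inbound = {}    # (public ip, public port) -> (local ip, local port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> Internet: return the (public ip, port) written into the packet as its new source."""
        if (src_ip, src_port) in self.statics:           # internal server: fixed map from the slide
            return self.statics[(src_ip, src_port)]
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:                      # new session: pool address + next free port
            pub = (self.pool[len(self.outbound) % len(self.pool)], self.next_port)
            self.next_port += 1
            self.outbound[key] = pub
            self.inbound[pub] = (src_ip, src_port)
        return self.outbound[key]

    def translate_inbound(self, dst_ip, dst_port):
        """Internet -> LAN: map the public destination back; None means no session and no static
        map, so the packet is dropped. This is how NAT hides hosts: nothing reaches them unsolicited."""
        for inside, pub in self.statics.items():
            if pub == (dst_ip, dst_port):
                return inside
        return self.inbound.get((dst_ip, dst_port))

    def table(self):
        """The slide's 'Local Source / Destination / Outside Source' rows."""
        return [("%s:%d" % k[:2], "%s:%d" % k[2:], "%s:%d" % v) for k, v in self.outbound.items()]
```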
Disadvantages of NAT
Since the IP addresses in data packets must be translated, the parts of the packet that carry IP addresses cannot be encrypted, and an encrypted FTP connection cannot be used at the application layer; otherwise the FTP PORT command cannot be translated correctly.
Network debugging becomes more difficult. For instance, when a host in the internal network attempts to attack other networks, it is hard to point out which computer is malicious, because the host's IP address is shielded.
Network Architecture and Position of BRAS
[Figure: access layer (the access network): Ethernet users via a LAN switch, WLAN users via an AP, ADSL users via a DSLAM; convergence layer: the NAS (BRAS); core layer: the core network, with the NMS, the AAA platform and the service platform attached]
AAA
Authentication
Authorization
Accounting
Architecture of NAS (BRAS) device
[Figure: the BRAS holds user identification, connection management, address management, AAA & UM and service control; it talks to the AAA server, the policy server and the DHCP server, and user packets pass through it]
User Identification - Access types
[Figure: access types the NAS identifies: PPP users (PPP packets), 802.1x users (EAPoL packets), Web users (IP/ARP/DHCP packets, then HTTP to the Web server, which uses the portal protocol towards the NAS) and bind users (IP/ARP/DHCP packets)]
PPP overview
[Figure: PPP protocol stack. Network layer: IP, IPX. Data link layer: Network Control Protocols (IPCP, IPXCP, BCP), Authentication Protocols (PAP, CHAP, EAP) and the Link Control Protocol (LCP). Physical layer below]
PPP phase diagram
[Figure: phases Dead -> Establish (LCP; "Up") -> Authenticate (PAP/CHAP; "Opened") -> Network (IPCP) -> Terminate ("Down") -> Dead; a "Fail" in Establish or Authenticate leads to Terminate, and "Closing" takes Network to Terminate]
PAP & CHAP Authentication Process
[Figure: Client - BRAS. PAP: the client sends Authentication_Req (username, password); the BRAS compares passwords and answers Accept/Reject. CHAP: the BRAS generates a challenge and sends it; the client generates ChallengePwd from it and sends Authentication_Req (username, ChallengePwd); the BRAS generates its own ChallengePwd, compares the two and answers Accept/Reject]
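Added example (not Huawei's code): both exchanges from the diagram in Python, with the CHAP response computed as MD5(identifier || secret || challenge) per RFC 1994; the class names and the sample secrets are this example's assumptions:

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The secret itself never crosses the link; only this hash does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class PapAuthenticator:
    """PAP side of the diagram: the client sends username and password in the clear, the BRAS compares."""
    def __init__(self, users):
        self.users = users                # username -> password

    def verify(self, username, password):
        expected = self.users.get(username)
        return expected is not None and hmac.compare_digest(expected, password)

class ChapAuthenticator:
    """BRAS side of CHAP: generate the challenge, compute the expected ChallengePwd, compare."""
    def __init__(self, users):
        self.users = users                # username -> secret; CHAP needs the plaintext secret on both sides
        self.pending = {}                 # identifier -> outstanding challenge

    def challenge(self, identifier, size=16):
        c = os.urandom(size)              # fresh random challenge: a captured response cannot be replayed
        self.pending[identifier] = c
        return c

    def verify(self, identifier, username, response):
        c = self.pending.pop(identifier, None)      # one-shot: the challenge is consumed here
        secret = self.users.get(username)
        if c is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, c), response)

def chap_exchange(client_secret, username, bras, identifier=1):
    """The slide's flow: Challenge -> Authentication_Req(username, ChallengePwd) -> Accept/Reject."""
    challenge = bras.challenge(identifier)                                 # BRAS -> client
    challenge_pwd = chap_response(identifier, client_secret, challenge)    # computed on the client
    return bras.verify(identifier, username, challenge_pwd)                # BRAS compares
```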
Why we need PPPoE?
[Figure: in the access network, a plain Ethernet frame (ETH | IP | DATA) can identify the device, not the user; with PPPoE (ETH | PPP | IP | DATA) the subscriber can be identified]
Discovery and Session Stages
Discovery stage
● Discover the AC (Access Concentrator) and acquire the AC's MAC address
● Allocate the Session ID
Session stage
● PPP parameter negotiation
● Data transmission
● Session maintenance
PPPoE Discovery phase diagram
[Figure: Client - AC]
Client -> AC: PADI (Service-Name, Session-ID=0x0000)
AC -> Client: PADO (Service-Name, AC-Name, Session-ID=0x0000)
Client -> AC: PADR (Service-Name, AC-Name, Session-ID=0x0000)
AC -> Client: PAD S (Service-Name, AC-Name, Session-ID=0x055A)
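Added example (not Huawei's code): a codec for the PPPoE discovery payload and a toy access concentrator that answers the four messages above, handing out the slide's Session-ID 0x055A; the service name, AC name and client MAC are constructed values:

```python
import struct

VER_TYPE = 0x11                                   # version 1, type 1
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65   # discovery packet codes (RFC 2516)
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102

def build(code, session_id, tags):
    """PPPoE discovery payload (follows the Ethernet header, EtherType 0x8863):
    ver/type, code, session id, length, then type/length/value tags ended by End-Of-List."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags) + struct.pack("!HH", TAG_END, 0)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(body)) + body

def parse(pkt):
    ver_type, code, session_id, length = struct.unpack("!BBHH", pkt[:6])
    if ver_type != VER_TYPE or length != len(pkt) - 6:
        raise ValueError("bad PPPoE header")
    tags, i = [], 6
    while i < 6 + length:
        t, l = struct.unpack("!HH", pkt[i:i + 4])
        if t == TAG_END:
            break
        if i + 4 + l > len(pkt):
            raise ValueError("truncated tag")
        tags.append((t, pkt[i + 4:i + 4 + l]))
        i += 4 + l
    return code, session_id, tags

class AccessConcentrator:
    """Added toy AC: PADI -> PADO, PADR -> PADS; the client normally takes the first PADO it hears,
    so an AC-Name check on PADR is the only thing tying the session to the chosen AC."""
    def __init__(self, ac_name, services, first_session=0x055A):
        self.ac_name, self.services, self.next_session = ac_name, set(services), first_session
        self.sessions = {}                            # session id -> (client MAC, service)

    def handle(self, client_mac, pkt):
        code, session_id, tags = parse(pkt)
        t = dict(tags)
        service = t.get(TAG_SERVICE_NAME, b"")
        if session_id != 0 or (service and service not in self.services):
            return None                               # discovery packets carry session 0
        if code == PADI:
            return build(PADO, 0, [(TAG_SERVICE_NAME, service), (TAG_AC_NAME, self.ac_name)])
        if code == PADR and t.get(TAG_AC_NAME) == self.ac_name:
            sid = self.next_session
            self.next_session += 1
            self.sessions[sid] = (client_mac, service)
            return build(PADS, sid, [(TAG_SERVICE_NAME, service), (TAG_AC_NAME, self.ac_name)])
        return None
```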
DHCP Address Allocation Modes
Automatic allocation
● The DHCP server assigns a permanent address to a client
Dynamic allocation
● The DHCP server assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address)
Manual allocation
● A client's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client
DHCP Working Flow
[Figure: DHCP client - DHCP server (selected)]
Client -> Server: DHCPDISCOVER
Server -> Client: DHCPOFFER
Client -> Server: DHCPREQUEST
Server -> Client: DHCPACK or DHCPNAK
Client -> Server: DHCPRELEASE
Packet format (field sizes in bytes)
op (1) | htype (1) | hlen (1) | hops (1)
xid (4)
secs (2) | flags (2)
ciaddr (4)
yiaddr (4)
siaddr (4)
giaddr (4)
chaddr (16)
sname (64)
file (128)
options (variable)
Option 82
Prevents IP address exhaustion by DHCP requests
Realizes static allocation of IP addresses through DHCP
Prevents static IP address spoofing
Option 82:
● Agent Circuit ID
{atm|eth} frame/slot/subslot/port[:vpi.vci|outer_vlan.inner_vlan]
● Agent Remote ID
AccessNodeIdentifier
Example: Quidway Eth 0/1/0/1:0.0
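Added example (not Huawei's code): a DHCP packet builder and parser that decodes the Option 82 sub-options above, plus a lease lookup keyed by Agent Circuit ID rather than by the client's claimed MAC; the circuit ID follows the slide's example, and the MAC, transaction id and bindings are constructed:

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie that starts the options field
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"       # the fixed 236-byte part of the packet format slide
FIELDS = ("op", "htype", "hlen", "hops", "xid", "secs", "flags", "ciaddr", "yiaddr",
          "siaddr", "giaddr", "chaddr", "sname", "file")
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2        # Option 82 sub-options (RFC 3046)

def build_discover(xid, mac, circuit_id=None, remote_id=None):
    """Constructed DHCPDISCOVER (op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6),
    optionally carrying the Option 82 a DSLAM inserts on the way to the server."""
    zero4 = b"\0" * 4
    hdr = struct.pack(HEADER, 1, 1, 6, 0, xid, 0, 0x8000, zero4, zero4, zero4, zero4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, 1])                       # message type 1 = DHCPDISCOVER
    sub = b""
    if circuit_id is not None:
        sub += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        sub += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    if sub:
        opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return hdr + MAGIC + opts + bytes([OPT_END])

def parse_tlv(buf, end_marker=None):
    """Code/length/value items; at top level 0 is a pad byte and end_marker (255) stops parsing."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == end_marker:
            break
        if code == 0 and end_marker is not None:
            i += 1
            continue
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out[code] = value
        i += 2 + length
    return out

def parse_dhcp(pkt):
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    msg = dict(zip(FIELDS, struct.unpack(HEADER, pkt[:236])))
    msg["chaddr"] = msg["chaddr"][:msg["hlen"]]
    msg["options"] = parse_tlv(pkt[240:], OPT_END)
    if OPT_RELAY_AGENT in msg["options"]:                    # decode the relay-agent sub-options
        msg["options"][OPT_RELAY_AGENT] = parse_tlv(msg["options"][OPT_RELAY_AGENT])
    return msg

def lease_for(msg, bindings):
    """Server policy from the slide: the address is bound to the physical port (circuit ID), not to
    the MAC the client claims, so a host cannot take another port's address; None = no/unknown port."""
    relay = msg["options"].get(OPT_RELAY_AGENT)
    if not relay or SUB_CIRCUIT_ID not in relay:
        return None
    return bindings.get(relay[SUB_CIRCUIT_ID])
```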
Option 82
[Figure: PC - DSLAM - NAS - DHCP Server. The PC's DISCOVER and REQUEST pass through the DSLAM, which inserts Option 82; the NAS relays them with Option 82 to the DHCP server. The server's OFFER and ACK carry Option 82 back through the NAS and the DSLAM, and reach the PC without it]
Networking Application of RADIUS
[Figure: users reach the core network (Internet) through access networks (DSLAM, LAN switch) and NAS devices; the NAS devices query the AAA server]
Architecture of NAS device
[Figure: the NAS holds user identification, connection management, address management, AAA & UM and service control; it talks to the AAA server, the policy server and the DHCP server, and user packets pass through it]
Client-Server Model
[Figure: User - NAS (RADIUS client) - RADIUS server; the RADIUS server is the AAA server]
RADIUS = Remote Authentication Dial-In User Service
Key features
Network security
● Shared secret
Flexible Authentication Mechanism
● PAP
● CHAP
Extensible Protocol
● Attribute-Length-Value format
Radius Packet Format
Packet:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
|                         Authenticator                         |
|                                                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Attributes ...
+-+-+-+-+-+-+-+-+-+-+-+-+-

Attribute:
 0                   1                   2
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
|     Type      |    Length     |  Value ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
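Added example (not Huawei's code): the packet layout above as Python encode/decode functions, together with the two shared-secret mechanisms of RFC 2865 that the "Key features" slide refers to, User-Password hiding and the Response Authenticator the NAS checks; usernames, secrets and the request authenticator are constructed values:

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # Code values
USER_NAME, USER_PASSWORD = 1, 2                         # attribute Types

def encode(code, identifier, authenticator, attrs):
    """Header (Code, Identifier, Length, 16-byte Authenticator) followed by Type/Length/Value
    attributes; an attribute's Length counts its own Type and Length bytes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, identifier, 20 + len(body), authenticator) + body

def decode(pkt):
    code, ident, length, auth = struct.unpack("!BBH16s", pkt[:20])
    if length < 20 or length > len(pkt):
        raise ValueError("bad Length")
    attrs, i = [], 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        if l < 2 or i + l > length:
            raise ValueError("bad attribute Length")
        attrs.append((t, pkt[i + 2:i + l]))
        i += l
    return code, ident, auth, attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block),
    the first block using the Request Authenticator. Not encryption in any strong sense."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): proves the reply came from a
    holder of the shared secret and belongs to this request."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def server_reply(request, secret, users):
    """Server side: check the hidden password against the user database, answer Accept or Reject."""
    code, ident, req_auth, attrs = decode(request)
    a = dict(attrs)
    ok = (code == ACCESS_REQUEST and a.get(USER_NAME) in users and USER_PASSWORD in a
          and hmac.compare_digest(hide_password(users[a[USER_NAME]], secret, req_auth), a[USER_PASSWORD]))
    rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return encode(rcode, ident, response_authenticator(rcode, ident, req_auth, [], secret), [])

def client_verify(reply, request_auth, secret):
    """NAS side: accept a reply only if its Response Authenticator matches; a reply forged
    without the secret (or replayed against another request authenticator) fails."""
    code, ident, auth, attrs = decode(reply)
    return hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, attrs, secret))
```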
Authentication and Accounting Procedure
[Figure: User - NAS - RADIUS Server]
Authentication: the user requests access; NAS -> Server: Access-Request; Server -> NAS: Access-Accept or Access-Reject; on accept the NAS configures the user.
Accounting start: NAS -> Server: Accounting-Request (start); Server -> NAS: Accounting-Response.
Interim accounting: NAS -> Server: Accounting-Request (interim update); Server -> NAS: Accounting-Response.
Accounting stop: the user requests termination; NAS -> Server: Accounting-Request (stop); Server -> NAS: Accounting-Response.
PAP and CHAP Interoperation
[Figure: User - NAS - RADIUS Server]
PAP: the user sends username and password to the NAS; NAS -> Server: Access-Request (Username, Password); the server checks them and answers Access-Accept or Access-Reject; on accept the NAS configures the user.
CHAP: the NAS sends a challenge; the user returns the username and the encrypted challenge; NAS -> Server: Access-Request (Username, Challenge, Encrypted Challenge); the server answers Access-Accept or Access-Reject; on accept the NAS configures the user.
Why UDP?
1. If the request to a primary authentication server fails, a secondary server must be queried.
2. The timing requirements of this particular protocol are significantly different from what TCP provides.
3. The stateless nature of this protocol simplifies the use of UDP.
4. UDP simplifies the server implementation.
What's Diameter?
Diameter protocol
● An AAA protocol that provides Authentication, Authorization and Accounting (AAA) functions
● More advanced than "radius", so it is called "diameter"
[Figure: traditional network: a NAS (PPP access) acts as a RADIUS AAA client towards the AAA server; future network: DSL, 3G and WLAN access act as Diameter AAA clients towards the AAA server]
New demands on AAA protocols
Network access requirements for AAA protocols
● Failover
● Transmission-level security
● Reliable transport
● Agent support
● Server-initiated messages
● Capability negotiation
● Peer discovery and configuration
Diameter Framework
The Diameter protocol consists of the Diameter base protocol and
the Diameter application protocol.
● Diameter base protocol: Provides a secure, reliable, and extensible
framework for various authentication, authorization, and accounting
services.
● Diameter application protocol: Defines functional and data units for
particular applications.
[Figure: Diameter stack: Diameter applications (NASREQ application, MIP application, EAP application, SIP application, ...) on top of the Diameter base protocol, which runs over SCTP or TCP]
Diameter node type
● Client
A Diameter client is a device at the edge of the network that performs access control. An example of a Diameter client is a Network Access Server (NAS) or a Foreign Agent (FA).
● Server
A Diameter server is one that handles authentication, authorization and accounting requests for a particular realm. By its very nature, a Diameter server MUST support Diameter applications in addition to the base protocol.
● Agent
Role of Diameter Agents
There are four kinds of Diameter Agents
● Relay Agent or Relay
● Proxy Agent or Proxy
● Redirect Agent
● Translation Agent
Diameter Message Structure
The Diameter message structure consists of two parts:
● Diameter message head
● Diameter AVP
Message head (32-bit words):
Version (8 bits) | Message Length (24 bits)
Command Flags (8 bits: R P E T r r r r) | Command-Code (24 bits)
Application-ID (32 bits)
Hop-by-Hop Identifier (32 bits)
End-to-End Identifier (32 bits)
Message body: AVPs ...
Diameter PDU
Command codes
Command-Name                   Abbrev   Code
Abort-Session-Request          ASR      274
Abort-Session-Answer           ASA      274
Accounting-Request             ACR      271
Accounting-Answer              ACA      271
Capabilities-Exchange-Request  CER      257
Capabilities-Exchange-Answer   CEA      257
Device-Watchdog-Request        DWR      280
Device-Watchdog-Answer         DWA      280
Session-Termination-Request    STR      275
Session-Termination-Answer     STA      275
Diameter AVP
AVP (attribute-value pair)
● The Diameter message body is composed of Diameter AVPs. Each AVP carries one message parameter value and consists of an AVP head and data. AVPs carry the authentication information, authorization information, charging information, routing information, security information, and the request and response configuration information.
● AVP structure (32-bit words):
AVP Code (32 bits)
AVP Flags (8 bits: V M P r r r r r) | AVP Length (24 bits)
Vendor-ID (32 bits, optional: present when the V flag is set)
AVP data ...
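Added example (not Huawei's code): encoding and decoding the message head and AVP head laid out above, including the V flag / Vendor-ID case, with a CER built from the command-code table; AVP codes 264 (Origin-Host) and 296 (Origin-Realm) are the RFC 3588 values, and the host and realm names are constructed:

```python
import struct

# Added example (not Huawei's code): Diameter header and AVP codec for the layouts on the slides.
COMMANDS = {257: "CE", 271: "AC", 274: "AS", 275: "ST", 280: "DW", 282: "DP"}  # command-code table
R_BIT, P_BIT, E_BIT, T_BIT = 0x80, 0x40, 0x20, 0x10   # command flags: Request, Proxiable, Error, re-Transmitted
V_BIT, M_BIT, P_AVP = 0x80, 0x40, 0x20                 # AVP flags: Vendor-specific, Mandatory, Protected

def encode_avp(code, data, mandatory=True, vendor_id=None):
    """AVP head = Code(4) Flags(1) Length(3) [Vendor-ID(4)]; Length covers head + data,
    the padding to a 32-bit boundary is not counted."""
    flags = (M_BIT if mandatory else 0) | (V_BIT if vendor_id is not None else 0)
    head_len = 12 if vendor_id is not None else 8
    avp = struct.pack("!IB", code, flags) + (head_len + len(data)).to_bytes(3, "big")
    if vendor_id is not None:
        avp += struct.pack("!I", vendor_id)
    return avp + data + b"\0" * (-len(data) % 4)

def decode_avps(buf):
    """Return [(code, flags, vendor_id or None, data)] for a message body."""
    avps, i = [], 0
    while i < len(buf):
        code, flags = struct.unpack("!IB", buf[i:i + 5])
        length = int.from_bytes(buf[i + 5:i + 8], "big")
        head_len = 12 if flags & V_BIT else 8
        if length < head_len or i + length > len(buf):
            raise ValueError("bad AVP length at offset %d" % i)
        vendor = struct.unpack("!I", buf[i + 8:i + 12])[0] if flags & V_BIT else None
        avps.append((code, flags, vendor, buf[i + head_len:i + length]))
        i += length + (-length % 4)
    return avps

def encode_message(command_code, application_id, hop_by_hop, end_to_end, avps,
                   request=True, retransmit=False):
    """Message head = Version(1) Length(3) Flags(1) Command-Code(3) Application-ID(4)
    Hop-by-Hop Identifier(4) End-to-End Identifier(4); T flag marks a retransmission."""
    body = b"".join(avps)
    flags = (R_BIT if request else 0) | (T_BIT if retransmit else 0)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + command_code.to_bytes(3, "big")
            + struct.pack("!III", application_id, hop_by_hop, end_to_end) + body)

def decode_message(pkt):
    version, flags = pkt[0], pkt[4]
    length, command = int.from_bytes(pkt[1:4], "big"), int.from_bytes(pkt[5:8], "big")
    if version != 1 or length != len(pkt):
        raise ValueError("bad version or message length")
    app, hbh, e2e = struct.unpack("!III", pkt[8:20])
    return {"command": command, "name": COMMANDS.get(command, "?") + ("R" if flags & R_BIT else "A"),
            "request": bool(flags & R_BIT), "retransmit": bool(flags & T_BIT),
            "error": bool(flags & E_BIT), "app": app, "hbh": hbh, "e2e": e2e,
            "avps": decode_avps(pkt[20:])}

def build_cer(origin_host, origin_realm, hop_by_hop, end_to_end):
    """A Capabilities-Exchange-Request carrying Origin-Host (AVP 264) and Origin-Realm (AVP 296)."""
    return encode_message(257, 0, hop_by_hop, end_to_end,
                          [encode_avp(264, origin_host), encode_avp(296, origin_realm)])
```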
Example
Use a Cx message as an example
[Figure: I-CSCF - HSS, Diameter message UAA. The Diameter header carries the command code of UAA; among the AVPs, one has AVP code 603 (server capabilities), Vendor-ID 10415, an AVP length and AVP data]
Diameter Link Establishment - Capability Exchange
CER / CEA (Capabilities-Exchange-Request / Answer)
● When two Diameter peers create a connection, they need to perform a capability exchange. The CER/CEA capability exchange announces capabilities (such as protocol version, Diameter applications, and security mechanism).
● If a peer receives a CER from an unknown peer, it discards the message or returns the result code DIAMETER_UNKNOWN_PEER.
[Figure: Client and Server establish the connection; Client -> Server: CER; Server -> Client: CEA]
Diameter Link Heartbeat Message
DWR/DWA (Device-Watchdog-Request / Answer)
● The DWR command code is 280. It is used to detect the link and is also called the heartbeat or handshake message.
● If a node sends several DWR messages in a row but the peer node does not return a DWA, the status of the link is set to down (the link is not released).
[Figure: Node1 -> Node2: DWR; Node2 -> Node1: DWA]
Diameter Link Disconnection Message
DPR/DPA (Disconnect-Peer-Request / Answer)
● The command code is 282.
● DPR is used to notify the peer node to disconnect the link; the peer node returns the DPA and then the link is disconnected.
[Figure: Node1 and Node2 release the connection; Node1 -> Node2: DPR; Node2 -> Node1: DPA]
Diameter Link Management Process
[Figure 1, Diameter link establishment process: PEER and DA set up an SCTP association; PEER -> DA: CER; DA -> PEER: CEA; capability exchange is successful and the link is normal; DWR/DWA heartbeat messages are sent periodically to maintain the link status]
[Figure 2, Diameter link disconnection process: when the DA initiates the disconnection, DA -> PEER: DPR, PEER -> DA: DPA, then the SCTP association is disconnected; when the peer initiates it, PEER -> DA: DPR, DA -> PEER: DPA, then the SCTP association is disconnected]
The Diameter connection is established through the capability exchange with the peer.
When the DA or the peer wants to release the Diameter link, it first sends the DPR message to disconnect the link.
Diameter Message Routing Function
[Flow chart, Diameter base protocol layer: a message arrives carrying D-Host=xx and D-Realm=xx. Does it carry the D-Host? If yes: is the D-Host an adjacent peer device? If yes, choose the route and forward. If the message carries no D-Host, or the D-Host is not an adjacent peer, look up the routing table by D-Realm and forward the message]
Diameter Message Routing Function (Cont.)
Routing: message routing based on the Realm-Based Routing Table.
Forwarding: message forwarding based on the peer device table.
The response message does not carry the target address information; it is returned along the path of the corresponding request message.
[Figure: Client (Hostname=Client.RealmA) in RealmA, DA1, DA2 and Server (Hostname=Server.RealmB) in RealmB. The client sends Request (ApplicationID, DestRealm=RealmB, DestHost=Server.RealmB). 1. Routing: Client -> DA1. 2. Routing: DA1 -> DA2. 3. Forwarding: DA2 -> Server. 4. Response: Server -> DA2. 5. Response: DA2 -> DA1. 6. Response: DA1 -> Client]
IETF RFC 3588 Diameter Base Protocol
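Added example (not Huawei's code): the routing decision of the flow chart and the answer path of the figure, modelled with plain dicts on each agent; the hostnames follow the figure, while the realm-table layout, the method names and the Hop-by-Hop id values are this example's assumptions:

```python
class DiameterAgent:
    """Added example (not Huawei's code): the per-agent decision the slide's flow chart describes.
    peers: hostnames of directly connected peers; realm_table: {(Destination-Realm, app): next-hop peer}."""
    UNABLE_TO_DELIVER = "DIAMETER_UNABLE_TO_DELIVER"     # RFC 3588 result code 3002 for an unroutable request

    def __init__(self, hostname, peers, realm_table):
        self.hostname, self.peers, self.realm_table = hostname, set(peers), dict(realm_table)
        self.pending = {}       # our Hop-by-Hop id -> (ingress peer, Hop-by-Hop id the ingress peer used)
        self.next_hbh = 1000

    def route_request(self, msg, ingress_peer):
        """msg is a dict with Destination-Host (optional), Destination-Realm, app, hbh, e2e. Returns
        (next hop, message to send), ("local", msg) if addressed to this node, or (None, result code)."""
        dest_host = msg.get("Destination-Host")
        if dest_host == self.hostname:
            return "local", msg
        if dest_host in self.peers:                       # forwarding: the D-Host is an adjacent peer
            next_hop = dest_host
        else:                                             # routing: realm lookup in the routing table
            next_hop = self.realm_table.get((msg["Destination-Realm"], msg["app"]))
            if next_hop is None:
                return None, self.UNABLE_TO_DELIVER
        out = dict(msg, hbh=self.next_hbh)                # new Hop-by-Hop id per hop; End-to-End id unchanged
        self.pending[self.next_hbh] = (ingress_peer, msg["hbh"])
        self.next_hbh += 1
        return next_hop, out

    def route_answer(self, answer):
        """Answers carry no destination: they retrace the request's path, matched by Hop-by-Hop id."""
        entry = self.pending.pop(answer["hbh"], None)
        if entry is None:
            return None, None                             # no outstanding request with that id: drop
        peer, orig_hbh = entry
        return peer, dict(answer, hbh=orig_hbh)

def slide_scenario():
    """Client.RealmA -> DA1 -> DA2 -> Server.RealmB and the answer back, as in the figure."""
    da1 = DiameterAgent("DA1", ["Client.RealmA", "DA2"], {("RealmB", 1): "DA2"})
    da2 = DiameterAgent("DA2", ["DA1", "Server.RealmB"], {})
    req = {"Destination-Realm": "RealmB", "Destination-Host": "Server.RealmB",
           "app": 1, "hbh": 7, "e2e": 99}
    hop1, m1 = da1.route_request(req, "Client.RealmA")   # 2. routing: Server.RealmB is not DA1's peer
    hop2, m2 = da2.route_request(m1, "DA1")              # 3. forwarding: Server.RealmB is DA2's peer
    back2, a2 = da2.route_answer({"hbh": m2["hbh"], "e2e": 99, "result": 2001})   # 4./5. answer
    back1, a1 = da1.route_answer(a2)                     # 6. answer reaches the client with its own hbh
    return [hop1, hop2, back2, back1, a1["hbh"], m2["e2e"]]
```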
Switchover
[Figure: Client, DA1, DA2 and Server, each holding a request queue. 1. Request: Client -> DA1. 2. Request: DA1 -> Server. 5. Response: Server -> DA1. 6. Response: DA1 -> Client]
Diameter caches each request message; its purpose is to retransmit the message when the link fails, so that the message reaches the destination as soon as possible and delay is reduced.
When the T bit is set to 1, the message is a retransmitted message.
A retransmission is needed when, due to a link failure, the request message was not sent to the peer or no response message was received.
Objectives
ACL
NAT
Access Methods (PPP, PPPoE, DHCP)
AAA
RADIUS + DIAMETER
Tunneling (GRE+IPSec)
VPN Definition
VPN: Virtual Private Network
[Figure: the headquarters is connected over the Internet to a branch, a partner, a remote office and employees on business trips through tunnels, and to an office by a leased line]
Classification of VPN
Based on the applications:
● Access VPN
● Intranet VPN
● Extranet VPN
Based on the realization layer:
● Layer 2 VPN
● Layer 3 VPN
Access VPN
Dial network expansion:
● Employees on business trips
● Remote small offices
[Figure: remote users dial in to an ISP POP; the tunnel to the HQ is originated either by the user or by the ISP]
Intranet VPN
[Figure: HQ, research institute, office and branch connected by tunnels over the Internet/ISP IP network or an ATM/FR network]
Extranet VPN
[Figure: HQ, branch, partner and remote office connected over the Internet/ISP IP network or an ATM/FR network]
Classification Based on Realization Layer
Layer 2 VPN
● L2TP: Layer 2 Tunnel Protocol (RFC 2661)
● PPTP: Point To Point Tunnel Protocol
● L2F: Layer 2 Forwarding
Layer 3 VPN
● GRE: Generic Routing Encapsulation
● IPSEC: IP Security Protocol
Principle of VPN Design
Security
● Tunnel and Encryption
● Data Authentication
● User Authentication
● Firewall and Attack Examination
Reliability
Economical Efficiency
Expansibility
GRE Overview
GRE is the Generic Routing Encapsulation protocol. It encapsulates datagrams of some network-layer protocol (e.g. IP, IPX, AppleTalk) and enables these datagrams to be transmitted over an IP network.
GRE is the layer 3 tunnel protocol of VPN (Virtual Private Network); that is, a technique called tunneling is adopted between protocol layers.
GRE Protocol Stack
[Figure: passenger protocol (IP/IPX) over the encapsulation protocol (GRE) over the transport protocol (IP) over the link layer]
Tunnel interface message format: Data Link Layer | IP (transport) | GRE | IP/IPX (passenger) | Payload
GRE Build VPN
[Figure: HQ and branch connected by a GRE tunnel across the Internet; a packet on the tunnel is Transfer Protocol Header | GRE Header | Original Data Packet]
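Added example (not Huawei's code): building and unpacking the tunnel packet shown above (transport IP header, GRE header, original packet) in Python, with the optional GRE Key field used to drop packets that do not belong to the tunnel; the tunnel endpoint and inner addresses are constructed:

```python
import ipaddress
import struct

GRE_PROTO = 47             # IP protocol number of GRE in the transport (outer) IP header
ETHERTYPE_IPV4 = 0x0800    # GRE Protocol Type for an IP passenger packet
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # Checksum, Key (RFC 2890), Sequence Number present

def ip_checksum(hdr):
    """Ones-complement sum of 16-bit words; over a header with a correct checksum it yields 0."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options); src/dst are dotted strings."""
    s, d = (int(ipaddress.IPv4Address(x)) for x in (src, dst))
    hdr = struct.pack("!BBHHHBBHII", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner, tunnel_src, tunnel_dst, key=None):
    """Transport IP header + GRE header (+ Key) + passenger packet, the slide's tunnel layout."""
    gre = struct.pack("!HH", FLAG_K if key is not None else 0, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(pkt, expected_key=None):
    """Return the passenger packet, or None if the packet is not GRE over IPv4, carries a
    non-IP passenger, or its Key does not match the tunnel's expected key."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != GRE_PROTO or ip_checksum(pkt[:ihl]) != 0:
        return None
    flags, proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    off, key = ihl + 4, None
    if flags & FLAG_C:                       # Checksum + Reserved1 come first
        off += 4
    if flags & FLAG_K:                       # then the Key
        key = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & FLAG_S:                       # then the Sequence Number
        off += 4
    if key != expected_key or proto != ETHERTYPE_IPV4:
        return None
    return pkt[off:]
```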
IPSec Overview
IPSec (IP Security) is a framework of open standards developed by the Internet Engineering Task Force (IETF).
IPSec includes two protocols: the AH (Authentication Header) protocol and the ESP (Encapsulating Security Payload) protocol.
IPSec provides security services at the IP layer; there are two work modes: tunnel mode and transport mode.
Composition of the IPSec Protocol
IPSec provides two security protocols
● AH (Authentication Header)
MD5 (Message Digest 5)
SHA1 (Secure Hash Algorithm)
● ESP (Encapsulating Security Payload)
DES (Data Encryption Standard)
3DES
Other algorithms: Blowfish, CAST ...
Security Features of IPSec
Confidentiality: encrypt client data and transmit it as cipher text.
Data integrity: authenticate the received data so as to determine whether the packet has been modified.
Data authentication: authenticate the data source to make sure that the data was sent by the real sender.
● Data integrity
● Data origin authentication
Anti-replay: prevent a malicious client from repeatedly sending a data packet. In other words, the receiver denies old or repeated data packets.
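Added example (not Huawei's code): the receiver-side anti-replay check described above, as a sliding window of 64 sequence numbers over the ESP Sequence Number, with one window per inbound SA selected by SPI; the SPI values are constructed:

```python
import struct

class ReplayWindow:
    """Added example (not Huawei's code): receiver-side anti-replay window over the 32-bit
    ESP/AH Sequence Number (RFC 4303 style; window size 64, no extended sequence numbers)."""
    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set = sequence number (top - i) already received

    def check(self, seq):
        """Is seq new and inside the window? Does not change state: run it before the ICV check."""
        if seq == 0:                                 # the first valid number on an SA is 1
            return False
        if seq > self.top:                           # right of the window: always new
            return True
        if self.top - seq >= self.size:              # left of the window: too old, drop
            return False
        return not (self.bitmap >> (self.top - seq)) & 1

    def update(self, seq):
        """Record seq as received; call only after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def accept(self, seq):
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok

def parse_esp_header(pkt):
    """The first two words of the ESP format: SPI and Sequence Number, both sent unencrypted."""
    return struct.unpack("!II", pkt[:8])

class EspReceiver:
    """One window per inbound SA, selected by SPI; icv_ok stands in for the real ESP Auth check."""
    def __init__(self, spis, window=64):
        self.windows = {spi: ReplayWindow(window) for spi in spis}

    def accept(self, pkt, icv_ok=True):
        spi, seq = parse_esp_header(pkt)
        window = self.windows.get(spi)
        if window is None or not window.check(seq):  # unknown SA, replay or too old: drop early
            return False
        if not icv_ok:                               # forged packet: the window must not advance
            return False
        window.update(seq)
        return True
```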
Basic Concept of IPSec
Security Association
Security Parameter Index
Sequence Number
Life Time
Data Flow
Security Proposal
AH Protocol
Original packet: IP HDR | Data
Transport mode: IP HDR | AH | Data
Tunnel mode: New IP HDR | AH | Org IP HDR | Data
AH format (bit offsets 0, 8, 16, 31):
Next Header (8) | Payload Len (8) | RESERVED (16)
Security Parameters Index (SPI) (32)
Sequence Number Field (32)
Authentication Data (variable)
ESP Protocol
Original packet: IP HDR | Data
Transport mode: IP HDR | ESP Hdr | Data | ESP Trailer | ESP Auth
Tunnel mode: New IP HDR | ESP Hdr | Org IP HDR | Data | ESP Trailer | ESP Auth
(the Data, or Org IP HDR and Data in tunnel mode, together with the ESP Trailer form the encrypted part)
ESP format (bit offsets 0, 8, 16, 24):
Security Parameters Index (SPI) (32)
Sequence Number (32)
Payload Data* (variable)
Padding (0-255 bytes)
Pad Length (8) | Next Header (8)
Authentication Data (variable)
IKE
IKE (Internet Key Exchange) is an Internet key exchange protocol; it implements a hybrid protocol of both the Oakley and SKEME key exchanges.
This protocol defines standards for automatically authenticating IPSec peers, negotiating security services and generating shared keys.
IKE calculates the key; it does not transmit the key.
IKE Security Mechanism
Perfect Forward Secrecy
Authentication
● Identity authentication
● Identity protection
DH exchange and key distribution
IKE Exchange Process
[Figure: Peer1 - Peer2, three exchanges.
1. SA exchange: Peer1 sends its local IKE strategy (strategy of sender); Peer2 searches for the matched strategy and confirms it (strategy of receiver confirmed); both sides confirm the algorithms to be used.
2. Key exchange: the key information of the sender and of the receiver are exchanged; each side generates the key.
3. ID exchange and authentication: the ID and auth data of the sender and of the receiver are exchanged; each side authenticates the peer identity]
DH Exchange and Key Product
[Figure: Peer1 and Peer2 share the public parameters $(g, p)$]
Peer1 picks a private value $a$ and sends $c = g^{a} \bmod p$; Peer2 picks a private value $b$ and sends $d = g^{b} \bmod p$.
Peer1 computes $d^{a} \bmod p$ and Peer2 computes $c^{b} \bmod p$; both obtain the same key:
$$d^{a} \bmod p = c^{b} \bmod p = g^{ab} \bmod p$$
The Function of IKE in IPSec
Reduces the complexity of manual configuration
Updates the IPSec SA after an interval
Updates the encryption key after an interval
Permits IPSec to provide anti-replay
Permits dynamic authentication between the peers
Relation Between IPSec and IKE
[Figure: on each of the two peers, IKE runs over UDP (beside TCP) above IPSec, which sits at the IP layer; IKE on the two peers performs the IKE SA negotiation, and the resulting SA on each side protects the encrypted IP packets exchanged between them]