
Internet Protocol Security (IPSec) Transport Mode


GROUP MEMBERS
MUHAMMAD SHAIFUL BIN SHAFAIN
MUHAMMAD ARIF IRFAN B. MOHD TARMIDZI
MOHAMMAD AMIRUL BIN AZIZ
AHMAD RADHI ZIKRI BIN AZIZ

History of Internet Protocol (IP)

The IP protocol was designed in the late 70s to early 80s
Part of the DARPA Internet Project
Very small network
All hosts are known!
So are the users!
Therefore, security was not an issue.

Security issues that are related to IP

Issue                                            Attack type
Source spoofing (usually used in DoS attacks)    DoS attacks
Replay packets                                   Replay attacks
No data integrity and confidentiality            Spying

Goals of IPSec

To verify sources of IP packets (authentication)
To prevent replaying of old packets
To protect integrity and/or confidentiality of packets (data integrity / data encryption)

The IPSec Security Model

[Figure: the IPSec security model, contrasting the Secure and Insecure sides]

IPSec Architecture

ESP: Encapsulating Security Payload
AH: Authentication Header
IPSec Security Policy
IKE: The Internet Key Exchange

IPSec Architecture

IPSec provides security in three situations:
Host-to-host, host-to-gateway and gateway-to-gateway

IPSec operates in two modes:
Transport mode (for end-to-end)
Tunnel mode (for VPN)

IPSec Architecture (Tunnel and Transport Mode)

[Figure: Transport Mode (end-to-end) and Tunnel Mode (between two Routers)]

Various Packets

Original packet:  Original IP Header | TCP Header | Data
Transport Mode:   IP Header | IPSec Header | TCP Header | Data
Tunnel Mode:      IP Header | IPSec Header | IP Header | TCP Header | Data

Authentication Header

Provides source authentication: protects against source spoofing
Provides data integrity
Protects against replay attacks: uses monotonically increasing sequence numbers
Protects against denial of service attacks
There is NO protection for confidentiality.

Authentication Header (AH) Packet Details

New IP header
AH header:  Next header | Payload length | Reserved
            Security Parameters Index (SPI)
            Sequence Number
            Authentication Data (hash of everything else)
Old IP header (only in Tunnel mode)
TCP header
Data

Authenticated: the whole packet (everything except the Authentication Data itself is hashed).
Encapsulated TCP or IP packet: the old IP header (Tunnel mode only), the TCP header and the Data.

Encapsulating Security Payload (ESP)

Provides all that AH offers, and
in addition provides data confidentiality
Uses symmetric key encryption

Encapsulating Security Payload (ESP) Packet Structure

IP header
Next header | Payload length | Reserved
Security Parameters Index (SPI)
Sequence Number
Initialization vector
TCP header
Data
Pad | Pad length | Next header
Authentication Data

Authenticated: from the SPI through the Next header field at the end of the trailer.
Encrypted TCP packet: the TCP header, Data, Pad, Pad length and Next header.

IPSec TRANSPORT MODE

IPSec Transport mode is used for end-to-end communications, for example, for communication between a client and a server or between a workstation and a gateway.
A good example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.

Figure for IPSec Encrypted Transport

Continue

Transport mode provides the protection of our data, also known as the IP Payload, which consists of the TCP/UDP header + Data, through an AH or ESP header.
The payload is encapsulated by the IPSec headers and trailers.
The original IP headers remain intact, except that the IP protocol field is changed to ESP (50) or AH (51), and the original protocol value is saved in the IPsec trailer to be restored when the packet is decrypted.
IPSec transport mode is usually used when another tunneling protocol (like GRE) is used to first encapsulate the IP data packet; IPSec is then used to protect the GRE tunnel packets.
IPSec protects the GRE tunnel traffic in transport mode.
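The ESP transport-mode framing described above, as an added example that is not part of the original slides: the original IPv4 header keeps its addresses but gets protocol 50, the original protocol number (6, TCP) is saved in the ESP trailer's Next header field, and decapsulation checks the Authentication Data and the sequence number before restoring it. The sample packet and key are constructed; the ICV is assumed to be HMAC-SHA256 truncated to 16 bytes, and payload encryption is left out so the framing stays readable.

```python
import hmac
import hashlib
import struct

ESP_PROTO = 50   # IP protocol number for ESP (51 would be AH)
ICV_LEN = 16     # assumed: HMAC-SHA256 truncated to 16 bytes

# Constructed sample: 20-byte IPv4 header, protocol 6 (TCP), 10.0.0.1 -> 10.0.0.2
IP_HDR = bytes([0x45, 0, 0, 0x2d, 0, 1, 0, 0, 64, 6, 0, 0,
                10, 0, 0, 1, 10, 0, 0, 2])
# Constructed sample payload: a minimal 20-byte TCP header plus 5 data bytes
PAYLOAD = bytes([0x04, 0xd2, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0,
                 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0]) + b"hello"
KEY = b"constructed-demo-key"


def esp_encapsulate(ip_hdr, payload, spi, seq, key):
    """Wrap payload in ESP (transport mode); return (new_ip_hdr, esp_pkt).

    Encryption of the payload is omitted here so the framing stays visible;
    a real stack would also recompute the IPv4 total length and checksum.
    """
    orig_proto = ip_hdr[9]                      # e.g. 6 for TCP
    pad_len = (-(len(payload) + 2)) % 4         # align trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, orig_proto])
    body = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    # Only byte 9 (protocol) changes; source/destination stay intact
    new_ip_hdr = ip_hdr[:9] + bytes([ESP_PROTO]) + ip_hdr[10:]
    return new_ip_hdr, body + icv


def esp_decapsulate(new_ip_hdr, esp_pkt, key, last_seq=0):
    """Verify ICV and sequence number, then restore the original packet."""
    body, icv = esp_pkt[:-ICV_LEN], esp_pkt[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    if seq <= last_seq:                          # simple anti-replay check
        raise ValueError("replayed or out-of-order sequence number")
    pad_len, next_hdr = body[-2], body[-1]
    payload = body[8:-(2 + pad_len)]
    ip_hdr = new_ip_hdr[:9] + bytes([next_hdr]) + new_ip_hdr[10:]
    return ip_hdr, payload, spi, seq
```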

The packet diagram below illustrates IPSec Transport mode with ESP header:

The packet diagram below illustrates IPSec Transport mode with AH header:

Continue

The AH can be applied alone or together with the ESP when IPSec is in transport mode.
AH's job is to protect the entire packet; however, IPSec in transport mode does not create a new IP header in front of the packet but places a copy of the original with some minor changes to the protocol ID, therefore not providing essential protection to the details contained in the IP header (source IP, destination IP, etc.).
AH is identified in the new IP header with an IP protocol ID of 51.
In both ESP and AH cases with IPSec Transport
