Last active
December 20, 2015 07:59
-
-
Save ajithbh/6097594 to your computer and use it in GitHub Desktop.
Notes on IPSec
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| IPSec framework of open standards define the essentials of network security | |
| - Data Origin Authentication | |
| - Data Integrity | |
| - Data Confidentiality | |
| - Anti-replay | |
| IPSec provides security based on the negotiated Security Association (SA) | |
| A Security Association Database (SADB) is a repository of SA's, which can be added dynamically by means of Internet Key Exchange (IKE) or manually. | |
| IPSec uses Authentication Header (AH) and Encapsulation Securit Payload (ESP) to extend security to IP packets. | |
| AH provides data origin authentication, data integrity and anti-replay protection | |
| ESP provides data confidentiality, data origin authentication, data integrity and anti-replay protection | |
| AH Protocol format | |
| - Header | |
| +---------------------------------------------------------------+ | |
| | 0 | 1 | 2 | 3 | | |
| +---------------------------------------------------------------+ | |
| |0|1|2|3|4|5|6|7|0|1|2|3|4|5|6|7|0|1|2|3|4|5|6|7|0|1|2|3|4|5|6|7| | |
| +---------------------------------------------------------------+ | |
| | Next Header | Payload Len | Reserved | | |
| +---------------------------------------------------------------+ | |
| | Security Parameter Index (SPI) | | |
| +---------------------------------------------------------------+ | |
| | Sequence Number | | |
| +---------------------------------------------------------------+ | |
| | Integrity Check Value (ICV) | | |
| . .... . | |
| +---------------------------------------------------------------+ | |
| The sequence number protects against anti-replay attacks. Increases monotonically. Sender and receiver must monitor the counter to ensure that it never cycles. When counter cycles, SA becomes invalid and a new SA must be established. | |
| The Authentication Data field provides data integrity and data origin authentication. It contains a generated Integrity Check Value (ICV), result of a hashed message authentication code (HMAC) algorithm. | |
| AH in Transport Mode - | |
| Authenticated IP packet | |
| +---------------------------------------------------------------+ | |
| | IP Header | AH | Payload | | |
| +---------------------------------------------------------------+ | |
| AH in Tunnel Mode - | |
| +---------------------------------------------------------------+ | |
| | Outer IP Header | AH | IP Header | Payload | | |
| +---------------------------------------------------------------+ | |
| ESP format | |
| +---------------------------------------------------------------+ | |
| | 0 | 1 | 2 | 3 | | |
| +---------------------------------------------------------------+ | |
| |0|1|2|3|4|5|6|7|0|1|2|3|4|5|6|7|0|1|2|3|4|5|6|7|0|1|2|3|4|5|6|7| | |
| +---------------------------------------------------------------+ | |
| | Security Parameter Index (SPI) | | |
| +---------------------------------------------------------------+ | |
| | Sequence Number | | |
| +---------------------------------------------------------------+ | |
| | Payload Data | | |
| + +-----------------------------------------------+ | |
| | | Padding (0 to 255 octets) | | |
| +---------------+ +-------------------------------+ | |
| | | Pad Length | Next Header | | |
| +---------------------------------------------------------------+ | |
| | Integrity Check Value (ICV) | | |
| . .... . | |
| +---------------------------------------------------------------+ | |
| Security Association (SA) is created between the two peers. The SPI identifies an SA to be used for a given packet. Sequence number protects against anti-replay attacks. | |
| Along with the encrypted packet, the encryption algorithm uses an initialization vector (IV). Typically, the IV is stored in the first 'n' bytes of the payload field. | |
| Authentication uses ICV same as AH. | |
| ESP in Transport Mode - | |
| +---------------------------------------------------------------+ | |
| | IP Header | ESP | Payload | Trailer | | |
| +---------------------------------------------------------------+ | |
| | <------------- Encrypted --------------------> | | |
| ESP in Tunnel Mode - | |
| +---------------------------------------------------------------+ | |
| | Outer IP Header | ESP | IP Header | Payload | Trailer | | |
| +---------------------------------------------------------------+ | |
| | <------------- Encrypted -----------------> | | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment