http://www.tech-invite.com

IPSec Guide
Architecture & Traffic Processing

Copyright © 2005-2007 Tech-invite.com Joël Repiquet. All Rights Reserved.

V1.0 – March 2, 2005

This document presents the document roadmap for IPSec, as well as a host-to-host architectural model, followed by a sequence of slides illustrating IPSec traffic processing related to this model.

8 pages
IPSec Document Roadmap

(The original slide is a diagram of the RFC 2401 document family; its boxes and the arrows between them are rendered here as text.)

Core architecture:
  RFC 2401 – Security Architecture for the Internet Protocol – Stephen Kent, Randall Atkinson – Nov 1998
  RFC 2406 – IP Encapsulating Security Payload (ESP) – Stephen Kent, Randall Atkinson – Nov 1998
  RFC 2402 – IP Authentication Header (AH) – Stephen Kent, Randall Atkinson – Nov 1998
  RFC 2411 – IP Security Document Roadmap – Rodney Thayer, et al. – Nov 1998

"Uses" arrows: ESP uses the Encryption Algorithms documents; ESP and AH both use the Authentication Algorithms documents.

Encryption Algorithms:
  RFC 2451 – ESP CBC-Mode Cipher Algorithms – Roy Pereira, Rob Adams – Nov 1998
  RFC 2410 – NULL Encryption Algorithm and its Use with IPsec – Rob Glenn, Stephen Kent – Nov 1998
  RFC 2405 – ESP DES-CBC Cipher Algorithm with Explicit IV – Cheryl Madson, N. Doraswamy – Nov 1998

Authentication Algorithms:
  RFC 2403 – Use of HMAC-MD5-96 within ESP and AH – Cheryl Madson, Rob Glenn – Nov 1998
  RFC 2404 – Use of HMAC-SHA-1-96 within ESP and AH – Cheryl Madson, Rob Glenn – Nov 1998
  RFC 2104 – HMAC: Keyed-Hashing for Message Authentication – Krawczyk, et al. – Feb 1997

Domain of Interpretation (linked to the algorithm documents by the arrow "Dictate some of the values"; supplements IKE/ISAKMP with respect to Phase 2):
  RFC 2407 – Internet IP Security Domain of Interpretation (DOI) for ISAKMP – Derrell Piper – Nov 1998

Key management:
  RFC 2408 – Internet Security Association and Key Management Protocol (ISAKMP) – Maughan, et al. – Nov 1998 (provides a framework for authentication and key exchange)
  RFC 2409 – Internet Key Exchange (IKE) – Dan Harkins, Dave Carrel – Nov 1998 (uses parts of, but is not dependent on, the two following protocols)
    RFC 2412 – OAKLEY Key Determination Protocol – Hilarie K. Orman – Nov 1998
    SKEME: A Versatile Secure Key Exchange Mechanism for Internet – Hugo Krawczyk – Nov 1995
IPSec Architecture – Host-to-Host Model

(The original slide is a block diagram of two hosts: IPSec Peer A (Initiator role) at address IP@ a, and IPSec Peer B (Responder role) at address IP@ b. Each host is drawn as the stack below; the two IKE entities share an ISAKMP SA, and the two IPSec drivers share an AH SA and an ESP SA.)

  TCP/IP Applications
  Policy Agent, holding the IP Filters and the Main & Quick Modes Settings, fed by a Domain-Wide Policy Manager common to both peers
  IKE, on UDP port 500 (ISAKMP SA between the two IKE entities)
  TCP / UDP
  IP, with the IPSec driver: SPD (Security Policy Database), SAD (Security Association Database), AH and ESP (AH SA and ESP SA between the two drivers)
  Network Interface
IPSec Traffic Processing – 1) Initialisation

(Same diagram as the architecture slide, with IPSec Peer A (Initiator role) and IPSec Peer B (Responder role); the numbered steps below are marked on both sides.)

1. Retrieve Policy Data from a domain-wide manager (as an alternative: from a local database)
2. Distribute security settings to IKE
3. Fill in, directly or via the IPSec Driver, the SPD (Security Policy Database) with IP filters (ordered list of rules with selectors)

IP connectivity between A and B is a prerequisite.
IPSec Traffic Processing – 2) IKE Phase 1 Triggering

(Diagram of IPSec Peer A (Initiator role) and IPSec Peer B (Responder role); steps 1 to 8 are marked on side A, steps 9 to 13 on side B.)

1. First outgoing "applicative" IP packet
2. The outgoing interface is IPSec-enabled and therefore the packet is passed to the IPSec driver
3. SPD check returns "secured"
4. Is there an appropriate active SA in the SAD? – No
5. Request to IKE for creating the SA
6. IKE starts Phase 1 by sending an ISAKMP message ("HDR, SA") to Peer B
   (steps 2 and 3 again, this time for the IKE packet)
   2. "IKE" IP packet passed to the IPSec driver
   3. SPD check returns "permitted" (IKE traffic is not to be secured via AH/ESP)
7. Packet returned unmodified by the IPSec driver
8. "IKE" packet sent towards B
9. "IKE" packet received by B
10. The incoming interface is IPSec-enabled and therefore the packet is passed to the IPSec driver
11. SPD check returns "permitted" (IKE traffic is not to be secured via AH/ESP)
12. Packet returned by the IPSec driver
13. IKE message received by IKE on side B
IPSec Traffic Processing – 3) IKE Phase 1 Completion

(Diagram of IPSec Peer A (Initiator role) and IPSec Peer B (Responder role); the exchange runs between the two IKE entities on UDP port 500 and results in the ISAKMP SA.)

Note: the following exchanges are detailed in another document.

  HDR, SA Negotiation
  Diffie-Hellman Exchange
  Authentication
  → ISAKMP SA established between IKE on A and IKE on B
IPSec Traffic Processing – 4) IKE Phase 2 & Secured Traffic Resumption

(Diagram of IPSec Peer A (Initiator role) and IPSec Peer B (Responder role), with the ISAKMP SA between the two IKE entities on UDP port 500; step 1 is marked on both sides.)

1. The Quick Mode negotiation results in one outbound and one inbound SA, with SPI-a and SPI-b respectively chosen by the initiator and the responder
2. The SAD is updated by IKE on each side
3. On the initiator side, IKE notifies the IPSec driver in answer to its previous request
4. Retrieval of SA parameters in the SAD is resumed for the pending "application" packet
5. Packet is modified with ESP (depending on SA mode: transport / tunnel) and sent back to IP
6. The secured packet is sent towards B
7. The secured packet is received on side B
8. It is sent to the IPSec driver
9. The inbound SA is retrieved from the SPI value in the ESP header. Checks are performed.
10. The ESP header and trailer are removed and the IP packet sent back to the IP module
11. Payload is sent to upper layers




                                                                                                                              IKE                         ISAKMP SA                           IKE
                                                                                                          1                                                                                                       1
                                                                                           UDP                                                                                                                                 UDP
                                                                                           #500                                                                                                                                #500
Copyright © 2005-2007 Tech-invite.com Joël Repiquet. All Rights Reserved.




                                                                                                                          2      3            Note: the following exchanges are                         2
                                                                                                                                              detailed in another document

                                                                                TCP / UDP                                                      1        HDR*, HASH(1),                                                           TCP / UDP
                                                                                                                                                           SA, Ni...
                                                                                                          SPD        SAD                                HDR*, HASH(2),                              SAD       SPD
                                                                                                                                                           SA, Nr...

                                                                                                                      4                                  HDR*, HASH(3)                              9                                          11



                                                                                                                                         AH                                         AH
                                                                                                                                                                                                                      10

                                                                                    IP                            IPSec                                                                              IPSec                             IP
                                                                                                                                     5                                                   10
                                                                                                      5                                                          SA                                                   8
                                                                                                                                         ESP                                       ESP
                                                                                                                                                                 SA
                                                                                   IP@ a                                                                                                                                              IP@ b
                                                                            6                     1                                                                                                                        1                   7


                                                                                 Network                                                                                                                                          Network
                                                                                 Interface                                                                                                                                        Interface
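The ESP part of the slide above (steps 4 to 11), as an added example that is not from the Tech-invite slides: a small Python model of the SAD and of ESP transport-mode encapsulation and decapsulation, using NULL encryption (RFC 2410) and HMAC-SHA1-96 (RFC 2404) from the document roadmap so the packet layout stays visible. The SPI value, key, selectors and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP_HDR_LEN = 8     # SPI (4 bytes) + Sequence Number (4 bytes), RFC 2406
ICV_LEN = 12        # HMAC-SHA1-96 keeps the first 96 bits of the HMAC, RFC 2404
REPLAY_WINDOW = 64  # anti-replay window size, RFC 2406 sec. 3.4.3


class DropPacket(Exception):
    """An inbound packet failed a check and must be discarded."""


@dataclass
class SA:
    spi: int
    auth_key: bytes
    seq: int = 0          # outbound: last sequence number sent
    highest_seq: int = 0  # inbound: right edge of the anti-replay window
    window: int = 0       # inbound: bit i set => highest_seq - i already seen


class SAD:
    """Security Association Database: outbound SAs are keyed by the packet
    selectors (step 4), inbound SAs by the SPI of the ESP header (step 9)."""
    def __init__(self):
        self.outbound = {}  # (src, dst) -> SA
        self.inbound = {}   # spi -> SA


def esp_encapsulate(sa, next_header, payload):
    """Step 5: wrap a payload in ESP, transport mode, NULL encryption."""
    sa.seq += 1  # the first packet sent on an SA carries sequence number 1
    # Pad so that Pad Length and Next Header end on a 4-byte boundary.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # default padding bytes 1, 2, 3...
    header = struct.pack("!II", sa.spi, sa.seq)
    body = payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(sa.auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


def _replay_is_new(sa, seq):
    if seq == 0:
        return False
    if seq > sa.highest_seq:
        return True
    offset = sa.highest_seq - seq
    return offset < REPLAY_WINDOW and not (sa.window >> offset) & 1


def _replay_update(sa, seq):
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.window = ((sa.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
        sa.highest_seq = seq
    else:
        sa.window |= 1 << (sa.highest_seq - seq)


def esp_decapsulate(sad, packet):
    """Steps 9 and 10: find the inbound SA by SPI, run the checks, strip ESP."""
    if len(packet) < ESP_HDR_LEN + 2 + ICV_LEN:
        raise DropPacket("runt ESP packet")
    spi, seq = struct.unpack("!II", packet[:ESP_HDR_LEN])
    sa = sad.inbound.get(spi)
    if sa is None:
        raise DropPacket(f"no inbound SA for SPI {spi:#010x}")
    if not _replay_is_new(sa, seq):  # preliminary check, before the ICV
        raise DropPacket(f"replayed or stale sequence number {seq}")
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise DropPacket("ICV mismatch")
    _replay_update(sa, seq)  # the window only advances once the ICV verified
    pad_len, next_header = authed[-2], authed[-1]
    end = len(authed) - 2 - pad_len
    if end < ESP_HDR_LEN:
        raise DropPacket("bad pad length")
    return next_header, authed[ESP_HDR_LEN:end]


def demo():
    """Peer A sends the pending packet to B, then replays it. SPI-b is chosen
    by responder B for its inbound SA, so A's outbound SA carries it."""
    spi_b, key = 0x0000B001, b"sample-hmac-sha1-key"  # constructed values
    sad_a, sad_b = SAD(), SAD()
    sad_a.outbound[("IP@a", "IP@b")] = SA(spi_b, key)  # step 2 on side A
    sad_b.inbound[spi_b] = SA(spi_b, key)              # step 2 on side B
    segment = b"\x04\xd2\x00\x50pending application data"  # constructed TCP data
    wire = esp_encapsulate(sad_a.outbound[("IP@a", "IP@b")], 6, segment)  # 6 = TCP
    next_header, payload = esp_decapsulate(sad_b, wire)  # steps 7 to 10 on B
    try:
        esp_decapsulate(sad_b, wire)  # the same packet again: must be dropped
        replay_dropped = False
    except DropPacket:
        replay_dropped = True
    return next_header, payload, replay_dropped
```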
IPSec Traffic Processing – 5) Secured (Outgoing) Traffic

IPSec Peer A (Initiator role) / IPSec Peer B (Responder role)

[Figure: the same host-to-host model with the ISAKMP SA and the ESP SAs in place; the path of a secured outgoing packet is numbered 1 to 13 on the diagram, from the upper layers of A through the SPD and SAD lookups, ESP processing, IP and the Network Interface, then on B from the Network Interface up through IP, the IPSec driver and its SAD to the upper layers; the slide carries no step text]
