LECTURE 5, 6
IPsec operation: Internet Key Exchange
SECURITY PROTOCOLS
EC-Council
Contents
 IPsec key management
 VPN network configuration
 GRE tunnel
 Comparison of IPsec and SSL
 Conclusion
© 2012 Cisco and/or its affiliates. All rights reserved.
IPsec
IPsec Protocol Framework (figure)
IPsec protocol: AH, ESP, ESP + AH
Confidentiality: DES, 3DES, AES, SEAL
Integrity: MD5, SHA
Authentication: PSK, RSA
Diffie-Hellman: DH1, DH2, DH5, DH7
IPsec Protocol Framework (figure)
Confidentiality (figure)
Integrity (figure)
Authentication (figure)
Secure Key Exchange (figure): Diffie-Hellman groups
DH1 = 768 bits, DH2 = 1024 bits (used by DES and 3DES)
DH5 = 1536 bits (used by AES)
DH7
Authentication Header (AH)
 AH provides authentication and optional replay-detection services.
• It authenticates the sender of the data.
• AH operates on protocol number 51.
• AH supports the HMAC-MD5 and HMAC-SHA-1 algorithms.
Encapsulating Security Payload (ESP)
 ESP provides the same security services as AH (authentication and integrity) AND an encryption service.
• It encapsulates the data to be protected.
• It operates on protocol number 50.
Key Exchange
SA Security Parameters (figure)
How IPsec uses IKE (figure)
1. Outbound packet is sent from Alice to Bob. No IPsec SA.
4. Packet is sent from Alice to Bob protected by IPsec SA.
IKE - Internet Key Exchange
 There are two phases in every IKE negotiation:
• Phase 1 (Authentication)
– The first phase establishes an ISAKMP SA, based on pre-shared keys (PSK), RSA keys and X.509 certificates, or even Kerberos.
• Phase 2 (Key Exchange)
– In the second phase the ISAKMP SA is used to negotiate and set up the IPsec SAs.
 IKE negotiation can also occur in:
• Main Mode
• Aggressive Mode
 The difference between the two is that Main Mode requires the exchange of 6 messages while Aggressive Mode requires only 3.
IKE Phases 1 and 2
 IKE Phase One:
1. Negotiates an IKE protection suite.
2. Exchanges keying material to protect the IKE session (DH).
3. Authenticates each other.
• Establishes the IKE SA.
• Main Mode requires the exchange of 6 messages while Aggressive Mode only uses 3 messages.
 IKE Phase Two:
1. Negotiates IPsec security parameters, known as IPsec transform sets.
• Establishes IPsec SAs.
• Periodically renegotiates IPsec SAs to ensure security.
• Quick Mode exchange, realized with 3 messages.
Main Mode
 Main Mode negotiates an ISAKMP SA which will be used to create IPsec SAs.
 Three steps:
• SA negotiation
• Diffie-Hellman and nonce exchange
– Oakley Key Determination Protocol - RFC 2412
• Authentication
IKE Phase 1 Main Mode (Kerberos)
1. Initiator -> Responder: Header, SA Proposals
2. Responder -> Initiator: Header, Selected SA Proposal
3. Initiator -> Responder: Header, D-H Key Exchange, Nonce_i, Kerberos Token_i
4. Responder -> Initiator: Header, D-H Key Exchange, Nonce_r, Kerberos Token_r
5. Initiator -> Responder: Header, Id_i, Hash_i (encrypted)
6. Responder -> Initiator: Header, Id_r, Hash_r (encrypted)
IKE Phase 1 Main Mode (Certificate)
1. Initiator -> Responder: Header, SA Proposals
2. Responder -> Initiator: Header, Selected SA Proposal
3. Initiator -> Responder: Header, D-H Key Exchange, Nonce_i
4. Responder -> Initiator: Header, D-H Key Exchange, Nonce_r, Certificate Request
5. Initiator -> Responder: Header, Id_i, Certificate_i, Signature_i, Certificate Request (encrypted)
6. Responder -> Initiator: Header, Id_r, Certificate_r, Signature_r (encrypted)
IKE Phase 1 Main Mode (Pre-shared Key)
1. Initiator -> Responder: Header, SA Proposals
2. Responder -> Initiator: Header, Selected SA Proposal
3. Initiator -> Responder: Header, D-H Key Exchange, Nonce_i
4. Responder -> Initiator: Header, D-H Key Exchange, Nonce_r
5. Initiator -> Responder: Header, Id_i, Hash_i (encrypted)
6. Responder -> Initiator: Header, Id_r, Hash_r (encrypted)
IKE Phase 2 Quick Mode
 All traffic is encrypted using the ISAKMP Security Association.
 Each Quick Mode negotiation results in two IPsec Security Associations (one inbound, one outbound).
Quick Mode Negotiation (all three messages encrypted under the ISAKMP SA)
1. Initiator -> Responder: Header, Hash, IPsec Proposed SA
2. Responder -> Initiator: Header, Hash, IPsec Selected SA
3. Initiator -> Responder: Header, Hash, Connected Notification
IKE Phases (figure)
Main Mode
 Protects against DoS attacks
IKE session key computation
 Four types of key are used:
 SKEYID – master key (DH)
 SKEYID_d – for IKE SAs
 SKEYID_a – authentication key for messages
 SKEYID_e – encryption key for messages
Five Steps of IPsec
Step 1: Host A sends interesting traffic destined for Host B.
Step 2: IKE Phase 1 authenticates IPsec peers and negotiates IKE SAs to create a secure communications channel for negotiating IPsec SAs in Phase 2.
Step 3: IKE Phase 2 negotiates IPsec SA parameters and creates matching IPsec SAs in the peers to protect data and messages exchanged between endpoints.
Step 4: Data transfer occurs between IPsec peers based on the IPsec parameters and keys stored in the SA database.
Step 5: IPsec tunnel termination occurs when SAs are deleted or time out.
Step 1 – Interesting Traffic (figure)
Step 2 – IKE Phase 1: IKE Policy Negotiation (figure)
Step 2 – IKE Phase 1: DH Key Exchange (figure)
RouterA randomly chooses a string and sends it to RouterB. RouterB hashes the received string together with the pre-shared secret and yields a hash value. RouterB sends the result of hashing back to RouterA. RouterA calculates its own hash of the random string, together with the pre-shared secret, and matches it with the received result from the other peer. If they match, RouterB knows the pre-shared secret and is considered authenticated.
Now RouterB randomly chooses a different random string and sends it to RouterA. RouterA also hashes the received string together with the pre-shared secret and yields a hash value. RouterA sends the result of hashing back to RouterB. RouterB calculates its own hash of the random string, together with the pre-shared secret, and matches it with the received result from the other peer. If they match, RouterA knows the pre-shared secret and is considered authenticated.
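The key computation slide (SKEYID, SKEYID_d, SKEYID_a, SKEYID_e) and the pre-shared-secret hash challenge between RouterA and RouterB described above are the RFC 2409 Main Mode derivation; the following is an added example (not code from the slides or from Cisco) that runs both sides of that derivation in Python over Diffie-Hellman group 2 and verifies Hash_i/Hash_r, then repeats it with peers holding different pre-shared keys. The cookies, nonces, identities, SA body and PSK values are constructed sample values, and prf is HMAC-SHA-1.

```python
# IKEv1 Main Mode with a pre-shared key: the SKEYID family and HASH_I/HASH_R
# from RFC 2409 section 5. Added example; all peer values are constructed.
import hmac
import hashlib
import secrets

# Diffie-Hellman group 2: the 1024-bit MODP prime of RFC 2409 section 6.2.
P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
KE_LEN = 128  # a group 2 public value travels as a 128-byte KE payload


def prf(key: bytes, data: bytes) -> bytes:
    """The IKE prf is HMAC with the negotiated hash; HMAC-SHA-1 here (20 bytes)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair() -> tuple:
    """Random private exponent x and the KE payload g^x mod p."""
    x = secrets.randbelow(P_GROUP2 - 2) + 1
    return x, pow(GENERATOR, x, P_GROUP2).to_bytes(KE_LEN, "big")


def dh_shared(x: int, peer_ke: bytes) -> bytes:
    """g^xy mod p computed from our exponent and the peer's KE payload."""
    return pow(int.from_bytes(peer_ke, "big"), x, P_GROUP2).to_bytes(KE_LEN, "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Pre-shared key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def session_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID_d, SKEYID_a, SKEYID_e: each step feeds the previous output back in."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")      # keying material for the Phase 2 SAs
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")  # integrity key for IKE messages
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")  # encryption key for IKE messages 5, 6
    return {"SKEYID": skeyid, "SKEYID_d": d, "SKEYID_a": a, "SKEYID_e": e}


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sa_i, id_i) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sa_i + id_i)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sa_i, id_r) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sa_i + id_r)


def main_mode_psk(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Derive keys on both sides of a Main Mode exchange and verify the
    peer-authentication hashes of messages 5 and 6. Each side uses its own
    copy of the PSK, so mismatched copies show how authentication fails."""
    # Constructed values for the cleartext fields of messages 1 to 4.
    cky_i, cky_r = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210")
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    sa_i = b"\x00\x00\x00\x01ISAKMP-proposal-3DES-SHA1-PSK-DH2"   # SAi_b body
    id_i = b"\x01\x00\x00\x00" + bytes([192, 168, 1, 1])            # IPV4_ADDR identity
    id_r = b"\x01\x00\x00\x00" + bytes([192, 168, 2, 1])

    # Messages 3 and 4: KE payloads and nonces cross the wire in the clear.
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    gxy_i, gxy_r = dh_shared(xi, gxr), dh_shared(xr, gxi)
    keys_i = session_keys(skeyid_psk(psk_initiator, ni, nr), gxy_i, cky_i, cky_r)
    keys_r = session_keys(skeyid_psk(psk_responder, ni, nr), gxy_r, cky_i, cky_r)

    # Messages 5 and 6 (encrypted under SKEYID_e): each side sends a hash the
    # peer recomputes with its own SKEYID, so only a peer holding the same PSK
    # (and the same exchange transcript) is accepted.
    sent_hash_i = hash_i(keys_i["SKEYID"], gxi, gxr, cky_i, cky_r, sa_i, id_i)
    sent_hash_r = hash_r(keys_r["SKEYID"], gxi, gxr, cky_i, cky_r, sa_i, id_r)
    responder_accepts = hmac.compare_digest(
        sent_hash_i, hash_i(keys_r["SKEYID"], gxi, gxr, cky_i, cky_r, sa_i, id_i))
    initiator_accepts = hmac.compare_digest(
        sent_hash_r, hash_r(keys_i["SKEYID"], gxi, gxr, cky_i, cky_r, sa_i, id_r))
    return {
        "dh_secret_agrees": gxy_i == gxy_r,   # DH alone succeeds even with a wrong PSK
        "keys_agree": keys_i == keys_r,       # ... but every SKEYID_* then differs
        "responder_accepts": responder_accepts,
        "initiator_accepts": initiator_accepts,
        "key_len": len(keys_i["SKEYID_e"]),   # 20 bytes with HMAC-SHA-1
    }


if __name__ == "__main__":
    print("same PSK on both peers:", main_mode_psk(b"s3cret", b"s3cret"))
    print("different PSKs        :", main_mode_psk(b"s3cret", b"wrong"))
```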
Step 2 – IKE Phase 1: Peer Authentication (figure)
Step 3 – IKE Phase 2: IPsec Negotiation (figure)
Step 3 – IKE Phase 2: Transform Set Negotiation (figure)
Step 3 – IKE Phase 2: Security Associations (figure)
Step 4 – IPsec Session (figure)
Step 5 – Tunnel Termination (figure)
GRE Tunnel
Layer 3 Tunneling
 There are 2 popular site-to-site tunneling protocols:
• Cisco Generic Routing Encapsulation (GRE)
• IP Security Protocol (IPsec)
 When should you use GRE and/or IPsec? (decision flowchart)
• Is the user traffic IP only? No: use a GRE tunnel. Yes: continue.
• Is the traffic unicast only? No: use a GRE tunnel. Yes: use an IPsec VPN.
Generic Routing Encapsulation (GRE)
 GRE can encapsulate almost any other type of packet.
• Uses IP to create a virtual point-to-point link between Cisco routers
• Supports multiprotocol (IP, CLNS, …) and IP multicast tunneling (and therefore routing protocols)
• Best suited for site-to-site multiprotocol VPNs
• RFC 1702 and RFC 2784
GRE header adds 24 bytes of additional overhead (figure)
Optional GRE Extensions
 GRE can optionally contain any one or more of these fields:
• Tunnel checksum
• Tunnel key
• Tunnel packet sequence number
 GRE keepalives can be used to track tunnel path status.
Generic Routing Encapsulation (GRE)
 GRE does not provide encryption!
• It can be monitored with a protocol analyzer.
 However, GRE and IPsec can be used together.
 IPsec does not support multicast/broadcast and therefore does not forward routing protocol packets.
• However, IPsec can encapsulate a GRE packet that encapsulates routing traffic (GRE over IPsec).
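To make the 24-byte overhead, the optional checksum/key/sequence fields and the cleartext nature of GRE from the three slides above concrete, here is an added Python example (not from the slides or from Cisco) that builds and parses GRE headers per RFC 2784/2890 around a constructed inner IPv4 packet addressed to the OSPF multicast group. Protocol numbers and field layout are from the RFCs; the inner packet and its payload text are constructed.

```python
# GRE over IPv4 (RFC 2784 base header, RFC 2890 key and sequence number).
# Added example; the inner packet below is constructed, not captured.
import struct

GRE_IP_PROTOCOL = 47        # value of the outer IPv4 "protocol" field for GRE
ETHERTYPE_IPV4 = 0x0800     # GRE protocol type for an IPv4 payload
IPV4_HEADER_LEN = 20        # minimal IPv4 header without options
FLAG_CHECKSUM, FLAG_KEY, FLAG_SEQ = 0x8000, 0x2000, 0x1000   # C, K and S bits


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's complement checksum (data padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def sample_inner_ipv4(payload: bytes) -> bytes:
    """Constructed inner packet: 10.1.1.1 -> 224.0.0.5 (AllSPFRouters), proto 89 (OSPF)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + len(payload),
                         0, 0, 64, 89, 0, bytes([10, 1, 1, 1]), bytes([224, 0, 0, 5]))
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    return header + payload


def build_gre(payload: bytes, protocol_type: int = ETHERTYPE_IPV4, *,
              checksum: bool = False, key: int = None, seq: int = None) -> bytes:
    """Base header is 4 bytes; each optional field present adds 4 more
    (checksum + reserved1, key, sequence number, in that order)."""
    flags = ((FLAG_CHECKSUM if checksum else 0) | (FLAG_KEY if key is not None else 0)
             | (FLAG_SEQ if seq is not None else 0))
    header = struct.pack("!HH", flags, protocol_type)
    if checksum:
        header += b"\x00\x00\x00\x00"            # checksum placeholder + reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    if checksum:                                  # checksum covers GRE header + payload
        csum = internet_checksum(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def parse_gre(packet: bytes) -> dict:
    """Decode the GRE header; the payload comes back exactly as carried (no encryption)."""
    flags, protocol_type = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:      # version 0 is GRE; version 1 is PPTP's enhanced GRE
        raise ValueError("unsupported GRE version %d" % (flags & 0x0007))
    fields, offset = {"protocol_type": protocol_type}, 4
    if flags & FLAG_CHECKSUM:
        fields["checksum"] = struct.unpack("!H", packet[offset:offset + 2])[0]
        fields["checksum_ok"] = internet_checksum(packet) == 0   # sum over whole packet
        offset += 4
    if flags & FLAG_KEY:
        fields["key"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_SEQ:
        fields["seq"] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    fields["header_len"] = offset
    fields["payload"] = packet[offset:]
    return fields


def tunnel_overhead(gre_header_len: int) -> int:
    """Bytes added per packet: the outer IPv4 header plus the GRE header."""
    return IPV4_HEADER_LEN + gre_header_len


def demo() -> dict:
    inner = sample_inner_ipv4(b"OSPF hello (constructed)")
    plain = parse_gre(build_gre(inner))
    extended = parse_gre(build_gre(inner, checksum=True, key=0xBEEF, seq=7))
    return {
        "base_overhead": tunnel_overhead(plain["header_len"]),         # 24, as on the slide
        "extended_overhead": tunnel_overhead(extended["header_len"]),  # 36 with C, K and S
        "checksum_ok": extended["checksum_ok"],
        "key": extended["key"],
        "seq": extended["seq"],
        "inner_visible": plain["payload"] == inner,  # a protocol analyzer sees it all
    }
```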
Five Steps to Configuring a GRE Tunnel
1. Create a tunnel interface: interface tunnel 0
2. Assign the tunnel an IP address.
3. Identify the source tunnel interface: tunnel source
4. Identify the tunnel destination: tunnel destination
5. (Optional) Identify the protocol to encapsulate in the GRE tunnel: tunnel mode gre ip
• By default, GRE is tunneled in an IP packet.
GRE Tunnel Example
R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 209.165.200.225
R1(config-if)# tunnel mode gre ip
R1(config-if)#

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 209.165.201.1
R2(config-if)# tunnel mode gre ip
R2(config-if)#
Comparison between IPsec and SSL
SSL (figure)
IPsec (figure)
IPsec vs SSL (figure)
Comparison - 1 (figure)
Comparison - 2 (figure)
Comparison of PGP, SSL and IPsec
Layer: PGP - application layer | SSL - transport layer (above TCP) | IPsec - network layer (above IP)
Operation: PGP - offline | SSL - online/real-time | IPsec - online/real-time
Connection model: PGP - connectionless (single data message; data order n/a; replay attack (timestamp)) | SSL - connection-oriented (a data stream; data order via TCP; defense against replay attack) | IPsec - connectionless (defense against replay attack)
Protected data: PGP - application payload only | SSL - application payload only | IPsec - transport mode: TCP header + application payload; tunnel mode: IP header + TCP header + payload
Authentication entity: PGP - user (Key ID) | SSL - SSL session (certificate) | IPsec - security association
Protected unit: PGP - entire data message | SSL - SSL connection/TCP/port
THANK YOU FOR YOUR ATTENTION
More Related Content

What's hot

Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaWardner Maia
 
Creating a firewall in UBUNTU
Creating a firewall in UBUNTUCreating a firewall in UBUNTU
Creating a firewall in UBUNTUMumbai University
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEamiable_indian
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec ProtocolsIPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
DPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway ApplicationDPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway ApplicationMichelle Holley
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talkanoean
 
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)Martin Schütte
 
Ip security in i psec
Ip security in i psecIp security in i psec
Ip security in i psecMohd Arif
 
IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1Abdallah Abuouf
 
Linux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationLinux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationVinoth Sivasubramanan
 
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs CollectionCCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs CollectionCAS
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Servermmoizuddin
 

What's hot (19)

Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
 
Ipsec
IpsecIpsec
Ipsec
 
Creating a firewall in UBUNTU
Creating a firewall in UBUNTUCreating a firewall in UBUNTU
Creating a firewall in UBUNTU
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic Concepts
 
Tunnel & vpn1
Tunnel & vpn1Tunnel & vpn1
Tunnel & vpn1
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 Security
 
Ip Sec
Ip SecIp Sec
Ip Sec
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoE
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec ProtocolsIPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
 
DPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway ApplicationDPDK IPSec Security Gateway Application
DPDK IPSec Security Gateway Application
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talk
 
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
The IPv6 Snort Plugin (at Troopers 14 IPv6 Security Summit)
 
Ip security in i psec
Ip security in i psecIp security in i psec
Ip security in i psec
 
IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1
 
Linux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai PresentationLinux Firewall - NullCon Chennai Presentation
Linux Firewall - NullCon Chennai Presentation
 
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs CollectionCCNA 200-301 IPv6 addressing and subnetting MCQs Collection
CCNA 200-301 IPv6 addressing and subnetting MCQs Collection
 
Asfws2014 tproxy
Asfws2014 tproxyAsfws2014 tproxy
Asfws2014 tproxy
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Server
 
ip security
ip securityip security
ip security
 

Similar to 05 06 ike

I psec
I psecI psec
I psecnlekh
 
The Security layer
The Security layerThe Security layer
The Security layerSwetha S
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)NYversity
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
IP security Part 1
IP security   Part 1IP security   Part 1
IP security Part 1CAS
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
rooster-ipsecindepth.ppt
rooster-ipsecindepth.pptrooster-ipsecindepth.ppt
rooster-ipsecindepth.pptImXaib
 
8.X Sec & I Pv6
8.X Sec & I Pv68.X Sec & I Pv6
8.X Sec & I Pv6phanleson
 
Crypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationCrypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationdborsan
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxjithu26327
 

Similar to 05 06 ike (20)

I psec
I psecI psec
I psec
 
The Security layer
The Security layerThe Security layer
The Security layer
 
IPsec for IMS
IPsec for IMSIPsec for IMS
IPsec for IMS
 
20 palo alto site to site
20 palo alto site to site20 palo alto site to site
20 palo alto site to site
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
Ip Sec
Ip SecIp Sec
Ip Sec
 
IP security Part 1
IP security   Part 1IP security   Part 1
IP security Part 1
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
 
Lecture14..pdf
Lecture14..pdfLecture14..pdf
Lecture14..pdf
 
Ipsec rbe guide
Ipsec rbe guideIpsec rbe guide
Ipsec rbe guide
 
rooster-ipsecindepth.ppt
rooster-ipsecindepth.pptrooster-ipsecindepth.ppt
rooster-ipsecindepth.ppt
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
 
8.X Sec & I Pv6
8.X Sec & I Pv68.X Sec & I Pv6
8.X Sec & I Pv6
 
Vpn(4)
Vpn(4)Vpn(4)
Vpn(4)
 
IPSEC
IPSECIPSEC
IPSEC
 
Crypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationCrypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configuration
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptx
 
IPSec_VPN_Final_
IPSec_VPN_Final_IPSec_VPN_Final_
IPSec_VPN_Final_
 
Ip Sec Rev1
Ip Sec Rev1Ip Sec Rev1
Ip Sec Rev1
 

More from Babaa Naya

Суралцагчийн мэдлэг, чадвар, дадлыг үнэлэх, дүгнэх журам
Суралцагчийн мэдлэг, чадвар, дадлыг үнэлэх, дүгнэх журам Суралцагчийн мэдлэг, чадвар, дадлыг үнэлэх, дүгнэх журам
Суралцагчийн мэдлэг, чадвар, дадлыг үнэлэх, дүгнэх журам Babaa Naya
 
Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын суралцагчид тэт...
Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын суралцагчид тэт...Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын суралцагчид тэт...
Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын суралцагчид тэт...Babaa Naya
 
Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын багшид мэргэжли...
Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын багшид мэргэжли...Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын багшид мэргэжли...
Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын багшид мэргэжли...Babaa Naya
 
Мэргэжлийн боловсрол, сургалтын байгууллагын төгсөгчдөд мэргэжлийн диплом, үн...
Мэргэжлийн боловсрол, сургалтын байгууллагын төгсөгчдөд мэргэжлийн диплом, үн...Мэргэжлийн боловсрол, сургалтын байгууллагын төгсөгчдөд мэргэжлийн диплом, үн...
Мэргэжлийн боловсрол, сургалтын байгууллагын төгсөгчдөд мэргэжлийн диплом, үн...Babaa Naya
 
Suraltsagchid chiglesen uilchilgee hesgiin notolgoo
Suraltsagchid chiglesen uilchilgee hesgiin notolgooSuraltsagchid chiglesen uilchilgee hesgiin notolgoo
Suraltsagchid chiglesen uilchilgee hesgiin notolgooBabaa Naya
 
Img 20210105 0002
Img 20210105 0002Img 20210105 0002
Img 20210105 0002Babaa Naya
 
Img 20210105 0001
Img 20210105 0001Img 20210105 0001
Img 20210105 0001Babaa Naya
 
Cisco packet tracer
Cisco packet tracerCisco packet tracer
Cisco packet tracerBabaa Naya
 
Cisco packet tracer
Cisco packet tracerCisco packet tracer
Cisco packet tracerBabaa Naya
 

More from Babaa Naya (20)

Суралцагчийн мэдлэг, чадвар, дадлыг үнэлэх, дүгнэх журам
Суралцагчийн мэдлэг, чадвар, дадлыг үнэлэх, дүгнэх журам Суралцагчийн мэдлэг, чадвар, дадлыг үнэлэх, дүгнэх журам
Суралцагчийн мэдлэг, чадвар, дадлыг үнэлэх, дүгнэх журам
 
Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын суралцагчид тэт...
Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын суралцагчид тэт...Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын суралцагчид тэт...
Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын суралцагчид тэт...
 
Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын багшид мэргэжли...
Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын багшид мэргэжли...Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын багшид мэргэжли...
Мэргэжлийн болон техникийн боловсролын сургалтын байгууллагын багшид мэргэжли...
 
Мэргэжлийн боловсрол, сургалтын байгууллагын төгсөгчдөд мэргэжлийн диплом, үн...
Мэргэжлийн боловсрол, сургалтын байгууллагын төгсөгчдөд мэргэжлийн диплом, үн...Мэргэжлийн боловсрол, сургалтын байгууллагын төгсөгчдөд мэргэжлийн диплом, үн...
Мэргэжлийн боловсрол, сургалтын байгууллагын төгсөгчдөд мэргэжлийн диплом, үн...
 
Suraltsagchid chiglesen uilchilgee hesgiin notolgoo
Suraltsagchid chiglesen uilchilgee hesgiin notolgooSuraltsagchid chiglesen uilchilgee hesgiin notolgoo
Suraltsagchid chiglesen uilchilgee hesgiin notolgoo
 
Img 20210105 0002
Img 20210105 0002Img 20210105 0002
Img 20210105 0002
 
Img 20210105 0001
Img 20210105 0001Img 20210105 0001
Img 20210105 0001
 
Cisco packet tracer
Cisco packet tracerCisco packet tracer
Cisco packet tracer
 
Cisco packet tracer
Cisco packet tracerCisco packet tracer
Cisco packet tracer
 
Lab10
Lab10Lab10
Lab10
 
Lab9
Lab9Lab9
Lab9
 
Lab8
Lab8Lab8
Lab8
 
Lab7
Lab7Lab7
Lab7
 
Lab6
Lab6Lab6
Lab6
 
Lab 6
Lab 6Lab 6
Lab 6
 
Lab5
Lab5Lab5
Lab5
 
Lab4
Lab4Lab4
Lab4
 
Lab3
Lab3Lab3
Lab3
 
Lab2
Lab2Lab2
Lab2
 
Lab1
Lab1Lab1
Lab1
 

Recently uploaded

BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Celine George
 
ICS 2208 Lecture Slide Notes for Topic 6
ICS 2208 Lecture Slide Notes for Topic 6ICS 2208 Lecture Slide Notes for Topic 6
ICS 2208 Lecture Slide Notes for Topic 6Vanessa Camilleri
 
Shark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsShark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsArubSultan
 
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptxMan or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptxDhatriParmar
 
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxAnupam32727
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17Celine George
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptxmary850239
 
The role of Geography in climate education: science and active citizenship
The role of Geography in climate education: science and active citizenshipThe role of Geography in climate education: science and active citizenship
The role of Geography in climate education: science and active citizenshipKarl Donert
 
PART 1 - CHAPTER 1 - CELL THE FUNDAMENTAL UNIT OF LIFE
PART 1 - CHAPTER 1 - CELL THE FUNDAMENTAL UNIT OF LIFEPART 1 - CHAPTER 1 - CELL THE FUNDAMENTAL UNIT OF LIFE
PART 1 - CHAPTER 1 - CELL THE FUNDAMENTAL UNIT OF LIFEMISSRITIMABIOLOGYEXP
 
DiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdfDiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdfChristalin Nelson
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWQuiz Club NITW
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptxmary850239
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDhatriParmar
 
An Overview of the Calendar App in Odoo 17 ERP
An Overview of the Calendar App in Odoo 17 ERPAn Overview of the Calendar App in Odoo 17 ERP
An Overview of the Calendar App in Odoo 17 ERPCeline George
 

Recently uploaded (20)

BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17Tree View Decoration Attribute in the Odoo 17
Tree View Decoration Attribute in the Odoo 17
 
ICS 2208 Lecture Slide Notes for Topic 6
ICS 2208 Lecture Slide Notes for Topic 6ICS 2208 Lecture Slide Notes for Topic 6
ICS 2208 Lecture Slide Notes for Topic 6
 
Shark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristicsShark introduction Morphology and its behaviour characteristics
Shark introduction Morphology and its behaviour characteristics
 
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptxMan or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
 
Introduction to Research ,Need for research, Need for design of Experiments, ...
Introduction to Research ,Need for research, Need for design of Experiments, ...Introduction to Research ,Need for research, Need for design of Experiments, ...
Introduction to Research ,Need for research, Need for design of Experiments, ...
 
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
Mattingly "AI & Prompt Design" - Introduction to Machine Learning"
 
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
 
Chi-Square Test Non Parametric Test Categorical Variable
Chi-Square Test Non Parametric Test Categorical VariableChi-Square Test Non Parametric Test Categorical Variable
Chi-Square Test Non Parametric Test Categorical Variable
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx
 
The role of Geography in climate education: science and active citizenship
The role of Geography in climate education: science and active citizenshipThe role of Geography in climate education: science and active citizenship
The role of Geography in climate education: science and active citizenship
 
PART 1 - CHAPTER 1 - CELL THE FUNDAMENTAL UNIT OF LIFE
PART 1 - CHAPTER 1 - CELL THE FUNDAMENTAL UNIT OF LIFEPART 1 - CHAPTER 1 - CELL THE FUNDAMENTAL UNIT OF LIFE
PART 1 - CHAPTER 1 - CELL THE FUNDAMENTAL UNIT OF LIFE
 
DiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdfDiskStorage_BasicFileStructuresandHashing.pdf
DiskStorage_BasicFileStructuresandHashing.pdf
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITW
 
4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx4.9.24 School Desegregation in Boston.pptx
4.9.24 School Desegregation in Boston.pptx
 
Spearman's correlation,Formula,Advantages,
Spearman's correlation,Formula,Advantages,Spearman's correlation,Formula,Advantages,
Spearman's correlation,Formula,Advantages,
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
 
An Overview of the Calendar App in Odoo 17 ERP
An Overview of the Calendar App in Odoo 17 ERPAn Overview of the Calendar App in Odoo 17 ERP
An Overview of the Calendar App in Odoo 17 ERP
 
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of EngineeringFaculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
 

05 06 ike

  • 1. ЛЕКЦ 5,6 IPsec ажиллагаа:Internet Key Exchange НУУЦЛАЛЫН ПРОТОКОЛУУД
  • 2. EC-Council Агуулга  IPSec key management  VPN сүлжээний тохиргоо  GRE туннел  IPsec болон SSL харьцуулалт  Дүгнэлт
  • 3. © 2012 Cisco and/or its affiliates. All rights reserved. 3 IPsec
  • 4. EC-Council IPsec Protocol Framework AH ESP ESP + AH DES 3 DES AES SEAL MD5 SHA PSK RSA DH1 DH2 DH5 DH7
  • 9. EC-Council AH ESP ESP + AH DES 3 DES AES SEAL MD5 SHA PSK RSA DH1 DH2 DH5 DH7 768 bits 1024 bits 1536 bits Used by DES and 3DES Used by AES Secure Key Exchange
  • 10. EC-Council  AH provides authentication and optional replay-detection services. • It authenticates the sender of the data. • AH operates on protocol number 51. • AH supports the HMAC-MD5 and HMAC-SHA-1 algorithms. Authentication Header (AH)
  • 11. EC-Council  ESP provides the same security services as AH (authentication and integrity) AND encryption service. • It encapsulates the data to be protected. • It operates on protocol number 50. Encapsulating Security Payload (ESP)
  • 12. © 2012 Cisco and/or its affiliates. All rights reserved. 12 Key Exchange
  • 14. EC-Council How IPsec uses IKE 1. Outbound packet is sent from Alice to Bob. No IPsec SA. 4. Packet is sent from Alice to Bob protected by IPsec SA. IPsec IPsec
  • 15. EC-Council  There are two phases in every IKE negotiation • Phase 1 (Authentication) • The first phase establishes an ISAKMP SA – based on pre-shared keys (PSK), – RSA keys and X.509 certificates, even via Kerberos. • Phase 2 (Key Exchange) – In the second phase the ISAKMP SA is used to negotiate and setup the IPsec SAs.  IKE negotiation can also occur in: • Main Mode • Aggressive mode  The difference between the two is that Main mode requires the exchange of 6 messages while Aggressive mode requires only 3 exchanges. IKE - Internet Key Exchange
  • 16. EC-Council  IKE Phase One: 1. Negotiates an IKE protection suite. 2. Exchanges keying material to protect the IKE session (DH). 3. Authenticates each other. • Establishes the IKE SA. • Main Mode requires the exchange of 6 messages while Aggressive mode only uses 3 messages.  IKE Phase Two: 1. Negotiates IPsec security parameters, known as IPsec transform sets. • Establishes IPsec SAs. • Periodically renegotiates IPsec SAs to ensure security. • Quick mode exchange which is realized with 3 messages IKE 1 and 2 Phases
  • 17. EC-Council Main Mode  Main mode negotiates an ISAKMP SA which will be used to create IPSec Sas  Three steps • SA negotiation • Diffie-Hellman and nonce exchange – Oakley Key Determination Protocol - RFC2412 • Authentication
  • 18. EC-Council IKE -1 Main Mode (Kerberos) Initiator Responder Header, SA Proposals Header, Selected SA Proposal Header, D-H Key Exchange, Noncei, Kerberos Tokeni Header, D-H Key Exchange, Noncer, Kerberos Tokenr Header, Idi, Hashi Header, Idr, Hashr Encrypted
  • 19. IKE-1 Main Mode (Certificate)
    1. Initiator → Responder: Header, SA Proposals
    2. Responder → Initiator: Header, Selected SA Proposal
    3. Initiator → Responder: Header, D-H Key Exchange, Nonce_i
    4. Responder → Initiator: Header, D-H Key Exchange, Nonce_r, Certificate Request
    5. Initiator → Responder: Header, ID_i, Certificate_i, Signature_i, Certificate Request (encrypted)
    6. Responder → Initiator: Header, ID_r, Certificate_r, Signature_r (encrypted)
  • 20. IKE-1 Main Mode (Pre-shared Key)
    1. Initiator → Responder: Header, SA Proposals
    2. Responder → Initiator: Header, Selected SA Proposal
    3. Initiator → Responder: Header, D-H Key Exchange, Nonce_i
    4. Responder → Initiator: Header, D-H Key Exchange, Nonce_r
    5. Initiator → Responder: Header, ID_i, Hash_i (encrypted)
    6. Responder → Initiator: Header, ID_r, Hash_r (encrypted)
  • 21. IKE-2 Quick Mode
    • All traffic is encrypted using the ISAKMP Security Association.
    • Each Quick Mode negotiation results in two IPsec Security Associations (one inbound, one outbound).
  • 22. Quick Mode Negotiation (all messages encrypted under the ISAKMP SA)
    1. Initiator → Responder: Header, IPsec Proposed SA
    2. Responder → Initiator: Header, IPsec Selected SA
    3. Initiator → Responder: Header, Hash
    4. Responder → Initiator: Header, Connected Notification
  • 29. IKE session key computation
    • Four kinds of keys are used:
      • SKEYID – master key (DH)
      • SKEYID_d – for IKE SAs
      • SKEYID_a – authentication key for messages
      • SKEYID_e – encryption key for messages
  • 30. Five Steps of IPsec
    • Step 1: Host A sends interesting traffic destined for Host B.
    • Step 2: IKE Phase 1 authenticates IPsec peers and negotiates IKE SAs to create a secure communications channel for negotiating IPsec SAs in Phase 2.
    • Step 3: IKE Phase 2 negotiates IPsec SA parameters and creates matching IPsec SAs in the peers to protect data and messages exchanged between endpoints.
    • Step 4: Data transfer occurs between IPsec peers based on the IPsec parameters and keys stored in the SA database.
    • Step 5: IPsec tunnel termination occurs when SAs are deleted or time out.
  • 31. Step 1 – Interesting Traffic
  • 33. Step 2 – IKE Phase 1 (DH Key Exchange): authenticating RouterB
    1. RouterA randomly chooses a string and sends it to RouterB.
    2. RouterB hashes the received string together with the pre-shared secret and yields a hash value.
    3. RouterB sends the result of hashing back to RouterA.
    4. RouterA calculates its own hash of the random string, together with the pre-shared secret, and matches it with the received result from the other peer.
    5. If they match, RouterB knows the pre-shared secret and is considered authenticated.
  • 34. Step 2 – IKE Phase 1 (DH Key Exchange): authenticating RouterA
    1. Now RouterB randomly chooses a different random string and sends it to RouterA.
    2. RouterA also hashes the received string together with the pre-shared secret and yields a hash value.
    3. RouterA sends the result of hashing back to RouterB.
    4. RouterB calculates its own hash of the random string, together with the pre-shared secret, and matches it with the received result from the other peer.
    5. If they match, RouterA knows the pre-shared secret and is considered authenticated.
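As an added example (not part of the lecture deck), the following Python carries the key computation of slide 29 and the pre-shared-key proof of slides 33 and 34 through as RFC 2409 specifies them: SKEYID from the PSK and the two nonces, the SKEYID_d/SKEYID_a/SKEYID_e subkeys, and the HASH_I/HASH_R values each peer recomputes to authenticate the other. HMAC-SHA1 is assumed as the prf; the cookies, nonces, Diffie-Hellman values and SA body are constructed stand-ins, not values from a real exchange.

```python
import hmac
import hashlib

def prf(key: bytes, data: bytes) -> bytes:
    """IKE pseudo-random function: HMAC with the negotiated hash (SHA-1 assumed)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Master key under pre-shared-key authentication: SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)

def derive_subkeys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d (keying material for the IPsec SAs), SKEYID_a (IKE message
    authentication) and SKEYID_e (IKE message encryption), per RFC 2409 s.5.
    Each prf covers the DH secret g^xy, both ISAKMP cookies and a one-byte
    counter, chained so that one subkey does not reveal the others."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e

def auth_hash(skeyid, g_a, g_b, cky_a, cky_b, sai_b, id_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b);
    HASH_R swaps the DH values and cookies and uses IDir_b. These are the
    'hash of the random data plus the pre-shared secret' of main-mode
    messages 5 and 6: only a peer holding the PSK can produce them."""
    return prf(skeyid, g_a + g_b + cky_a + cky_b + sai_b + id_b)

def main_mode_psk_auth(psk_initiator: bytes, psk_responder: bytes) -> bool:
    """Run both peers' verification of HASH_I and HASH_R; True only if the
    PSKs agree. Cookies, nonces, DH values and the SA body are constructed."""
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8            # ISAKMP header cookies
    ni, nr = b"\xaa" * 16, b"\xbb" * 16                 # exchanged nonces
    gxi, gxr = b"\x01" * 32, b"\x02" * 32               # DH public values
    sai_b, id_i, id_r = b"\x00\x01\x02", b"initiator", b"responder"
    sk_i = skeyid_psk(psk_initiator, ni, nr)            # each side uses its own PSK copy
    sk_r = skeyid_psk(psk_responder, ni, nr)
    # responder recomputes HASH_I from its own SKEYID and compares it with the
    # received one; compare_digest keeps the comparison constant-time
    hash_i_ok = hmac.compare_digest(
        auth_hash(sk_i, gxi, gxr, cky_i, cky_r, sai_b, id_i),   # sent by initiator
        auth_hash(sk_r, gxi, gxr, cky_i, cky_r, sai_b, id_i))   # expected by responder
    # initiator does the same for HASH_R
    hash_r_ok = hmac.compare_digest(
        auth_hash(sk_r, gxr, gxi, cky_r, cky_i, sai_b, id_r),   # sent by responder
        auth_hash(sk_i, gxr, gxi, cky_r, cky_i, sai_b, id_r))   # expected by initiator
    return hash_i_ok and hash_r_ok
```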
  • 41. GRE Tunnel
  • 42. Layer 3 Tunneling
    • There are 2 popular site-to-site tunneling protocols:
      • Cisco Generic Routing Encapsulation (GRE)
      • IP Security Protocol (IPsec)
    • When should you use GRE and/or IPsec? Decision chart:
      • Is the user traffic IP only? No → use a GRE tunnel.
      • Yes → is it unicast only? No → use a GRE tunnel. Yes → use an IPsec VPN.
  • 43. Generic Routing Encapsulation (GRE)
    • GRE can encapsulate almost any other type of packet.
      • Uses IP to create a virtual point-to-point link between Cisco routers
      • Supports multiprotocol (IP, CLNS, …) and IP multicast tunneling (and therefore routing protocols)
      • Best suited for site-to-site multiprotocol VPNs
      • RFC 1702 and RFC 2784
    • The GRE header adds 24 bytes of additional overhead.
  • 44. Optional GRE Extensions
    • GRE can optionally contain any one or more of these fields:
      • Tunnel checksum
      • Tunnel key
      • Tunnel packet sequence number
    • GRE keepalives can be used to track tunnel path status.
  • 45. Generic Routing Encapsulation (GRE)
    • GRE does not provide encryption!
      • It can be monitored with a protocol analyzer.
    • However, GRE and IPsec can be used together.
    • IPsec does not support multicast/broadcast and therefore does not forward routing protocol packets.
      • However, IPsec can encapsulate a GRE packet that encapsulates routing traffic (GRE over IPsec).
  • 46. Five Steps to Configuring a GRE Tunnel
    1. Create a tunnel interface: interface tunnel 0
    2. Assign the tunnel an IP address.
    3. Identify the source tunnel interface: tunnel source
    4. Identify the tunnel destination: tunnel destination
    5. (Optional) Identify the protocol to encapsulate in the GRE tunnel: tunnel mode gre ip
      • By default, GRE is tunneled in an IP packet.
  • 47. Five Steps to Configuring a GRE Tunnel
      R1(config)# interface tunnel 0
      R1(config-if)# ip address 10.1.1.1 255.255.255.252
      R1(config-if)# tunnel source serial 0/0
      R1(config-if)# tunnel destination 209.165.200.225
      R1(config-if)# tunnel mode gre ip
      R1(config-if)#

      R2(config)# interface tunnel 0
      R2(config-if)# ip address 10.1.1.2 255.255.255.252
      R2(config-if)# tunnel source serial 0/0
      R2(config-if)# tunnel destination 209.165.201.1
      R2(config-if)# tunnel mode gre ip
      R2(config-if)#
  • 49. Comparison between IPsec and SSL
  • 55. Comparison: PGP vs SSL vs IPsec
    • Layer: PGP – Application layer; SSL – Transport layer (above TCP); IPsec – Network layer (above IP)
    • Operation: PGP – Offline; SSL – Online/real-time; IPsec – Online/real-time
    • Connection model: PGP – Connectionless (a single data message; data order n/a; replay attack countered by timestamp); SSL – Connection-oriented (a data stream; data order via TCP; defense against replay attack); IPsec – Connectionless (defense against replay attack)
    • What is protected: PGP – Application payload only; SSL – Application payload only; IPsec – Transport mode: TCP header + application payload; Tunnel mode: IP header + TCP header + payload
    • Authentication entity: PGP – User (Key ID); SSL – SSL session (certificate); IPsec – Security association
    • Protected unit: PGP – Entire data message; SSL – SSL connection/TCP/port