
3c8b8f1aae3f5be7ea7fee04321e356d.ppt

  • Number of slides: 35

Slide 1: Lesson 22 IP Security (IPSec)
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference

Slide 2: IP Security (IPSec)
  • IPSec overview
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Internet Key Exchange (IKE)
  • Main Mode negotiation
  • Quick Mode negotiation
  • Retransmit behavior
  • IPSec NAT Traversal (NAT-T)

Slide 3: IPSec Overview
  • Properties of secure communication
    - Peer authentication
    - Data origin authentication
    - Data integrity
    - Data confidentiality
    - Antireplay
    - Key management
  • Hashing algorithms
    - HMAC MD5
    - HMAC SHA1
  • Encryption algorithms
    - DES
    - 3DES

Slide 4: Security Associations
  • Combination of mutually agreed security services, protection mechanisms, and cryptographic keys
  • ISAKMP SA
  • IPSec SAs
    - One for inbound traffic
    - One for outbound traffic
  • Security Parameters Index (SPI)
    - Helps identify an SA
  • Creating SAs
    - Main Mode for ISAKMP SA
    - Quick Mode for IPSec SAs

Slide 5: IPSec Headers
  • Authentication Header (AH)
    - Provides data origin authentication, data integrity, and replay protection for the entire IP datagram
  • Encapsulating Security Payload (ESP)
    - Provides data origin authentication, data integrity, replay protection, and data confidentiality for the ESP-encapsulated portion of the packet

Slide 6: Authentication Header (AH)
  Next Header | Payload Length | Reserved
  Security Parameters Index
  Sequence Number
  Authentication Data . . .
  Payload . . .
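As an added example (not from the presentation), the following Python parses the AH fixed fields shown above, verifies a 96-bit HMAC-SHA1 ICV, and applies the sliding anti-replay window that the Sequence Number field makes possible. The key, SPI and payload are constructed values, and the ICV here is computed over the AH header and payload only, a simplification: the real ICV also covers the immutable fields of the IP header.

```python
import hashlib, hmac, struct

AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12        # HMAC-SHA1-96: ICV truncated to 96 bits

def parse_ah(data: bytes) -> dict:
    """Split an AH header into its fields. Payload Length is the AH length in
    32-bit words minus 2, so the header spans (payload_len + 2) * 4 bytes."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_hdr, payload_len, _rsvd, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    total = (payload_len + 2) * 4
    if total > len(data):
        raise ValueError("AH length runs past end of packet")
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED_LEN:total], "payload": data[total:]}

def icv_ok(data: bytes, key: bytes) -> bool:
    """Recompute the ICV with the Authentication Data field zeroed and compare in
    constant time. Simplification: the IP header's immutable fields are not included."""
    ah = parse_ah(data)
    end = AH_FIXED_LEN + len(ah["icv"])
    covered = data[:AH_FIXED_LEN] + b"\x00" * len(ah["icv"]) + data[end:]
    mac = hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(mac, ah["icv"])

class ReplayWindow:
    """Sliding anti-replay window on the Sequence Number; update it only after the ICV verifies."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0   # bit i set => (top - i) was seen
    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                    # sequence number 0 is never valid
        if seq > self.top:                  # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        off = self.top - seq
        if off >= self.size or (self.bitmap >> off) & 1:
            return False                    # older than the window, or a replay
        self.bitmap |= 1 << off
        return True

def build_ah(key: bytes, spi: int, seq: int, payload: bytes, next_hdr: int = 6) -> bytes:
    """Constructed sample packet: fixed header, 96-bit ICV, then the payload (next_hdr 6 = TCP)."""
    hdr = struct.pack("!BBHII", next_hdr, (AH_FIXED_LEN + ICV_LEN) // 4 - 2, 0, spi, seq)
    mac = hmac.new(key, hdr + b"\x00" * ICV_LEN + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + mac + payload
```

A receiver checks icv_ok() first and calls ReplayWindow.accept() only on packets that passed, so that forged sequence numbers cannot advance the window.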

Slide 7: IPSec Modes
  • Transport mode
    - Typically used for IPSec peers doing end-to-end security
    - Provides protection for upper-layer protocol data units (PDUs)
  • Tunnel mode
    - Typically used by network routers to protect IP datagrams
    - Provides protection for entire IP datagrams

Slide 8: AH Transport Mode
  Before: [ IP ] [ Upper layer PDU ]
  After:  [ IP ] [ AH ] [ Upper layer PDU ]
          Authenticated: the entire datagram

Slide 9: AH Tunnel Mode
  Before: [ IP ] [ Upper layer PDU ]
  After:  [ IP (new) ] [ AH ] [ IP ] [ Upper layer PDU ]
          Authenticated: the entire datagram, including the original IP header

Slide 10: ESP Header and Trailer
  Security Parameters Index
  Sequence Number
  Payload . . .
  Padding . . . | Padding Length | Next Header
  Authentication Data . . .

Slide 11: ESP Transport Mode
  Before: [ IP ] [ Upper layer PDU ]
  After:  [ IP ] [ ESP ] [ Upper layer PDU ] [ ESP Auth Data ]
          Encrypted: Upper layer PDU
          Authenticated: ESP header and Upper layer PDU (covered by ESP Auth Data)

Slide 12: ESP with AH Transport Mode
  Before: [ IP ] [ Upper layer PDU ]
  After:  [ IP ] [ AH ] [ ESP ] [ Upper layer PDU ] [ ESP Auth ]
          Encrypted: Upper layer PDU
          Authenticated with ESP: ESP header and Upper layer PDU
          Authenticated with AH: the entire datagram

Slide 13: ESP Tunnel Mode
  Before: [ IP ] [ Upper layer PDU ]
  After:  [ IP (new) ] [ ESP ] [ IP ] [ Upper layer PDU ] [ ESP Auth Data ]
          Encrypted: original IP header and Upper layer PDU
          Authenticated: ESP header through Upper layer PDU (covered by ESP Auth Data)

Slide 14: Internet Key Exchange
  • Standard that defines a mechanism to establish SAs
  • Combines ISAKMP and the Oakley Key Determination Protocol
    - ISAKMP is used to identify and authenticate peers, manage SAs, and exchange key material
    - Oakley Key Determination Protocol is used to generate secret key material for secure communications (Diffie-Hellman key exchange algorithm)

Slide 15: ISAKMP Message Structure
  [ IP header ] [ UDP header ] [ ISAKMP payloads ]
                |<------- UDP message -------->|
  |<------------------ IP datagram ----------->|

Slide 16: ISAKMP Header
  Initiator Cookie
  Responder Cookie
  Next Payload | Major Version | Minor Version | Exchange Type | Flags
  Message ID
  Length

Slide 17: ISAKMP Payloads
  • SA
  • Proposal
  • Transform
  • Vendor ID
  • Nonce
  • Key Exchange
  • Notification
  • Delete
  • Identification
  • Hash
  • Certificate Request
  • Certificate
  • Signature
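As an added example, not part of the presentation, this Python parses the ISAKMP header from the previous slide and then walks the payload chain using the generic prefix that every payload type listed above shares (Next Payload, Reserved, Payload Length), with the bounds checks a receiver needs before trusting any length field. Payload type numbers and exchange type values follow the ISAKMP and IKE RFCs; the cookies and payload bodies are constructed sample values.

```python
import struct

ISAKMP_HDR_LEN = 28          # two 8-byte cookies + 12 bytes of fixed fields
PAYLOAD_NAMES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
                 5: "Identification", 6: "Certificate", 7: "Certificate Request",
                 8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification",
                 12: "Delete", 13: "Vendor ID"}
EXCHANGE_NAMES = {2: "Main Mode", 32: "Quick Mode"}   # Identity Protection / IPsec DOI Quick Mode

def parse_isakmp(data: bytes) -> dict:
    """Parse the ISAKMP header, then follow Next Payload links through the
    4-byte generic payload headers, refusing any length that leaves the datagram."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, next_p, ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:ISAKMP_HDR_LEN])
    if length != len(data):
        raise ValueError(f"Length field {length} != datagram size {len(data)}")
    msg = {"initiator_cookie": icookie, "responder_cookie": rcookie,
           "major": ver >> 4, "minor": ver & 0xF,
           "exchange": EXCHANGE_NAMES.get(exch, f"type {exch}"),
           "encrypted": bool(flags & 0x01),      # E flag: payloads after the header are encrypted
           "message_id": msg_id, "payloads": []}
    off = ISAKMP_HDR_LEN
    while next_p != 0:                             # Next Payload 0 (NONE) ends the chain
        if off + 4 > len(data):
            raise ValueError(f"payload header at offset {off} runs past end")
        np_, _rsvd, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad Payload Length {plen} at offset {off}")
        msg["payloads"].append((PAYLOAD_NAMES.get(next_p, f"type {next_p}"),
                                data[off + 4:off + plen]))
        next_p, off = np_, off + plen
    return msg

def build_isakmp(icookie: bytes, rcookie: bytes, exch: int, msg_id: int,
                 payloads: list, flags: int = 0) -> bytes:
    """Constructed sample builder: chains (type, body) payloads behind a version 1.0 header."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", icookie, rcookie, first, 0x10, exch, flags,
                      msg_id, ISAKMP_HDR_LEN + len(body))
    return hdr + body
```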

Slide 18: SA Payload
  Next Payload | Reserved | Payload Length
  Domain of Interpretation
  Situation . . .

Slide 19: Proposal Payload
  Next Payload | Reserved | Payload Length
  Proposal Number | Protocol ID | SPI Size | Number of Transforms
  SPI . . .

Slide 20: Transform Payload
  Next Payload | Reserved | Payload Length
  Transform Number | Transform ID | Reserved 2
  SA Attributes . . .

Slide 21: Vendor ID Payload
  Next Payload | Reserved | Payload Length
  Vendor ID . . .

Slide 22: Nonce Payload
  Next Payload | Reserved | Payload Length
  Nonce Data . . .

Slide 23: Key Exchange Payload
  Next Payload | Reserved | Payload Length
  Key Exchange Data . . .

Slide 24: Notification Payload
  Next Payload | Reserved | Payload Length
  Domain of Interpretation
  Protocol ID | SPI Size | Notification Message Type
  SPI . . .
  Notification Data . . .

Slide 25: Delete Payload
  Next Payload | Reserved | Payload Length
  Domain of Interpretation
  Protocol ID | SPI Size | # of SPIs
  SPIs . . .

Slide 26: Identification Payload
  Next Payload | Reserved | Payload Length
  ID Type | DOI-Specific ID Data
  Identification Data . . .

Slide 27: Hash Payload
  Next Payload | Reserved | Payload Length
  Hash Data . . .

Slide 28: Certificate Request Payload
  Next Payload | Reserved | Payload Length
  Certificate Type | Certificate Authority . . .

Slide 29: Certificate Payload
  Next Payload | Reserved | Payload Length
  Certificate Encoding | Certificate Data . . .

Slide 30: Signature Payload
  Next Payload | Reserved | Payload Length
  Signature Data . . .

Slide 31: Main Mode Negotiation
  • Phases of main mode negotiation:
    1. Negotiation of protection suites
    2. A Diffie-Hellman exchange
    3. Authentication
  • Kerberos Authentication
    - Kerberos tokens exchanged and validated
  • Certificate Authentication
    - Certificates and signatures exchanged and validated
  • Preshared Key Authentication
    - Hash payloads exchanged and validated

Slide 32: Quick Mode Negotiation
  • Four ISAKMP messages to determine the traffic to be secured and how it is secured
  • Initiator and responder exchange:
    - SA payloads (how to secure traffic)
    - Identification payloads (the traffic to secure)

Slide 33: Retransmit Behavior
  • Main Mode
    - 1 second wait after initial message and then exponential backoff for 5 retransmissions
    - 63 seconds to fail
    - Fallback to unsecured in 3 seconds if configured
  • Quick Mode
    - 1 second wait after initial message and then exponential backoff for 5 retransmissions
    - 63 seconds to fail

Slide 34: IPSec NAT-T
  • Network Address Translators (NATs) invalidate IPSec packet protections
  • IPSec NAT Traversal (NAT-T):
    - Encapsulates ESP-protected payloads with a UDP header
    - Defines additional Main Mode payloads to detect IPSec NAT-T-capable peers and whether either is behind a NAT
    - Defines an additional Quick Mode payload to indicate untranslated addresses
    - Allows ESP-protected traffic to traverse a NAT

Slide 35: Review
  • IPSec overview
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Internet Key Exchange (IKE)
  • Main Mode negotiation
  • Quick Mode negotiation
  • Retransmit behavior
  • IPSec NAT Traversal (NAT-T)