1. Network Security
German Research Center for
Artificial Intelligence
2. Malware - Summary
• Virus:
– program that embeds itself in other
programs and can reproduce itself
• Worm:
– program that distributes itself via
the network
• Trojan horse:
– program that hides additional
functionality useful for an adversary
• Rootkit:
– set of replaced system programs (or kernel modifications) providing additional functionality (for an
attacker) while imitating the original OS (almost) perfectly:
e.g. faked versions of ls, ps, netstat, etc.
3. Vulnerabilities, all the time
• see http://nvd.nist.gov
Recent CVE Vulnerabilities
CVE-2006-3349 Publish Date: 7/3/2006
Multiple SQL injection vulnerabilities in SmS Script allow remote attackers to execute arbitrary SQL commands via the CatID parameter in (1) cat.php and (2) add.php.
CVE-2006-3348 Publish Date: 7/3/2006
Multiple SQL injection vulnerabilities in HSPcomplete 3.2.2 and 3.3 Beta and earlier allow remote attackers to execute arbitrary SQL commands via the (1) type parameter in
report.php and (2) level parameter in custom_buttons.php.
CVE-2006-3347 Publish Date: 7/3/2006
SQL injection vulnerability in index.php in deV!Lz Clanportal DZCP 1.3.4 allows remote attackers to execute arbitrary SQL commands via the id parameter.
CVE-2006-3346 Publish Date: 7/3/2006
SQL injection vulnerability in tree.php in MyNewsGroups 0.6 allows remote attackers to execute arbitrary SQL commands via the grp_id parameter.
CVE-2006-3345 Publish Date: 7/3/2006
Cross-site scripting (XSS) vulnerability in AliPAGER, possibly 1.5 and earlier, allows remote attackers to inject arbitrary web script or HTML via a chat line.
CVE-2006-3344 Publish Date: 7/3/2006
Siemens Speedstream Wireless Router 2624 allows local users to bypass authentication and access protected files by using the UPnP (Universal Plug and Play)/1.0 component.
CVE-2006-3343 Publish Date: 7/3/2006
PHP remote file inclusion vulnerability in recipe/cookbook.php in CrisoftRicette 1.0pre15b allows remote attackers to execute arbitrary PHP code via a URL in the
crisoftricette parameter.
CVE-2006-3342 Publish Date: 7/3/2006
Cross-site scripting (XSS) vulnerability in index.php in Arctic 1.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the query parameter in a search cmd.
CVE-2006-3341 Publish Date: 7/3/2006
SQL injection vulnerability in annonces-p-f.php in MyAds module 2.04jp for Xoops allows remote attackers to execute arbitrary SQL commands via the lid parameter.
CVE-2006-3340 Publish Date: 7/3/2006
Multiple PHP remote file inclusion vulnerabilities in Pearl For Mambo module 1.6 for Mambo, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code
via the (1) phpbb_root_path parameter in (a) includes/functions_cms.php and the (2) GlobalSettings[templatesDirectory] parameter in multiple files in the "includes" directory
including (b) adminSensored.php, (c) adminBoards.php, (d) adminAttachments.php, (e) adminAvatars.php, (f) adminBackupdatabase.php, (g) adminBanned.php, (h)
adminForums.php, (i) adminPolls.php, (j) adminSmileys.php, (k) poll.php, and (l) move.php.
CVE-2006-3339 Publish Date: 7/3/2006
secure/ConfigureReleaseNote.jspa in Atlassian JIRA 3.6.2-#156 allows remote attackers to obtain sensitive information via unspecified manipulations of the projectId parameter,
which displays the installation path and other system information in an error message.
CVE-2006-3338 Publish Date: 7/3/2006
Cross-site scripting (XSS) vulnerability in Atlassian JIRA 3.6.2-#156 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors in a direct request to
secure/ConfigureReleaseNote.jspa, which are not sanitized before being returned in an error page.
CVE-2006-3337 (cPanel)
Publish Date: 7/3/2006 CVSS Severity: 4.7 (Medium)
Cross-site scripting (XSS) vulnerability in frontend/x/files/select.html in cPanel 10.8.2-CURRENT 118 and earlier allows remote attackers to inject arbitrary web script or HTML via
the file parameter.
4. A Closer Look – CVE-2006-3344
• Digital Armaments advisory, dated 05.02.2006
• http://www.digitalarmaments.com/2006290674551938.html
• I. Background
• The SpeedStream Wireless DSL/Cable Router is usually adopted for home and small business solutions. Together with an existing DSL or cable modem
connection, this affordable, easy to use connection sharing solution brings the freedom of high-speed, wireless broadband connectivity to home and SOHO
networks. Its comprehensive functionality provides vital firewall protection, IP sharing capabilities, and fundamental routing features that support popular
protocols like NetMeeting and VPN.
• For further information or detail about the software you can refer to the vendor's homepage:
• http://subscriber.communications.siemens.com/
• II. Problem Description
• Speedstream routers have UPnP/1.0 support. An attacker can access protected files and bypass the password protection without login using the UPnP part
of the tree.
• III. Detection
• This problem has been detected on the latest version of the Siemens SpeedStream Router. It has been tested on the SpeedStream 2624.
• IV. Impact analysis
• Successful exploitation allows an attacker to bypass the password protection. It also allows an attacker to access protected files without login.
• V. Solution
• First notification 05.02.2006.
• Second notification 05.20.2006.
• No answer from the vendor.
• VI. Credit
• Jaime Blasco - jaime.blasco (at) eazel (dot) es is credited with this discovery.
5. Internet
• Internet as "the" network
• Based on the ARPANET of the early 1970s
(Advanced Research Projects Agency)
• Internet protocols
– IP: internet protocol
– ICMP: internet control message
protocol
– TCP: transmission control protocol
– ARP: address resolution protocol
6. TCP/IP - Model (a la ISO/OSI)
Application layer: FTP, SMTP, HTTP
Transport layer (end-to-end transport; TCP is reliable, UDP is not): TCP, UDP
Network layer (packets, routing): IP
Data link layer: frames
Physical layer: bit streams
7. IP – Security
Privacy
If privacy is outlawed,
only outlaws will have privacy
Phil Zimmermann
By 2010, driven by the improving capabilities
of data analysis, privacy will become a meaningless
concept in Western societies
Gartner group
8. Phishing
• Social engineering (bank customers)
• Faking the bank's web pages
– mismatch between the real and the visible URL
• Requesting PIN/TAN from customers
9. Network Services - DNS
• The Domain Name System (DNS) translates host
names (www.uni-sb.de) to IP addresses (e.g. 134.96.7.73)
• DNS servers provide two data bases:
– IP addresses -> host names (reverse lookup)
– host names -> IP addresses (lookup)
• No mechanism secures the consistency of the two tables!
• DNS servers are distributed
10. Pharming - DNS Spoofing
• Faking the reverse-lookup table
– Reverse lookup (e.g. for rlogin) returns Bob's host
name instead of Eve's for Eve's IP address
– Access to Alice's host if Bob is listed in
/etc/hosts.equiv or in .rhosts
– Countermeasure: forward lookup of the returned name and check that it yields the same IP address
• Sending faked update messages to the cache of a DNS
server (cache poisoning)
• Manipulating the local hosts file: C:\Windows\System32\drivers\etc\hosts
11. Observations of Users in Networks
[Figure: user X and staff connected via a switch; an eavesdropper on the link can read X's traffic]
Link-to-link encryption:
[Figure: the same setup; the link between X and the switch is encrypted, so the eavesdropper on that link sees only ciphertext]
12. Observation of Users in
Switched Networks
[Figure: user X, switch, staff; link-to-link encryption on the links and end-to-end encryption of the content between X and staff]
Problem of traffic data:
who communicates with whom, how long, where?
13. Abilities of a Potential Attacker
Worst case analysis:
• Observation of all communication channels
• Generation of new messages
• Operating some network services (e.g. as an
anonymity service, as a web server, etc)
• No breaking of cryptographic systems
• No attack on the user's personal machine
• Limited time and computing power
14. Anonymity and Unobservability
Anonymity:
• Sender and/or receiver stay anonymous to each
other
Unobservability:
• No party can trace communication relations
• Sending and receiving of messages is
unobservable
Pseudonym:
• identity can only be revealed in special cases
15. Anonymity and Unobservability
Need for a group of users where all users behave similarly
[Figure: a set of events and the anonymity group of users who could have caused them]
Everybody can be the originator of an event with equal probability
16. Simple Proxies
• The proxy fetches a URL on behalf of the user
• The server has no information about the real originator of the
request
• Examples:
– Anonymizer.com (Lance Cottrell)
– Aixs.net
– ProxyMate.com (Lucent, Bell Labs)
[Figure: User -> Proxy -> Server]
17. Problems with Simple Proxies
• No protection against the operator
• No protection against traffic analysis
– Timing correlation of incoming and outgoing
requests
– Correlation by message length and coding
[Figure: users 1..n send "GET page.html" to the http proxy, which sends "GET page.html" on to the server; matching incoming and outgoing requests by time and size links user and page]
18. Possible Attacks
• Timing attacks:
– Observe the timing at the possible endpoints of a
communication and wait for correlated events at
both ends
• Message volume attacks:
– Observe the amount of transmitted data
• Flooding attacks:
– Almost all messages except the message to be
observed are created by the attacker
• Linking attacks:
– Observe intersections of anonymity groups due to
on/off-line periods (profiles)
19. Broadcast
Message is sent to all participants,
but only one person (the intended receiver) is able
to read it
20. Mixes (David Chaum, 1981)
• Collect messages in batches, change their
coding and forward them at the same time but
in a different order
• Chain several mixes
• If at least one mix is not corrupt, then sender and
receiver are perfectly unlinkable
21. Internals of Mixes
Processing steps of a mix:
– Discard repeated messages (avoids replay attacks)
– Store incoming messages
– Wait for a sufficient number of messages
– Change the coding of the messages
– Reorder and forward the messages
22. Encryption of Messages
• ci: encryption with the public key of Mixi
• Ai: address of Mixi
• M: message to be sent
• ri: random numbers (to ensure indeterminism: the same M never yields the same ciphertext twice)
Sender -> Mix1: A1, c1(A2, c2(M, r2), r1)
Mix1 -> Mix2: A2, c2(M, r2)
Mix2 -> receiver: M
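The mix chain of slides 20 to 22 in Python, as an added example that is not part of the original slides: wrap() builds the layered message A1, c1(A2, c2(M, r2), r1), and Mix.accept() performs the steps of slide 21 (discard repeats, store, wait for a full batch, change the coding, reorder). Assumptions of the example: the public-key encryption c_i is replaced by a SHA-256 keystream cipher under a per-mix secret so that only the standard library is needed; addresses are fixed 4-byte tags; the mix names, keys and messages are constructed sample data.

```python
import hashlib
import random
import secrets

ADDR_LEN = 4    # fixed-length addresses, e.g. b"MIX1", b"BOB_" (assumption of the example)
R_LEN = 16      # length of the random values r_i


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; stands in for the public-key encryption of a real mix."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def c(key: bytes, plaintext: bytes, r: bytes) -> bytes:
    """c_i(x, r_i): encryption for mix i, randomised by r_i (toy cipher, see lead-in)."""
    ks = _keystream(key, r, len(plaintext))
    return r + bytes(a ^ b for a, b in zip(plaintext, ks))


def c_inv(key: bytes, blob: bytes) -> bytes:
    """Inverse of c(): strips r_i and the keystream."""
    r, ct = blob[:R_LEN], blob[R_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, r, len(ct))))


def wrap(path, dest: bytes, message: bytes, rand=secrets.token_bytes) -> bytes:
    """Builds A1, c1(A2, c2(... cn(dest, M, rn) ..., r2), r1) for path = [(A1, k1), ..., (An, kn)]."""
    next_addr, blob = dest, message
    for addr, key in reversed(path):
        blob = c(key, next_addr + blob, rand(R_LEN))
        next_addr = addr
    return next_addr + blob


class Mix:
    def __init__(self, addr: bytes, key: bytes, batch_size: int, rng: random.Random):
        self.addr, self.key, self.batch_size, self.rng = addr, key, batch_size, rng
        self.seen = set()       # hashes of every input ever accepted: repeats are discarded
        self.pool = []          # stored messages waiting for a full batch

    def accept(self, blob: bytes):
        """Returns a shuffled batch of (next_addr, payload) once enough messages arrived, else None."""
        digest = hashlib.sha256(blob).digest()
        if digest in self.seen:
            return None                         # replay: same input would give the same output
        self.seen.add(digest)
        plain = c_inv(self.key, blob)           # change of coding: strip this mix's layer
        self.pool.append((plain[:ADDR_LEN], plain[ADDR_LEN:]))
        if len(self.pool) < self.batch_size:
            return None                         # wait for a sufficient number of messages
        batch, self.pool = self.pool, []
        self.rng.shuffle(batch)                 # reorder before forwarding
        return batch


def run_chain(messages, mixes, rng: random.Random):
    """Sends (dest, text) pairs through the mix chain; returns what arrives at each destination."""
    path = [(m.addr, m.key) for m in mixes]
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    in_flight = [wrap(path, dest, text, rand) for dest, text in messages]
    by_addr = {m.addr: m for m in mixes}
    delivered = {}
    while in_flight:
        item = in_flight.pop(0)
        addr, blob = item[:ADDR_LEN], item[ADDR_LEN:]
        if addr in by_addr:
            batch = by_addr[addr].accept(blob)
            if batch:
                in_flight.extend(next_addr + payload for next_addr, payload in batch)
        else:
            delivered.setdefault(addr, []).append(blob)
    return delivered


if __name__ == "__main__":
    # constructed sample: two mixes, batches of two, four messages from different senders
    chain = [Mix(b"MIX1", b"key-1", 2, random.Random(1)), Mix(b"MIX2", b"key-2", 2, random.Random(2))]
    sample = [(b"BOB_", b"hello"), (b"CAR_", b"hi"), (b"BOB_", b"again"), (b"DAV_", b"yo")]
    for dest, texts in run_chain(sample, chain, random.Random(3)).items():
        print(dest, texts)
```

Two properties of the slides become visible when running it: wrapping the same M twice never yields the same ciphertext because the r_i differ, and a replayed input is dropped before decryption, since otherwise an attacker could resubmit a message and watch which output repeats. The example does not pad messages to a fixed length, so the message volume attack of slide 18 would still work against it.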
23. Real Time Aspects
• Mixes are good for non-real-time
communication: e-mail
• Problems with real-time applications like
net-phone, ftp, www
– Batching messages yields high delay
– Message lengths vary over a very large interval, and
connection-oriented services are not supported
24. Traffic padding and Time Slices
[Figure: time slices; within a slice the sender waits, and traffic padding (sending of random data) fills the slice after the last real message so that an observer cannot tell when the real message ended]
25. Dummy Traffic
• Users (not mixes) send messages all the time
• Nobody can distinguish between encrypted
messages and faked ones (random numbers)
• Increases the amount of traffic, if necessary
• Avoids high delay of messages
26. Flooding and Attacks
• Flooding attacks:
– Introduce tickets that a mix has to process
– Only one message per user in each batch
– The attacker then needs the help of other users
• Long-term observation:
– Intersection of anonymity groups
– No good solution is known for this attack
28. Internet Control Message Protocol
• Transfer of error and status messages
– destination unreachable: unreachable port (host)
• Forged message may cause abortion of all traffic to this host
– fragmentation needed
• Continuous generation of faked messages causes denial of
service
– redirect: to change routing behaviour
• Rerouting of all packets of a host via a malicious host
– source quench: to reduce traffic caused by a host
• faked message causes denial of service
29. Address Resolution Protocol (ARP)
• Translates IP addresses (e.g. 134.96.88.122) to the physical
addresses (e.g. 00:A0:C9:44:BA:20) built into the firmware
of the network interface
• ARP address table (cache) of a host or router
– Updated via broadcast requests ("Who has?") and the replies to them
• Masquerading: faked answers to broadcast requests (ARP spoofing)
• Denial of service: a request for a non-existing host is
broadcast through gateways. A malicious host may even
redistribute requests coming back!
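The detection side of ARP masquerading, as an added example that is not from the slides: a small watcher that parses ARP replies from raw Ethernet frames and reports when an IP address is suddenly claimed by a different MAC address, or when one MAC address answers for several IP addresses. The frames are constructed for the example (the 134.96.12.x addresses and the 00:A0:C9 prefix follow the slides); build_arp(), parse_arp() and ArpWatcher are helpers written here, not library calls.

```python
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet frame carrying an ARP packet (used here to construct sample traffic)."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else tha
    eth = _mac(eth_dst) + _mac(sha) + struct.pack("!H", ETH_P_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Returns the ARP fields of an Ethernet/ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sha": fmt_mac(frame[22:28]), "spa": fmt_ip(frame[28:32]),
            "tha": fmt_mac(frame[32:38]), "tpa": fmt_ip(frame[38:42])}


class ArpWatcher:
    """Pins the first IP->MAC binding seen in a reply and reports conflicting replies."""

    def __init__(self):
        self.bindings: Dict[str, str] = {}   # ip -> mac from the first reply
        self.claims: Dict[str, set] = {}     # mac -> every ip it has answered for

    def observe(self, frame: bytes) -> List[str]:
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return []
        ip, mac = pkt["spa"], pkt["sha"]
        alerts = []
        pinned = self.bindings.setdefault(ip, mac)
        if pinned != mac:
            alerts.append(f"ARP spoof? {ip} was {pinned}, now claimed by {mac}")
        ips = self.claims.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:
            alerts.append(f"{mac} answers for several IPs: {sorted(ips)}")
        return alerts


def run_sample() -> List[str]:
    """Constructed scenario: gateway and Bob answer normally, then Eve answers for the gateway."""
    host = "00:a0:c9:44:ba:21"   # the host whose requests are being answered (Alice)
    frames = [
        build_arp(ARP_REQUEST, host, "134.96.12.102", "00:00:00:00:00:00", "134.96.12.1"),
        build_arp(ARP_REPLY, "00:a0:c9:44:ba:20", "134.96.12.1", host, "134.96.12.102"),    # gateway
        build_arp(ARP_REPLY, "00:a0:c9:44:ba:22", "134.96.12.104", host, "134.96.12.102"),  # Bob
        build_arp(ARP_REPLY, "00:ee:ee:ee:ee:ee", "134.96.12.200", host, "134.96.12.102"),  # Eve, own IP
        build_arp(ARP_REPLY, "00:ee:ee:ee:ee:ee", "134.96.12.1", host, "134.96.12.102"),    # Eve as gateway
    ]
    watcher, alerts = ArpWatcher(), []
    for frame in frames:
        alerts.extend(watcher.observe(frame))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

A changed binding is evidence, not proof: a replaced network card or a fail-over address also changes the mapping, so the watcher reports and leaves the decision to the operator. Pinning the first reply is only safe if the watcher starts on a clean network; on a switched network the watcher must see the replies, i.e. run on the host being protected or on a mirror port.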
30. TCP - Connections
• Logical connections between ports
• A TCP segment contains:
– 16-bit port numbers of sender and receiver (the 32-bit IP addresses are in the IP header)
– 32-bit sequence number
• Initial value should be randomly generated
• 3-way handshake:
– Client -> Server: SYN, Seqc
– Server -> Client: SYN, SeqS, Ack = Seqc + 1
– Client -> Server: Ack = SeqS + 1
– Client -> Server: Data
31. Security in TCP - Sequence numbers
• Masquerading using sequence number attacks:
– To incorporate a malicious packet into an ongoing
communication the intruder has to know the sequence
number
– Old implementations use a 32-bit counter to generate the initial
sequence number (instead of random numbers)
(in 4.2BSD the counter is incremented by 128 every second and
by 64 for each new connection)
– Sequence numbers can be guessed
32. Security in TCP - Sequence numbers
• Eve -> Alice: Port 25, SeqEve
• Alice -> Eve: Ack: SeqEve + 1, SeqAlice
Guessing SeqAlice' (the next initial sequence number Alice will use):
• Eve as Bob -> Alice: Port 513, SeqEve'
• Alice -> Bob: Ack: SeqEve' + 1, SeqAlice' (Eve never sees this packet)
• Eve as Bob -> Alice: Ack: SeqAlice' + 1
Problem: Alice's answers are sent to Bob, who would reset a connection he never opened:
an additional attack is necessary to flood Bob with requests
so that Bob cannot send reset packets
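The guessing step of the two slides above, simulated in Python as an added example that is not part of the slides: Eve obtains one initial sequence number from Alice through a legitimate connection to port 25 and predicts the one Alice will use for the spoofed connection to port 513. The counter model follows the 4.2BSD behaviour described by Bellovin (+128 per second, +64 per connection); a randomised generator is included for comparison. FakeClock, BsdIsnGenerator, RandomIsnGenerator, predict_isn and blind_spoof are names chosen for this example.

```python
import random

MASK32 = 0xFFFFFFFF


class FakeClock:
    """Deterministic clock so the example runs the same way every time."""
    def __init__(self, t: int = 1000):
        self.t = t

    def __call__(self) -> int:
        return self.t

    def advance(self, seconds: int) -> None:
        self.t += seconds


class BsdIsnGenerator:
    """Initial sequence number counter as in 4.2BSD: +128 per second, +64 per new connection."""
    PER_SECOND, PER_CONNECTION = 128, 64

    def __init__(self, clock, start: int = 0):
        self.clock, self.counter, self.last = clock, start, clock()

    def next_isn(self) -> int:
        now = self.clock()
        self.counter += self.PER_SECOND * (now - self.last)
        self.last = now
        self.counter = (self.counter + self.PER_CONNECTION) & MASK32
        return self.counter


class RandomIsnGenerator:
    """Unpredictable initial sequence numbers (modelled with a seeded PRNG for the example)."""
    def __init__(self, rng: random.Random):
        self.rng = rng

    def next_isn(self) -> int:
        return self.rng.getrandbits(32)


def predict_isn(observed: int, elapsed_seconds: int = 0, connections_between: int = 0) -> int:
    """Eve's guess for Alice's next ISN, given one ISN she legitimately received."""
    return (observed
            + BsdIsnGenerator.PER_SECOND * elapsed_seconds
            + BsdIsnGenerator.PER_CONNECTION * (connections_between + 1)) & MASK32


def blind_spoof(alice_isn, clock=None, elapsed_seconds: int = 0, unknown_connections: int = 0) -> bool:
    """True if Eve's blind third handshake packet carries the ACK number Alice expects."""
    # 1. Eve -> Alice (port 25, Eve's real address): Alice answers with SeqAlice, which Eve sees.
    seq_alice = alice_isn.next_isn()
    if clock is not None:
        clock.advance(elapsed_seconds)
    # Connections Eve does not know about move the counter without her noticing.
    for _ in range(unknown_connections):
        alice_isn.next_isn()
    # 2. Eve predicts SeqAlice' for the very next connection Alice will accept.
    guess = predict_isn(seq_alice, elapsed_seconds)
    # 3. Eve as Bob -> Alice (port 513): Alice's SYN-ACK with SeqAlice' goes to Bob, not to Eve.
    seq_alice_prime = alice_isn.next_isn()
    # 4. Eve as Bob -> Alice: Ack = guess + 1. Alice accepts it only if it equals SeqAlice' + 1.
    return (guess + 1) & MASK32 == (seq_alice_prime + 1) & MASK32


if __name__ == "__main__":
    clk = FakeClock()
    print("BSD counter, 3 s later:      ", blind_spoof(BsdIsnGenerator(clk), clk, 3))
    clk = FakeClock()
    print("BSD counter, 1 other client: ", blind_spoof(BsdIsnGenerator(clk), clk, 0, 1))
    print("random ISN:                  ", blind_spoof(RandomIsnGenerator(random.Random(7))))
```

The second run shows the practical limit of the attack even against the old counter: one connection from another client between Eve's probe and her spoofed SYN shifts the counter by 64 and the guess fails, which is why the attacker probes and spoofs as close together as possible. Against the randomised generator the guess succeeds with probability 2^-32 per attempt.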
33. Security Problems in IP: Denial of Service
Address spoofing - examples of denial of service:
– UDP flood attack:
• Eve sends a UDP packet with a faked source address
• The target machine sends echo packets to the machine at the
faked address, which echoes back, etc. (echo/chargen loop)
– SYN flood attack:
• Eve sends SYN packets with faked source addresses
of unreachable machines
• The target sends SYN-ACK packets and waits for the final ACK
• Overflow of the backlog of half-open connections
34. Distributed Denial of Service
[Figure: attacker -> stepping stones -> handlers -> agents -> attack on the victim]
35. Intrusion Detection Systems
Intrusion Detection is the process of identifying
and responding to malicious activity targeted at
computing and network resources
Edward Amoroso
36. Intrusion Detection Systems
• Monitoring:
– Examine and process information about
activities on the target system
• Reporting:
– Report information about monitored system
into a system security infrastructure
• Responding:
– Respond to detected intrusion
37. Dimensions of IDS
• Analysis approach:
– Attack signature detection: identifies patterns
corresponding to known attacks
• Types of attacks have to be known in advance
– Anomaly detection: identifies unacceptable deviations from
expected behaviour using profiles
• Can respond to previously unknown types of
attacks
38. Methods of IDS
• Audit trail processing:
– Existing log files are examined by the IDS
– Off-line
– Auditable events, auditable information, audit basis
– Example: Unix syslog audit processing
• On-the-fly processing ("network intrusion detection")
– Monitoring of traffic in real time
– Suspicious string patterns, e.g. "/etc/passwd"
– Signatures of abnormal behaviour
– Warnings before damage can occur
39. Methods of IDS (II)
Anomaly detection
• Profiles of normal behaviour
capturing expectations about user and system
computing and networking activities
– Estimation of an initial profile
– Fine-tuning of profiles
– Profiling using all-source information
40. Architecture of an IDS
• Sensor: provides the necessary information about the target
• System management: maintains control over the internal components,
communicates with other IDSs
• Processing engine: reduction of irrelevant data, identification of
key intrusion evidence, decision on the type of response
• Knowledge base: profiles of users and data, attack signatures
• Audit archive: storage of target system activities
• Alarms
• GUI
41. Intrusion Response
• Identification of the attacker
– DNS ???
– Identification of intermediate hosts
• Preventing damage
– Closing ports and network connections
– Counter-attack by a denial of service attack ???
• Repair of existing damage
– Loss of integrity, availability,
authentication, privacy?
42. Firewalls
[Figure: Intranet - Firewall (e.g. a router) - Open network (Internet)]
• All traffic between intranet and open network is controlled
by the firewall
• Security strategy, access control, protocols, authentication
43. Types of Firewalls
• Packet filter
– Controls individual IP (TCP/UDP) packets
• Circuit-level gateway
– Operates on the transport layer
• Application-level gateway (proxy server)
– Operates on the application layer
– Can analyse application data
44. Packet Filters
• Filters packets (TCP / IP) according to a security
policy based on header information
• No internal state
• Accessible information:
– Sender/receiver addresses, ports, options,
ACK bit, type of protocol, ...
Rules:
sender   receiver  port  proto.  action  reason
*        *         53    UDP     ok      DNS queries
extern   intern    123   UDP     ok      NTP access
*        *         69    UDP     no      no TFTP
extern   *         513   TCP     no      no rlogin from outside
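The rule table above evaluated by an added example (not code from the slides): a stateless, first-match filter with a default of deny, read with port as destination port. It also shows the usual trap with such tables: a stateless filter has to let DNS answers back in, and once an administrator adds a rule for that keyed on source port 53, any UDP packet from outside with source port 53 reaches any internal port the earlier rules do not block. The sport and ack fields, the "DNS replies" and "established TCP only" rules and all sample packets are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str            # "extern" or "intern": which side the packet arrives from
    dst: str
    sport: int          # source port
    dport: int          # destination port
    proto: str          # "TCP" or "UDP"
    ack: bool = False   # TCP ACK bit (set on every segment except the first SYN)


@dataclass(frozen=True)
class Rule:
    src: str                    # "*" matches either side
    dst: str
    dport: Optional[int]        # None = any destination port
    proto: str
    action: str                 # "ok" or "no"
    reason: str
    sport: Optional[int] = None # None = any source port (assumed extension of the table)
    ack: Optional[bool] = None  # None = ACK bit not considered (assumed extension)

    def matches(self, p: Packet) -> bool:
        return (self.src in ("*", p.src) and self.dst in ("*", p.dst)
                and self.proto == p.proto
                and (self.dport is None or self.dport == p.dport)
                and (self.sport is None or self.sport == p.sport)
                and (self.ack is None or self.ack == p.ack))


def evaluate(packet: Packet, rules: List[Rule], default: str = "no") -> Tuple[str, str]:
    """First matching rule decides; anything unmatched falls through to the default."""
    for r in rules:
        if r.matches(packet):
            return r.action, r.reason
    return default, "default deny"


# The rule table of the slide (port read as destination port):
RULES = [
    Rule("*",      "*",      53,  "UDP", "ok", "DNS queries"),
    Rule("extern", "intern", 123, "UDP", "ok", "NTP access"),
    Rule("*",      "*",      69,  "UDP", "no", "no TFTP"),
    Rule("extern", "*",      513, "TCP", "no", "no rlogin from outside"),
]

# Assumed extra rule to let DNS answers back in: keyed on the source port only.
RULES_WITH_REPLY = RULES + [
    Rule("extern", "intern", None, "UDP", "ok", "DNS replies", sport=53),
]

# Assumed variant for TCP: inbound segments pass only with the ACK bit set, i.e. when
# they belong to a connection that was opened from the inside.
RULES_TCP_ESTABLISHED = RULES + [
    Rule("extern", "intern", None, "TCP", "ok", "established TCP only", ack=True),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed sample packets run against the three tables."""
    cases = {
        "dns query out":       (Packet("intern", "extern", 40000, 53, "UDP"), RULES),
        "dns reply, no rule":  (Packet("extern", "intern", 53, 40000, "UDP"), RULES),
        "dns reply, rule":     (Packet("extern", "intern", 53, 40000, "UDP"), RULES_WITH_REPLY),
        "sport 53 to NFS":     (Packet("extern", "intern", 53, 2049, "UDP"), RULES_WITH_REPLY),
        "sport 53 to TFTP":    (Packet("extern", "intern", 53, 69, "UDP"), RULES_WITH_REPLY),
        "rlogin from outside": (Packet("extern", "intern", 40000, 513, "TCP"), RULES),
        "inbound SYN":         (Packet("extern", "intern", 40000, 80, "TCP"), RULES_TCP_ESTABLISHED),
        "inbound reply":       (Packet("extern", "intern", 80, 40000, "TCP", ack=True), RULES_TCP_ESTABLISHED),
    }
    return {name: evaluate(p, rules) for name, (p, rules) in cases.items()}


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:20s} -> {action:2s} ({reason})")
```

Rule order matters: the TFTP rule precedes the reply rule, so source port 53 to port 69 is still blocked, but port 2049 is not. The ACK-bit variant stops blind SYNs from outside and is the best a stateless filter can do for TCP; it still lets an attacker send ACK-only segments to any internal port, which is how ACK scans map such filters. UDP has no equivalent flag, which is why the circuit-level and application gateways of the following slides keep connection state.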
45. Packet Filters - Pros and Cons
• Easy and cheap to implement
• Transparent for upper layers
• Prevents some IP spoofing and router attacks
But:
• Decides on possibly faked IP addresses and ports
• No detailed filtering (e.g. according to users)
• Error-prone specification of the filter table
– Large, unreadable tables
– Need for tools
46. Circuit-level Gateway
• Controls the transport layer
• Operates as client for the server and as server
for the client (proxy server)
• Provides generic proxy services
• Has internal state and logs activities
• Example: SOCKS gateway (Hummingbird)
– Provides socket access via Rconnect, Rlisten
and Rbind through the gateway, with
authentication
47. Circuit-Layer Gateway -
Pros and Cons
• Independent of applications
• Allows for filtering of existing connections
• Authorization and logging
• Filtering of UDP services possible
But:
• Does not consider application-specific information
– Cannot distinguish http content
• Modification of the application necessary (clients have to be "socksified")
48. Application Filter
• Operating on application layer
• Proxies for telnet, ftp, smtp, http, ...
• Provides application specific knowledge
– E.g. ftp-proxy knows about ftp-commands
– http proxy knows about ActiveX, JavaScript, Java, ...
• Internal state and logging
49. Application Filter - Pros and Cons
• Allows for sophisticated authentication and
control (e.g. generating profiles)
• Accounting and logging of accesses
– Input for intrusion detection systems
• Fine-granular rules possible
But:
• An individual filter for each service - automation?
• Based on unreliable lower layers
50. Architecture of Firewalls
Dual-Home Firewall:
[Figure: Intranet - dual-homed bastion host (application filter, packet filter) - Internet]
Screened-Host Firewall:
[Figure: Intranet with NTP server and application filter host - packet filter - Internet]
51. Architecture of Firewalls (II)
Screened-Subnet Firewall:
[Figure: internal hosts, internal www server and internal DNS server - packet filter - screened subnet with application filter, WWW server and DNS server - packet filter - Internet]
52. Firewalls - Summary
• Security mechanisms concentrated at one point
• Fine-granular policies can be implemented
• Logging features to create profiles
But:
• Difficult to come up with consistent configuration
• Continuous maintenance necessary
• Problems with tunneling
• Mobile devices: Laptops, Palms etc
54. Security Problems in IP - Authentication
• Address spoofing:
– Faking the sender address in IP packets
[Figure: Eve.evil.org (188.88.88.88) sends an IP packet with From: 134.96.12.104, To: 134.96.12.102 to Alice.uni-sb.de (134.96.12.102); Alice's /etc/hosts.equiv trusts Bob.uni-sb.de (134.96.12.104), so the packet appears to come from Bob]
55. Secure Socket Layer (SSL)
• SSL operates on top of the transport layer
• Developed by Netscape following the recommendations
of the OSI security architecture
• Authentication of communication partners
– Asymmetric encryption
• Private communication
– Symmetric session keys
• Integrity of messages
– Message Authentication Codes (MAC)
• Encryption and hashing algorithms are negotiated
between the communication partners
56. SSL - Overview
[Figure: protocol stack on both sides: Telnet, Ftp, http, Smtp on top of SSL-Handshake / SSL-Record on top of TCP / IP]
SSL-Handshake: authentication of partners, exchange of secrets
SSL-Record: fragmentation of data, compression, computation of MACs and session keys, encryption of records
57. SSL - Handshake Protocol
• Agree on SSL communication by using specific ports:
443 (https), 465 (smtps), 990 (ftps), 992 (telnets)
Client -> Server: ClientHello
Server -> Client: ServerHello
Certificate (optional)
ServerKeyExchange (optional)
CertificateRequest (optional)
ServerHelloDone
Client -> Server: Certificate (optional)
ClientKeyExchange
CertificateVerify (optional)
ChangeCipherSpec
Finished
Server -> Client: ChangeCipherSpec
Finished
Both: application data
58. SSL - Handshake Protocol
• ClientHello: timestamp (32 bit), nonce RC (28 bytes),
SessionID, list of preferred cipher suites
• ServerHello: timestamp (32 bit), nonce RS, cipher suite chosen
from the client's list
• Certificates according to X.509
• ServerKeyExchange: temporary public key PKS (RSA)
• ClientKeyExchange: 48-byte secret "pre" encrypted with PKS
(or the client's public value in the case of Diffie-Hellman)
• Computing the master secret
MD5(pre || SHA("A" || pre || RC || RS)) ||
MD5(pre || SHA("BB" || pre || RC || RS)) ||
MD5(pre || SHA("CCC" || pre || RC || RS))
which is then used to compute the secret keys
• Finished messages incorporate MACs (MD5 and SHA) of all previous
handshake messages
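The master-secret computation of this slide carried out with Python's hashlib, as an added example that is neither code from the slides nor from any SSL implementation. It goes one step beyond the slide and also derives the key block, which SSL 3.0 computes the same way with labels A, BB, CCC, DDDD, ... over the master secret and the two nonces in swapped order (RS before RC), and splits it into the MAC secrets, keys and IVs (RFC 6101). The pre-master secret and the two nonces are constructed sample values.

```python
import hashlib


def _md5_sha(secret: bytes, label: bytes, r1: bytes, r2: bytes) -> bytes:
    """One block MD5(secret || SHA1(label || secret || r1 || r2)) of the SSL 3.0 derivation."""
    inner = hashlib.sha1(label + secret + r1 + r2).digest()
    return hashlib.md5(secret + inner).digest()


def ssl3_labels(n_blocks: int):
    """The labels "A", "BB", "CCC", ... used by SSL 3.0 (at most 26, up to "Z" * 26)."""
    if n_blocks > 26:
        raise ValueError("SSL 3.0 derivation supports at most 26 blocks")
    return [bytes([ord("A") + i]) * (i + 1) for i in range(n_blocks)]


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret: three blocks with labels A, BB, CCC over pre || RC || RS."""
    if len(pre_master) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("pre-master secret is 48 bytes; each random is 4-byte time + 28 random bytes")
    return b"".join(_md5_sha(pre_master, lab, client_random, server_random) for lab in ssl3_labels(3))


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Key material; note the swapped order RS || RC compared to the master secret."""
    n_blocks = (length + 15) // 16
    blob = b"".join(_md5_sha(master, lab, server_random, client_random) for lab in ssl3_labels(n_blocks))
    return blob[:length]


def derive_session_keys(pre_master, client_random, server_random, mac_len=20, key_len=16, iv_len=8):
    """Master secret plus the key block split in the order SSL 3.0 prescribes."""
    ms = master_secret(pre_master, client_random, server_random)
    kb = key_block(ms, client_random, server_random, 2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return ms, keys


# Constructed sample values: the pre-master secret starts with the version 3.0, as the
# client sends it encrypted under PKS; the randoms are 4-byte timestamp + 28 bytes.
PRE_MASTER = bytes([3, 0]) + bytes(range(46))
CLIENT_RANDOM = (0x44A8F000).to_bytes(4, "big") + bytes(range(28))
SERVER_RANDOM = (0x44A8F001).to_bytes(4, "big") + bytes(range(100, 128))

if __name__ == "__main__":
    ms, keys = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master secret:", ms.hex())
    for name, value in keys.items():
        print(f"{name:11s} {value.hex()}")
```

Both nonces enter every block, so a replayed ClientKeyExchange yields fresh keys as long as the server's RS is fresh. MD5 appears here only inside this derivation (the point of the "MD5? HMAC!" remark on the next slide); TLS 1.0 replaced it with an HMAC-based pseudo-random function.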
59. Security of SSL
• SSL allows for an authenticated and private
communication without manipulations
• Finished messages prevent man-in-the-middle
attacks on the handshake (e.g. tampering with the negotiated algorithms)
• Depends on the cryptographic algorithms used
(MD5? HMAC!)
• Cannot be combined with an application filter (the content is encrypted end-to-end)
• TLS (Transport Layer Security) as "internet
standard" based on SSL (TLS 1.0 carries the version number 3.1)
60. IPSec
"Suite" of protocols to secure network connections
• Allows for different encryption and authentication
methods
• Integrity (authentication) and secrecy (encryption)
• Operates on the IP – level
• IKE : Internet Key Exchange
61. IPSec - Alternatives
• AH ("Authentication Header"): authentication only vs.
ESP ("Encapsulating Security Payload"): encryption +
(optional) authentication
• Tunnel mode (total IP-packet) vs.
transport mode (payload only)
• Different cryptographical choices
MD5, SHA-1…
3DES, AES, Blowfish, …
• IKE (Internet Key Exchange) protocol vs. manual setup
62. Authentication Header - Transport Mode
Original IP packet:
[IP header: version, hdr.len, TOS, length (max. 64k), identification, flags, fragment offset, time to live, protocol = TCP, header checksum, address of sender, address of receiver, IP options, padding] [DATA]
IPsec packet:
[IP header as above, but protocol = AH] [AH: next header = TCP, AH length, reserved, security parameter index, sequence number, authentication data] [DATA]
Changed entries: the protocol field of the IP header; the AH is inserted between IP header and DATA
Protected by the authentication data: the IP header (except the mutable fields TOS, flags, fragment offset, TTL and header checksum, which are zeroed for the computation), the AH itself (with the authentication data field zeroed) and DATA
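The integrity check of AH transport mode as an added example, not code from the slides or from any IPsec implementation: it builds the IPsec packet of the figure, computes the authentication data with HMAC-SHA1-96 over the packet with the mutable IP fields and the ICV field zeroed (RFC 2402/4302, RFC 2404), and verifies it after a router hop and after a source-address rewrite. Key, SPI, addresses and the TCP segment are constructed for the example; all function names are chosen here.

```python
import hashlib
import hmac
import struct

IPPROTO_TCP, IPPROTO_AH = 6, 51
IP_HLEN, AH_FIXED, ICV_LEN = 20, 12, 12    # AH without ICV is 12 bytes; HMAC-SHA1-96 ICV is 12 bytes


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over the IP header."""
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    ip = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HLEN + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_header(next_header: int, spi: int, seq: int, icv: bytes = b"\0" * ICV_LEN) -> bytes:
    # payload length field = AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    return struct.pack("!BBHII", next_header, (AH_FIXED + len(icv)) // 4 - 2, 0, spi, seq) + icv


def _icv_input(packet: bytes) -> bytes:
    """Zero the mutable IP fields and the ICV field; everything else is covered by the MAC."""
    p = bytearray(packet)
    p[1] = 0                                  # TOS (DSCP/ECN), may be rewritten en route
    p[6:8] = b"\0\0"                          # flags + fragment offset
    p[8] = 0                                  # TTL, decremented by every router
    p[10:12] = b"\0\0"                        # header checksum, recomputed by every router
    p[IP_HLEN + AH_FIXED:IP_HLEN + AH_FIXED + ICV_LEN] = b"\0" * ICV_LEN
    return bytes(p)


def ah_icv(packet: bytes, key: bytes) -> bytes:
    return hmac.new(key, _icv_input(packet), hashlib.sha1).digest()[:ICV_LEN]


def build_ah_transport(src, dst, spi, seq, key, tcp_segment, ttl=64) -> bytes:
    ah = ah_header(IPPROTO_TCP, spi, seq)
    pkt = ipv4_header(src, dst, IPPROTO_AH, len(ah) + len(tcp_segment), ttl) + ah + tcp_segment
    start = IP_HLEN + AH_FIXED
    return pkt[:start] + ah_icv(pkt, key) + pkt[start + ICV_LEN:]


def verify_ah(packet: bytes, key: bytes) -> bool:
    start = IP_HLEN + AH_FIXED
    return hmac.compare_digest(packet[start:start + ICV_LEN], ah_icv(packet, key))


def router_hop(packet: bytes) -> bytes:
    """What a router legitimately does: decrement the TTL and recompute the header checksum."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = b"\0\0"
    p[10:12] = struct.pack("!H", ip_checksum(bytes(p[:IP_HLEN])))
    return bytes(p)


def rewrite_src(packet: bytes, new_src: str) -> bytes:
    """What an attacker (or a NAT box) does: change the source address and fix the checksum."""
    p = bytearray(packet)
    p[12:16] = bytes(int(x) for x in new_src.split("."))
    p[10:12] = b"\0\0"
    p[10:12] = struct.pack("!H", ip_checksum(bytes(p[:IP_HLEN])))
    return bytes(p)


KEY = b"constructed-sa-key-for-this-example"
# constructed TCP SYN from port 40000 to port 23 (telnet): ports, seq, ack, offset, flags, window, csum, urg
SEGMENT = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def sample_packet() -> bytes:
    return build_ah_transport("134.96.12.104", "134.96.12.102", spi=0x100, seq=1, key=KEY, tcp_segment=SEGMENT)


if __name__ == "__main__":
    pkt = sample_packet()
    print("fresh packet verifies:      ", verify_ah(pkt, KEY))
    print("after a router hop:         ", verify_ah(router_hop(pkt), KEY))
    print("after source rewrite (NAT): ", verify_ah(rewrite_src(pkt, "188.88.88.88"), KEY))
```

The third line is the practical consequence of AH covering the addresses: an address-spoofed packet (slide 54) fails the check, but so does every packet that passes a NAT box, which is why ESP, whose authentication data does not cover the outer IP header, is what VPNs through NAT use. The sequence number in the AH is what anti-replay windows are built on; this example only carries it.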
63. Authentication Header - Tunnel Mode
IPsec packet:
[new outer IP header: protocol = AH, addresses of the tunnel endpoints] [AH: next header = IP, AH length, reserved, security parameter index, sequence number, authentication data] [original IP header: protocol = TCP, addresses of sender and receiver] [DATA]
Protected by the authentication data: the outer IP header (except its mutable fields), the AH and the complete original packet
64. ESP - Transport Mode
Original IP packet:
[IP header: protocol = TCP] [DATA]
IPsec packet:
[IP header as above, but protocol = ESP] [ESP header: security parameter index, sequence number] [encrypted: DATA, padding, pad-len, next header = TCP] [authentication data]
Changed entries: the protocol field of the IP header; ESP header and trailer are added
Encrypted: DATA and the ESP trailer; authenticated: ESP header and the encrypted part (the IP header is not protected)
65. ESP - Tunnel Mode: VPN
IPsec packet:
[outer IP header: protocol = ESP, addresses of the tunnel endpoints (the VPN gateways)] [ESP header: security parameter index, sequence number] [encrypted: original IP header (protocol = TCP, addresses of sender and receiver), DATA, padding, pad-len, next header = IP] [authentication data]
Encrypted: the complete original packet; authenticated: ESP header and encrypted part; the outer header is not protected