LECTURE 5, 6
IPsec operation: Internet Key Exchange
CONFIDENTIALITY PROTOCOLS
EC-Council
Contents
• IPsec key management
• VPN network configuration
• GRE tunnel
• Comparison of IPsec and SSL
• Conclusion
© 2012 Cisco and/or its affiliates. All rights reserved.
IPsec
IPsec Protocol Framework (figure, reconstructed from the slide labels):
IPsec protocol: AH, ESP, ESP + AH
Confidentiality: DES, 3DES, AES, SEAL
Integrity: MD5, SHA
Authentication: PSK, RSA
Secure key exchange: DH1 (768 bits), DH2 (1024 bits), DH5 (1536 bits), DH7
  DH1 and DH2 are used with DES and 3DES; DH5 is used with AES.
Authentication Header (AH)
• AH provides authentication and optional replay-detection services.
  • It authenticates the sender of the data.
  • AH operates on protocol number 51.
  • AH supports the HMAC-MD5 and HMAC-SHA-1 algorithms.

Encapsulating Security Payload (ESP)
• ESP provides the same security services as AH (authentication and integrity) AND an encryption service.
  • It encapsulates the data to be protected.
  • It operates on protocol number 50.
Key Exchange
SA Security Parameters (figure)

How IPsec uses IKE (figure; only two of the four numbered steps survived extraction):
1. Outbound packet is sent from Alice to Bob. No IPsec SA.
4. Packet is sent from Alice to Bob protected by IPsec SA.
IKE - Internet Key Exchange
• There are two phases in every IKE negotiation:
  • Phase 1 (Authentication)
    • The first phase establishes an ISAKMP SA
      – based on pre-shared keys (PSK),
      – RSA keys and X.509 certificates, or even via Kerberos.
  • Phase 2 (Key Exchange)
    – In the second phase the ISAKMP SA is used to negotiate and set up the IPsec SAs.
• IKE negotiation can occur in:
  • Main Mode
  • Aggressive Mode
• The difference between the two is that Main Mode requires the exchange of 6 messages while Aggressive Mode requires only 3.
IKE Phases 1 and 2
• IKE Phase One:
  1. Negotiates an IKE protection suite.
  2. Exchanges keying material to protect the IKE session (DH).
  3. Authenticates each peer to the other.
  • Establishes the IKE SA.
  • Main Mode requires the exchange of 6 messages while Aggressive Mode only uses 3 messages.
• IKE Phase Two:
  1. Negotiates IPsec security parameters, known as IPsec transform sets.
  • Establishes IPsec SAs.
  • Periodically renegotiates IPsec SAs to ensure security.
  • Quick Mode exchange, realized with 3 messages.
Main Mode
• Main Mode negotiates an ISAKMP SA which will be used to create IPsec SAs
• Three steps:
  • SA negotiation
  • Diffie-Hellman and nonce exchange
    – Oakley Key Determination Protocol - RFC 2412
  • Authentication
IKE Phase 1 Main Mode (Kerberos) - message flow
1. Initiator → Responder: Header, SA Proposals
2. Responder → Initiator: Header, Selected SA Proposal
3. Initiator → Responder: Header, D-H Key Exchange, Nonce_i, Kerberos Token_i
4. Responder → Initiator: Header, D-H Key Exchange, Nonce_r, Kerberos Token_r
5. Initiator → Responder: Header, Id_i, Hash_i (encrypted)
6. Responder → Initiator: Header, Id_r, Hash_r (encrypted)
IKE Phase 1 Main Mode (Certificate) - message flow
1. Initiator → Responder: Header, SA Proposals
2. Responder → Initiator: Header, Selected SA Proposal
3. Initiator → Responder: Header, D-H Key Exchange, Nonce_i
4. Responder → Initiator: Header, D-H Key Exchange, Nonce_r, Certificate Request
5. Initiator → Responder: Header, Id_i, Certificate_i, Signature_i, Certificate Request (encrypted)
6. Responder → Initiator: Header, Id_r, Certificate_r, Signature_r (encrypted)
IKE Phase 1 Main Mode (Pre-shared Key) - message flow
1. Initiator → Responder: Header, SA Proposals
2. Responder → Initiator: Header, Selected SA Proposal
3. Initiator → Responder: Header, D-H Key Exchange, Nonce_i
4. Responder → Initiator: Header, D-H Key Exchange, Nonce_r
5. Initiator → Responder: Header, Id_i, Hash_i (encrypted)
6. Responder → Initiator: Header, Id_r, Hash_r (encrypted)
IKE Phase 2 Quick Mode
• All traffic is encrypted using the ISAKMP Security Association
• Each Quick Mode negotiation results in two IPsec Security Associations (one inbound, one outbound)

Quick Mode Negotiation - message flow (all messages encrypted under the ISAKMP SA)
1. Initiator → Responder: Header, IPsec Proposed SA
2. Responder → Initiator: Header, IPsec Selected SA
3. Initiator → Responder: Header, Hash
4. Responder → Initiator: Header, Connected Notification
IKE Phases (figure)
Main Mode
• Protects against DoS attacks
IKE session key computation
• Four kinds of keys are used:
  • SKEYID – master key (DH)
  • SKEYID_d – for IKE SAs
  • SKEYID_a – authentication key for messages
  • SKEYID_e – encryption key for messages
Five Steps of IPsec
Step 1: Host A sends interesting traffic destined for Host B.
Step 2: IKE Phase 1 authenticates IPsec peers and negotiates IKE SAs to create a secure communications channel for negotiating IPsec SAs in Phase 2.
Step 3: IKE Phase 2 negotiates IPsec SA parameters and creates matching IPsec SAs in the peers to protect data and messages exchanged between endpoints.
Step 4: Data transfer occurs between IPsec peers based on the IPsec parameters and keys stored in the SA database.
Step 5: IPsec tunnel termination occurs when SAs are deleted or time out.
Step 1 – Interesting Traffic (figure)

Step 2 – IKE Phase 1: IKE Policy Negotiation (figure)

Step 2 – IKE Phase 1: DH Key Exchange
1. RouterA randomly chooses a string and sends it to RouterB.
2. RouterB hashes the received string together with the pre-shared secret and yields a hash value.
3. RouterB sends the result of hashing back to RouterA.
4. RouterA calculates its own hash of the random string, together with the pre-shared secret, and matches it with the received result from the other peer.
5. If they match, RouterB knows the pre-shared secret, and is considered authenticated.
6. Now RouterB randomly chooses a different random string and sends it to RouterA.
7. RouterA also hashes the received string together with the pre-shared secret and yields a hash value.
8. RouterA sends the result of hashing back to RouterB.
9. RouterB calculates its own hash of the random string, together with the pre-shared secret, and matches it with the received result from the other peer.
10. If they match, RouterA knows the pre-shared secret, and is considered authenticated.

Step 2 – IKE Phase 1: Peer Authentication (figure)
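The pre-shared-key authentication walked through on the two slides above and the SKEYID derivation listed on the earlier IKE session key slide, written out as an added example that is not part of the lecture. It follows the RFC 2409 formulas with HMAC-SHA1 as the prf; the Diffie-Hellman group, cookies, nonces, SA body and ID payloads are constructed toy values, and the seed parameter is an assumption added for repeatable runs.

```python
"""IKEv1 Main Mode with pre-shared-key authentication (RFC 2409).

Added example, not code from the lecture: derives SKEYID and the sub-keys
SKEYID_d / SKEYID_a / SKEYID_e from the PSK, the nonces and the DH secret,
then runs the HASH_I / HASH_R check of messages 5 and 6.  The DH group is a
constructed toy group; real IKE uses DH1/DH2/DH5 (768/1024/1536-bit MODP)."""
import hashlib
import hmac
import random
import secrets

TOY_P = (1 << 127) - 1   # constructed toy DH group: Mersenne prime 2^127 - 1
TOY_G = 3                # its generator; NOT an IKE group
DH_BYTES = 16            # fixed width used to serialise g^x and g^xy

def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated pseudo-random function: HMAC with the agreed hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def to_bytes(value: int) -> bytes:
    return value.to_bytes(DH_BYTES, "big")

def dh_keypair(rng):
    """Private exponent x and public value g^x mod p."""
    x = rng.randrange(2, TOY_P - 1)
    return x, pow(TOY_G, x, TOY_P)

def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """Pre-shared-key method: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)

def subkeys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d (keying material for IPsec SAs), SKEYID_a (IKE authentication),
    SKEYID_e (IKE encryption), chained as in RFC 2409 section 5."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e

def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)

def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)

def main_mode_psk(psk_initiator: bytes, psk_responder: bytes, seed=None) -> dict:
    """Run messages 3-6 of Main Mode between peers that may hold different
    PSKs.  A seed gives a repeatable run; by default the OS CSPRNG is used."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()

    def rnd(n):
        return rng.getrandbits(8 * n).to_bytes(n, "big")

    cky_i, cky_r = rnd(8), rnd(8)      # ISAKMP cookies from the headers
    ni_b, nr_b = rnd(16), rnd(16)      # nonces carried in messages 3 and 4
    sai_b = bytes([0, 0, 0, 1, 5, 1, 0, 2])     # constructed SA payload body
    idii_b = bytes([1, 0, 0, 0, 10, 0, 0, 1])   # constructed ID_IPV4_ADDR 10.0.0.1
    idir_b = bytes([1, 0, 0, 0, 10, 0, 0, 2])   # constructed ID_IPV4_ADDR 10.0.0.2

    xi, gxi = dh_keypair(rng)
    xr, gxr = dh_keypair(rng)
    gxy = to_bytes(pow(gxr, xi, TOY_P))        # both peers obtain the same g^xy
    gxi_b, gxr_b = to_bytes(gxi), to_bytes(gxr)

    # Each side derives SKEYID from the PSK *it* holds; a mismatch changes
    # every derived key and therefore both hashes.
    sk_i = skeyid_psk(psk_initiator, ni_b, nr_b)
    sk_r = skeyid_psk(psk_responder, ni_b, nr_b)

    # Message 5: initiator proves the PSK with HASH_I (sent encrypted in Main Mode).
    sent_i = hash_i(sk_i, gxi_b, gxr_b, cky_i, cky_r, sai_b, idii_b)
    want_i = hash_i(sk_r, gxi_b, gxr_b, cky_i, cky_r, sai_b, idii_b)
    responder_accepted = hmac.compare_digest(sent_i, want_i)

    # Message 6: responder answers with HASH_R; the initiator verifies it.
    sent_r = hash_r(sk_r, gxi_b, gxr_b, cky_i, cky_r, sai_b, idir_b)
    want_r = hash_r(sk_i, gxi_b, gxr_b, cky_i, cky_r, sai_b, idir_b)
    initiator_accepted = hmac.compare_digest(sent_r, want_r)

    keys_i = subkeys(sk_i, gxy, cky_i, cky_r)
    keys_r = subkeys(sk_r, gxy, cky_i, cky_r)
    return {"responder_accepted": responder_accepted,
            "initiator_accepted": initiator_accepted,
            "keys_match": keys_i == keys_r,
            "skeyid_e": keys_i[2]}
```

A peer holding the wrong PSK fails both hash checks and never shares SKEYID_e, which is why a mismatched key shows up as an authentication failure in Phase 1 rather than as garbled traffic later.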
Step 3 – IKE Phase 2: IPsec Negotiation (figure)

Step 3 – IKE Phase 2: Transform Set Negotiation (figure)

Step 3 – IKE Phase 2: Security Associations (figure)

Step 4: IPsec Session (figure)

Step 5: Tunnel Termination (figure)

GRE Tunnel
Layer 3 Tunneling
• There are 2 popular site-to-site tunneling protocols:
  • Cisco Generic Routing Encapsulation (GRE)
  • IP Security Protocol (IPsec)
• When should you use GRE and / or IPsec?
Decision flow (figure): User traffic IP only? No → use a GRE tunnel. Yes → Unicast only? No → use a GRE tunnel. Yes → use an IPsec VPN.
Generic Routing Encapsulation (GRE)
• GRE can encapsulate almost any other type of packet.
  • Uses IP to create a virtual point-to-point link between Cisco routers
  • Supports multiprotocol (IP, CLNS, …) and IP multicast tunneling (and therefore routing protocols)
  • Best suited for site-to-site multiprotocol VPNs
  • RFC 1702 and RFC 2784
• The GRE header adds 24 bytes of additional overhead.
Optional GRE Extensions
• GRE can optionally contain any one or more of these fields:
  • Tunnel checksum
  • Tunnel key
  • Tunnel packet sequence number
• GRE keepalives can be used to track tunnel path status.
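The base header and the optional checksum, key and sequence-number fields described above, built and parsed in Python as an added example (not code from the lecture or from Cisco); the sample inner IPv4 header is constructed, and the 20-byte outer header used for the overhead figure assumes no IP options.

```python
"""GRE header builder and parser (RFC 2784 base header, RFC 2890 key and
sequence extensions).  Added example, not code from the lecture or any
vendor: it shows why a plain GRE header costs 4 bytes (24 bytes with the
outer 20-byte IPv4 delivery header, as the slide states) and how each of
the optional checksum, key and sequence-number fields adds 4 more."""
import struct
from typing import Optional

FLAG_C = 0x8000          # Checksum Present
FLAG_K = 0x2000          # Key Present (RFC 2890)
FLAG_S = 0x1000          # Sequence Number Present (RFC 2890)
VER_MASK = 0x0007        # Version must be 0 for RFC 2784 GRE
ETHERTYPE_IPV4 = 0x0800  # Protocol Type for an IPv4 payload
OUTER_IPV4_HDR = 20      # assumes an option-less IPv4 delivery header


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, zero-padded if odd."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int = ETHERTYPE_IPV4, *,
              checksum: bool = False, key: Optional[int] = None,
              seq: Optional[int] = None) -> bytes:
    """Encapsulate payload behind a GRE header with the requested options."""
    flags = ((FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0)
             | (FLAG_S if seq is not None else 0))
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)   # Checksum (zero while computing) + Reserved1
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if checksum:
        # The checksum covers the whole GRE header and the payload (RFC 2784 2.5.1).
        csum = internet_checksum(hdr + payload)
        hdr = hdr[:4] + struct.pack("!H", csum) + hdr[6:]
    return hdr + payload


def parse_gre(packet: bytes) -> dict:
    """Decode a GRE packet; raises ValueError on truncation or unknown version."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & VER_MASK:
        raise ValueError("unsupported GRE version %d" % (flags & VER_MASK))
    has_c, has_k, has_s = bool(flags & FLAG_C), bool(flags & FLAG_K), bool(flags & FLAG_S)
    hdr_len = 4 + 4 * (has_c + has_k + has_s)
    if len(packet) < hdr_len:
        raise ValueError("GRE header needs %d bytes, packet has %d" % (hdr_len, len(packet)))
    info = {"proto": proto, "header_len": hdr_len, "checksum_ok": None,
            "key": None, "seq": None, "payload": packet[hdr_len:]}
    off = 4
    if has_c:
        # A valid checksum makes the one's-complement sum of the whole packet 0.
        info["checksum_ok"] = internet_checksum(packet) == 0
        off += 4
    if has_k:
        info["key"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if has_s:
        info["seq"] = struct.unpack("!I", packet[off:off + 4])[0]
    return info


def tunnel_overhead(checksum: bool = False, key: bool = False, seq: bool = False) -> int:
    """Bytes added per packet by GRE-in-IPv4: outer IP header + GRE header."""
    return OUTER_IPV4_HDR + 4 + 4 * (checksum + key + seq)


if __name__ == "__main__":
    inner = bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16)   # constructed 20-byte IPv4 header
    pkt = build_gre(inner, checksum=True, key=0x1234, seq=7)
    print(parse_gre(pkt), "overhead:", tunnel_overhead(True, True, True))
```

Because nothing in the header or payload is encrypted, the same parser recovers the full inner packet from a capture, which is the protocol-analyzer exposure the GRE slides warn about.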
Generic Routing Encapsulation (GRE)
• GRE does not provide encryption!
  • It can be monitored with a protocol analyzer.
• However, GRE and IPsec can be used together.
• IPsec does not support multicast / broadcast and therefore does not forward routing protocol packets.
  • However, IPsec can encapsulate a GRE packet that encapsulates routing traffic (GRE over IPsec).
Five Steps to Configuring a GRE Tunnel
1. Create a tunnel interface: interface tunnel 0
2. Assign the tunnel an IP address.
3. Identify the source tunnel interface: tunnel source
4. Identify the tunnel destination: tunnel destination
5. (Optional) Identify the protocol to encapsulate in the GRE tunnel: tunnel mode gre ip
  • By default, GRE is tunneled in an IP packet.
Five Steps to Configuring a GRE Tunnel (configuration example)
R1(config)# interface tunnel 0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# tunnel source serial 0/0
R1(config-if)# tunnel destination 209.165.200.225
R1(config-if)# tunnel mode gre ip
R1(config-if)#

R2(config)# interface tunnel 0
R2(config-if)# ip address 10.1.1.2 255.255.255.252
R2(config-if)# tunnel source serial 0/0
R2(config-if)# tunnel destination 209.165.201.1
R2(config-if)# tunnel mode gre ip
R2(config-if)#

GRE Tunnel Example (figure)

Comparison between IPsec and SSL
SSL (figure)

IPsec (figure)

IPsec vs SSL (figure)

Comparison - 1 (figure)

Comparison - 2 (figure)

Comparison: PGP vs SSL vs IPsec
Layer:
  PGP: Application Layer
  SSL: Transport Layer (above TCP)
  IPsec: Network Layer (above IP)
Operation:
  PGP: Offline
  SSL: Online / real-time
  IPsec: Online / real-time
Connection model:
  PGP: Connectionless; a single data message; data order n/a; replay attack defense via timestamp
  SSL: Connection-oriented; a data stream; data order via TCP; defense against replay attack
  IPsec: Connectionless; defense against replay attack
What is protected:
  PGP: Application payload (only)
  SSL: Application payload (only)
  IPsec: Transport mode: TCP header + application payload; Tunnel mode: IP header + TCP header + payload
Authentication entity and protected unit:
  PGP: User (Key ID); protected unit: entire data message
  SSL: SSL session (certificate); protected unit: SSL connection / TCP port
  IPsec: Security association
THANK YOU FOR YOUR ATTENTION
