Protocol Basics

IPSec

• Provides two modes of protection– Tunnel Mode– Transport Mode

• Authentication and Integrity

• Confidentiality

• Replay Protection

Tunnel Mode

• Encapsulates the entire IP packet within IPSec protection

• Tunnels can be created between several different node types– Gateway to gateway– Host to gateway– Host to host

Three Types of Tunnels

Host to Host

Host to Gateway

Gateway to Gateway

Transport Mode

• Encapsulates only the transport layer information within IPSec protection

• Can only be created between host nodes

Authentication and Integrity

• Verification of the origin of data

• Assurance that data sent is the data received

• Assurance that the network headers have not changed since the data was sent

Confidentiality

• Encrypts data to protect against eavesdropping

• Can hide data source when encryption is used over a tunnel

Replay Prevention

• Causes retransmitted packets to be dropped.

IPSec Protection Protocols

• Authentication Header– Authenticates payload data– Authenticates network header– Gives anti-replay protection

• Encapsulated Security Payload– Encrypts payload data– Authenticates payload data– Gives anti-replay protection

IPSec AH in Transport Mode

DataDataTCP HdrTCP HdrOrig IP HdrOrig IP Hdr

DataDataTCP HdrTCP HdrAH HdrAH HdrOrig IP HdrOrig IP Hdr

Integrity hash coverage (except for mutable fields in IP hdr)Integrity hash coverage (except for mutable fields in IP hdr)

Insert

© 2000 Microsoft Corporation

IPSec AH in Tunnel Mode

DataDataTCP HdrTCP HdrOrig IP HdrOrig IP Hdr

Integrity hash coverage (except for mutable new IP hdr fields)Integrity hash coverage (except for mutable new IP hdr fields)

IP HdrIP Hdr AH HdrAH Hdr DataDataTCP HdrTCP HdrOrig IP HdrOrig IP Hdr

New IP header with source & destination IP address

© 2000 Microsoft Corporation

IPSec ESP in Transport Mode

DataDataTCP HdrTCP HdrOrig IP HdrOrig IP Hdr

DataDataTCP HdrTCP HdrESP HdrESP HdrOrig IP HdrOrig IP Hdr ESP TrailerESP Trailer ESP AuthESP Auth

Usually encryptedUsually encrypted

integrity hash coverageintegrity hash coverage

Insert Append

© 2000 Microsoft Corporation

IPSec ESP Tunnel Mode

DataDataTCP HdrTCP HdrOrig IP HdrOrig IP Hdr

ESP TrailerESP Trailer ESP AuthESP Auth

Usually encryptedUsually encrypted

integrity hash coverageintegrity hash coverage

DataDataTCP HdrTCP HdrESP HdrESP Hdr IP HdrIP HdrIPHdrIPHdr

New IP header with source & destination IP address

© 2000 Microsoft Corporation

IPSec Basic Architecture

• IPSec Driver

• Policy Agent

• Internet Key Exchange (IKE)

Policy Agent

IKE

IPSec DriverTCP/IP Driver

IPSec Driver

• Monitors and Secures IP traffic– Encryption and Authentication of outbound

packets– Decryption and Authentication of inbound

packets– Prompts IKE to negotiate secure channels as

needed

• Maintains secure channel state information

Policy Agent

• Maintains IPSec policy and state information

• Distributes filter rule sets to the IPSec Driver

• Distributes authentication and security settings to IKE

IKE

• Negotiates secure channels based on settings received from the Policy Agent

• Distributes secure channel information to the IPSec driver

How It All Fits TogetherTunnel

TransportTransport

Sending in Transport ModeApplicationApplication

TransportTransport

IPIP

PhysicalPhysical

IPSecIPSec

PhysicalPhysical IPIP IPSecIPSec TCPTCPApplicationApplication

DataData

Sending in Tunnel Mode

PhysicalPhysical IPIP IPSecIPSec TCPTCPApplicationApplication

DataData

IPIP IPSecIPSec TCPTCPApplicationApplication

DataData

InnerInnerIPIP

IPSecIPSec TCPTCPApplicationApplication

DataDataIPSecIPSec

OuterOuterIPIP

PhysicalPhysical

IPIP

PhysicalPhysical

IPSecIPSec IPIP

PhysicalPhysical

IPSecIPSec

Receiving in Tunnel Mode

PhysicalPhysical IPIP IPSecIPSec TCPTCPApplicationApplication

DataData

IPIP IPSecIPSec TCPTCPApplicationApplication

DataData

InnerInnerIPIP

IPSecIPSec TCPTCPApplicationApplication

DataDataIPSecIPSec

OuterOuterIPIP

PhysicalPhysical

IPIP

PhysicalPhysical

IPSecIPSec IPIP

PhysicalPhysical

IPSecIPSec

Receiving in Transport ModeApplicationApplication

TransportTransport

IPIP

PhysicalPhysical

IPSecIPSec

PhysicalPhysical IPIP IPSecIPSec TCPTCPApplicationApplication

DataData

Layer Two Tunneling Protocol (L2TP)

• Provides– Provides PPP encapsulation over IP– VPN services

• Doesn’t Provide– A method of encryption for it’s traffic– Protection against injection of packets into an

open L2TP session

How L2TP Works

ApplicationApplication

L2TPL2TP

PPPPPP

Driver LayerDriver Layer

TCP, UDPTCP, UDP

NICNIC

IPSecIPSec

IPIP

L2TP/IPSecL2TP/IPSec

44

33

55

IKE ServiceIKE Service22

11

controlcontrol

Kerberos

• Provides authentication of network server and client

What Kerberos Provides

• Mutual authentication of parties

How Kerberos WorksKDCKDC

ClientClientApplicationApplication

ServerServer

ASAS TGSTGS

Authorization Authorization RequestRequest

Ticket Ticket Granting Granting TicketTicket

Ticket Ticket RequestRequest

TicketTicket

TicketTicket

Public Key Infrastructure Basics

How Public Keys Are Used for Authentication

What’s In a Certificate?

How PKI Works