
1 Chapter 6 - IPsec (IP Security)
ECE-6612, Prof. John A. Copeland. Office: Centergy 5134. Email or call for an office visit, or call Kathy Cheek, 404 894-5696. (Note: includes copies of figures from Chap. 6 of “Network Security Essentials, Applications and Standards” by William Stallings.)

2 Each LAN Connects to Internet via a Router

3 The Internet is a Router Network
In a Router Network, circuits are defined by entries in the Routing Tables along the way. These may be Static (manually set up) or Dynamic (set up by a routing algorithm in the Router).
[Figure: an IP packet from Station A to Station D crossing Routers 1 to 7; LANs A to E are Ethernet and Token Ring segments. Legend: Station (on a LAN), Local Connection, Router, Trunk or Long-Haul.]

4 Optimal Paths From Router 1
Optimal paths from Router 1 (or to Router 1) define Router 1's Sink Tree.
[Figure: the same network as the previous slide, with the optimal paths between Router 1 and Routers 2 to 7 and Stations A to E marked. Legend: Station, Local Connection, Trunk or Long-Haul, Router.]

5 Browser - Router - Web Server: Protocol Layers
[Figure: protocol stacks of the Browser (port 31337), the Router and the Web Server (port 80).
Application Layer (HTTP): Browser and Web Server only.
Transport Layer (TCP, UDP): Browser and Web Server only; carries the Segment No.
Network Layer (IP): all three; the Router buffers packets that need to be forwarded and forwards them based on IP address.
Data-Link Layer and Physical Layer: one pair per attached network (Ethernet and Token Ring in the figure); the Router has a Data-Link/Physical pair for each network it connects.]

6 Connecting Over the Internet to “www.cnn.com”
Discover the Ethernet address of the Domain Name Server
• ARP - “Who has ”
• Reply from Gateway Router “00 0E 36 A has ” *
Use DNS (BIND) to convert “www.cnn.com” to a 32-bit Internet address.
• Send UDP DNS-Request Packet to : UDP 53
• Reply =
Discover the Ethernet address of the host (or gateway router).**
• ARP - “Who has ”
• Reply from Gateway Router “00 0E 36 A has ” *
Start a TCP connection
• Send TCP Packet with SYN flag set to / 00 0E 36 A
• Reply is TCP Packet with SYN and ACK flag bits set.
• Send TCP packet with ACK flag set.
* The gateway router “has” all IP addresses that are not local (on the LAN).
** This step may be skipped if your PC recognizes this is another off-LAN IP.

7 Ethereal (now Wireshark) Packet Capture - Browsing www.cnn.com
Notes: Ethernet addresses have the first 3 bytes (of 6) translated into the interface manufacturer’s name (Apple_Computer is my PowerBook, Cisco_Linksys is the router). The four IP addresses in the capture are my PowerBook, the router, the DNS server, and www.cnn.com. In this case, the Apple PowerBook has code that detects that the DNS IP is outside the local area network, so it ARPs for the Ethernet address of the router. It caches this address for 30 seconds, so it does not have to ARP again for the CNN IP address.

8 Answer: www.cnn.com = 64.236.16.52
UDP datagrams are exchanged to find the IP address.

# Receive time: (0.000) packet length: 80 received length: 70
Ethernet: ( b22f -> Sun 75f53a) type: IP(0x800)
Internet: > hl: 5 ver: 4 tos: 0 len: 66 id: 0x01 fragoff: 0 flags: 00 ttl: 60 prot: UDP(17) xsum: 0x68ce
UDP: > domain(53) len: 46 xsum: 0x5315
Domain Name Service: ID: 2984 opcode: Query (0) Flags: <DORECURSE> (0100)
Queries: 1, answers: 0, name servers: 0, Query 0: Name:

# Receive time: (0.048) packet length: 148 received length: 70
Ethernet: ( Sun 75f53a -> b22f) type: IP(0x800)
Internet: > hl: 5 ver: 4 tos: 0 len: 134 id: 0xbc77 fragoff: 0 flags: 00 ttl: 60 prot: UDP(17) xsum: 0xac13
UDP: domain(53) -> 1042 len: 114 xsum: 0000
Domain Name Service: ID: 2984 opcode: Query (0) Response: No err (0) Flags: <RESPONSE><AUTHORITATIVE><DORECURSE><CANRECURSE> (8580)
Queries: 1, answers: 3, name servers: 0, Query 0: Name: ... Answer: = (not shown)

9 The first two packets of the IP, TCP & HTTP (port 80) Connection.
# Receive time: packet length: 60
Ethernet: ( b22f -> Cisco ) type: IP(0x800)
Internet: > hl: 5 ver: 4 tos: 0 len: 44 id: 0x02 fragoff: 0 flags: 00 ttl: 60 prot: TCP(6) xsum: 0x9be5
TCP Port: > http(80) seq: 28a ack: win: hl: 6 xsum: 0x5342 urg: flags: <SYN> mss: 536

# Receive time: packet length: 60
Ethernet: (Cisco > b22f) type: IP(0x800)
Internet: > hl: 5 ver: 4 tos: 0 len: 44 id: 0x7d1f fragoff: 0 flags: 00 ttl: 57 prot: TCP(6) xsum: 0x21c8
TCP Port: http(80) -> seq: 3a28ac00 ack: 28a61071 win: hl: 6 xsum: 0x816d urg: 0 flags: <ACK><SYN> mss: 1460

The Ethernet address (Cisco ...) is the local router port. The IP address is used “end to end.” Ethernet addresses are local only. Address Resolution Protocol (ARP) Ethernet frames are not shown.
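The capture listings on slides 8 and 9 are produced by decoding the frames field by field. The following dissector is an added example, not part of the lecture or of Ethereal/Wireshark: it decodes Ethernet, IPv4 (including the header checksum), UDP with the DNS header and flag bits, and TCP with its flag bits, then checks that a SYN/ACK really answers the SYN (ports swapped, ack = seq + 1). The MAC and IP addresses, the DNS answers and the sequence numbers in the sample frames are constructed for the demonstration; the client sequence number is chosen so that the server's ack matches the value printed on slide 9.

```python
import struct

# Fixed-size headers, network byte order
ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")    # ver/hl, tos, len, id, flags/fragoff, ttl, prot, xsum, src, dst
UDP = struct.Struct("!HHHH")             # sport, dport, len, xsum
TCP = struct.Struct("!HHIIBBHHH")        # sport, dport, seq, ack, offset, flags, win, xsum, urg
DNS = struct.Struct("!HHHHHH")           # id, flags, qdcount, ancount, nscount, arcount

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
DNS_FLAGS = [(0x8000, "RESPONSE"), (0x0400, "AUTHORITATIVE"), (0x0200, "TRUNCATED"),
             (0x0100, "DORECURSE"), (0x0080, "CANRECURSE")]


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words. Over a header whose checksum
    field is zero it yields the checksum; over a complete valid header it yields 0."""
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def dissect(frame: bytes) -> dict:
    """Decode Ethernet/IPv4 and the UDP+DNS or TCP inside it, using the field
    names of the capture listing (hl, ver, tos, len, id, fragoff, ttl, prot)."""
    dst, src, etype = ETH.unpack_from(frame)
    out = {"eth": {"src": src.hex(":"), "dst": dst.hex(":"), "type": etype}}
    if etype != 0x0800:
        return out
    ip = frame[ETH.size:]
    vhl, tos, length, ident, ff, ttl, prot, _xsum, s, d = IPV4.unpack_from(ip)
    hl = (vhl & 0x0F) * 4
    out["ip"] = {"ver": vhl >> 4, "hl": hl, "tos": tos, "len": length, "id": ident,
                 "flags": ff >> 13, "fragoff": ff & 0x1FFF, "ttl": ttl, "prot": prot,
                 "xsum_ok": ip_checksum(ip[:hl]) == 0,
                 "src": ".".join(map(str, s)), "dst": ".".join(map(str, d))}
    seg = ip[hl:length]
    if prot == 17:
        sp, dp, ulen, _ = UDP.unpack_from(seg)
        out["udp"] = {"sport": sp, "dport": dp, "len": ulen}
        if 53 in (sp, dp):
            i, fl, qd, an, _ns, _ar = DNS.unpack_from(seg, UDP.size)
            out["dns"] = {"id": i, "opcode": (fl >> 11) & 0xF, "rcode": fl & 0xF,
                          "flags": [n for b, n in DNS_FLAGS if fl & b],
                          "queries": qd, "answers": an}
    elif prot == 6:
        sp, dp, seq, ack, off, fl, win, _, _ = TCP.unpack_from(seg)
        out["tcp"] = {"sport": sp, "dport": dp, "seq": seq, "ack": ack, "hl": off >> 4,
                      "win": win, "flags": [n for b, n in TCP_FLAGS if fl & b]}
    return out


def handshake_ok(syn_frame: bytes, synack_frame: bytes) -> bool:
    """A SYN/ACK must come back from the server port to the client port and
    acknowledge exactly client_seq + 1 (modulo 2^32)."""
    a, b = dissect(syn_frame)["tcp"], dissect(synack_frame)["tcp"]
    return (a["flags"] == ["SYN"] and b["flags"] == ["SYN", "ACK"]
            and b["ack"] == (a["seq"] + 1) & 0xFFFFFFFF
            and (b["sport"], b["dport"]) == (a["dport"], a["sport"]))


# --- constructed sample frames (documentation addresses, not from the capture) ---
def ipv4_frame(src_mac, dst_mac, prot, src_ip, dst_ip, payload, ttl=60, ident=1):
    hdr = IPV4.pack(0x45, 0, IPV4.size + len(payload), ident, 0, ttl, prot, 0, src_ip, dst_ip)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in the checksum
    return ETH.pack(dst_mac, src_mac, 0x0800) + hdr + payload


def dns_name(name):
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\0"


def tcp_seg(sport, dport, seq, ack, flags, mss):
    opt = struct.pack("!BBH", 2, 4, mss)                  # MSS option: kind 2, length 4
    return TCP.pack(sport, dport, seq, ack, (5 + len(opt) // 4) << 4, flags, 8192, 0, 0) + opt


PC, ROUTER = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"   # locally administered MACs
PC_IP, DNS_IP, WEB_IP = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53]), bytes([203, 0, 113, 80])
QUESTION = dns_name("www.cnn.com") + struct.pack("!HH", 1, 1)             # type A, class IN
ANSWERS = b"".join(struct.pack("!HHHIH4s", 0xC00C, 1, 1, 300, 4, bytes([203, 0, 113, h]))
                   for h in (80, 81, 82))                                 # three constructed A records
udp = lambda sp, dp, p: UDP.pack(sp, dp, UDP.size + len(p), 0) + p       # xsum 0 = none (allowed over IPv4)

DNS_QUERY = ipv4_frame(PC, ROUTER, 17, PC_IP, DNS_IP, udp(1042, 53, DNS.pack(2984, 0x0100, 1, 0, 0, 0) + QUESTION))
DNS_REPLY = ipv4_frame(ROUTER, PC, 17, DNS_IP, PC_IP, udp(53, 1042, DNS.pack(2984, 0x8580, 1, 3, 0, 0) + QUESTION + ANSWERS))
SYN = ipv4_frame(PC, ROUTER, 6, PC_IP, WEB_IP, tcp_seg(31337, 80, 0x28A61070, 0, 0x02, 536), ident=2)
SYNACK = ipv4_frame(ROUTER, PC, 6, WEB_IP, PC_IP, tcp_seg(80, 31337, 0x3A28AC00, 0x28A61071, 0x12, 1460), ttl=57)

if __name__ == "__main__":
    for name, frame in (("DNS query", DNS_QUERY), ("DNS reply", DNS_REPLY), ("SYN", SYN), ("SYN/ACK", SYNACK)):
        print(name, dissect(frame))
    print("handshake ok:", handshake_ok(SYN, SYNACK))
```

The DNS flag word 0x8580 decodes to RESPONSE, AUTHORITATIVE, DORECURSE and CANRECURSE, exactly the list on slide 8; a frame whose TTL a router decremented without recomputing the header checksum shows up with xsum_ok false, which is the check a receiving stack performs before looking at anything above IP.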

10 Internet Layer Security (IPsec)
The Internet Engineering Task Force (IETF) Internet Security Protocol working group standardized an IP Security Protocol (IPsec) and an Internet Key Management Protocol (IKMP).
The objective of IPsec is to make available cryptographic security mechanisms to users who desire security.
The mechanisms should work for both the current version of IP (IPv4) and the new IP (IPv6).
They should be algorithm-independent, in that the cryptographic algorithms can be altered.
They should be useful in enforcing different security policies, but avoid adverse impacts on users who do not employ them.
Rolf Oppliger, "Internet Security: Firewalls and Beyond," Comm. ACM 40, May 1997, p. 92.

11 IPsec Authentication Header (AH)
[Figure: AH packet layout in Transport Mode and in Tunnel Mode.]

12 Encapsulating Security Payload (ESP) - Transport Mode

13 Virtual Private Network (VPN)
IPsec ESP - Tunnel Mode

14 Internet Layer Security (IPsec)
Normal Internet Protocol (IP):
  [IP Header, A to B] [TCP Header] [Application Header] [Data]
IPsec Authentication Header (AH), Transport Mode:
  [IP Header, A to B] [AH] [TCP Header] [Application Header] [Data]
  Authenticated: the whole packet, except the IP header fields that change in transit (TTL, header checksum, TOS, flags, fragment offset).
IPsec AH, Tunnel Mode:
  [IP Hdr, A to Rb] [AH] [IP Hdr, A to B] [TCP Hdr] [Application Header] [Data]
  Authenticated: the whole packet, with the same exception for the mutable fields of the outer IP header.
IPsec Encapsulating Security Payload (ESP):
  [IP Header, A to Rb] [ESP Header] [TCP Header] [Application Header] [Data]
  Encrypted: everything after the ESP Header. (On the wire the encrypted region is followed by an ESP trailer, and by an ICV if ESP authentication is used; the figure omits both.)
IPsec ESP with AH:
  [IP Header, A to Rb] [AH] [ESP Header] [TCP Header] [Application Hdr] [Data]
  Encrypted: everything after the ESP Header. Authenticated: the whole packet, except the mutable IP header fields.
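The "Authenticated" bracket under the AH layouts above hides the detail that matters in practice: the ICV is computed with the mutable IP header fields zeroed, so a router decrementing the TTL does not break authentication, while any change to the payload does. The following is an added example (not from the lecture, Stallings or any IPsec implementation) that builds and verifies the transport-mode packet [IP Hdr A to B][AH][TCP Hdr][Data] and the tunnel-mode packet [IP Hdr A to Rb][AH][IP Hdr A to B][TCP Hdr][Data] from slide 14. Assumptions: HMAC-SHA-256 truncated to 128 bits as the integrity algorithm, a constructed key, SPI, addresses and TCP segment, and a set of seen sequence numbers standing in for the real sliding anti-replay window.

```python
import hmac
import hashlib
import struct

IPV4 = struct.Struct("!BBHHHBBH4s4s")    # ver/hl, tos, len, id, flags/fragoff, ttl, prot, xsum, src, dst
AH_FIXED = struct.Struct("!BBHII")       # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 16                             # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits (RFC 4868)
IPPROTO_AH, IPPROTO_TCP, IPPROTO_IPIP = 51, 6, 4


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302: TOS, Flags, Fragment Offset, TTL and Header Checksum may change
    in transit, so both sender and receiver zero them before computing the ICV."""
    vhl, _tos, length, ident, _ff, _ttl, prot, _xsum, src, dst = IPV4.unpack(ip_hdr)
    return IPV4.pack(vhl, 0, length, ident, 0, 0, prot, 0, src, dst)


def compute_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over (masked IP header || AH with its ICV field zeroed || payload)."""
    covered = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(key, spi, seq, src, dst, next_hdr, payload, ttl=64):
    """Sender side. Transport mode when next_hdr is the upper-layer protocol
    (TCP); tunnel mode when next_hdr is 4 and payload is a complete inner IP packet."""
    total = IPV4.size + AH_FIXED.size + ICV_LEN + len(payload)
    # Header checksum left 0 here: it is mutable and excluded from the ICV anyway.
    ip_hdr = IPV4.pack(0x45, 0, total, 0x1234, 0x4000, ttl, IPPROTO_AH, 0, src, dst)
    payload_len = (AH_FIXED.size + ICV_LEN) // 4 - 2    # AH length in 32-bit words, minus 2
    ah_fixed = AH_FIXED.pack(next_hdr, payload_len, 0, spi, seq)
    return ip_hdr + ah_fixed + compute_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(key, pkt, expected_spi, seen):
    """Receiver side. Returns (ok, reason). 'seen' stands in for the anti-replay
    window: a sequence number already accepted on this SA is rejected."""
    ip_hdr, rest = pkt[:IPV4.size], pkt[IPV4.size:]
    if IPV4.unpack(ip_hdr)[6] != IPPROTO_AH:
        return False, "not AH"
    ah_fixed = rest[:AH_FIXED.size]
    _next, plen, _res, spi, seq = AH_FIXED.unpack(ah_fixed)
    ah_len = (plen + 2) * 4
    got_icv, payload = rest[AH_FIXED.size:ah_len], rest[ah_len:]
    if spi != expected_spi:
        return False, "unknown SPI"
    if seq in seen:
        return False, "replay"
    if not hmac.compare_digest(got_icv, compute_icv(key, ip_hdr, ah_fixed, payload)):
        return False, "bad ICV"
    seen.add(seq)          # record the sequence number only after the ICV checks out
    return True, "ok"


# --- constructed values for the demonstration (not from the lecture) ---
KEY = bytes(range(32))                                    # 256-bit HMAC key, demo only
SPI = 0x1000
A, B, RB = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]), bytes([198, 51, 100, 1])
TCP_SEGMENT = bytes.fromhex("7a69 0050 28a61071 3a28ac01 50 18 2000 0000 0000") + b"GET / HTTP/1.0\r\n\r\n"


def transport_packet(seq=1):
    """Slide 14: [IP Hdr, A to B] [AH] [TCP Hdr] [Data]"""
    return ah_protect(KEY, SPI, seq, A, B, IPPROTO_TCP, TCP_SEGMENT)


def tunnel_packet(seq=1):
    """Slide 14: [IP Hdr, A to Rb] [AH] [IP Hdr, A to B] [TCP Hdr] [Data]"""
    inner = IPV4.pack(0x45, 0, IPV4.size + len(TCP_SEGMENT), 7, 0x4000, 64, IPPROTO_TCP, 0, A, B) + TCP_SEGMENT
    return ah_protect(KEY, SPI, seq, A, RB, IPPROTO_IPIP, inner)


if __name__ == "__main__":
    pkt = transport_packet()
    print("fresh packet:    ", ah_verify(KEY, pkt, SPI, set()))
    hop = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]            # a router decremented the TTL
    print("after one hop:   ", ah_verify(KEY, hop, SPI, set()))
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])            # one payload bit flipped
    print("tampered payload:", ah_verify(KEY, tampered, SPI, set()))
    seen = set()
    ah_verify(KEY, pkt, SPI, seen)
    print("replayed:        ", ah_verify(KEY, pkt, SPI, seen))
    print("tunnel mode:     ", ah_verify(KEY, tunnel_packet(), SPI, set()))
```

Two design points carry over to real stacks: the ICV comparison is constant-time (hmac.compare_digest), and the sequence number is only recorded after the ICV passes, so a forged packet cannot poison the replay window. A production receiver replaces the set with a 32- or 64-packet sliding window anchored at the highest authenticated sequence number, and also validates that Payload Len matches the ICV size the SA's algorithm dictates.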

15 Security Associations
Transport mode: Host-to-Host. Tunnel mode: Gateway-to-Gateway (Routers).
A Security Association (SA) is one-directional and is identified by its Security Parameters Index (SPI), the destination IP address and the protocol (AH or ESP); two-way traffic between a pair of peers therefore needs a pair of SAs.

