TCP/IP Tutorial and Technical Overview

(Without tunneling he or she could.) The internal structure of a private network can be concealed in this way.

Tunneling requires intermediate processing of the original packet on its route. The destination specified in the outer header, usually an IPSec firewall or router, retrieves the original packet and sends it to the ultimate destination. The processing overhead is compensated by the extra security.

A notable advantage of IP tunneling is the possibility to exchange packets with private IP addresses between two intranets over the public Internet, which requires globally unique addresses. Since the encapsulated header is not processed by the Internet routers, only the endpoints of the tunnel (the gateways) have to have globally assigned addresses; the hosts in the intranets behind them can be assigned private addresses, for example 10.x.x.x. As globally unique IP addresses are becoming a scarce resource, this interconnection method gains importance.

Note: IPSec tunneling is modeled after RFC 2003 IP Encapsulation within IP. It was originally designed for Mobile IP, an architecture that allows a mobile host to keep its home IP address even if attached to remote or foreign subnets.

5.5.2 Authentication Header (AH)

AH is used to provide integrity and authentication to IP datagrams. Optional replay protection is also possible. Although its usage is optional, the replay protection service must be implemented by any IPSec-compliant system. The mentioned services are connectionless; that is, they work on a per-packet basis.

AH authenticates as much of the IP datagram as possible. Some fields in the IP header change en route and their value cannot be predicted by the receiver. These fields are called mutable and are not protected by AH. The mutable IPv4 fields are:

  Type of Service (TOS)
  Flags
  Fragment Offset
  Time to Live (TTL)
  Header Checksum

When protection of these fields is required, tunneling should be used. The payload of the IP packet is considered immutable and is always protected by AH.

AH is identified by protocol number 51, assigned by the IANA. The protocol header (IPv4, IPv6, or Extension) immediately preceding the AH header contains this value in its Protocol (IPv4) or Next Header (IPv6, Extension) field.

AH processing is applied only to non-fragmented IP packets. However, an IP packet with AH applied can be fragmented by intermediate routers. In this case the destination first reassembles the packet and then applies AH processing to it. If an IP packet that appears to be a fragment (offset field is non-zero, or the More Fragments bit is set) is input to AH processing, it is discarded. This prevents the so-called overlapping fragment attack, which misuses the fragment reassembly algorithm in order to create forged packets and force them through a firewall.

Packets that failed authentication are discarded and never delivered to upper layers. This mode of operation greatly reduces the chances of successful denial of service attacks, which aim to block the communication of a host or gateway by flooding it with bogus packets.

5.5.2.1 AH Header Format

The current AH header format is described in the Internet draft draft-ietf-ipsec-auth-header-07.txt, which contains important modifications compared to the previous AH specification, RFC 1826. The information in this section is based on the respective Internet draft.

Figure 177. AH Header Format (the AH Hdr sits between the IP Hdr and the Payload; its fields, drawn 32 bits wide, are: Next Hdr, Payld Lgth, Reserved, Security Parameter Index (SPI), Sequence Number, Authentication Data (variable size) (Integrity Check Value))

In Figure 177 the position of the AH header in the IP packet and the header fields are shown. The explanation of the fields is as follows:

Next Header
The Next Header is an 8-bit field that identifies the type of the next payload after the Authentication Header. The value of this field is chosen from the set of IP protocol numbers defined in the most recent Assigned Numbers RFC from the Internet Assigned Numbers Authority (IANA).

Payload Length
This field is 8 bits long and contains the length of the AH header expressed in 32-bit words, minus 2. It does not relate to the actual payload length of the IP packet as a whole. If default options are used, the value is 4 (three 32-bit fixed words plus three 32-bit words of authentication data minus two).

Reserved
This field is reserved for future use. Its length is 16 bits and it is set to zero.

Security Parameter Index (SPI)
This field is 32 bits in length. See Security Parameter Index (SPI) on page 297 for a definition.

Sequence Number
This 32-bit field is a monotonically increasing counter which is used for replay protection. Replay protection is optional; however, this field is mandatory. The sender always includes this field and it is at the discretion of the receiver to process it or not. At the establishment of an SA the sequence number is initialized to zero. The first packet transmitted using the SA has a sequence number of 1. Sequence numbers are not allowed to repeat. Thus the maximum number of IP packets that can be transmitted on any given SA is 2^32 - 1. After the highest sequence number is used, a new SA and consequently a new key is established. Anti-replay is enabled at the sender by default. If upon SA establishment the receiver chooses not to use it, the sender no longer concerns itself with the value in this field.

Notes:
1. Typically the anti-replay mechanism is not used with manual key management.
2. The original AH specification in RFC 1826 did not discuss the concept of sequence numbers. Older IPSec implementations that are based on that RFC can therefore not provide replay protection.

Authentication Data
This is a variable-length field, also called Integrity Check Value (ICV). The ICV for the packet is calculated with the algorithm selected at the SA initialization. The authentication data length is an integral multiple of 32 bits. As its name tells, it is used by the receiver to verify the integrity of the incoming packet. In theory any MAC algorithm can be used to calculate the ICV. The specification requires that HMAC-MD5-96 and HMAC-SHA-1-96 must be supported. The old RFC 1826 requires Keyed MD5. In practice Keyed SHA-1 is also used. Implementations usually support two to four algorithms. When doing the ICV calculation, the mutable fields are considered to be filled with zero.

5.5.2.2 Ways of Using AH

AH can be used in two ways: transport mode and tunnel mode.

AH in Transport Mode: In this mode the original IP datagram is taken and the AH header is inserted right after the IP header, as it is shown in Figure 178. If the datagram already has IPSec header(s), then the AH header is inserted before any of those.

Figure 178. Authentication Header in Transport Mode (original IP datagram: IP Hdr, Payload; datagram with AH header in transport mode: IP Hdr, AH Hdr, Payload; everything is authenticated except the mutable fields)

The transport mode is used by hosts, not by gateways. Gateways are not even required to support transport mode.

The advantage of the transport mode is less processing overhead. The disadvantage is that the mutable fields are not authenticated.

AH in Tunnel Mode: With this mode the tunneling concept is applied: a new IP datagram is constructed and the original IP datagram is made the payload of it. Then AH in transport mode is applied to the resulting datagram. See Figure 179 on page 302 for an illustration.
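The following is an added worked example, not code from the book or from any IPSec implementation. It ties together the AH processing described above for IPv4 transport mode: the AH header laid out as in Figure 177 (Payload Length 4 for a 96-bit ICV), the HMAC-SHA-1-96 ICV computed with the mutable fields (TOS, Flags, Fragment Offset, TTL, Header Checksum) and the Authentication Data itself treated as zero, the receiver discarding anything that looks like a fragment or fails authentication, and a receiver-side anti-replay check on the Sequence Number. The IP header is assumed to carry no options, the key and addresses are constructed test values, and the 64-wide sliding window is an assumed receiver design; the book only states that sequence numbers start at 1 and must never repeat.

```python
"""Added example: IPSec AH in IPv4 transport mode with HMAC-SHA-1-96 and anti-replay."""
import hashlib
import hmac
import struct

AH_PROTOCOL = 51          # IANA protocol number for AH (IPv4 Protocol field)
ICV_LEN = 12              # HMAC-SHA-1-96: the 160-bit MAC truncated to 96 bits
AH_FIXED_LEN = 12         # Next Hdr + Payload Length + Reserved + SPI + Sequence Number
IPV4_HDR_LEN = 20         # assumption: no IP options
MORE_FRAGMENTS = 0x2000   # MF bit inside the Flags/Fragment Offset word
FRAG_OFFSET_MASK = 0x1FFF


def ipv4_checksum(header):
    """Standard one's-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, total_length, protocol, ttl=64, tos=0):
    """IPv4 header without options; identification is a constructed constant."""
    fields = [(4 << 4) | 5, tos, total_length, 0x1234, 0, ttl, protocol, 0, src, dst]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def zero_mutable_fields(ip_hdr):
    """Mutable IPv4 fields count as zero in the ICV: TOS, Flags+Fragment Offset, TTL, Header Checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def build_ah(next_header, spi, seq, icv=bytes(ICV_LEN)):
    """AH header: Payload Length is the AH length in 32-bit words minus 2 (4 for a 96-bit ICV)."""
    payload_length = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_length, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, ah_hdr, payload):
    """ICV over the whole datagram, mutable fields and the Authentication Data field set to zero."""
    ah_zeroed = ah_hdr[:AH_FIXED_LEN] + bytes(len(ah_hdr) - AH_FIXED_LEN)
    mac = hmac.new(key, zero_mutable_fields(ip_hdr) + ah_zeroed + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def protect_transport_mode(key, src, dst, upper_proto, payload, spi, seq, ttl=64):
    """Sender: insert AH right after the IP header; IP Protocol becomes 51, AH Next Header names the payload."""
    ip_hdr = build_ipv4_header(src, dst, IPV4_HDR_LEN + AH_FIXED_LEN + ICV_LEN + len(payload), AH_PROTOCOL, ttl)
    ah = build_ah(upper_proto, spi, seq)
    return ip_hdr + ah[:AH_FIXED_LEN] + compute_icv(key, ip_hdr, ah, payload) + payload


class ReplayWindow:
    """Receiver anti-replay state (assumed design): sliding bitmap over the highest sequence numbers seen."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0      # sequence numbers start at 1, so 0 means nothing received yet
        self.bitmap = 0       # bit i set means (highest - i) has already been accepted

    def accept(self, seq):
        if seq == 0:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:
            return False      # too old to track, or a repeat: replayed packet
        self.bitmap |= 1 << diff
        return True


def verify(key, datagram, window):
    """Receiver: drop fragments, check the ICV, then the sequence number; return (next_hdr, payload) or None."""
    ip_hdr = datagram[:IPV4_HDR_LEN]
    flags_frag = struct.unpack("!H", ip_hdr[6:8])[0]
    if flags_frag & MORE_FRAGMENTS or flags_frag & FRAG_OFFSET_MASK:
        return None           # looks like a fragment: AH processing discards it
    if ip_hdr[9] != AH_PROTOCOL:
        return None
    next_hdr, payload_length = datagram[IPV4_HDR_LEN], datagram[IPV4_HDR_LEN + 1]
    ah_len = (payload_length + 2) * 4
    ah = datagram[IPV4_HDR_LEN:IPV4_HDR_LEN + ah_len]
    payload = datagram[IPV4_HDR_LEN + ah_len:]
    if not hmac.compare_digest(compute_icv(key, ip_hdr, ah, payload), ah[AH_FIXED_LEN:]):
        return None           # failed authentication: never delivered to upper layers
    seq = struct.unpack("!I", ah[8:12])[0]
    if not window.accept(seq):
        return None
    return next_hdr, payload


if __name__ == "__main__":
    key = b"constructed-test-key"                     # constructed SA key
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    dgram = protect_transport_mode(key, src, dst, 17, b"hello", spi=0x100, seq=1)
    win = ReplayWindow()
    print(verify(key, dgram, win))                     # (17, b'hello')
    print(verify(key, dgram, win))                     # None: same sequence number replayed
```

A router decrementing TTL and rewriting the header checksum leaves the ICV valid, because both fields are zeroed on each side before the MAC is taken; flipping one payload byte, or setting the MF bit, makes the receiver drop the datagram without ever handing it to the upper layer.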