8/18/2019 Internet Protocol Security (IPSec) – Transport.pptx
http://slidepdf.com/reader/full/internet-protocol-security-ipsec-transportpptx 1/19
Internet Protocol Security (IPSec) – Transport Mode
GROUP MEMBERS
MUHAMMAD SHAIFUL BIN SHAFAIN
MUHAMMAD ARIF IRFAN B. MOHD TARMIZI
MOHAMMAD AMIRUL BIN AZIZ
AHMAD RAHI ZIKRI BIN AZIZ
History of Internet Protocol (IP)
The IP protocol was designed in the late 70s to early 80s
• Part of the DARPA Internet Project
• Very small network
• All hosts are known. So are the users.
• Therefore, security was not an issue.
Security issues that are related to IP
• Source spoofing, usually used in DoS attacks.
• Replay packets
• No data integrity and confidentiality
Attack type
• DoS attacks
• Replay attack
• Spying
Goals of IPSec
• To verify sources of IP packets (authentication)
• To prevent replaying of old packets
• To protect integrity and/or confidentiality of packets (data integrity / data encryption)
The IPSec Security Model
(Figure, labelled "Secure" and "Insecure")
IPSec Architecture
(Figure: IPSec Security Policy, ESP, AH, IKE)
• ESP: Encapsulating Security Payload
• AH: Authentication Header
• IKE: The Internet Key Exchange
IPSec Architecture
• IPSec provides security in three situations: host-to-host, host-to-gateway and gateway-to-gateway
• IPSec operates in two modes:
  • Transport Mode (for end-to-end)
  • Tunnel Mode (for VPN)
IPSec Architecture (Tunnel and Transport Mode)
(Figure: Tunnel Mode, drawn between two routers, and Transport Mode)
Various Packets
Original:       IP Header | TCP Header | Data
Transport Mode: IP Header | IPSec Header | TCP Header | Data
Tunnel Mode:    IP Header | IPSec Header | IP Header | TCP Header | Data
Authentication Header
• Provides source authentication
  • Protects against source spoofing
• Provides data integrity
• Protects against replay attacks
  • Uses monotonically increasing sequence numbers
• Protects against denial of service attacks
• There is NO protection for confidentiality
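The replay check on this slide, worked through as an added example that is not part of the original presentation: a receiver-side sliding window in Go, assumed to be 64 packets wide as in RFC 4302/4303, that accepts each sequence number once and drops anything already seen or older than the window. The arrival order it is run over is constructed for the example.

```go
package main

import "fmt"

// Receiver-side anti-replay window of the kind AH and ESP use: the sender
// numbers every packet with a monotonically increasing sequence number, and
// the receiver remembers the last 64 accepted numbers in a bitmap so that a
// replayed packet is dropped even if it arrives out of order.
// Written for this example; RFC 4302/4303 additionally cover 64-bit extended
// sequence numbers and counter exhaustion, which are left out here.
const windowSize = 64

type replayWindow struct {
	highest uint32 // highest sequence number accepted so far
	bitmap  uint64 // bit i set => sequence number (highest - i) was accepted
	started bool   // false until the first packet on the SA arrives
}

// accept reports whether seq is fresh and, if it is, records it.
// Sequence number 0 is never sent, so it is always rejected.
func (w *replayWindow) accept(seq uint32) bool {
	if seq == 0 {
		return false
	}
	if !w.started {
		w.highest, w.bitmap, w.started = seq, 1, true
		return true
	}
	if seq > w.highest {
		// New high-water mark: slide the window forward by the gap.
		if shift := seq - w.highest; shift >= windowSize {
			w.bitmap = 0
		} else {
			w.bitmap <<= shift
		}
		w.bitmap |= 1 // bit 0 now stands for seq itself
		w.highest = seq
		return true
	}
	diff := w.highest - seq
	if diff >= windowSize {
		return false // older than the window: cannot be told from a replay, drop
	}
	if w.bitmap&(uint64(1)<<diff) != 0 {
		return false // already accepted once: this is a replay
	}
	w.bitmap |= uint64(1) << diff
	return true
}

// checkSequence feeds an arrival order through a fresh window and returns,
// per packet, whether it was accepted.
func checkSequence(seqs []uint32) []bool {
	w := &replayWindow{}
	out := make([]bool, len(seqs))
	for i, s := range seqs {
		out[i] = w.accept(s)
	}
	return out
}

func main() {
	// Constructed arrival order: in order, a duplicate, a reordered packet,
	// its duplicate, a big jump, a very old replay and a late-but-fresh one.
	order := []uint32{1, 2, 2, 5, 3, 3, 100, 5, 40}
	for i, ok := range checkSequence(order) {
		fmt.Printf("seq %3d accepted=%v\n", order[i], ok)
	}
}
```

Reordering inside the window is tolerated (packet 3 arriving after 5 is accepted), while a second copy of any number, or a number that has fallen more than 64 behind the newest one, is dropped without needing the ICV check at all.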
Authentication Header (AH) Packet Detail
(Figure) AH fields: Next header (the encapsulated TCP or IP), Payload length, Reserved, Security Parameters Index (SPI), Sequence Number, Authentication Data
Packet layout: New IP header | AH | Old IP header (only in Tunnel mode) | TCP header | Data
Authenticated: everything; the Authentication Data field is a hash of everything else
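An added example, not from the original slides, of what "hash of everything else" means in transport mode: Go code that inserts an AH after a constructed IPv4 header, stores the original protocol (TCP, 6) in Next Header, sets the IP protocol field to 51 and computes the Authentication Data (ICV) over the packet with the mutable IP fields zeroed. HMAC-SHA1-96 as the integrity algorithm, a 20-byte IP header, the key and the sample packet bytes are all assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

const (
	ahProto  = 51 // IP protocol number that identifies AH
	ipHdrLen = 20 // the example assumes a 20-byte IPv4 header (IHL = 5)
	ahFixed  = 12 // Next Header, Payload Len, Reserved, SPI, Sequence Number
	icvLen   = 12 // HMAC-SHA1-96: the 160-bit digest truncated to 96 bits
)

// Constructed IPv4 header: 10.0.0.1 -> 10.0.0.2, protocol 6 (TCP), TTL 64, DF,
// total length 44, checksum left 0 (the stack recomputes it).
var ipHeader = []byte{
	0x45, 0x00, 0x00, 0x2c, 0x12, 0x34, 0x40, 0x00,
	0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2,
}

// Constructed TCP segment: ports 1234 -> 23, PSH|ACK, 4 data bytes.
var tcpSegment = []byte{
	0x04, 0xd2, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01,
	0x00, 0x00, 0x00, 0x00, 0x50, 0x18, 0x20, 0x00,
	0x00, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd',
}

// ahTransport inserts an AH between the IP header and its payload, moves the
// original protocol number into Next Header, sets the IP protocol field to 51
// and fills in the ICV.
func ahTransport(key, ip, payload []byte, spi, seq uint32) []byte {
	ah := make([]byte, ahFixed+icvLen)
	ah[0] = ip[9]               // Next Header: original protocol (6 = TCP)
	ah[1] = byte(len(ah)/4 - 2) // Payload Len: AH length in 32-bit words minus 2
	binary.BigEndian.PutUint32(ah[4:8], spi)
	binary.BigEndian.PutUint32(ah[8:12], seq)

	pkt := append([]byte(nil), ip...)
	pkt = append(pkt, ah...)
	pkt = append(pkt, payload...)
	pkt[9] = ahProto
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	copy(pkt[ipHdrLen+ahFixed:], computeICV(key, pkt))
	return pkt
}

// computeICV is the "hash of everything else": HMAC over the whole packet with
// the mutable IP fields (TOS, flags/fragment offset, TTL, header checksum) and
// the ICV field itself zeroed. The addresses stay in, which is what defeats
// source spoofing; the TTL is left out so routers can still decrement it.
func computeICV(key, pkt []byte) []byte {
	cov := append([]byte(nil), pkt...)
	cov[1] = 0              // TOS / DSCP+ECN
	cov[6], cov[7] = 0, 0   // flags + fragment offset
	cov[8] = 0              // TTL
	cov[10], cov[11] = 0, 0 // header checksum
	icv := cov[ipHdrLen+ahFixed : ipHdrLen+ahFixed+icvLen]
	for i := range icv {
		icv[i] = 0
	}
	mac := hmac.New(sha1.New, key)
	mac.Write(cov)
	return mac.Sum(nil)[:icvLen]
}

// verifyAH recomputes the ICV of an AH transport-mode packet and returns the
// original protocol number carried in Next Header together with the verdict.
func verifyAH(key, pkt []byte) (nextHeader byte, ok bool) {
	if len(pkt) < ipHdrLen+ahFixed+icvLen || pkt[9] != ahProto {
		return 0, false
	}
	got := pkt[ipHdrLen+ahFixed : ipHdrLen+ahFixed+icvLen]
	return pkt[ipHdrLen], hmac.Equal(computeICV(key, pkt), got)
}

func main() {
	key := []byte("constructed-example-key") // shared secret from the SA
	pkt := ahTransport(key, ipHeader, tcpSegment, 0x1000, 1)
	nh, ok := verifyAH(key, pkt)
	fmt.Printf("proto=%d next_header=%d icv_ok=%v\n", pkt[9], nh, ok)
	pkt[8]-- // a router decrements TTL: mutable field, still verifies
	_, ok = verifyAH(key, pkt)
	fmt.Println("after TTL change:", ok)
	pkt[19] = 9 // destination address changed: fails
	_, ok = verifyAH(key, pkt)
	fmt.Println("after address change:", ok)
}
```

The Payload Len byte comes out as 4 (24 bytes of AH = 6 words, minus 2), and the two checks at the end show the split the slide draws: a TTL change on the path is invisible to the ICV, while a changed address or payload byte, or the wrong key, makes verification fail.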
Encapsulating Security Payload (ESP)
• Provides all that AH offers, and
• In addition provides data confidentiality
• Uses symmetric key encryption
Encapsulating Security Payload (ESP) Packet Structure
(Figure) Labels on the diagram: Authentication Data, Sequence Number, Security Parameters Index (SPI), Next header, Payload length, Reserved, IP header, TCP header, Initialization vector, Data, Pad, Pad length, Next
Spans marked: Authenticated; Encrypted packet
IPSec TRANSPORT MODE
• IPSec Transport mode is used for end-to-end communications, for example, for communication between a client and a server or between a workstation and a gateway.
• A good example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.
Figure for IPSec Encrypted Transport
Continue…
• Transport mode provides the protection of our data, also known as the IP Payload, which consists of the TCP/UDP header and data, through an AH or ESP header.
• The payload is encapsulated by the IPSec headers and trailers.
• The original IP headers remain intact, except that the protocol field is changed to ESP (50) or AH (51), and the original protocol value is saved in the IPsec trailer to be restored when the packet is decrypted.
• IPSec transport mode is usually used when another tunnelling protocol (like GRE) is used to first encapsulate the IP data packet; IPSec is then used to protect the GRE tunnel packets.
• IPSec protects the GRE tunnel traffic in transport mode.
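The protocol-field rewrite described above, as an added example that is not part of the original presentation: Go code that wraps a constructed IPv4/TCP packet in ESP transport mode (IP protocol field set to 50, the original protocol 6 saved in the encrypted trailer's Next Header, padding and Pad Length as in RFC 4303) and then decapsulates it, restoring the original IP header. AES-GCM with a 4-byte salt and an 8-byte per-packet IV in the style of RFC 4106, the key, the SPI and the sample bytes are assumptions made for the example; the anti-replay check and SA lookup are not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	espProto  = 50 // IP protocol number that identifies ESP
	ipHdrLen  = 20 // the example assumes a 20-byte IPv4 header (IHL = 5)
	espHdrLen = 8  // SPI (4 bytes) + Sequence Number (4 bytes)
	ivLen     = 8  // per-packet IV sent in the clear right after the ESP header
	saltLen   = 4  // salt from the SA key material; salt+IV is the 12-byte GCM nonce
)

// Constructed IPv4 header: 10.0.0.1 -> 10.0.0.2, protocol 6 (TCP), TTL 64, DF,
// total length 44, checksum left 0 (the stack recomputes it).
var ipHeader = []byte{
	0x45, 0x00, 0x00, 0x2c, 0x12, 0x34, 0x40, 0x00,
	0x40, 0x06, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2,
}

// Constructed TCP segment: ports 1234 -> 23, PSH|ACK, 4 data bytes.
var tcpSegment = []byte{
	0x04, 0xd2, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01,
	0x00, 0x00, 0x00, 0x00, 0x50, 0x18, 0x20, 0x00,
	0x00, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd',
}

// newESPAEAD wraps a 16-byte AES key in GCM; the GCM tag doubles as ESP's ICV.
func newESPAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// espTransport produces: IP header | SPI, seq | IV | encrypted(payload, pad,
// pad length, next header) | ICV. In the IP header only the protocol field and
// total length change; the original protocol rides in the encrypted trailer.
func espTransport(aead cipher.AEAD, salt, iv, ip, payload []byte, spi, seq uint32) ([]byte, error) {
	if len(salt) != saltLen || len(iv) != ivLen || len(ip) != ipHdrLen {
		return nil, errors.New("bad salt, IV or IP header length")
	}
	padLen := (4 - (len(payload)+2)%4) % 4 // payload+pad+2 trailer bytes: multiple of 4
	plain := append([]byte(nil), payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // ESP default padding bytes: 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), ip[9]) // Pad Length, Next Header (6 = TCP)
	hdr := make([]byte, espHdrLen)
	binary.BigEndian.PutUint32(hdr[0:4], spi)
	binary.BigEndian.PutUint32(hdr[4:8], seq)
	nonce := append(append([]byte(nil), salt...), iv...)
	ct := aead.Seal(nil, nonce, plain, hdr) // ESP header is authenticated, not encrypted
	pkt := append([]byte(nil), ip...)
	pkt = append(pkt, hdr...)
	pkt = append(pkt, iv...)
	pkt = append(pkt, ct...)
	pkt[9] = espProto // the protocol field now says ESP
	binary.BigEndian.PutUint16(pkt[2:4], uint16(len(pkt)))
	return pkt, nil
}

// espDecap checks the ICV, decrypts, strips the trailer and returns the
// original IP header (protocol field restored) plus the inner payload.
func espDecap(aead cipher.AEAD, salt, pkt []byte) (ip, payload []byte, err error) {
	if len(pkt) < ipHdrLen+espHdrLen+ivLen+aead.Overhead()+2 || pkt[9] != espProto {
		return nil, nil, errors.New("not an ESP transport-mode packet")
	}
	hdr := pkt[ipHdrLen : ipHdrLen+espHdrLen]
	iv := pkt[ipHdrLen+espHdrLen : ipHdrLen+espHdrLen+ivLen]
	nonce := append(append([]byte(nil), salt...), iv...)
	plain, err := aead.Open(nil, nonce, pkt[ipHdrLen+espHdrLen+ivLen:], hdr)
	if err != nil {
		return nil, nil, errors.New("ESP ICV check failed: packet modified or wrong key")
	}
	nextHeader, padLen := plain[len(plain)-1], int(plain[len(plain)-2])
	if padLen > len(plain)-2 {
		return nil, nil, errors.New("bad pad length")
	}
	payload = plain[:len(plain)-2-padLen]
	ip = append([]byte(nil), pkt[:ipHdrLen]...)
	ip[9] = nextHeader // put the saved protocol number back
	binary.BigEndian.PutUint16(ip[2:4], uint16(ipHdrLen+len(payload)))
	return ip, payload, nil
}

func main() {
	aead, _ := newESPAEAD([]byte("0123456789abcdef")) // constructed SA key
	salt, iv := []byte{1, 2, 3, 4}, []byte{0, 0, 0, 0, 0, 0, 0, 1}
	pkt, _ := espTransport(aead, salt, iv, ipHeader, tcpSegment, 0x2000, 1)
	ip, payload, err := espDecap(aead, salt, pkt)
	fmt.Printf("wire proto=%d err=%v\n", pkt[9], err)
	if err == nil {
		fmt.Printf("restored proto=%d data=%q\n", ip[9], payload[20:])
	}
}
```

On the wire the addresses and the SPI are readable (which is why the slides say the IP header is exposed in transport mode), but the TCP ports and data are not, and flipping any bit of the ESP header, ciphertext or ICV makes Open fail before anything is handed to the transport layer.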
The packet diagram below illustrates IPSec Transport mode with ESP header:
(Figure)
The packet diagram below illustrates IPSec Transport mode with AH header:
(Figure)
Continue…
• The AH can be applied alone or together with ESP when IPSec is in transport mode.
• AH's job is to protect the entire packet; however, IPSec in transport mode does not create a new IP header in front of the packet but places a copy of the original with some minor changes to the protocol ID, therefore not providing essential protection to the details contained in the IP header (source IP, destination IP etc).
• AH is identified in the New IP header with an IP protocol ID of 51.
• In both ESP and AH cases with IPSec Transport