
Part I: Introduction to how the IPsec protocol suite works

1. The IPsec protocol suite

IPsec has three main protocol layers:

- Internet Key Exchange (IKE): lets the devices taking part in the VPN exchange security information with each other: how to encrypt, which algorithm to encrypt with, and how often to re-key. IKE automatically negotiates the security policies between the VPN devices, which is what makes IPsec usable in large networks. During the key exchange IKE uses asymmetric cryptography (a public/private key pair) to protect the exchange of keys between the VPN devices.
- Encapsulating Security Payload (ESP): provides authentication, encryption and data integrity (securing of data). This is the protocol most commonly used when setting up IPsec.
- Authentication Header (AH): provides authentication. AH is rarely used because the same function is already available in ESP.

2. IPsec has two modes:

- Transport mode: the encrypted data (the Layer 4 payload) sits inside the ESP header, and ESP is inserted between the Layer 2 header and the Layer 3 header.
- Tunnel mode: the data is encrypted and encapsulated behind a new IP header with a new source and destination IP.

IPsec supports encryption methods such as DES (Data Encryption Standard), 3DES and AES (Advanced Encryption Standard), and authentication methods such as HMAC, MD5 and SHA-1.

3. Before exchanging keys to set up a virtual channel (IPsec VPN), IPsec first has to authenticate who it is talking to. Peer authentication methods:

- Username and password
- OTP (one-time password)
- Biometrics
- Pre-shared keys
- Digital certificates (digital signatures); this method is commonly used in e-government.

4. How Internet Key Exchange (IKE) works

As mentioned above, IKE exchanges keys between the devices taking part in the VPN and exchanges security policies between them; without it, the administrator would have to configure all of this by hand. The security policies on these devices are called SAs (Security Associations). During IKE each device offers all the SAs it has, and the devices pick the SA that best matches their peer. The keys exchanged during IKE are themselves encrypted, and they change over time (new keys are generated) so that an attacker cannot brute-force them. The protocols used for authentication and key encryption inside IKE are Oakley (see RFC 2412), ISAKMP (RFC 2408) and SKEME. IKE uses UDP port 500.

5. The phases of IKE (IKE Phases)

- IKE Phase 1 (mandatory in every IKE exchange)
  Step 1: authenticate the devices taking part in the VPN (authenticate the peers).
  Step 2: exchange the SAs.
  Phase 1 has two modes of operation: Main mode (needs 6 messages to complete steps 1 and 2) and Aggressive mode (needs 3 messages to complete steps 1 and 2).

- IKE Phase 1.5 (optional)
  This phase assigns a LAN IP address and DNS through DHCP and authenticates the user (user authentication). The protocol invoked here is Xauth (Extended Authentication).

- IKE Phase 2 (mandatory)
  After Phases 1 and 1.5 the devices have complete information about each other: encryption and authentication policy (the SA) and keys, and thanks to IKE a secure virtual channel now exists between them. At this point the devices exchange one more SA (pay attention here). The SA exchanged now is the policy of the IPsec protocol itself (the security policy for encapsulating data); it is different from the IKE SA (which is about how to build a secure channel). In the IPsec SA the devices agree on whether data is encapsulated and encrypted with ESP or AH, whether it runs in tunnel mode or transport mode, and how long the encryption keys are valid. This is about encrypting data, no longer about encrypting the key exchange as happened during IKE. From now on, whenever a device wants to talk to a peer, it exchanges an IPsec SA with that peer, and the data sent on the link is encrypted according to that IPsec SA.

So in section 5 I have presented the three main steps that create a secure virtual channel (IPsec VPN).

6. Other IKE features that help IKE work better include:

- Dead peer detection (DPD) and Cisco IOS keepalives: these are timer-based functions. After two devices have built an IPsec VPN with each other, they regularly send each other keepalive packets to check the peer's state; the main purpose is to detect a failed device. Keepalives are normally sent every 10 seconds.
- NAT-Traversal support: if there are NAT or PAT devices on the path from A to B, IPsec can still carry packets through them as long as it runs in tunnel mode and NAT-Traversal is enabled. Why IPsec only works in tunnel mode here and not in transport mode I will explain in detail in the following sections. Note: Cisco has supported NAT-T since IOS Release 12.2(13)T.

Why is NAT-T needed before packets can get through?

Note what I presented above. When a packet is encrypted with ESP, the source IP and port and the destination IP and port are all encrypted and sit entirely inside the ESP header. With all the IP and port information encrypted, NAT cannot be performed on the IPsec channel. NAT Traversal was therefore added to the IKE process to detect NAT and support it for IPsec: the data is no longer carried directly by IP but is encapsulated in UDP, and the IP and port information is now in this UDP packet.

- Mode Configuration: this feature pushes security policies as well as IP, DNS and gateway information to mobile users when they dial in to the system over VPN. Cisco also offers a solution for this called Easy VPN, but I will not go into it in this article.
- Xauth: the last IKE feature I want to introduce (already mentioned briefly under Phase 1.5). Xauth lets AAA (Authentication, Authorization, Accounting) be used for user authentication. Note this point: Xauth is not to be confused with IKE; the authentication Xauth performs is user authentication, not the peer authentication that takes place in Phase 1.

So in Part I I have introduced how an IPsec VPN works and gone into the first protocol of the suite, IKE. In the following parts I will explain the operation of ESP and AH in more detail, and then the router configuration for a number of specific cases. I hope this article helps you understand the IPsec protocol a little better; how to set up an IPsec VPN will be presented in the following parts.

Part II: How the two protocols ESP and AH work

Besides IKE, the IPsec suite has ESP and AH as its two main protocols for encrypting and authenticating data.

1. Overview

ESP uses IP protocol number 50 (ESP is encapsulated by IP and the protocol field in the IP header is 50). AH uses IP protocol number 51 (AH is encapsulated by IP and the protocol field in the IP header is 51).

The IPsec suite operates in two main modes, Tunnel Mode and Transport Mode:

- Tunnel mode: in this mode, after the data has been encapsulated and ESP has encrypted the whole payload, frame header and IP header, IPsec adds a new IP header to the packet before forwarding it.
- Transport mode: in this mode the IP header is kept unchanged and ESP is inserted between the payload and the IP header of the packet. This mode is very often used when network administrators have also created a GRE (Generic Routing Encapsulation) tunnel. What a GRE tunnel is I will explain in another tutorial.

All packets encrypted by IPsec are encrypted with symmetric keys.

2. Overview of the ESP and AH headers

[Figure: packet encapsulation with ESP and AH (image not available in this copy)]

This figure illustrates how data is encapsulated by the two protocols ESP and AH. At the top is the original packet, consisting of the data and the IP header.

If ESP is used:

ESP performs encryption, authentication and data integrity protection (securing of data). After ESP encapsulation, all the information needed for encryption and decryption is in the ESP header. The encryption algorithms are DES, 3DES and AES; the authentication algorithms are MD5 or SHA-1. ESP also provides anti-replay protection against packets that were captured and replayed.

If AH is used:

AH performs only authentication and data integrity protection; it does not encrypt the data. AH is therefore rarely used in IPsec, because on its own it does not secure the data.

3. AH authentication and data integrity

Below is an illustration of the AH authentication mechanism.

[Figure: AH authentication mechanism (image not available in this copy)]

Step 1: AH takes the packet, consisting of payload + IP header + key, and runs it through a hash algorithm, producing a digest. Remember that this is a one-way algorithm: packet + key gives the digest, but the digest cannot be turned back into the packet + key. This digest is placed in the AH header.

Step 2: the AH header is inserted between the payload and the IP header and the packet is sent to the other side.

Of course, remember that this packet is travelling over the tunnel that the IKE process created earlier, after the key exchange.

Step 3: once the destination router receives the packet (IP header + AH header + payload), it runs it through the hash algorithm once more to produce a digest.

Step 4: it compares the digest it just computed with the digest carried in the packet; if they match, it accepts the packet. If an attacker sniffed the packet in transit and modified it, changing its size or content, the hash will produce a digest different from the original one the destination router has, so the packet is dropped.

The hash algorithms are MD5 and SHA-1, and in this case IPsec is running in transport mode.

4. The ESP protocol

Below is the mechanism for encrypting a packet with ESP.

[Figure: ESP encryption of a packet in tunnel mode (image not available in this copy)]

ESP supports both authentication and encryption.

At the top is the original packet; ESP uses a key to encrypt the whole original packet. In this case IPsec is running in tunnel mode, so besides the ESP header it generates a new, unencrypted IP header so that the packet can travel across the Internet.
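The anti-replay feature mentioned in the ESP overview above, as an added example that is not from the tutorial: the receiver-side sliding-window check from RFC 4303 section 3.4.3, which is how an ESP endpoint recognises that a captured packet is being replayed and drops it. The window size, the SPI and the constructed stream of (SPI, sequence number) pairs are assumptions.

```python
# Constructed example, not code from the original tutorial: the ESP
# anti-replay sliding window (RFC 4303, section 3.4.3). A 64-packet window is
# the minimum a receiver must support; the packet stream below is constructed.
WINDOW = 64

class AntiReplayWindow:
    """Tracks which of the most recent sequence numbers were already accepted."""
    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already received

    def check(self, seq):
        """True if seq is fresh: neither already received nor older than the window."""
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.top:
            return True                       # newer than anything seen: fresh
        if self.top - seq >= self.size:
            return False                      # fell off the left edge: too old
        return not (self.bitmap >> (self.top - seq)) & 1

    def update(self, seq):
        """Mark seq as received; only call after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def receive(window, spi, seq, expected_spi=0x1001):
    """Replay check for one ESP packet; returns 'accept' or the drop reason."""
    if spi != expected_spi:
        return "drop: unknown SPI"
    if not window.check(seq):
        return "drop: replayed or too old"
    # ... decryption and ICV verification go here; advance the window only on success ...
    window.update(seq)
    return "accept"

def simulate():
    """Constructed stream: in order, reordered, a replay, then far-too-old packets."""
    w = AntiReplayWindow()
    stream = [(0x1001, 1), (0x1001, 2), (0x1001, 5), (0x1001, 3), (0x1001, 2),
              (0x1001, 100), (0x1001, 30), (0x1001, 5), (0x2002, 101)]
    return [receive(w, spi, seq) for spi, seq in stream]
```

Sequence 3 arriving after 5 is still accepted (reordering inside the window is allowed), the second copy of 2 is dropped as a replay, and after 100 advances the window the numbers 30 and 5 are older than 64 and dropped without any bitmap lookup.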

So in this part I have introduced how the two protocols ESP and AH work. Note that the ESP and AH authentication and encryption only take place after the IKE process has completed. In this chapter I do not want to go deep into analysing the encryption algorithms, because my purpose in this tutorial is to explain how IPsec works and how to configure an IPsec VPN on a Cisco router.
