
IPsec IP

IP

IP security IPsec

IP

IPsec
IPsec

MAC
MAC

replay attack

IPsec
gateways

IPsec

Transport Mode
IPsec
Tunnel Mode

IPsec
Encapsulating Security Payload ESP
Authentication Header AH

IPsec

IPsec
IKE

IPsec
Security Association Database SAD
Security Policy Database SPD
IPsec
IPsec

IPsec
header
IP
ESP/AH Header

Tunnel Mode

IPsec
ESP IPsec

AH

IPsec

Transport Mode IPsec

IPsec
[Figure: Transport Mode. Host x in Network A and host y in Network B communicate across the Internet. Packet layout without IPsec: Application | TCP/UDP | IP | MAC (TCP/UDP Header, IP Header). Packet layout with IPsec in Transport Mode: Application | TCP/UDP | IPsec | IP: x y | MAC.]
Tunnel Mode

IPsec

IPsec
GWB

A

security gateways

x

A
y
x
security gateways
GWB GWA
y
x
IPsec
GWA GWA
GWB GWB
[Figure: Tunnel Mode. Network A behind security gateway GWA and Network B behind security gateway GWB, connected across the Internet.]
GWA GWB
GWA
y
GWA
GWB
GWA

IP
GWB

IPsec
GWA

GWB
IP Header
[Figure: packet layout in Tunnel Mode: Application | TCP/UDP | IP: x y | IPsec | IP: GWA GWB | MAC (inner IP header and outer IP header).]

GWB GWB

GWB
Next Protocol
IP Header
IP
GWB
GWB
IPsec
IPsec
GWB
y
IP Header
IPsec
y
IP
x
y

header
[Figure: GWA-GWB Tunnel between Network A (gateway GWA) and Network B (gateway GWB) across the Internet. Packet inside the networks: Application | TCP/UDP | IP: x y | MAC. Packet on the tunnel: Application | TCP/UDP | IP: x y | IPsec | IP: GWA GWB | MAC.]

IPsec

Transport Mode
security gateways

IPsec

IPsec
IPsec

ESP
[Figure: packet layout: Application | TCP/UDP | IP: x y | MAC.]
Transport Mode

Tunnel Mode

Tunnel Mode
Tunnel Mode

Virtual Private Network VPN

IPsec
gateway
gateways

Tunnel Mode

IPsec
[Figure: Virtual Private Network with three branches: Europe branch (GWE), Asia branch (GWA) and USA branch (GWU), connected across the Internet by the Europe-Asia Tunnel, the Europe-USA Tunnel and the USA-Asia Tunnel.]
GWM

GWA

tunnels
M
A

Tunnel in Tunnel
A
[Figure: Tunnel in Tunnel. Network A contains Subnet M (host m, gateway GWM) behind gateway GWA; Network B is behind gateway GWB; the networks are connected across the Internet.]
GWA
M
GWA
B

M
tunnel
z
[Figure: M-B Tunnel in Tunnel Mode, from GWM (Subnet M inside Network A) to GWB (Network B). Packet inside Subnet M: Application | TCP/UDP | IP: m z | MAC. Packet on the Internet, carried in the M-B Tunnel inside the A-B tunnel: Application | TCP/UDP | IP: m z | IPsec | IP: GWM GWB | IPsec | IP: GWA GWB | MAC.]

gateway
w
w
Tunnel mode

IPsec
[Figure: packet layout: Application | TCP/UDP | IP: m z | MAC.]
Tunnel Mode
m
gateways
gateway
[Figure: A-B Tunnel. Network A (gateway GWA, with Subnet M behind GWM) and Network B (gateway GWB, host w) across the Internet; destination host z. Packet layout shown: Application | TCP/UDP | IP: m z | IPsec | IP: GWM GWB | MAC.]

IPsec
GWM
Tunnel Mode IPsec
tunnel
tunnel
m
GWB

Internet

GWA

m
w

IP Headers
SAD
SAD

IPsec

Security Association Database

Security Association SA
IPsec
MAC
Sequence Number
Lifetime
Security Parameter Index SPI

SA

SA
SA

SA
SA
SA
SA

SAD
Outgoing SAD
Incoming SAD

session

session
User A's SAD

Outgoing SAD
SPI   User   SA data
17    B      ..., SPI=22
38    Y      ..., SPI=5

Incoming SAD
SPI   User   SA data
13    B
44    Y

User B's SAD

Outgoing SAD
SPI   User   SA data
24    A      ..., SPI=13
25    X      ..., SPI=20

Incoming SAD
SPI   User   SA data
22    A
23    X

Outgoing SAD
A
IPsec
A
SA
SA
SPI
ESP/AH Header
B
Incoming SAD - SA
SA
SPI
SA

B
IPsec

IPsec

A

SAD
B
Incoming SAD
SA

IPsec

IPsec
Encapsulating Security Payload ESP

Authentication Header AH

ESP

ESP
[Figure: ESP Header format: SPI | Sequence Number | IV | Data | Padding | Pad Length | Next Protocol | Authentication Data. The figure marks which fields are Encrypted and which are Authenticated.]

ESP Header
Incoming SAD
SA
SPI
Sequence Number
SA
Sequence Number
replay attack
Sequence Number
SA
Initialization Vector IV
CBC Mode
AES
IV
IV
Padding
AES
Padding
Pad Length
IPsec
ESP
Next Protocol
TCP/UDP
Tunnel Mode
IP
Transport Mode
Next Protocol
IPsec
ESP
Data
Data

TCP/UDP
Tunnel Mode

ESP Header

IPsec

IP

IPsec
Authentication Data

MAC

ESP
Packet Filtering Firewall
TCP
ESP
IP
Tunnel Mode ESP
Packet Filtering Firewall
ESP
default
Tunnel Mode
ESP
IP
IPsec
gateway
Authentication Data
trailer ESP Header
ESP

AH
AH

[Figure: AH header format: Next Protocol | Payload Length | Reserved | SPI | Sequence Number | Authentication Data.]
ESP Header

Authentication Data

AH
TTL
header

AH
AH Header

AH Header

AH Header

gateway
Checksum

AH

IP Header
ESP

IP Header

Header
Time To Live

ESP
ESP
ESP

AH

AH

ESP

A
A
IP
A

AH

A

A

AH

A

NAT

IP

IP

AH
Network Address Translation NAT
IP
|A| > N
IP
N
|A|
IP
A

NAT

A
IP

A

ESP

AH

A
NAT
A

[Figure: Network Address Translation. Host x (address IPx) in Network A sends to host y (address IPy) across the Internet through a NAT Server whose external address is IPA.]

AH
A

[Figure: packet before NAT: Application | TCP/UDP | IP: IPx IPy | MAC. Packet after NAT: Application | TCP/UDP | IP: IPA IPy | MAC.]
x

AH
AH
IPx x

IPA
IP

NAT
IPsec
x
y

NAT

SPD

SPDs

Firewall
Firewall

Security Policy Database SPD

IPsec
IPsec
SPD
(Incoming SPD)
SPD
(Outgoing SPD)
selectors
Packet Filtering Firewalls
SPD
Ack Direction
username
Firewalls
Firewall
Action SPD
deny permit
Firewalls deny
drop
IPsec
forward
Firewalls permit
IPsec
secure

AH
ESP
Outgoing SAD SA
SPI
SA

wildcards

SPD

SPD
SPI

secure

IKE

Packet Filtering Firewalls

Packet Filtering Firewall

SPD

SPD
Packet Filtering Firewall
forward
SPD
drop
SPD
secure

drop

IPsec

SPD
IPsec
SA

SPD

IPsec
IPsec
SPD
forward
IPsec

SA

SA

IPsec
SPD
IPsec
drop
forward
secure
SPI
SA
IKE
SA
AH ESP SPD
SPD
SPI
SAD
IPsec
SA
SAD
SA
IP

[Figure: outgoing packet processing. 1: packet passed from the Upper Layer to IPsec; 2: packet checked against the SPD, which answers drop, forward or secure; 3: SPI returned for a secure packet; 4: SPI looked up in the SAD; 5: SA returned; protected packet handed to the IP Layer.]
IP
SPIpacket
SPIpacket
Next Protocol

IPsec
SPI
SAD
IPsec
SPI
SA
SAD
SA
SPD
SPI
SPD
SPISPD
SPI packet SPI SPD

[Figure: incoming packet processing. 1: protected packet arrives from the IP Layer at IPsec; 2: SPIpacket looked up in the SAD; 3: SA returned; 4: packet checked against the SPD; 5: SPISPD returned for a secure packet and compared with SPIpacket; 6: packet delivered to the Upper Level.]
SPIpacket
SA
SPISPD
SPD
SPI
SPD
TCP/UDP Header

SPI packet

Tunnel Mode

SPI SPD

IP spoofing
x

SPI

x y

x
x

IP
SA

SA
SPIx-w

telnet
y
x
w
w
IP spoofing
x
y
SPI
IPsec
w
x
SPI

[Figure: IP spoofing. Packet sent from y to w across the Internet: telnet data | TCP | IPsec: SPI = SPIx-w | IP: y w | MAC.]
SPIx-w
y
w

SPI
SPIx-w SPIy-w

SA

TCP

x

SPD
SPIy-w

x

w

x

http
SA
w

telnet
SPD
w
y
SA
x

w
w telnet
w http
w

SPD
http

SPItelnet

[Figure: a packet from x to w across the Internet carrying http data but protected with the telnet SA: http data | TCP: destination port = 80 | IPsec: SPI = SPItelnet | IP: x w | MAC. The figure also marks w, SPD, SPI and telnet.]

TCP

http
SPD

SPD
w

w
TCP

http

