
Thread: How the AH and ESP protocols work




12-05-2008, 03:56 PM
How the AH and ESP protocols work
Author: Vi Th Mu
1. Overview:
ESP and AH are the two main protocols for encrypting and authenticating data.
- ESP uses IP protocol number 50 (ESP is encapsulated by the IP protocol, and the protocol field in IP is 50)
- AH uses IP protocol number 51 (AH is encapsulated by the IP protocol, and the protocol field in IP is 51)
The IPSec protocol suite operates in 2 main modes: Tunnel Mode and Transport Mode.
- When IPSec operates in Tunnel Mode, after encapsulating the data, ESP encrypts the entire Payload, frame header and IP header, then adds a new IP header to the packet before forwarding it.
- When IPSec operates in Transport Mode, the IP header is kept unchanged, and ESP is inserted between the Payload and the IP header of the packet.
2. Overview of the ESP Header and the AH Header
- When ESP is used: this protocol performs encryption, authentication and integrity protection. After encapsulation by ESP, all information about encryption and decryption is carried in the ESP Header.
- Encryption algorithms used by the protocol include DES, 3DES and AES
- hash algorithms include MD5 or SHA-1
- When AH is used: AH only performs authentication and ensures data integrity. AH has no data encryption feature.
3. Authentication Header (AH)
AH is one of the security protocols; it provides integrity for the packet headers and data, and data origin authentication. It can optionally provide replay protection and access protection. AH does not encrypt any part of the packet. In the first version of IPSec, ESP could only provide encryption, not authentication. Therefore, AH and ESP were combined to provide confidentiality and data integrity for the information.
a. AH Mode
AH has two modes: Transport and Tunnel.
In Tunnel mode, AH creates a new IP Header for each packet
In Transport mode, AH does not create a new IP Header
In an IPSec architecture that uses gateways, the real source and destination IP addresses of the packets must be changed to the IP address of the gateway. Because Transport Mode does not change the source IP header or create a new IP header, Transport Mode is usually used in a host-to-host architecture.
AH provides integrity for the entire packet, regardless of which mode is used.
Figure 3-3: AH Tunnel Mode Packet
Figure 3-4: AH Transport Mode Packet
b. How AH authenticates and ensures data integrity
Step 1: AH takes the packet, consisting of Payload + IP Header + Key, runs it through a one-way hash algorithm and produces a digest; this digest is attached to the AH Header.
Step 2: This AH Header is inserted between the Payload and the IP Header, and the packet is sent to the other side.
Step 3: After receiving this packet, consisting of IP Header + AH Header + Payload, the destination router runs it through the hash algorithm once more to produce a digest.
Step 4: It compares the digest it just produced with the digest in the packet; if they are identical, it accepts the packet.
c. AH Header
Post #1 by danghoangkhanh (Administrator, Elite)
How the AH and ESP protocols work http://vnpro.org/forum/showthread.php/16059-co-che-hoat-dong-cua-gia...
1 of 4 9/16/2014 5:39 AM
Figure 3-5: AH Header
- Next Header: This field is 8 bits long and contains the IP protocol number. In Tunnel Mode, the Payload is an IP packet and the Next Header value is set to 4. In Transport Mode, the Payload is always a Transport-Layer protocol. If the transport-layer protocol is TCP, the protocol field in IP is 6. If the transport-layer protocol is UDP, the protocol field in IP is 17.
- Payload Length: This field contains the length of the AH Header.
- Reserved: this value is reserved for future use (to date it is represented by zeros).
- Security Parameter Index (SPI): each end of each IPSec connection chooses the SPI value. It is used only to identify the connection. The receiver uses the SPI value together with the destination IP address and the IPSec protocol type (AH in this case) to determine the SA policy to apply to the packet (that is, which IPSec protocol and which algorithms are applied to the packet).
- Sequence Number: this number is incremented by 1 for each AH datagram the sending host sends under the SA policy. The counter starts at 1. The sequence number is never allowed to wrap around to 0; when the sending host checks that it has not wrapped, it will negotiate a new SA policy if this SA has been established. The receiving host uses the sequence number to detect replayed datagrams. If checking is done on the receiving side, the receiver can tell the sender that it does not check the sequence number, but it still requires that the sender always increments and sends the sequence number.
- Authentication Data: This field contains the result of the Integrity Check Value (ICV). This field is always a multiple of 32 bits (words) and must be padded if the ICV length in bytes does not fill it.
d. Operation of the AH protocol
- The best way to understand how AH works is to look at and analyse AH packets.
Figure 3-6: Sample AH Transport Mode Packet.
The figure above shows the components of a real AH packet. The sections of the AH packet are: Ethernet header, IP header, AH header and Payload. Based on the fields in the AH mode section, we can see that this is a Transport Mode packet, because it contains only one IP Header. In this case, the payload contains an ICMP echo request (that is, a Ping). The original Ping carries an alphabet string, shown in the packet as increasing hex values (e.g. 61, 62, 63). After AH is applied, the ICMP Payload is unchanged, because AH only provides integrity, not encryption.
Figure 3-7: AH Header Fields from Sample Packet.
These are the AH Header fields from the first 4 packets of the AH session between host A and host B. The fields in the first header are only labels, which serve to identify the AH mode.
- SPI: host A uses the hex value cdb59934 for the SPI in all of its packets, while host B uses the hex value a6b32c00 for the SPI in all of its packets. This reflects the fact that an AH connection actually consists of two one-way connections.
- Sequence Number: both hosts start by setting the number to 1, and both increase it to 2 for their second packet.
- Authentication information: the authentication (integrity) information is a keyed hash over almost all of the bytes in the packet.
e. AH version 3
A new AH standard is Version 3, developed from a draft version. The differences between Version 2 and Version 3 are of secondary concern to IPSec administrators and users: a few changes to the SPI, and optional longer sequence numbers.
The version 3 draft standard also points to another draft that lists the cryptographic algorithms required for AH. The draft mandates support for HMAC-SHA1-96, introduces support for the stronger algorithm AES-XCBC-MAC-96, and also introduces the algorithm HMAC-MD5-96.
f. AH Summary
- AH provides integrity for all packet headers and data, except for some IP Header fields that routing changes in transit.
- AH includes the source and destination addresses in the integrity service. AH is generally not compatible with NAT.
- Today, most IPSec implementations support the second version of IPSec, in which ESP can provide the data integrity service through authentication.
- AH provides one benefit that ESP does not: integrity for the outermost IP Header.
4. Encapsulating Security Payload (ESP)
ESP is the second main security protocol. In the first version of IPSec, ESP only provided encryption for the packet payload data. When needed, AH provided the integrity service. In the second version of IPSec, ESP became more flexible. It can perform authentication to provide the integrity service, although not for the outermost IP header. ESP's encryption can be disabled through the Null ESP encryption algorithm. Therefore, ESP can provide encryption only; encryption and data integrity; or data integrity only.
a. ESP Mode
ESP has two modes: Transport Mode and Tunnel Mode.
In Tunnel Mode: ESP creates a new IP Header for each packet. The new IP Header lists the endpoints of the ESP tunnel (such as two IPSec gateways) as the source and destination of the packet. Tunnel mode can be used with all 3 VPN architecture models.
Figure 3-8: ESP Tunnel Mode Packet
ESP Tunnel Mode is used more frequently than ESP Transport Mode.
In Tunnel Mode, ESP uses the original IP header instead of creating a new IP header.
In Transport Mode, ESP can only encrypt and/or ensure the integrity of the packet content and some ESP components, but not the IP header.
Like AH, ESP in Transport mode is usually used in a host-to-host architecture. Transport mode is not compatible with NAT.
Figure 3-9: ESP Transport Mode Packet
b. ESP Packet Fields
Figure 3-10: ESP Packet Fields
ESP adds a header and a Trailer around the content of each packet. The ESP Header consists of two fields: SPI and Sequence Number.
- SPI (32 bits): each end of each IPSec connection chooses an SPI value. The receiving side uses the SPI value with the destination IP address and the IPSec protocol to determine the unique SA policy to apply to the packet.
- Sequence Number: usually used to provide the anti-replay service. When the SA is established, this number is initialised to 0. Before each packet is sent, this number is incremented by 1 and placed in the ESP header. To make sure that no two packets carry the same number, this number is not allowed to wrap around to 0. Once the number 2^32-1 has been used, a new SA and authentication keys are established.
The next part of the packet is the Payload, made up of the Payload data (encrypted) and the IV (not encrypted). The IV value used during encryption is different in each packet.
The third part of the packet is the ESP Trailer, which contains at least two fields.
- Padding (0-255 bytes): added to adjust the size of each packet.
- Pad length: the length of the Padding
- Next header: In Tunnel mode, the Payload is an IP packet and the Next Header value is set to 4 for IP-in-IP. In Transport mode, the Payload is always a layer-4 protocol. If the layer-4 protocol is TCP, the protocol field in IP is 6; if the layer-4 protocol is UDP, the protocol field in IP is 17. Each ESP Trailer contains one Next Header value.
- Authentication data: this field contains the Integrity Check Value (ICV) for the ESP packet. The ICV is computed over the entire ESP packet except for its authentication data field. The ICV starts on a 4-byte boundary and must be a multiple of 32 bits (words).
c. The encryption process and operation of the ESP protocol
ESP uses symmetric cryptography to provide data confidentiality for IPSec packets. Therefore, for the connection between the two endpoints to be protected by ESP encryption, both sides must use the same key to encrypt and decrypt the packets.
When an endpoint encrypts data, it divides the data into small blocks and then performs the encryption operation repeatedly using the data blocks and the key. Encryption algorithms that work this way are known as block cipher algorithms.
When the other endpoint receives the encrypted data, it decrypts it using the same key and a similar process, but with the steps reversed from the encryption operation.
Example: ESP uses encryption algorithms such as AES-Cipher Block Chaining (AES-CBC), AES Counter Mode (AES-CTR) and Triple DES (3DES).
Compared with the AH packet, the ESP packet looks similar to the AH packet. The alphabet string can be identified in the AH-protected payload but not in the ESP-protected payload, because in ESP it is encrypted.
The ESP packet contains 5 sections: Ethernet Header, IP Header, ESP Header, Encrypted Data (Payload and ESP Trailer), and (optional) authentication information. From the encrypted data it is not possible to tell whether the packet is in Transport Mode or Tunnel Mode. However, because the IP Header is not encrypted, the IP protocol field in the header still reveals the protocol used for the Payload (in this case, ESP).
The figure above shows the ESP Header fields from the first 4 packets of the ESP session between host A and host B. The SPI and Sequence Number fields in ESP work one-way, as they do in AH. Each host uses a different SPI value for its packets, consistent with an ESP connection consisting of two one-way connections. Both hosts start by setting the sequence number to 1, and increase it to 2 for the second packet.
d. ESP Version 3
A new standard for ESP is version 3, a recently added version based on the draft standard. The main functional differences between version 2 and version 3 include the following:
- The ESP version 2 standard required ESP implementations to support encryption-only ESP (without integrity protection). Therefore, the ESP version 3 standard was introduced to address support for this option.
- ESP can use longer sequence numbers, like the AH version 3 standard.
- ESP version 3 supports the use of combined algorithms (AES Counter with CBC-MAC [AES-CCM]). As a result, encryption and integrity protection are achieved faster than by using separate algorithms.
e. ESP Summary
- In Tunnel Mode, ESP provides encryption and integrity protection for the encapsulated IP packet, as well as for the ESP Header; ESP can be compatible with NAT.
- In Transport Mode, ESP provides encryption and integrity protection for the payload of the IP packet, as well as integrity protection for the ESP Header. Transport Mode is not compatible with NAT.
- ESP Tunnel Mode is commonly used in IPSec because it encrypts the original IP Header and can therefore hide the real source and destination addresses of the packet. ESP can also add padding to the packet.
- ESP is commonly used to provide encryption or integrity protection (or both).
5. The main modes of the IPSec protocol:
a. Transport Mode:
- Transport mode protects the upper-layer protocols and applications. In transport mode, the IPSec header is inserted between the IP header and the header of the upper-layer protocol.
- Therefore, only the payload (IP payload) is encrypted, and the original IP header is kept intact. Transport mode can be used when both hosts support IPSec.
Figure 3-13: IPSec Transport-mode a generic representation
Transport mode is used to secure the connection between two hosts:
ESP in Transport mode is used to protect the information between two fixed hosts. It protects the upper-layer protocols of the IP datagram.
Figure 3-14: Transport Mode Tunnel
In Transport Mode, the AH header is inserted into the IP datagram after the IP header and its options.
Figure 3-15: Transport Mode Packet
- This transport mode has the advantage of adding only a few bytes to each packet, and it also allows devices on the network to see the final destination address of the packet.
b. Tunnel mode:
Figure 3-16: A Tunnel Mode AH Tunnel
Figure 3-17: An ESP Tunnel Mode VPN
- Unlike transport mode, Tunnel mode protects the entire IP packet. The entire IP packet is encapsulated in another IP packet, and an IPSec header is inserted between the original header and the new IP header.
Figure 3-18: IPSec Tunnel Mode a generic representation
- The entire original IP packet is encapsulated by AH or ESP, and a new IP header is wrapped around the packet. The entire IP packet is encrypted and becomes the data of the new IP packet. This mode allows network devices, such as routers, to act as an IPSec proxy that performs encryption on behalf of the hosts. The source router encrypts the packets and sends them along the tunnel. The destination router decrypts the original IP packet and forwards it to the end system.
- With a tunnel operating between two security gateways, the source and destination addresses can be encrypted.
Example: packet flow from host A2 to host B3:
Figure 3-19: Packet Flow from Host A2 to Host B3
- Suppose host A2 sends a TCP segment to host B3. The IP datagram leaves host A2 heading for host B3. When the IP datagram leaves host A2, it has source address 10.0.1.2 and destination address 10.0.2.3. The protocol field in the IP header is 6 (indicating that the next-layer protocol is TCP). Host A2 has a default route to GWA, or a route to network 10.0.2.0/24 with GWA as the next hop, so the datagram is routed to GWA.
- When the datagram arrives at GWA, the gateway checks its SPD and finds a policy stating that any datagram from network 10.0.1.0/24 to network 10.0.2.0/24 should be encapsulated with tunnel-mode ESP and sent to GWB at 2.2.2.2. After GWA encapsulates the IP datagram, the outer IP header has source address 1.1.1.1 (GWA) and destination address 2.2.2.2 (GWB). The protocol field of the outer IP header is 50 (indicating that ESP is used). The protocol field of the ESP packet is 4 (indicating that the ESP packet is encapsulating an IP datagram). The inner IP header is unchanged.
- When the encapsulated IP datagram arrives at GWB, the gateway sees that it contains an ESP packet, retrieves the authentication and encryption keys from the appropriate SA, performs the authentication check and decrypts the ESP Payload. The outer IP header, the ESP header and Trailer, and the ICV are stripped off, and the inner IP datagram is forwarded to its destination (10.0.2.3).
Comparison table of the AH and ESP protocols
Đặng Hoàng Khánh
Email: danghoangkhanh@vnpro.org
---------------------------
VnPro - Cisco Authorised Training
Discuss about Networking, especially Cisco technology: http://vnpro.org
Discuss about Wireless: http://wifipro.org or http://wimaxpro.org
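As an added example (not part of the original post, nor VnPro's or the author's code), the Python below parses the AH and ESP headers described in the post from constructed IPv4 packets, and applies the sender-side sequence-number rule the post states (increment by 1 per packet, never wrap to 0, new SA when the space is exhausted). Field layout follows RFC 4302 (AH) and RFC 4303 (ESP); the SPI values are the sample values quoted in the post, while the ICV bytes, the encrypted bytes and the IP addresses are constructed placeholders, not a real keyed hash or ciphertext.

```python
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51   # IP protocol numbers given in the post
SEQ_MAX = 2**32 - 1                # last usable 32-bit sequence number before a new SA is needed

def parse_ipv4(buf):
    """Return (protocol, payload) of an IPv4 packet, honouring the IHL field for options."""
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], buf[ihl:]

def parse_ah(buf):
    """Split an AH header into Next Header, SPI, Sequence Number, ICV and the payload it protects."""
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:12])
    # RFC 4302: Payload Length is the AH length in 32-bit words minus 2, so the whole
    # header (12 fixed bytes + ICV) spans (payload_len + 2) * 4 bytes.
    hdr_len = (payload_len + 2) * 4
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": buf[12:hdr_len], "payload": buf[hdr_len:]}

def parse_esp(buf):
    """Only SPI and Sequence Number are in the clear; everything after is encrypted payload + trailer (+ ICV)."""
    spi, seq = struct.unpack("!II", buf[:8])
    return {"spi": spi, "seq": seq, "protected": buf[8:]}

def next_seq(current):
    """Sender-side rule from the post: +1 per packet, never wrap to 0; exhaustion means a new SA."""
    if current >= SEQ_MAX:
        raise OverflowError("sequence number space exhausted; negotiate a new SA")
    return current + 1

def build_ipv4(proto, payload, src=b"\x0a\x00\x01\x02", dst=b"\x0a\x00\x02\x03"):
    """Constructed 20-byte IPv4 header (no options, checksum left 0) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

# Constructed AH transport-mode packet: IP | AH | ICMP echo request carrying "abcdefgh" (hex 61 62 63 ...)
ICMP = bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"abcdefgh"
# Next Header 1 = ICMP; Payload Length 4 = (12 + 12) / 4 - 2; 12-byte placeholder ICV (zeros)
AH_HDR = struct.pack("!BBHII", 1, 4, 0, 0xCDB59934, 1) + bytes(12)
AH_PACKET = build_ipv4(IPPROTO_AH, AH_HDR + ICMP)
# Constructed ESP packet: IP | ESP header | 16 opaque bytes standing in for the encrypted payload and trailer
ESP_PACKET = build_ipv4(IPPROTO_ESP, struct.pack("!II", 0xA6B32C00, 1) + bytes(16))

if __name__ == "__main__":
    proto, rest = parse_ipv4(AH_PACKET)
    print(proto, parse_ah(rest))       # AH: the ICMP payload is still readable, as the post notes
    proto, rest = parse_ipv4(ESP_PACKET)
    print(proto, parse_esp(rest))      # ESP: only SPI and sequence number are visible in the clear
```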
29-11-2009, 01:03 AM
IPSec and NAT-T question
Could you explain the difference between UDP-Encapsulated Transport mode and UDP-Encapsulated Tunnel mode? Why can UDP-Encapsulated Transport mode be used with NAT-T? I thought transport mode was not compatible with NAT? Thank you.
Post #2 by sato (Member)
