Thread: How the AH and ESP protocols work
#1 | 12-05-2008, 03:56 PM | danghoangkhanh (Administrator Elite; Join Date: Oct 2005; Location: HCM City; Posts: 921)

How the AH and ESP protocols work
Author: Vi Th Mu

1. Overview
The ESP protocol and the AH protocol are the two main protocols for encrypting and authenticating data.
- ESP uses IP Protocol number 50 (ESP is encapsulated by the IP protocol, and the protocol field in IP is 50).
- AH uses IP Protocol number 51 (AH is encapsulated by the IP protocol, and the protocol field in IP is 51).
The IPSec protocol suite operates in two main modes: Tunnel Mode and Transport Mode.
- When IPSec operates in Tunnel Mode, after encapsulating the data, ESP encrypts the entire Payload, frame Header and IP Header, then adds a new IP Header to the packet before forwarding it.
- When IPSec operates in Transport Mode, the IP Header is kept as it is, and ESP is inserted between the Payload and the IP Header of the packet.

2. Overview of the ESP Header and AH Header
- When the ESP protocol is used, it performs encryption, authentication and integrity protection. Once the packet has been encapsulated with ESP, all the information about encryption and decryption lies in the ESP Header.
- The encryption algorithms used in the protocol include DES, 3DES and AES.
- The hash algorithms include MD5 or SHA-1.
- When the AH protocol is used, AH only performs authentication and ensures data integrity. AH has no data-encryption capability.

3. Authentication Header (AH)
AH is one of the security protocols; it provides integrity protection for packet headers and data, and authentication of the data's origin. It can optionally provide replay protection and access protection. AH does not encrypt any part of the packets. In the first version of IPSec, ESP could only provide encryption, not authentication. Therefore AH and ESP were combined to provide both confidentiality and data integrity for the information.

a. AH Mode
AH has two modes: Transport and Tunnel. In Tunnel mode, AH creates a new IP Header for each packet. In Transport mode, AH does not create a new IP Header. In an IPSec architecture that uses gateways, the real source and destination IP addresses of the packets must be changed to the gateway's IP address. Because Transport Mode does not change the original IP Header or create a new IP Header, Transport Mode is usually used in host-to-host architectures. AH provides integrity protection for the whole packet, whichever mode is used.
Figure 3-3: AH Tunnel Mode Packet
Figure 3-4: AH Transport Mode Packet

b. How AH authenticates and ensures data integrity
Step 1: AH takes the packet, consisting of Payload + IP Header + Key, runs it through a one-way hash algorithm and gets a digest; this digest is attached to the AH Header.
Step 2: This AH Header is inserted between the Payload and the IP Header, and the packet is sent to the other side.
Step 3: After the destination router receives the packet, consisting of IP Header + AH Header + Payload, it runs it through the hash algorithm once more to obtain a digest.
Step 4: It compares the digest it has just computed with the one carried in the packet; if they match, it accepts the packet.

c. AH Header
Figure 3-5: AH Header
- Next Header: This field is 8 bits long and holds an IP protocol number. In Tunnel Mode the Payload is an IP packet, and the Next Header value is set to 4. In Transport Mode the Payload is always a Transport-Layer protocol. If the transport-layer protocol is TCP, the protocol field in IP is 6; if the transport-layer protocol is UDP, the protocol field in IP is 17.
- Payload Length: This field holds the length of the AH Header.
- Reserved: This value is reserved for future use (so far it is represented by zeros).
- Security Parameter Index (SPI): Each endpoint of each IPSec connection chooses its own SPI value. This is only used to identify the connection. The receiver uses the SPI value together with the destination IP address and the IPSec protocol type (AH in this case) to determine the SA policy applied to the packet (that is, which IPSec protocol and which algorithms are applied to the packet).
- Sequence Number: This number increases by 1 for each AH datagram the sending host sends under the related SA policy. The counter's starting value is 1. This sequence number is never allowed to wrap around to 0; when the sending host requires checking, it is not wrapped, and a new SA policy is negotiated if this SA has been established. The receiving host uses the sequence number to detect replayed datagrams. If checking is done on the receiving host's side, the receiver can tell the sender that it does not check the sequence number, but the sender is still required to always increment and send the sequence number.
- Authentication Data: This field holds the result, the Integrity Check Value (ICV). This field is always a multiple of 32-bit words and must be padded if the length of the ICV in bytes does not fill it.

d. Operation of the AH protocol
- The best way to understand how AH works is to look at and analyse AH packets.
Figure 3-6: Sample AH Transport Mode Packet
The figure above shows the components of a real AH packet. The sections of the AH packet are: Ethernet header, IP header, AH header and Payload. Based on the fields in the AH mode part, we can see this is a Transport Mode packet, because it contains only one IP Header. In this case the payload contains an ICMP echo request (a Ping). The original Ping contains a string of letters shown in the packet as increasing hex values (e.g. 61, 62, 63). After AH is applied, the ICMP payload is unchanged, because AH only provides integrity protection, not encryption.
Figure 3-7: AH Header Fields from Sample Packet
These are the AH Header fields from the first 4 packets in an AH session between host A and host B. The fields in the first header are just labels, useful for identifying the AH mode.
- SPI: host A uses the hex value cdb59934 for the SPI in all of its packets, while host B uses the hex value a6b32c00 for the SPI in all of its packets. This reflects the fact that an AH connection actually consists of two one-way connections.
- Sequence Number: both hosts start by setting the number to 1, and both increase it to 2 for their second packet.
- Authentication information: the authentication (integrity) information is a keyed hash over nearly all the bytes in the packet.

e. AH version 3
A new standard for AH is Version 3, a version developed from the draft version. The differences between Version 2 and Version 3 are of secondary concern to IPSec administrators and users: a few changes to the SPI, and an option for a longer sequence number. The version 3 draft also points to another draft that lists the encryption algorithms required for AH. That draft mandates support for HMAC-SHA1-96, introduces the stronger AES-XCBC-MAC-96 algorithm, and also introduces HMAC-MD5-96.

f. AH Summary
- AH provides integrity protection for all packet headers and data, except for certain IP Header fields that routers change in transit.
- AH includes the source and destination addresses in its integrity protection. AH is usually not compatible with NAT.
- Currently, most IPSec implementations support the second version of IPSec, in which ESP can provide data-integrity protection through authentication.
- AH provides one benefit that ESP does not: integrity protection for the outermost IP Header.

4. Encapsulating Security Payload (ESP)
ESP is the second main security protocol. In the first version of IPSec, ESP only provided encryption for the packet payload data; when needed, AH provided integrity protection. In the second version of IPSec, ESP became more flexible: it can perform authentication to provide integrity protection, although not for the outermost IP header. ESP's encryption can be disabled through the Null ESP encryption algorithm. Therefore ESP can provide encryption only; encryption and data integrity; or data integrity only.

a. ESP Mode
ESP has two modes: Transport Mode and Tunnel Mode. In Tunnel Mode, ESP creates a new IP Header for each packet. The new IP Header lists the endpoints of the ESP Tunnel (such as two IPSec gateways) as the packet's source and destination. Tunnel mode can be used with all 3 VPN architecture models.
Figure 3-8: ESP Tunnel Mode Packet
ESP Tunnel Mode is used far more often than ESP Transport Mode. In Tunnel Mode, ESP uses the original IP header instead of creating a new one. In Transport Mode, ESP can only encrypt and/or protect the integrity of the packet contents and some ESP components, but not the IP header. Like AH, ESP in Transport mode is usually used in host-to-host architectures. Transport mode is not compatible with NAT.
Figure 3-9: ESP Transport Mode Packet

b. ESP Packet Fields
Figure 3-10: ESP Packet Fields
ESP adds a header and a Trailer around the contents of each packet. The ESP Header is made up of two fields: SPI and Sequence Number.
- SPI (32 bits): each endpoint of each IPSec connection chooses its own SPI value. The receiver uses the SPI value with the destination IP address and the IPSec protocol to determine the unique SA policy applied to the packet.
- Sequence Number: usually used to provide the anti-replay service. When the SA is established, this number is initialised to 0. Before each packet is sent, the number is incremented by 1 and placed in the ESP header. To make sure no two packets carry the same number, the number is not allowed to wrap around to 0. As soon as the number 2^32-1 has been used, a new SA and authentication key are established.
The next part of the packet is the Payload, made up of the Payload data (encrypted) and the IV (not encrypted). The IV value used during encryption is different in each packet. The third part of the packet is the ESP Trailer, which contains at least two fields.
- Padding (0-255 bytes): added to adjust the size of each packet.
- Pad length: the length of the Padding.
- Next header: In Tunnel mode the Payload is an IP packet, and the Next Header value is set to 4 for IP-in-IP. In Transport mode the Payload is always a layer-4 protocol; if the layer-4 protocol is TCP the IP protocol field is 6, and if it is UDP the IP protocol field is 17. Every ESP Trailer contains a Next Header value.
- Authentication data: this field holds the Integrity Check Value (ICV) for the ESP packet. The ICV is computed over the whole ESP packet except its authentication data field. The ICV starts on a 4-byte boundary and must be a multiple of 32-bit words.

c. Encryption process and operation of the ESP protocol
ESP uses symmetric cryptography to provide data confidentiality for IPSec packets. Therefore, for a connection whose two endpoints are both protected by ESP encryption, both sides must use the same key in order to encrypt and decrypt the packets. When an endpoint encrypts data, it splits the data into small blocks and then performs the encryption operation repeatedly using the data blocks and the key. Encryption algorithms that work in this way are known as block cipher algorithms. When the other endpoint receives the encrypted data, it decrypts it using the same key and a similar process, but with the operation reversed. For example, ESP uses the encryption algorithms AES-Cipher Block Chaining (AES-CBC), AES Counter Mode (AES-CTR) and Triple DES (3DES).
Compared with the AH packet, the ESP packet looks similar to the AH packet. The string of letters can be identified in the AH-protected Payload but not in the ESP-protected payload, because in ESP it is encrypted. The ESP packet contains 5 sections: Ethernet Header, IP Header, ESP Header, Encrypted Data (Payload and ESP Trailer), and (optional) authentication information. From the encrypted data it is impossible to tell whether the packet was sent in Transport Mode or Tunnel Mode. However, since the IP Header is not encrypted, the IP protocol field in the header still reveals the protocol used for the Payload (ESP in this case).
The figure above shows the ESP Header fields from the first 4 packets in an ESP session between host A and host B. The SPI and Sequence Number fields in ESP work one-way as they do in AH. Each host uses a different SPI value for its packets, consistent with an ESP connection consisting of two one-way connections. Both hosts start by setting the sequence number to 1, and increase it to 2 for the second packet.

d. ESP Version 3
A new standard for ESP is version 3, a recently added version based on the draft standard. The main functional differences between version 2 and version 3 include the following:
- The ESP version 2 standard required ESP implementations to support ESP used only for encryption (without data-integrity protection). Therefore, the ESP version 3 standard was put forward to support this option.
- ESP can use a longer sequence number, as in the AH version 3 standard.
- ESP version 3 supports the use of combined algorithms (AES Counter with CBC-MAC [AES-CCM]), so encryption and data-integrity protection are achieved faster than by using separate algorithms.

e. ESP Summary
- In Tunnel Mode, ESP provides encryption and integrity protection for the encapsulated IP packet, as well as authentication of the ESP Header; ESP can be compatible with NAT.
- In Transport Mode, ESP provides encryption and integrity protection for the Payload of the IP packet, as well as integrity protection of the ESP Header. Transport Mode is not compatible with NAT.
- ESP Tunnel Mode is commonly used in IPSec because it encrypts the original IP Header and can hide the packet's real source and destination addresses. ESP can also add padding to the packet.
- ESP is usually used to provide encryption or integrity protection (or both).

5. The main modes of the IPSec protocol
a. Transport Mode
- Transport mode protects the upper-layer protocols and applications. In transport mode, the IPSec header is inserted between the IP header and the header of the upper-layer protocol.
- Therefore, only the IP payload is encrypted, and the original IP header is kept intact. Transport mode can be used when both hosts support IPSec.
Figure 3-13: IPSec Transport-mode, a generic representation
Transport mode is used to secure the connection between two hosts: ESP in Transport mode is used to protect information between two fixed hosts, protecting the upper-layer protocols of the IP datagram.
Figure 3-14: Transport Mode Tunnel
In Transport Mode, the AH header is inserted into the IP datagram after the IP header and its options.
Figure 3-15: Transport Mode Packet
- This transport mode has the advantage of adding only a few bytes to each packet, and it also lets devices on the network see the final destination address of the packet.

b. Tunnel mode
Figure 3-16: A Tunnel Mode AH Tunnel
Figure 3-17: An ESP Tunnel Mode VPN
- Unlike transport mode, Tunnel mode protects the whole datagram. The whole IP datagram is encapsulated in another IP datagram, and an IPSec header is inserted between the original IP header and the new one.
Figure 3-18: IPSec Tunnel Mode, a generic representation
- The whole original IP packet is encapsulated by AH or ESP, and a new IP header is wrapped around the datagram. The whole IP packet is encrypted and becomes the payload of the new IP packet. This mode allows network devices such as routers to act as an IPSec proxy, performing encryption on behalf of the host. The source router encrypts the packets and sends them along the tunnel; the destination router decrypts the original IP packet and forwards it to the end system.
- With a tunnel operating between two security gateways, the source and destination addresses can be encrypted.

Example: packet flow from host A2 to host B3:
Figure 3-19: Packet Flow from Host A2 to Host B3
- Suppose host A2 sends a TCP segment to host B3. The IP datagram leaves host A2 for host B3. When the IP datagram leaves host A2, its source address is 10.0.1.2 and its destination address is 10.0.2.3. The protocol field in the IP header is 6 (indicating that the next-layer protocol is TCP). Host A2 has a default route to GWA, or a route to the 10.0.2.0/24 network with GWA as the next hop, so the datagram is routed to GWA.
- When the datagram arrives at GWA, the gateway checks its SPD, which specifies the policy that any datagram from the 10.0.1.0/24 network to the 10.0.2.0/24 network should be encapsulated with tunnel-mode ESP and sent to GWB at 2.2.2.2. After GWA encapsulates the IP datagram, the outer IP header has source address 1.1.1.1 (GWA) and destination address 2.2.2.2 (GWB). The protocol field of the outer IP header is 50 (indicating that ESP is used). The protocol field of the ESP packet is 4 (indicating that the ESP packet encapsulates an IP datagram). The inner IP header is unchanged.
- When the encapsulated IP datagram arrives at GWB, the gateway sees that it contains an ESP packet, retrieves the authentication and encryption keys from the appropriate SA, performs the authentication check and decrypts the ESP Payload. The outer IP header, the ESP header and Trailer, and the ICV are stripped off, and the inner IP datagram is forwarded to its destination (10.0.2.3).
Comparison table between the AH and ESP protocols

Đặng Hoàng Khánh
Email: danghoangkhanh@vnpro.org
---------------------------
VnPro - Cisco Authorised Training
Discuss about Networking, especially Cisco technology: http://vnpro.org
Discuss about Wireless: http://wifipro.org or http://wimaxpro.org

#2 | 29-11-2009, 01:03 AM | sato (Member; Join Date: May 2009; Posts: 51)

IPSec and NAT-T
Could you explain the difference between UDP-Encapsulated Transport mode and UDP-Encapsulated Tunnel mode? Why can UDP-Encapsulated Transport mode be used with NAT-T? I thought transport mode was not compatible with NAT. Thank you.
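The AH steps 1 to 4 and the "AH is not NAT-compatible" point from the first post, as an added example (not code from either post): it builds an AH transport-mode packet protected with HMAC-SHA1-96, verifies it on receipt, and shows that a NAT rewrite of the source address fails the check while a TTL decrement does not. The key, payload and addresses are constructed; the SPI is the value quoted in the post's sample capture.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed example (not code from the post): an AH transport-mode packet,
# IP header + AH header + payload, protected with HMAC-SHA1-96, the algorithm
# the post names as mandatory for AH version 3. Key and payload are made up;
# the SPI value is the one quoted in the post's sample capture.
KEY = b"constructed-demo-key"
AH_PROTO = 51

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header without options (header checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def mutable_fields_zeroed(ip_hdr):
    """AH hashes the IP header with the fields routers change in transit (here
    TTL and header checksum) set to zero; the addresses stay in, which is why
    a NAT rewrite breaks the check."""
    return ip_hdr[:8] + b"\x00" + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:]

def ah_icv(ip_hdr, ah_hdr, payload, key):
    """Step 1 of the post: hash IP header + AH header (ICV zeroed) + payload with the key."""
    data = mutable_fields_zeroed(ip_hdr) + ah_hdr[:12] + b"\x00" * 12 + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def build_ah_packet(src, dst, payload, spi, seq, key, next_hdr=1):
    """Steps 1-2: compute the ICV and insert the AH header between IP header and payload."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + 24 + len(payload))
    # Payload Length is in 32-bit words minus 2: a 24-byte AH with a 96-bit ICV gives 4
    ah_hdr = struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + b"\x00" * 12
    return ip_hdr + ah_hdr[:12] + ah_icv(ip_hdr, ah_hdr, payload, key) + payload

def verify_ah_packet(pkt, key):
    """Steps 3-4: recompute the hash on receipt and compare it with the carried ICV."""
    ip_hdr, ah_hdr, payload = pkt[:20], pkt[20:44], pkt[44:]
    spi, seq = struct.unpack("!II", ah_hdr[4:12])
    ok = hmac.compare_digest(ah_icv(ip_hdr, ah_hdr, payload, key), ah_hdr[12:24])
    return ok, ah_hdr[0], spi, seq

def nat_rewrite_src(pkt, new_src):
    """What a NAT device does to the outer header: rewrite the source address."""
    return pkt[:12] + IPv4Address(new_src).packed + pkt[16:]
```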
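The tunnel-mode ESP flow from host A2 to host B3 in the first post, as an added example (not code from either post): GWA wraps the inner datagram in an ESP header, trailer (Next Header 4) and ICV under a new outer IP header with protocol 50, and GWB checks the ICV and the anti-replay counter before stripping it. It assumes the NULL ESP encryption algorithm the post mentions, so the inner datagram stays readable, and a constructed HMAC-SHA1-96 key.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv4Address

# Constructed example (not code from the post): the tunnel-mode ESP flow the
# post walks through, host A2 10.0.1.2 -> host B3 10.0.2.3 through GWA 1.1.1.1
# and GWB 2.2.2.2. The NULL encryption algorithm the post mentions is assumed,
# so the inner datagram stays readable; integrity is HMAC-SHA1-96 with a made-up key.
KEY = b"constructed-demo-key"
ESP_PROTO, IP_IN_IP = 50, 4

def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header without options (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def hmac96(data, key):
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def esp_encapsulate(inner, spi, seq, key, gw_src="1.1.1.1", gw_dst="2.2.2.2"):
    """GWA: ESP header + inner datagram + trailer + ICV, then a new outer IP header."""
    # Trailer: pad so payload + padding + pad length + next header is a multiple of 4
    pad_len = (-(len(inner) + 2)) % 4
    esp = struct.pack("!II", spi, seq) + inner + bytes(range(1, pad_len + 1))
    esp += bytes([pad_len, IP_IN_IP])          # next header 4: the payload is an IP datagram
    esp += hmac96(esp, key)                    # ICV covers ESP header, payload and trailer
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(esp)) + esp

def esp_decapsulate(pkt, key, last_seq):
    """GWB: check outer protocol, ICV and anti-replay counter, then strip ESP."""
    if pkt[9] != ESP_PROTO:
        raise ValueError("outer protocol field is not 50 (ESP)")
    esp, icv = pkt[20:-12], pkt[-12:]
    if not hmac.compare_digest(hmac96(esp, key), icv):
        raise ValueError("ICV mismatch: packet altered or wrong key")
    spi, seq = struct.unpack("!II", esp[:8])
    if seq <= last_seq:
        raise ValueError("sequence number not increasing: possible replay")
    pad_len, next_hdr = esp[-2], esp[-1]
    if next_hdr != IP_IN_IP:
        raise ValueError("next header is not 4: not a tunnel-mode packet")
    return esp[8:len(esp) - 2 - pad_len], spi, seq

def ip_addrs(datagram):
    """Source, destination and protocol number of an IPv4 header."""
    return str(IPv4Address(datagram[12:16])), str(IPv4Address(datagram[16:20])), datagram[9]
```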