8/12/2019 VPN LECTURE NOTES, Chuong 3_cac Giao Thuc Tang 3
1/198
Lecturer:
Chapter III: Virtual private network protocols at layer 3
Objectives
This chapter focuses on the layer-3 virtual private network protocols, studying the IPSec protocol in detail:
- What is IPSec?
- How IPSec secures transactions while data is being transmitted
- The tunnel model, the packet formats and the operating modes of IPSec
8/4/2014
Introduction to authentication & encryption
SECURITY IN VPN
Security in a VPN comprises two processes: AUTHENTICATION and ENCRYPTION.
Authentication of origin:
- Password authentication (PAP)
- Challenge-handshake authentication (CHAP)
- Terminal Access Controller Access Control System (TACACS)
- Remote Authentication Dial-In User Service (RADIUS)
- Hardware systems such as smart cards
- Biometric systems
Authentication of integrity:
- Message Digest (MD)
- Message Authentication Code (MAC)
- Digital Signature (DS)
SECURITY IN VPN: authentication of integrity, MESSAGE DIGEST
MD (Message Digest) is a method of detecting transmission errors based on a one-way hash function; one-way hash functions are used to compute the MD.
Document or message -> hash function -> Message Digest (MD5: 128 bits; SHA-1: 160 bits)
SECURITY IN VPN: authentication of integrity
Basic structure of MD5/SHA:
- The document or message is followed by Padding and a Length field, then split into Block 1, Block 2, ..., Block N of 512 bits each.
- The hash function (MD5/SHA) is applied block by block: the IV and Block 1 give the first intermediate hash; that hash and Block 2 give the next; ...; the last intermediate hash and Block N (X_N, 512 bits) give the MD of the message.
SECURITY IN VPN: authentication of integrity, MESSAGE AUTHENTICATION CODE
MAC (Message Authentication Code) is a method of protecting the content of a message against unauthorised modification. The MAC is computed with a one-way hash function combined with a secret key.
Sender: document or message + Key -> keyed hash function -> MAC; the message and its MAC are sent over the transmission channel.
Receiver: received document or message + Key -> keyed hash function -> MAC; compare with the received MAC.
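As an added illustration (not from the lecture slides), the keyed-hash MAC sketched above in the HMAC form (RFC 2104) that IPSec's AH and ESP actually use, written out over MD5 and cross-checked against the standard library; the key and message are constructed values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64   # MD5 (and SHA-1) process 64-byte blocks; HMAC pads the key to this size


def hmac_md5(key: bytes, message: bytes) -> bytes:
    """HMAC exactly as RFC 2104 defines it, written out over MD5:
    MAC = H((K xor opad) || H((K xor ipad) || message))."""
    if len(key) > BLOCK_SIZE:                 # keys longer than a block are hashed first
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")      # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + message).digest()
    return hashlib.md5(opad + inner).digest()


def sender_mac(key: bytes, message: bytes, length: int = 12) -> bytes:
    """Sender side of the slide: the MAC sent along with the message. AH/ESP
    HMAC-MD5-96 keeps only the first 96 bits (12 bytes) of the 128-bit output."""
    return hmac_md5(key, message)[:length]


def receiver_check(key: bytes, message: bytes, received_mac: bytes) -> bool:
    """Receiver side (the "compare" box): recompute over the received message with
    the shared key; compare_digest avoids leaking where the two values first differ."""
    return hmac.compare_digest(sender_mac(key, message, len(received_mac)), received_mac)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check of the hand-written construction against hashlib/hmac."""
    return hmac_md5(key, message) == hmac.new(key, message, hashlib.md5).digest()
```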
SECURITY IN VPN: authentication of integrity, DIGITAL SIGNATURE
A digital signature is produced by encrypting the hash value obtained from a one-way hash function. The hash value (MD5 or SHA) of the message is encrypted with the sender's private key to form the digital signature, which is transmitted together with the message.
Sender: document or message -> hash function -> hash value -> encrypt with the private key -> signature; message + signature are sent over the transmission channel.
Receiver: signature -> decrypt with the public key -> hash value; received document or message -> hash function -> hash value; compare the two hash values.
SECURITY IN VPN: TWO ENCRYPTION METHODS, SECRET-KEY ENCRYPTION and PUBLIC-KEY ENCRYPTION
Secret-key encryption algorithm: the same key is used to encrypt and to decrypt the message.
  Clear message -> Encrypt (shared secret key) -> Encrypted message -> Decrypt (shared secret key) -> Clear message
Public-key encryption algorithm: the public key encrypts and the private key decrypts; the two keys are related and form a unique key pair, and only these two keys can encrypt and decrypt for each other.
  Clear message -> Encrypt (receiver's public key) -> Encrypted message -> Decrypt (receiver's private key) -> Clear message
  (the receiver transfers its public key; the sender receives the public key)
SECURITY IN VPN: THE DATA ENCRYPTION STANDARD DES (secret-key encryption)
The Data Encryption Standard DES combines the two basic techniques of cryptography: substitution (S-boxes) and permutation (P-boxes). It is a block cipher with a Feistel structure.
Algorithm diagram:
  Key (64 bit) -> parity bits dropped (56 bit) -> round keys
  Plaintext block (64 bit) -> initial permutation (IP) -> Round 1 -> Round 2 -> ... -> Round 16 -> inverse permutation (RP) -> Ciphertext block (64 bits)
Feistel network (one round):
  inputs: L(i-1) (32 bit), R(i-1) (32 bit), Key(i-1) (56 bit)
  R(i-1) -> expansion permutation (32 -> 48 bit)
  Key(i-1) -> shift -> compression permutation (56 -> 48 bit)
  the two 48-bit values are XORed -> S-box (substitution, 48 -> 32 bit) -> P-box (permutation, 32 bit) -> XORed with L(i-1)
  outputs: L(i) = R(i-1) (32 bit), R(i) (32 bit), Key(i)
3.1. General introduction
IPSec = Internet Protocol Security, developed by the IETF.
IPSec secures IP packets and provides:
- authentication of the information source
- integrity checking
- confidentiality of the information content
3.1. General introduction
IPSec provides a security framework at layer 3 of the OSI model:
  Application Layer
  Presentation Layer
  Session Layer
  Transport Layer
  Network Layer <- IPSec
  Data Link Layer
  Physical Layer
Contents:
3.1. Introduction
3.2. IPSec architecture
3.3. Internet key exchange
3.4. IPSec operation
3.5. IPSec/IKE system processing
3.2. IPSec architecture
3.2.1. General introduction and standards
Security is implemented at the IP layer. Upper-layer protocols and applications can use IPSec for protection without any modification.
3.2.1. General introduction and standards
IP packets are protected independently of the application that generated them. IPSec is completely transparent to the user.
3.2.1. IPSec has the following characteristics:
- provides confidentiality, authentication and data integrity
- provides the ability to create and automatically refresh cryptographic keys securely
3.2.1. IPSec characteristics (continued):
- uses strong cryptographic algorithms to provide confidentiality
- provides certificate-based authentication
- provides security for protocols such as L2TP, PPTP, ...
3.2.1. IPSec comprises 2 protocols:
- Authentication Header (AH): ensures integrity, protects against spoofing, provides host authentication.
- Encapsulating Security Payload (ESP): performs the same functions as AH, with data confidentiality added.
3.2.1. IPSec offers 3 main capabilities:
- authentication and data integrity
- confidentiality
- key management
The first two are provided by AH & ESP, the third by IKE.
3.2.1. Integrity and authentication: IPSec provides a strong mechanism to guarantee the authenticity of the sender (who sent the data?). The receiver can verify any change to the content of the received packet. IPSec gives strong protection against attacks such as spoofing, eavesdropping and denial of service.
3.2.1. Confidentiality: IPSec encrypts data with strong cryptographic algorithms, preventing unauthenticated parties from reading data on the link. Tunnelling hides the source and destination IP addresses from eavesdroppers.
3.2.1. Key management: IPSec uses a third protocol, IKE (Internet Key Exchange), to negotiate:
+ the security protocol
+ the encryption algorithm
More importantly, IPSec distributes, controls and updates the keys on demand, before and during a session.
3.2.2. IPSec Security Association (IPSec SA)
The Security Association (SA) is a fundamental concept of the IPSec protocol suite. An SA is a unidirectional logical connection between two entities using IPSec services. There are two kinds of SA:
- ISAKMP SA (or IKE SA)
- IPSec SA
3.2.2. An IPSec SA determines:
- which security protocol is used: AH or ESP
- which encryption/decryption algorithm and key: DES | 3DES
- which authentication method and key are used for AH | ESP: hash functions (HMAC, MD5, SHA1), digital signatures (RSA), digital certificates, Diffie-Hellman for key management
- key-related information such as the rekeying interval and the key refresh interval
- information about the SA itself, including the SA source address and its refresh interval
3.2.2. An SA consists of 3 parts: Security Protocol, SPI, Destination IP Address.
3.2.2. SPI:
- a 32-bit field used to identify the SA associated with a packet
- a unique index for each record of the SADB (like a primary key)
- defined by the creator of the SA and chosen by the destination system when the SA is negotiated
- the SPI takes values in the range from 1 to 255
3.2.2. Destination IP address: the IP address of the destination node.
Security protocol: the IPSec security protocol in use, either AH or ESP.
3.2.2. Between two communicating endpoints one SA is needed per direction. An SA provides security services for a VPN session (protected by AH or ESP). If a VPN session is doubly protected, by both AH and ESP, each direction needs 2 SAs.
3.2.2. An SA uses 2 databases:
- Security Association Database (SAD): maintains the information for each SA, including keys, algorithms, the SA lifetime and the sequence number.
- Security Policy Database (SPD): stores the policies for establishing SAs; maintains information about the security services together with an ordered list of inbound and outbound policy entries; defines which traffic flows are processed or bypassed.
3.2.2. SAD and SPD (diagram):
- SAD: indexed by (Security Protocol, SPI, Destination IP Address) -> keys, algorithms, SA lifetime, sequence number.
- SPD: ordered list of inbound and outbound policies; which traffic flows are processed or bypassed.
- The SAD and SPD are stored on every host.
3.2.2. IPSec Security Association (IPSec SA): worked example
3.2. IPSec architecture: procedure on Host 1
1. Host 1: create 2 SA database files: Test.sad and Test.spd (2 empty files).
2. Host 1: add a security policy to Test.spd to secure the traffic between Host 1 and Host 2.

Test.spd field   Example value            Note
Policy           2                        primary key; entries must be in descending order
RemoteIPAddr     FE80::2AA:FF:FE92:D0F1   address of Host 2
LocalIPAddr      *
Protocol         *
RemotePort       *
LocalPort        *
IPSecProtocol    AH                       IPSec protocol = AH
IPSecMode        Transport                operating mode = Transport
SABundleIndex    NONE                     AH and ESP are not used together
Direction        BIDIRECT
Action           APPLY
InterfaceIndex   0
RemoteGWIPAddr   *
Procedure on Host 1 (continued)
3. Host 1: add 2 SAs to Test.sad to secure all traffic between Host 1 and Host 2:
+ SA1 (SPI=3001) secures traffic from Host1 -> Host2 (Outbound)
+ SA2 (SPI=3000) secures traffic from Host2 -> Host1 (Inbound)

Test.sad field   Example value (SA1)      Note
SAEntry          2                        primary key; entries in descending order
SPI              3001
SADestIPAddr     FE80::2AA:FF:FE92:D0F1   address of Host 2
DestIPAddr       Policy                   these fields follow the policy on the previous slide
SrcIPAddr        Policy
Protocol         Policy
DestPort         Policy
SrcPort          Policy
AuthAlg          HMAC-MD5                 authentication algorithm HMAC-MD5
KeyFile          Test.key                 file holding the key
Direction        OUTBOUND
SecPolicyIndex   2                        refers to policy 2
Procedure on Host 1 (continued): second entry of Test.sad, SA2 (SPI=3000), securing traffic from Host2 -> Host1 (Inbound)

Test.sad field   Example value (SA2)      Note
SAEntry          1                        primary key; entries in descending order
SPI              3000
SADestIPAddr     FE80::2AA:FF:FE53:A92C   address of Host 1
DestIPAddr       Policy                   these fields follow the policy on the previous slide
SrcIPAddr        Policy
Protocol         Policy
DestPort         Policy
SrcPort          Policy
AuthAlg          HMAC-MD5                 authentication algorithm HMAC-MD5
KeyFile          Test2.key                file holding the key
Direction        INBOUND
SecPolicyIndex   2                        refers to policy 2
3.2. IPSec architecture: procedure on Host 2
1. Host 2: create 2 SA database files: HTest.sad and HTest.spd (2 empty files).
2. Host 2: add a security policy to HTest.spd to secure the traffic between Host 2 and Host 1.

HTest.spd field  Example value            Note
Policy           2                        primary key; entries must be in descending order
RemoteIPAddr     FE80::2AA:FF:FE53:A92C   address of Host 1
LocalIPAddr      *
Protocol         *
RemotePort       *
LocalPort        *
IPSecProtocol    AH                       IPSec protocol = AH
IPSecMode        Transport                operating mode = Transport
SABundleIndex    NONE                     AH and ESP are not used together
Direction        BIDIRECT
Action           APPLY
InterfaceIndex   0
RemoteGWIPAddr   *
Procedure on Host 2 (continued)
3. Host 2: add 2 SAs to HTest.sad to secure all traffic between Host 2 and Host 1:
+ HSA1 (SPI=2001) secures traffic from Host2 -> Host1 (Outbound)
+ HSA2 (SPI=2000) secures traffic from Host1 -> Host2 (Inbound)

HTest.sad field  Example value (HSA1)     Note
SAEntry          2                        primary key; entries in descending order
SPI              2001
SADestIPAddr     FE80::2AA:FF:FE53:A92C   address of Host 1
DestIPAddr       Policy                   these fields follow the policy on the previous slide
SrcIPAddr        Policy
Protocol         Policy
DestPort         Policy
SrcPort          Policy
AuthAlg          HMAC-MD5                 authentication algorithm HMAC-MD5
KeyFile          HTest.key                file holding the key
Direction        OUTBOUND
SecPolicyIndex   2                        refers to policy 2
Procedure on Host 2 (continued): second entry of HTest.sad, HSA2 (SPI=2000), securing traffic from Host1 -> Host2 (Inbound)

HTest.sad field  Example value (HSA2)     Note
SAEntry          1                        primary key; entries in descending order
SPI              2000
SADestIPAddr     FE80::2AA:FF:FE92:D0F1   address of Host 2
DestIPAddr       Policy                   these fields follow the policy on the previous slide
SrcIPAddr        Policy
Protocol         Policy
DestPort         Policy
SrcPort          Policy
AuthAlg          HMAC-MD5                 authentication algorithm HMAC-MD5
KeyFile          HTest2.key               file holding the key
Direction        INBOUND
SecPolicyIndex   2                        refers to policy 2
3.2. IPSec architecture: the example in operation
ICMP Echo Request, Host1 -> Host2:
Host 1:
  Step 1: search the 2 databases Test.spd and Test.sad for an SA suitable for the packet (joining the 2 databases).
  Step 2: SA1 is found (SPI = 3001, destination address = Host2's address, IPSec protocol = AH, IPSec mode = Transport, authentication = HMAC-MD5, key = Test.key).
  The packet is wrapped with an AH header and SA1 is applied to it.
Host 2:
  Step 1: receives the Request packet.
  Step 2: searches the 2 databases HTest.spd and HTest.sad and finds HSA2 (SPI=2000) matching this packet (SPI = 2000, destination address = Host1's address, IPSec protocol = AH, IPSec mode = Transport, authentication = HMAC-MD5, key = HTest2.key).
  Step 3: uses HSA2 to authenticate the packet.
The SAs and session keys were negotiated in advance via IKE.
ICMP Echo Response, Host2 -> Host1: the process is the same.
3.2.2. IPSec Security Association (IPSec SA): example of an SA
Reference:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ip_v6_imp_cont5.mspx?mfr=true
3.2. IPSec architecture
IPSec consists of:
- AH (Authentication Header), RFC 2402
- ESP (Encapsulating Security Payload), RFC 2406
- IKE (Internet Key Exchange), RFC 2409
3.2. IPSec architecture
- AH is encapsulated by IP (the IP protocol field is 51).
- ESP is encapsulated by IP (the IP protocol field is 50).
- The IPSec suite operates in 2 main modes: Tunnel Mode and Transport Mode.
  Tunnel Mode: a new IP header is added to the packet.
  Transport Mode: no new IP header is added.
3.2. IPSec architecture
- AH: authentication, integrity.
- ESP: authentication, integrity, encryption.
- Encryption algorithms: DES, 3DES, AES, ...
- Hash algorithms: MD5, SHA-1, ...
3.2.3. IPSec protocols
The AH protocol
3.2.3.1. The AH protocol
AH adds a header to the IP packet:
- Sender authentication: the header is used to authenticate the original IP packet at the receiver (who sent the packet?).
- Packet integrity: the header also reveals any change to the content of the packet.
AH does not encrypt any part of the packet.
3.2.3.1. AH has the following basic characteristics:
- provides integrity and authentication
- uses a hashed message authentication code (HMAC)
- the packet content is not encrypted
3.2.3.1. The AH protocol: operating modes of AH
3.2.3.1. AH operating modes:
AH can be used in 2 modes: Transport Mode and Tunnel Mode.
Transport mode: the AH header is inserted after the IP header and before an upper-layer protocol such as TCP or UDP. No new IP header is created.
3.2.3.1. AH in Transport mode:
  Original IP packet:            | IP Hdr | TCP|UDP Header | Data |
  AH packet in transport mode:   | IP Hdr | AH Hdr | TCP|UDP Header | Data |
  integrity/authentication protection covers the whole packet; the Payload is TCP|UDP Header + Data
3.2.3.1. AH in Tunnel mode:
  Original IP packet:         | IP Hdr | TCP|UDP Header | Data |
  AH packet in tunnel mode:   | New IP Hdr | AH Hdr | IP Hdr | TCP|UDP Header | Data |
  integrity/authentication protection covers the whole packet, including the new IP header
3.2.3.1. The AH protocol: AH packet format
3.2.3.1. AH packet format: all fields of the AH header are mandatory.
  | IP Header | AH Header | Payload |
  AH Header:
    Next Header (8 bits) | Payload Length (8 bits) | Reserved (16 bits)
    Security Parameter Index (SPI) (32 bits)
    Sequence Number (32 bits)
    Authentication Data (ICV - Integrity Check Value) (variable length)
3.2.3.1. AH header, Next Header:
- 8 bits long
- holds the IP protocol number of what follows the AH header
- In Tunnel Mode the Payload is an IP packet, so Next Header is set to 4.
- In Transport Mode the Payload is always a transport-layer protocol: if it is TCP, Next Header = 6; if it is UDP, Next Header = 17.
3.2.3.1. AH header, Payload Length: holds the length of the message following the AH header.
3.2.3.1. AH header, Reserved:
- 16 bits long
- this field is not used
- all bits are 0
3.2.3.1. AH header, SPI:
- 32 bits long
- each endpoint of the IPSec connection chooses its own SPI value
- the receiver uses the SPI together with the destination IP and the IPSec protocol type (AH here) to determine the SA policy to apply to the packet
- the SA says which IPSec protocol is chosen (AH or ESP) and which algorithms are applied to the packet
3.2.3.1. AH header, Sequence Number:
- 32 bits long
- the sequence number of the AH packet
- incremented by 1 for each AH datagram a host sends under the corresponding SA
3.2.3.1. AH header, Authentication Data (ICV):
- its length is a multiple of 32 bits; padding must be added when the ICV bytes do not fill the last word
- used to verify the authenticity of the sender and the integrity of the message
- ICV = Hash(IP Header + Payload + Key)
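Added example (not from the lecture): building and verifying the AH header above in transport mode with HMAC-MD5-96, i.e. ICV = HMAC(IP header + AH + payload, key) with the ICV field zeroed and the mutable IPv4 fields (TOS, flags/offset, TTL, checksum) zeroed for the computation, as RFC 4302 requires. Payload Length is encoded as the AH length in 32-bit words minus 2 (RFC 4302), which for a 96-bit ICV gives the value 4 seen on the capture slides. The IPv4 header builder, the key and the ICMP payload are constructed for this example.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51      # IP protocol number of AH
ICV_LEN = 12       # HMAC-MD5-96: the 16-byte MD5 HMAC truncated to 96 bits
# Constructed ICMP Echo Request (type 8, code 0, checksum left 0: not needed here)
ICMP_ECHO_REQUEST = bytes.fromhex("0800000000010001") + b"abcdefgh"


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left 0; it is a mutable field anyway)."""
    def ip2b(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       ip2b(src), ip2b(dst))


def zero_mutable_ipv4(hdr: bytes) -> bytes:
    """AH authenticates the IP header, but fields that change in transit are
    treated as zero when the ICV is computed and verified."""
    h = bytearray(hdr)
    h[1] = 0                  # TOS / DSCP
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """Next Header | Payload Length | Reserved | SPI | Sequence Number | ICV.
    Payload Length = AH length in 32-bit words minus 2 (24 bytes -> 6 words -> 4)."""
    ah_len_words = (12 + len(icv)) // 4
    return struct.pack("!BBHII", next_header, ah_len_words - 2, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_hdr: bytes, ah_with_zero_icv: bytes, payload: bytes) -> bytes:
    mac = hmac.new(key, zero_mutable_ipv4(ip_hdr) + ah_with_zero_icv + payload, hashlib.md5)
    return mac.digest()[:ICV_LEN]


def build_ah_transport(key: bytes, src: str, dst: str, inner_proto: int,
                       payload: bytes, spi: int, seq: int) -> bytes:
    """Outbound processing: IP header (protocol 51) + AH + untouched payload."""
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len)
    ah_zero = ah_header(inner_proto, spi, seq, b"\x00" * ICV_LEN)
    icv = compute_icv(key, ip_hdr, ah_zero, payload)
    return ip_hdr + ah_header(inner_proto, spi, seq, icv) + payload


def parse_ah(packet: bytes) -> dict:
    """Split an AH transport-mode packet into its fields."""
    ip_hdr = packet[:20]
    nh, plen, _reserved, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_total = (plen + 2) * 4
    return {"ip_hdr": ip_hdr, "next_header": nh, "payload_length": plen, "spi": spi,
            "seq": seq, "icv": packet[32:20 + ah_total], "payload": packet[20 + ah_total:]}


def verify_ah(key: bytes, packet: bytes) -> bool:
    """Inbound processing: recompute the ICV with the SA's key and compare."""
    f = parse_ah(packet)
    ah_zero = ah_header(f["next_header"], f["spi"], f["seq"], b"\x00" * len(f["icv"]))
    expected = compute_icv(key, f["ip_hdr"], ah_zero, f["payload"])
    return hmac.compare_digest(expected, f["icv"])
```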
3.2.3.1. The AH protocol: inbound & outbound packet processing
3.2.3.1. Authentication algorithms: determined by the SA; suitable ones are MD5 and SHA1.
3.2.3.1. Inbound processing, reassembly: if needed, the datagram is reassembled before AH processing.
3.2.3.1. Inbound processing, SA lookup:
On receiving a packet carrying an AH header, the receiver determines an SA matching the destination IP address, the AH protocol and the SPI (using the 2 databases SAD & SPD).
The information in the SA indicates:
- whether the Sequence Number (SN) field must be checked
- whether the Authentication Data field must be present
- the algorithms and keys used to verify the ICV
If no SA matches, the receiver discards the packet.
3.2.3.1. Inbound processing, SN (Sequence Number) check:
- If the receiver does not use the anti-replay service, the SN need not be checked.
- If it does, the receiver's counter must be initialised to 0 when the SA is established.
- For each inbound packet the receiver accepts, it checks whether the SN value duplicates that of any earlier packet.
3.2.3.1. Outbound processing, SA lookup:
AH is applied to a packet only once the packet has been determined to belong to an SA. An SA (SPI, destination IP, AH) bound to this packet must therefore be found. The SA dictates how the packet is processed (for example: hash function SHA1, key = K1, IPSec protocol AH, ...).
3.2.3.1. Outbound processing, SN (Sequence Number) generation:
- The sender's counter is initialised to 0 when the SA is established.
- When a packet is transmitted, the counter is incremented by 1 and the value is inserted in the SN field.
- If the sender has selected the anti-replay service, it checks that the counter does not wrap before inserting a new value in the SN field.
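Added example (not from the lecture) covering both the inbound SN check and the outbound SN generation described above: the sender's counter that refuses to wrap, and the receiver's duplicate check implemented as the 64-packet sliding window that RFC 4302 specifies (the slides only state that duplicates are rejected). In real AH processing the window is updated only after the ICV has verified, so accept() is meant to be called after the ICV check.

```python
class SequenceCounter:
    """Outbound side: starts at 0 when the SA is set up, is incremented before each
    packet, and must never wrap. With anti-replay in use, reaching the maximum
    means a new SA (rekey) is needed rather than reusing numbers."""
    MAX = 2 ** 32 - 1       # the SN field is 32 bits

    def __init__(self) -> None:
        self.value = 0

    def next(self) -> int:
        if self.value >= self.MAX:
            raise OverflowError("sequence number would wrap: establish a new SA first")
        self.value += 1
        return self.value


class AntiReplayWindow:
    """Inbound side: sliding window over the most recent `size` sequence numbers.
    `top` is the highest SN accepted so far; bit i of `bitmap` records whether
    SN (top - i) has already been received."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        """Return True if `seq` is new and inside the window, and record it."""
        if seq == 0:
            return False                          # 0 is never valid: the first packet uses 1
        if seq > self.top:                        # new high-water mark: slide the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                   # everything previously seen falls off
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                          # older than the window: reject
        if (self.bitmap >> diff) & 1:
            return False                          # already seen: replay
        self.bitmap |= 1 << diff
        return True


def replay_filter(seqs):
    """Run a sequence of received SNs through a fresh window; return the verdicts."""
    window = AntiReplayWindow()
    return [window.accept(s) for s in seqs]
```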
3.2.3.1. Outbound processing, ICV computation: the ICV is computed over:
- the fields of the IP header
- the data of the upper-layer protocols
3.2.3.1. Outbound processing, padding: there are two kinds of padding.
Authentication Data padding: if the HMAC output (ICV) is 96 bits no padding is needed, but if the ICV has another size, padding must be added to the ICV.
3.2.3.1. Outbound processing, padding (continued):
Implicit Packet Padding: for some authentication algorithms the byte string over which the ICV is computed must be an integer multiple of an n-byte block. If the IP packet length does not meet this condition, Implicit Packet Padding is appended at the end of the packet. These bytes are zero and are not transmitted with the packet.
3.2.3.1. Outbound processing, fragmentation: when necessary, the packet is fragmented.
3.2.3.1. The AH protocol (figure): the ICV covers the whole packet; Data is the Payload; AH guarantees integrity and authentication of both the Payload and the IP Header.
3.2.3.1. The AH protocol: AH PACKET ANALYSIS
3.2.3.1. Example: an AH packet in Transport mode (capture)
1. This is an AH packet in Transport mode (it has only one IP header).
2. The Payload holds an ICMP Echo Request (Ping). The original ping carries an ascending sequence of letters, shown as hex values.
3. After AH is applied the ICMP payload is unchanged (it is not encrypted), because AH provides only integrity and authentication.
4. Analysis of the fields of the AH header follows.
3.2.3.1. The first 4 packets of the AH session between host A and host B (capture):
- Next Header (1 B) = 1 => ICMP
- Payload Length (1 B) = 4, the Payload has 4 bytes
- Reserved (2 B) = 0000, unused
- SPI of A (4 B) = cdb59934
- SPI of B (4 B) = a6be2c00
Thus each AH connection uses its own SA (a unidirectional connection).
3.2.3.1. The first 4 packets of the AH session between host A and host B (capture, continued):
Authentication Information: the ICV, hashed to guarantee the integrity and authenticity of each packet.
3.2.3.2. The ESP protocol
The purpose of ESP is to guarantee:
- integrity
- authentication
- confidentiality (encryption)
3.2.3.2. In IPSec version 1, ESP only provided encryption of the Payload. In IPSec version 2, ESP provides authentication, integrity and encryption.
The IP packet after the ESP header has been added:
  | IP Header | ESP Header | Payload | ESP Trailer | ESP Authentication |
3.2.3.2. The ESP protocol: operating modes of ESP
3.2.3.2. ESP operating modes: ESP also uses 2 modes.
Transport: uses the original IP header; only encrypts and/or integrity-protects the packet content and some ESP components, but not the IP header.
3.2.3.2. ESP operating modes (continued):
Tunnel: creates a new IP header that names the endpoints of the ESP tunnel (e.g. 2 IPSec gateways); encrypts and/or integrity-protects the packet content, including the original IP header, and some ESP components.
3.2.3.2. ESP in Transport mode:
  Original IP packet:            | IP Hdr | TCP|UDP Hdr | Data |
  ESP packet in transport mode:  | IP Hdr | ESP Hdr | TCP|UDP Hdr | Data | ESP Trl | ESP Auth |
  the Payload (TCP|UDP Hdr + Data) and ESP Trl are encrypted; ESP Hdr through ESP Trl are authenticated
3.2.3.2. ESP in Transport mode:
- protects the upper-layer protocol but not the IP header
- the ESP header is inserted into the original IP packet between the IP header and the payload (Payload = TCP|UDP Header + Data)
3.2.3.2. ESP in Tunnel mode:
  Original IP packet:         | IP Hdr | TCP|UDP Hdr | Data |
  ESP packet in tunnel mode:  | New IP Hdr | ESP Hdr | IP Hdr | TCP|UDP Hdr | Data | ESP Trl | ESP Auth |
  the original packet (IP Hdr + TCP|UDP Hdr + Data) and ESP Trl are encrypted; ESP Hdr through ESP Trl are authenticated
3.2.3.2. ESP in Tunnel mode:
- a new IP packet is built with a new IP header
- ESP protects the entire original packet, including its IP header and the Payload = TCP|UDP Header + Data
3.2.3.2. The ESP protocol: ESP packet format
3.2.3.2. ESP-based packet format: all fields of ESP are mandatory.
3.2.3.2. ESP packet format:
  | IP Hdr | ESP Hdr | Payload | ESP Trl | ESP Auth |
  ESP Hdr:  Security Parameters Index (SPI) (32 bits) | Sequence Number (32 bits)
  ESP Trl:  Padding (0-255 bytes) | Pad Length (8 bits) | Next Header (8 bits)
  ESP Auth: Authentication Data
3.2.3.2. ESP header, SPI:
- each communicating party chooses its own SPI value
- the receiver uses the SPI, the destination IP address and the IPSec protocol (ESP) to determine the unique SA to apply to the received packet
3.2.3.2. ESP header, Sequence Number:
- initialised to 0
- incremented by 1 for every packet sent
- used to prevent packet replay
3.2.3.2. ESP Payload: the payload data, which is encrypted.
3.2.3.2. ESP trailer, Padding (0-255 bytes):
- data added to the packet (before encryption) so that the encrypted data is an integer multiple of a block of bytes
- also used to conceal the real length of the Payload
3.2.3.2. ESP trailer, Next Header: in Tunnel Mode the Payload is an IP packet, so Next Header = 4 (IP-in-IP).
8/12/2019 BI GING VPNChuong 3_cac Giao Thuc Tang 3
103/198
LOGO8/4/2014 103
32 32 0-255 8 8 Bits
IP Hdr PayloadESP
Hdr
ESP
Trl
ESP
Auth
SecurityParameters
Index (SPI)
Sequence
Number PaddingPad
Length
Next
Header
Next Header:
-Trong Transport Mode, Payloadl giao thc tng 4 Transport.+ Nu l TCPth Next Header = 6+ Nu l UDPth Next Header =17
3.2. Kin trc IPSec
8/12/2019 BI GING VPNChuong 3_cac Giao Thuc Tang 3
104/198
LOGO8/4/2014 104
32 32 0-255 8 8 Bits
IP Hdr PayloadESP
Hdr
ESP
Trl
ESP
Auth
SecurityParameters
Index (SPI)
Sequence
Number PaddingPad
Length
Next
Header
Authentication Data:
- Cha gi trICV (Integrity Check Value)ICV = HMAC(ESP Hdr + Payload + ESPTrl + Key)- ICV phi l bi ca 32 bit
c xc thc
3.2. Kin trc IPSec
8/12/2019 BI GING VPNChuong 3_cac Giao Thuc Tang 3
105/198
LOGO8/4/2014 105
32 32 0-255 8 8 Bits
IP Hdr PayloadESP
Hdr
ESP
Trl
ESP
Auth
SecurityParameters
Index (SPI)
Sequence
Number PaddingPad
Length
Next
Header
Lu : trong AH, xc thc c c phn IP Header,
trong ESP th khng
c xc thc
Inbound and outbound ESP packet processing

Algorithms used:
- encryption algorithms: AES-CBC, AES-CTR, 3DES
- integrity (authentication) algorithms: HMAC-MD5-96, HMAC-SHA1-96

3DES and HMAC-MD5 are legacy choices listed for completeness; new deployments should prefer AES, and in practice a combined-mode algorithm such as AES-GCM (RFC 4106), which provides encryption and integrity in a single pass.
Outbound packet processing:

- SA lookup: as with AH, ESP only processes packets that are bound to an SA, so a matching SA must be found for each packet before it is sent.
- Packet encapsulation and encryption: depending on Tunnel or Transport mode, ESP encapsulates either the whole packet or only the payload. Padding is added if needed, then the following is encrypted:
  + Transport mode: the Payload and the ESP Trailer (Padding, Pad Length, Next Header)
  + Tunnel mode: the inner IP header, the Payload and the ESP Trailer (Padding, Pad Length, Next Header)
- Sequence number generation: performed exactly as for AH.
- ICV computation: if the integrity service was selected, the sender computes the ICV over the ESP packet: ESP Header, (encrypted) Payload and ESP Trailer, i.e. over the fields SPI, SN, Payload, Padding, Pad Length and Next Header. (Note: the IP header is not included.) Encryption comes first and the ICV is computed over the ciphertext, so the receiver can verify the ICV before it decrypts anything.
- Fragmentation: if necessary, the packet is fragmented after ESP processing.

Inbound packet processing:

- Reassembly: fragments are reassembled before ESP processing.
- SA lookup: when a packet carrying an ESP header is received, the receiver identifies the applicable SA from the SPI, the destination IP address and the IPSec protocol (ESP), then applies that SA's policy to authenticate and decrypt the packet. A packet with no matching SA is discarded.
- Sequence number check: the same anti-replay check as in AH; the packet is rejected if its sequence number is a duplicate or has fallen behind the replay window.
- ICV check: if the integrity service was selected, the receiver computes the ICV of the received ESP packet and compares it with the received ICV. A mismatch discards the packet without decrypting it, and only after a successful check is the replay window updated with the packet's sequence number.
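The ESP framing and the inbound checks just described, as an added worked example in Python; this is not code from the slides or from any IPSec implementation. It assumes ESP-NULL encryption (RFC 2410) with HMAC-SHA1-96 integrity (RFC 2404) so that it runs on the standard library alone: a real SA would replace `null_cipher` with AES-CBC (with a 16-byte IV at the start of the payload) or AES-CTR, and the `block_size` parameter shows how the padding would then be computed. The SAD is a plain dictionary keyed by (SPI, destination, protocol), the SPI and addresses are arbitrary, and the anti-replay window follows RFC 4303 Appendix A.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50          # IP protocol number of ESP
NEXT_HEADER_TCP = 6     # transport mode: TCP payload
NEXT_HEADER_UDP = 17    # transport mode: UDP payload
NEXT_HEADER_IPIP = 4    # tunnel mode: the payload is a whole IPv4 packet
ICV_LEN = 12            # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits


class EspSa:
    """One unidirectional ESP SA, looked up in the SAD by (SPI, destination, protocol).

    Encryption is ESP-NULL here (assumption, to stay on the standard library); a real SA
    would also hold a cipher key and, for AES-CBC, carry a 16-byte IV in the payload.
    """

    def __init__(self, spi, dst, auth_key, block_size=4, window=64):
        self.spi = spi
        self.dst = dst
        self.auth_key = auth_key
        self.block_size = block_size  # cipher block size; NULL needs only 4-byte alignment
        self.seq = 0                  # outbound counter: incremented before use, first packet is 1
        self.window = window          # inbound anti-replay window size
        self.highest = 0              # highest sequence number accepted so far
        self.bitmap = 0               # bit k set <=> sequence number (highest - k) already seen


def null_cipher(data):
    """ESP-NULL: the 'encryption' is the identity. Stands in for AES-CBC/AES-CTR."""
    return data


def compute_icv(sa, authenticated):
    """ICV = HMAC(key, ESP header + ciphertext payload + trailer), truncated to 96 bits."""
    return hmac.new(sa.auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]


def esp_encapsulate(sa, payload, next_header):
    """Outbound: pad, encrypt payload+trailer, prepend SPI/SN, append ICV over the ciphertext."""
    align = max(sa.block_size, 4)
    pad_len = (-(len(payload) + 2)) % align       # +2 for the Pad Length and Next Header bytes
    padding = bytes(range(1, pad_len + 1))         # RFC 4303 default padding: 1, 2, 3, ...
    sa.seq += 1                                    # incremented before use: first packet is 1
    header = struct.pack("!II", sa.spi, sa.seq)
    ciphertext = null_cipher(payload + padding + bytes([pad_len, next_header]))
    return header + ciphertext + compute_icv(sa, header + ciphertext)


def replay_check(sa, seq):
    """Anti-replay: accept a new high-water mark, or an unseen number inside the window."""
    if seq == 0:
        return False                               # 0 is never valid: counters start at 1
    if seq > sa.highest:
        return True
    if sa.highest - seq >= sa.window:
        return False                               # fell behind the window
    return not (sa.bitmap >> (sa.highest - seq)) & 1


def replay_update(sa, seq):
    """Record seq in the window; called only after the ICV has verified."""
    if seq > sa.highest:
        sa.bitmap = ((sa.bitmap << (seq - sa.highest)) | 1) & ((1 << sa.window) - 1)
        sa.highest = seq
    else:
        sa.bitmap |= 1 << (sa.highest - seq)


def esp_decapsulate(sad, dst, packet):
    """Inbound: SA lookup, sequence check, ICV check, decrypt, strip the trailer.

    Returns (next_header, payload); raises ValueError on every rejection.
    """
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get((spi, dst, ESP_PROTO))
    if sa is None:
        raise ValueError("no SA for (SPI, destination, ESP)")
    if not replay_check(sa, seq):
        raise ValueError("replayed or stale sequence number")
    body, received_icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(compute_icv(sa, body), received_icv):
        raise ValueError("ICV mismatch")           # dropped before any decryption happens
    replay_update(sa, seq)                         # the window moves only for verified packets
    plaintext = null_cipher(body[8:])
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("bad pad length")
    return next_header, plaintext[:len(plaintext) - 2 - pad_len]
```

Two details are worth noticing when reading the inbound path: the ICV is checked on the ciphertext before decryption, so a forged packet never reaches the cipher, and the replay bitmap is updated only after that check, so an attacker cannot use a forged packet with a high sequence number to push genuine in-flight packets out of the window.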
ESP: data encryption

- ESP uses symmetric encryption to encrypt packets
- Tunnel-mode encryption covers the whole inner IP packet
- ESP encryption algorithms: AES-CBC, AES-CTR, 3DES
ESP packet analysis

In a captured ESP packet only the ESP header is readable: SPI = df30de3c, Sequence Number = 00000001. The data part cannot be interpreted because it is encrypted.
Summary of the ESP protocol
- ESP provides integrity, authentication and confidentiality, plus anti-replay protection against old packets.
- It operates in two modes: Transport and Tunnel.
- ESP version 1 (RFC 1827) only encrypted the payload data.
- ESP version 2 (RFC 2406) added integrity and authentication.
- ESP version 3 (RFC 4303) added extended sequence numbers and support for combined-mode (authenticated-encryption) algorithms; counter-mode AES (AES-CTR, RFC 3686) is among the newer algorithms used with it.
- ESP Tunnel mode is the common choice in IPSec VPNs because it encrypts the original IP header and so hides the real source and destination addresses of the packet.
Summary of IPSec with AH and ESP (figure)
Tunneling protocols: the IP Security protocol (IPSec)

The IPSec protocol framework

IPSec provides security in three deployment scenarios:
- Host-to-host
- Host-to-gateway
- Gateway-to-gateway

IPSec operates in two modes:
- Transport mode (end-to-end)
- Tunnel mode (for VPNs)
Operating modes of the IPSec protocol

Transport mode: used to secure a connection between two hosts; it protects the upper-layer protocol data of the IP datagram. Only the IP payload is encrypted; the original IP header stays in place. (Figure: IPSec Transport Mode)

Tunnel mode: protects the whole datagram; the entire IP packet is encapsulated inside a new IP packet, and a router or gateway performs the encryption on behalf of the host. (Figure: IPSec Tunnel Mode)
Contents
3.1. Introduction
3.2. IPSec architecture
3.3. Internet Key Exchange
3.4. IPSec operation
3.5. IPSec/IKE system processing
3.3. Internet Key Exchange (IKE)

3.3.1 General introduction

IPSec by itself has no means of establishing SAs.

The IKE protocol (Internet Key Exchange, RFC 2409):
- is the key management protocol of IPSec
- allows IPSec SAs to be negotiated and created automatically between IPSec peers
- IKE is also responsible for deleting the keys and SAs once a communication session ends
- IKE is not fast, but it is efficient: a large number of SAs can be negotiated with a modest number of messages
IKE history: IKE was first published in 1998 by the IETF. It is built on two protocols:
- the Oakley key agreement protocol (key distribution), RFC 2412
- the ISAKMP key management protocol, RFC 2408
- (plus SKEME, another key exchange protocol)
IKE can also be used outside IPSec.
ISAKMP (Internet Security Association and Key Management Protocol):
- establishes a secure session between IPSec peers
- negotiates SAs between IPSec peers
Oakley:
- defines the key exchange mechanisms used within the IKE session
- derives the AH/ESP keys automatically for each IPSec SA
- uses Diffie-Hellman key exchange by default
SKEME:
- a key exchange protocol that defines how to produce authenticated keys, with fast key refresh
Relationship between IKE and IPSec (figure)
Relationship between IPSec and IKE:
- IPSec needs SAs to protect traffic; if no SA exists yet, IPSec asks IKE to supply the IPSec SAs
- IKE opens a management session with the peers and negotiates all the SAs and keys for IPSec
- IPSec then starts protecting the traffic
(Figure: relationship between IPSec and IKE)
The IKE protocol:
- an IKE session runs over UDP with source and destination ports set to 500 (UDP port 4500 is used once NAT traversal is detected)
- the result of the IKE session is the IKE SA, which protects the IKE session itself
- IKE then establishes all the IPSec SAs that are required
SA example. Note that there are two kinds of SA:
- IKE SAs (established within the IKE session)
- IPSec SAs (negotiated by IKE)
An SA can contain information such as: the SPI, the IPSec protocol (AH or ESP) and mode, the encryption and integrity algorithms with their keys, the sequence number counter and anti-replay window, and the SA lifetime.
IPSec key management requirements (figure)
3.3.2 Key management requirements for IPSec
- the AH and ESP protocols require a secret key shared between the communicating parties
- keys can be supplied manually or by a key distribution mechanism
- the problem is that a key can be lost, exposed, or simply expire
- manual keying is inflexible once many SAs have to be set up and managed
- an efficient mechanism for key distribution and management is therefore needed
The key distribution and management mechanism must meet these basic requirements:
- independence from specific cryptographic algorithms
- independence from specific key exchange protocols
- authentication of the key management entities
- efficient use of resources
IKE was designed to meet these requirements.
IKE has two phases. Together they create the IKE SA and a secure tunnel between the two systems:
- one side proposes one or more algorithm suites; the other side accepts one or rejects the connection
- once both sides agree on the algorithms, they generate the keys for IPSec
- the key material is obtained with the Diffie-Hellman algorithm
IKE operates in two phases:
Phase 1:
+ goal: authenticate the participants and protect the Phase 2 negotiation
+ uses Diffie-Hellman to generate a shared secret key for the encryption that follows
+ result: one IKE SA (bidirectional)
Phase 2:
+ main purpose: agree on the cryptographic keys used to protect the data path between the entities, and on the SAs for the data exchange
IKE has two phases:
IKE Phase 1:
- uses Main mode or Aggressive mode
- negotiates the IKE SA to establish a secure IKE session
IKE Phase 2:
- uses Quick mode
- negotiates the IPSec SAs
3.3.3. IKE Phase 1

IKE Phase 1 (figure)
IKE Phase 1 (protecting the IKE session):
- authenticate the participants in the IKE session
- encrypt the IKE session
- protect the integrity of the IKE session
Authenticating the participants in the IKE session: to establish the IKE SA, the participants must authenticate each other (mutually, in both directions).
Authentication methods:
- pre-shared secret key
- RSA-encrypted nonces
- RSA digital signatures
- digital certificates
- ...
Encrypting the IKE session:
- the IKE session is encrypted with DES or 3DES (AES is also available in current implementations; single DES should no longer be used)
- the encryption key is derived from the DH key exchange
- in Main mode the identities of the parties are also encrypted
- in Aggressive mode the identities of the parties are not encrypted
Integrity of the IKE session:
- IKE uses HMAC functions to guarantee the integrity of the IKE session
- the usual choices are SHA-1 or MD5
- the integrity key is derived from the DH key exchange
IKE Phase 1 (protecting the IKE session): Main mode step by step

Main Mode, Step 1: policy negotiation
- one side offers a list of algorithms; the receiver selects from it or asks for something else
Step 1: the two sides negotiate four parameters:
+ encryption algorithm: DES | 3DES
+ integrity algorithm: MD5 | SHA-1
+ the DH group used for the key exchange:
  Group 1: 768-bit modulus
  Group 2: 1024-bit modulus
  2048-bit modulus: group 14 in the IKE registry (RFC 3526); the "group 3" label sometimes used for it follows Windows IPSec policy numbering, not the IKE registry, where group 3 is a 155-bit elliptic-curve group
+ authentication method
Step 1 (continued): the authentication methods that can be negotiated:
1. pre-shared secret key
2. certificates
3. Kerberos V5 (a Windows-specific extension, not part of RFC 2409)
4. RSA digital signatures
Main Mode, Step 3: authenticating the parties
- combines:
  + the result of step 1: the hash algorithm and the authentication method
  + the result of step 2: the key KM
- the Identity payload is hashed and then encrypted with KM
- Identity payload = Identity type + port + protocol
- if the authentication method is a certificate, the Identity type is a name (general name)
- if the authentication method is a pre-shared key, the Identity type is an FQDN (fully qualified domain name)

Caveat for pre-shared keys in Main Mode: the identity payload arrives encrypted, so the responder has to select the pre-shared key from the peer's IP address before it can read the identity (RFC 2409, section 5.4). This is why implementations tie Main Mode pre-shared keys to IP addresses, and why road-warrior clients with dynamic addresses either share one key or use Aggressive Mode or certificates instead.
3.3.3. IKE Phase 1 (protecting the IKE session): Main mode steps

Main Mode
Step 1: policy negotiation
Step 2: Diffie-Hellman key exchange
Step 3: authenticating the parties

Result of Phase 1:
- the two sides have negotiated the IKE SA (integrity algorithm, encryption algorithm, authentication method, session keys) for the IKE session
- the IKE session is protected and the two sides have authenticated each other
3.3.4. IKE Phase 2

IKE Phase 2 (figure)
IKE Phase 2 (negotiating the IPSec SAs): Quick mode step by step

Quick Mode
Step 1: policy negotiation
Step 2: the session key is refreshed or exchanged again via DH
Step 3: the SAs and keys, together with the SPIs, are passed to the IPSec driver
Quick Mode, Step 1: policy negotiation
- one side offers a list of IPSec protocols and algorithms; the receiver selects from it or asks for something else
Step 1 parameters:
- IPSec protocol: AH | ESP
- integrity and authentication hash: SHA-1 | MD5
- encryption algorithm (if required): 3DES | DES
Once negotiation completes, two SAs are established on each side:
- one SA for INBOUND traffic
- one SA for OUTBOUND traffic
Quick Mode, Step 2: the session key is refreshed or exchanged again via DH. This key serves authentication, integrity and encryption (if required) in the IPSec session. There are two options:
- refresh the key KM obtained by DH in Phase 1: the new IPSec keys are derived from the Phase 1 secret, the Quick Mode nonces and the SPIs
- perform a second DH exchange to obtain a fresh Ks (rekey); this is Perfect Forward Secrecy (PFS), so a later compromise of the Phase 1 secret no longer exposes the IPSec keys
Result of Phase 2:
- a new pair of SAs (inbound and outbound) used to protect IP traffic
- each SA has its own SPI and its own keys
- new keys are generated for authentication, integrity or encryption
- once the new SA pair is created the old pair is deleted and traffic is protected with the new pair
Quick Mode, Step 3: the SAs and keys, together with the SPIs, are passed to the IPSec driver
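The two Step 2 options (refresh from the Phase 1 secret versus a fresh DH exchange for PFS) and the Phase 2 result (a pair of SAs with different keys per SPI) follow from the IKEv1 KEYMAT formula in RFC 2409, section 5.5. The following is an added example in Python, not code from the slides or from any IKE implementation; it assumes SHA-1 as the prf, takes the Phase 1 secret SKEYID_d and an optional Quick Mode DH secret as inputs, and constructs all of them as fixed test values.

```python
import hashlib
import hmac

PROTO_IPSEC_AH = 2    # ISAKMP DOI protocol identifiers (RFC 2407)
PROTO_IPSEC_ESP = 3


def prf(key, data):
    """IKEv1 prf: HMAC with the Phase 1 hash algorithm (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b, needed, gqm_xy=None):
    """KEYMAT for one IPSec SA (RFC 2409, section 5.5).

    Without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), a refresh from the
    Phase 1 secret only. With PFS (gqm_xy given): the fresh Quick Mode DH secret g(qm)^xy
    is prepended, so the keys no longer depend solely on SKEYID_d. Longer keys are obtained
    by chaining: K2 = prf(SKEYID_d, K1 | ...), KEYMAT = K1 | K2 | ...
    """
    seed = (gqm_xy or b"") + bytes([protocol]) + spi.to_bytes(4, "big") + ni_b + nr_b
    block = prf(skeyid_d, seed)
    keymat = block
    while len(keymat) < needed:
        block = prf(skeyid_d, block + seed)
        keymat += block
    return keymat[:needed]


def esp_sa_keys(skeyid_d, spi, ni_b, nr_b, enc_len, auth_len, gqm_xy=None):
    """Cut KEYMAT in the order ESP consumes it: encryption key first, then authentication key."""
    keymat = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b,
                               enc_len + auth_len, gqm_xy)
    return keymat[:enc_len], keymat[enc_len:]


def quick_mode_result(skeyid_d, spi_inbound, spi_outbound, ni_b, nr_b,
                      enc_len=32, auth_len=20, gqm_xy=None):
    """One Quick Mode yields a pair of SAs. The two directions get different keys because
    each SA carries its own SPI, even though SKEYID_d and the nonces are shared."""
    return {
        "inbound": esp_sa_keys(skeyid_d, spi_inbound, ni_b, nr_b, enc_len, auth_len, gqm_xy),
        "outbound": esp_sa_keys(skeyid_d, spi_outbound, ni_b, nr_b, enc_len, auth_len, gqm_xy),
    }
```

Because the SPI is part of the seed, the peer that receives on a given SA (and therefore chose its SPI) and the peer that sends on it derive the same keys from the same inputs, while the opposite direction, with its own SPI, gets independent keys; the protocol byte likewise keeps AH and ESP key material apart.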
3.3.4. IKE Phase 2 example: negotiating an IPSec SA (figure)
Overview figure of the two IKE phases
3.3.5. IKE modes

3.3.5.1. Main Mode
- the first two messages negotiate the security policy
- the next two messages exchange the DH values and nonces
- the last two messages authenticate the parties
3.3.5.1. Main Mode: message flow

  Sender (initiator)                          Recipient (responder)
  (1) Header, SA                     ------>
                                     <------  (2) Header, SA
  (3) Header, KE, NonceS             ------>
                                     <------  (4) Header, KE, NonceR
  (5) Header, IDus, [Cert], SigS     ------>
                                     <------  (6) Header, IDuR, [Cert], SigR

IKE header: carries the initiator and responder cookies; the responder cookie is 0 in message (1) and is filled in by the responder afterwards (a cookie is typically a digest of addresses and a local secret).
SA: a list of security attributes (proposals): HMAC? DH group? key length? authentication method? ...
Messages (1) and (2): the recipient selects the security attributes it accepts from the received SA list and returns them to the sender. These two messages are neither encrypted nor keyed yet.
Messages (3) and (4):
- NonceS: a random number used in the signature computation of the following messages
- KE (Key Exchange): the sender's public DH value, e.g. yA = g^xA
- the recipient returns NonceR and its own KE, e.g. yB = g^xB
- the header (certificate request payload) may carry the name of the CA the sender requires, or 0 for any CA
These two messages are still neither encrypted nor keyed.
After messages (3) and (4) both sides hold the shared secret key KM used for encryption.

Messages (5) and (6):
- SigS: the sender's signature, computed as SigS = E_KRS[H(NonceS + DataS)], i.e. the hash of the nonce and the exchange data signed with the sender's private key KRS
- CertS: the sender's certificate; it carries the sender's public key KUS (the counterpart of the KRS used to compute SigS)
- IDUS: the sender's identity; it can be an IP address, an FQDN, an e-mail address, ...
- the recipient verifies the sender's signature:
  + it takes the sender's public key KUS from [CertS]
  + it checks the signature with that public key: D_KUS[SigS] = H(NonceS + DataS)
Messages (5) and (6) are encrypted with the key KM.
If both sides verify the signatures successfully, authentication has succeeded.

End of IKE Phase 1:
- the two sides have authenticated each other
- they hold the key KM that encrypts the Phase 2 messages
Some IPSec ID types (RFC 2407): ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN (e-mail style), ID_IPV4_ADDR_SUBNET, ID_IPV6_ADDR, ID_DER_ASN1_DN (certificate subject name), ID_KEY_ID (opaque byte string)
3.3.5.2. Aggressive Mode
- set up similarly to Main Mode
- the difference is that only 3 messages are exchanged
- faster than Main Mode
The messages exchanged:
- the first message carries the proposed security policy, the key generation data, the random number used for the signature, and the identity
- the second message answers the first: it authenticates the responder and settles the security policy and key generation data
- the last message authenticates the sender
3.3.5.2. Aggressive Mode: message flow

  Sender (initiator)                                Recipient (responder)
  (1) Header, SA, [KE], NonceS, IDus       ------>
                                           <------  (2) Header, SA, [KE], NonceR, [IDur], [Cert], SigR
  (3) Header, [Cert], SigS                 ------>

Similar to Main Mode, but with fewer steps and longer messages. The price is that the identities and the responder's authentication value travel unprotected: with pre-shared-key authentication, the responder's HASH_R in message (2) is computed only from the pre-shared key and values visible on the wire, so a passive eavesdropper can test candidate keys offline. Aggressive Mode with weak pre-shared keys should therefore be avoided.
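The Phase 1 authentication described for Main Mode and Aggressive Mode, with pre-shared keys, as an added worked example in Python; this is not code from the slides or from any IKE implementation. It follows the RFC 2409 derivations (SKEYID, SKEYID_d/a/e, HASH_I, HASH_R) with SHA-1 as the prf and the RFC 2409 1024-bit MODP group (the slides' "Group 2"). The SA proposal body, identities and pre-shared keys are constructed test values, and `run_phase1` plays both sides in one process rather than sending ISAKMP payloads over UDP. The last function shows the Aggressive Mode weakness named above: given a captured message (2), a guessed pre-shared key can be confirmed offline.

```python
import hashlib
import hmac
import secrets

# Second Oakley Group (RFC 2409, section 6.2): 1024-bit MODP prime, generator 2.
MODP_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
GROUP_BYTES = 128   # DH values are encoded as fixed-width big-endian integers


def prf(key, data):
    """IKEv1 prf: HMAC with the negotiated hash (SHA-1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def encode(n):
    return n.to_bytes(GROUP_BYTES, "big")


class IkePeer:
    """One IKEv1 party. Cookie, KE value and nonce are sent in clear in messages 1-4."""

    def __init__(self, psk, identity):
        self.psk = psk
        self.identity = identity                        # ID payload body: IDii_b or IDir_b
        self.cookie = secrets.token_bytes(8)             # CKY-I or CKY-R (ISAKMP header)
        self.x = 2 + secrets.randbelow(MODP_1024 - 3)    # private DH exponent, never sent
        self.gx = pow(GENERATOR, self.x, MODP_1024)      # KE payload: g^x mod p
        self.nonce = secrets.token_bytes(16)             # Ni_b or Nr_b

    def shared_secret(self, peer_gx):
        """g^xy, computable only by the two parties."""
        return encode(pow(peer_gx, self.x, MODP_1024))


def skeyid_psk(psk, ni_b, nr_b):
    """Pre-shared-key authentication: SKEYID = prf(psk, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def derive_keys(skeyid, gxy, cky_i, cky_r):
    """SKEYID_d (seeds Phase 2 KEYMAT), SKEYID_a (IKE integrity), SKEYID_e (IKE encryption)."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def run_phase1(initiator, responder, sai_b):
    """Complete Phase 1 with PSK authentication, playing both sides.

    Returns (initiator_keys, responder_keys), each (SKEYID_d, SKEYID_a, SKEYID_e),
    or None when either HASH check fails (wrong PSK or tampered transcript).
    """
    wire = (encode(initiator.gx), encode(responder.gx), initiator.cookie, responder.cookie, sai_b)
    # Each side derives SKEYID from its own PSK and the two nonces seen on the wire.
    skeyid_i = skeyid_psk(initiator.psk, initiator.nonce, responder.nonce)
    skeyid_r = skeyid_psk(responder.psk, initiator.nonce, responder.nonce)
    # Message 5: IDii + HASH_I (encrypted under SKEYID_e in Main Mode, in clear in Aggressive Mode).
    sent = hash_i(skeyid_i, *wire, initiator.identity)
    if not hmac.compare_digest(sent, hash_i(skeyid_r, *wire, initiator.identity)):
        return None
    # Message 6: IDir + HASH_R, checked by the initiator the same way.
    sent = hash_r(skeyid_r, *wire, responder.identity)
    if not hmac.compare_digest(sent, hash_r(skeyid_i, *wire, responder.identity)):
        return None
    return (derive_keys(skeyid_i, initiator.shared_secret(responder.gx), initiator.cookie, responder.cookie),
            derive_keys(skeyid_r, responder.shared_secret(initiator.gx), initiator.cookie, responder.cookie))


def offline_psk_test(transcript, candidates):
    """Aggressive Mode exposure: HASH_R is sent in clear in message 2 and depends only on the
    PSK and wire-visible values, so a passive eavesdropper can test guesses offline."""
    gxi, gxr, ni_b, nr_b, cky_i, cky_r, sai_b, idir_b, observed = transcript
    for guess in candidates:
        candidate = hash_r(skeyid_psk(guess, ni_b, nr_b), gxi, gxr, cky_i, cky_r, sai_b, idir_b)
        if hmac.compare_digest(candidate, observed):
            return guess
    return None
```

Note what the DH exchange does and does not give here: g^xy enters only the key derivation (SKEYID_d/a/e), while the authentication hashes bind SKEYID, which with pre-shared keys depends on the PSK and the nonces alone. In Main Mode HASH_R is encrypted under SKEYID_e before it is sent, so the offline test needs an active attacker; in Aggressive Mode it is visible to anyone on the path.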
3.3.5.3. Quick Mode
- the mode of IKE Phase 2
- used to negotiate SAs for the IPSec security services
- it can also generate new keys if required
3.3.5.3. Quick Mode: message flow

  Sender                                                   Recipient
  (1) Header, Hash1, SA, NonceS, [KE], [IDus], [IDur]  ------>
                                                       <------  (2) Header, Hash2, SA, NonceR, [KE], [IDus], [IDur]
  (3) Header, Hash3                                    ------>

All three messages are encrypted with the Phase 1 key KM.
SA (list of security attributes): cipher? HMAC? key length? IPSec protocol (AH, ESP)? ...
KE: the public DH value for a second DH exchange; it produces a new session key KS for authenticating and encrypting the real IP traffic (the IPSec session). It is optional: without it the keys are derived from the Phase 1 key KM.
The three messages: negotiate the SA, authenticate each other (Hash1 to Hash3 are keyed with the Phase 1 material), and rekey or refresh the key via DH.
End of Phase 2: two SAs are created, one inbound and one outbound, each with its own SPI and keys.
Besides Main Mode and Aggressive Mode, IKEv1 defines Base Mode (another Phase 1 exchange) and New Group Mode, which runs after Phase 1 under the protection of the IKE SA. Base Mode and New Group Mode are rarely used and most vendors do not support them.
New Group Mode:
- makes the DH key exchange more flexible by letting the peers agree on a private DH group
- the negotiation takes place for that private group
3.3.5.4. New Group Mode: message flow

  Sender                       Recipient
  Header, Hash1, SA   ------>
                      <------  Header, Hash2, SA
Overview of the IKEv2 protocol
- published in December 2005 as RFC 4306 (since replaced by RFC 5996 and, in 2014, by RFC 7296)
- developed to address the problems of IKEv1: its complexity, its security level and its efficiency
- IKEv2 also has two phases:
  + Phase 1 consists of the two exchanges IKE_SA_INIT and IKE_AUTH
  + Phase 2 consists of the CREATE_CHILD_SA exchange and/or the INFORMATIONAL exchange
Applications of the IKE protocol
- very widely used
- used as part of the IPSec protocol suite; it can be deployed on Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008
- in open-source products: OpenIKEv2, strongSwan, Openswan, and racoon and racoon2 from the KAME project
3.4. IPSec operation

IPSec operation proceeds as follows:
- first, the traffic flow to be protected is designated to IPSec by the security policy
- next, IKE Phase 1 negotiates an SA, establishing a secure channel and authenticating the peer
- IKE Phase 2 negotiates the IPSec SA parameters over the secure channel just established; these parameters govern the data exchange between the two sides
- the keys are stored in the SAD (Security Association Database)
- the data packets are then processed with AH or ESP, using the encryption and authentication algorithms and the keys specified by the SA
- finally, when the session ends, the IPSec tunnel is torn down
3.5. IKE/IPSec system processing

(See the course textbook.)
Summary of Chapter III
- the IPSec protocol has been presented in detail
- we examined the foundations of IPSec and its security associations (SAs)
- the Authentication Header (AH) and the Encapsulating Security Payload (ESP) are its two key protocols: AH does not encrypt data, ESP does
- we also examined the modes in which IPSec is used
- finally, the IKE key exchange and management protocol was presented; it plays an essential role in distributing and managing keys for the IPSec protocol suite

The End!