
Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved.

Cisco Learning Network China (思科网络学习空间)

CCNA Technical Lecture

Part I

Review of Employment Trends in the IT Networking Industry, 2011

[Chart: number of job postings for network engineers, software engineers and hardware engineers, 2008-2011, with year-on-year change]

In 2011 demand for software and hardware talent continued to grow rapidly; demand for network engineers rose 20.4%.

[Chart: average salary of software engineers versus network engineers by work experience (≤2 years, 3-5 years, >5 years)]

In 2011 the average salary of network engineers was 4%-11% higher than that of software engineers.

[Chart: IT workforce, IT talent gap, network workforce and network talent gap in Shanghai, Beijing, Shenzhen and Guangzhou]

[Chart: IT workforce, IT talent gap, network workforce and network talent gap in Chengdu, Wuhan, Hangzhou, Xi'an, Nanjing and Chongqing]

Over the next 5 years, worldwide:

● demand for wireless networking specialists will grow from 36% today to 66%

● demand for security specialists will grow from 46% today to 80%

● demand for voice specialists will grow from 40% today to 65%

Part II

Technical Session --- Instructor Zhang Guoqing

Understanding the OSPF Database

Types of LSA

● LSA type 1: router link states. Generated by every router; describes the state of the router's interfaces within a given area.

● LSA type 2: network link states. Generated by the DR on a broadcast multi-access network, representing all routers on that network.

● LSA type 3: summary net link states. Generated by ABRs; summarizes routing information from non-backbone areas into area 0, and summarizes area 0 routing information into the other areas that are not totally stubby.

● LSA type 4: summary ASB link states. Generated by ABRs to describe the reachability of an ASBR. Taking Figure 3-1 as an example, R2 generates a type 4 LSA for area 5, so the routers in area 5 know that R4 is the exit to destinations outside the autonomous system. The link-state database of the area that contains the ASBR does not hold this LSA type. Totally stubby areas do not accept this LSA type.

Types of LSA

● LSA type 5: AS external link states. Generated by ASBRs; describes routes to destinations outside the autonomous system. Stub, totally stubby and not-so-stubby areas do not accept this LSA type.

● LSA type 7: NSSA external link states. Generated by the ASBR within an NSSA and flooded only within the NSSA. At the ABR it is translated into type 5 and flooded into the backbone area.

show ip ospf database

BSCI Chapter 3

IPSec VPN

Cryptography Fundamentals

● Encryption

● Key management

● Authentication

Secret Key Encryption Algorithms

● DES (data encryption standard)

● Triple DES

● Others: IDEA, Blowfish, CAST-128, ...

Secret Key Exchange Requirement

[Figure: the sender encrypts the plaintext with DES/3DES under the secret key, the ciphertext is transmitted, and the receiver decrypts it with DES/3DES under the same secret key to recover the plaintext]

● A secure and manageable scheme for secret key exchange and renewal is needed in actual implementations

Cryptography Fundamentals

● Encryption

● Key management

● Authentication

Symmetric Key

[figure]

Asymmetric Key

[figure]

Diffie-Hellman Key Exchange (1976)

Secret Key Exchange

● Sender and Receiver preselect two public values

‒ p: a prime number; g: a primitive root of p

● Sender selects private Xs

● Sender calculates and sends public Ys = g^Xs mod p

● Rcvr selects private XR

● Rcvr calculates and sends public YR = g^XR mod p

● Secret key = YR^Xs mod p = Ys^XR mod p

‒ = g^(Xs·XR) mod p
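The exchange above, carried through in code with the slide's own symbols (added example, not part of the original deck; p = 23 and g = 5 are constructed toy parameters, and the helper names are my own):

```python
# Added example (not from the original slides): the exchange from the slide,
# carried through with its symbols p, g, Xs, Ys, XR, YR. p = 23 and g = 5 are
# constructed toy values so every step can be checked by hand; the IKE groups
# on later slides use 768-bit and 1024-bit moduli for the same arithmetic.
import secrets


def is_primitive_root(g: int, p: int) -> bool:
    """True if the powers of g reach every non-zero residue mod p (toy-size p only)."""
    return len({pow(g, k, p) for k in range(1, p)}) == p - 1


def dh_public(g: int, x: int, p: int) -> int:
    """Y = g^X mod p, the value each side sends in the clear."""
    return pow(g, x, p)


def dh_shared(y_peer: int, x_own: int, p: int) -> int:
    """Secret = Y_peer^X_own mod p, computed by each side from its own private X."""
    return pow(y_peer, x_own, p)


def run_exchange(p: int, g: int, xs: int, xr: int) -> dict:
    """Both sides of the exchange: what goes on the wire and the secret each derives."""
    ys = dh_public(g, xs, p)            # Sender publishes Ys
    yr = dh_public(g, xr, p)            # Receiver publishes YR
    k_sender = dh_shared(yr, xs, p)     # Sender: YR^Xs mod p
    k_receiver = dh_shared(ys, xr, p)   # Receiver: Ys^XR mod p
    # both equal g^(Xs*XR) mod p; an eavesdropper sees only p, g, Ys and YR
    assert k_sender == k_receiver == pow(g, xs * xr, p)
    return {"Ys": ys, "YR": yr, "key": k_sender}


if __name__ == "__main__":
    p, g = 23, 5
    assert is_primitive_root(g, p)
    xs = secrets.randbelow(p - 2) + 1   # private exponents drawn from [1, p-2]
    xr = secrets.randbelow(p - 2) + 1
    print(run_exchange(p, g, xs, xr))
```

Because only Ys and YR cross the wire, the secret stays private as long as recovering X from Y (the discrete logarithm) is infeasible, which is why the modulus size of the DH group matters.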

Public Key Infrastructure (PKI)

● Certificate authority (CA)—an entity who issues public key certificates, and is trusted by all communicating parties

● CA can be public (VeriSign, Entrust, and so on) or private (in-house certificate servers)

● Public key certificate—an authenticated and verifiable (using CA's public key) copy of one's public key and other identity information

● Certificate revocation list (CRL)—a list of certificates that have been revoked (this list is maintained by the CA)

Cryptography Fundamentals

● Encryption

● Key management

● Authentication

Authentication

● Fundamental objectives—to verify that:

‒ The received message comes from the alleged source

‒ The received message has not been altered

● Techniques are available to guard against packet insertion, deletion, delay, and replay

● Digital signatures can be used to prove the transmission and/or receipt of messages

● Authentication and encryption are different functions

Basic Authentication Techniques

● Encryption—a message encrypted by a private key can serve as the authenticator

● Message Authentication Code (MAC)

● Hash functions

Message Authentication Code (MAC)

● A keyed public function that maps a message of any length into a fixed-length value

● Requires a secret key

● A MAC can be built using encryption technology or hash functions

Message Authentication Code

[Figure: the sender computes MAC(M) over message M with the secret key and transmits M together with MAC(M); the receiver recomputes the MAC over the received M with the same key and compares it with the received MAC: same → Accept, different → Reject]

● A match of the received and computed MACs at the receiving end verifies that the message has not been altered after being transmitted

● Only the sender could have generated it, because of the secret key

Hash Functions

● A public function that maps a message of any length into a fixed-length hash value

● No keys are involved in hash functions

● A hash by itself is not an authentication of origin

● A hash combined with encryption can provide authentication

Hash Functions

[Figure: the sender computes H(M) over message M and transmits M together with H(M); the receiver recomputes the hash over the received M and compares it with the received hash: same → Accept, different → Reject]

● A match of the received and computed hash values at the receiving end verifies that the message has not been altered after being transmitted

● Anyone could have generated it, because the hash function itself is public and keyless

Hash Algorithms

● MD5 (message digest v5)

‒ Takes an input message of any length and processes it in successive 512-bit blocks

‒ Outputs a 128-bit message digest

● SHA-1 (secure hash algorithm)

‒ Based on MD4

‒ Outputs a 160-bit message digest

‒ Stronger and computationally more expensive than MD5

● Others

HMAC (Hash-Based MAC)

● A popular class of MAC using hash functions such as MD5 and SHA-1, because

‒ Computationally more efficient than encryption

‒ Hash functions have no export restrictions

● A secret key is incorporated into the hash algorithm to produce the HMAC
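The MAC, hash-function and HMAC slides above, worked as code (added example, not from the original deck): the HMAC construction built by hand from a plain hash and checked against the standard library, next to a keyless hash check that a tampered message still passes. Key and messages are constructed sample values; the function names are my own.

```python
# Added example (not from the original slides): HMAC built from a plain hash
# as RFC 2104 defines it, next to the keyless hash check from the earlier
# slide. The key and the messages are constructed sample values.
import hashlib
import hmac


def hmac_by_hand(key: bytes, msg: bytes, hash_name: str = "sha1") -> bytes:
    """HMAC(K, M) = H((K xor opad) || H((K xor ipad) || M)), the key folded into the hash."""
    h = getattr(hashlib, hash_name)
    block = h().block_size                  # 64 bytes for both MD5 and SHA-1
    if len(key) > block:
        key = h(key).digest()               # keys longer than a block are hashed first
    key = key.ljust(block, b"\x00")         # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = h(ipad + msg).digest()
    return h(opad + inner).digest()


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the MAC with the shared key and compare in constant time."""
    return hmac.compare_digest(hmac_by_hand(key, msg), tag)


def hash_only_check(msg: bytes, digest: bytes) -> bool:
    """The keyless check from the hash-function slide; anyone can satisfy it."""
    return hashlib.sha1(msg).digest() == digest


def demo() -> dict:
    key = b"constructed-shared-secret"
    msg = b"transfer 100 to account 42"
    tampered = b"transfer 900 to account 42"
    tag = hmac_by_hand(key, msg)
    return {
        "matches_stdlib": tag == hmac.new(key, msg, "sha1").digest(),
        "genuine_accepted": verify_mac(key, msg, tag),
        "tampered_rejected": not verify_mac(key, tampered, tag),
        # whoever alters the message can recompute a plain hash for it,
        # so the keyless check still passes on the tampered message
        "plain_hash_fooled": hash_only_check(tampered, hashlib.sha1(tampered).digest()),
    }


if __name__ == "__main__":
    print(demo())
```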

Digital Signatures

● To offer authentication, and

● To protect sender and receiver against one another in possible disputes, as follows:

‒ Receiver may forge/alter the message (common key)

‒ Sender may deny message transmission (repudiation)

● Digital signature standard (DSS)

‒ Digital signature algorithm (DSA)

‒ DSA uses SHA and a public key technique for signature generation and verification

IPsec

● Security Architecture for the Internet Protocol, commonly known as IP Security (IPsec)

● Internet Engineering Task Force (IETF) standard RFC 2764

● IPsec presents a comprehensive set of Layer 3 VPN components for IP networks.

IPSec

● A set of IP security architecture and protocol standards

● Two IP security protocols

‒ Authentication header (AH)

‒ Encapsulating security payload (ESP)

● Internet key exchange (IKE)

‒ Negotiates IPSec attributes between peers

IPsec Modes

Transport Mode (protects the data only):

  before: IP HDR | Data
  after:  IP HDR | IPsec HDR | Data

Tunnel Mode (protects the original IP header and the data):

  before: IP HDR | Data
  after:  New IP HDR | IPsec HDR | IP HDR | Data

Authentication Header

Transport Mode:

  IP HDR | AH | Data
  Authenticated except for mutable fields (in the IP header)

Tunnel Mode:

  New IP HDR | AH | IP HDR | Data
  Authenticated except for mutable fields in the new IP header

Encapsulating Security Payload

Transport Mode:

  IP HDR | ESP HDR | Data | ESP Trailer | ESP Auth
  Encrypted: Data + ESP Trailer
  Authenticated: ESP HDR + Data + ESP Trailer

Tunnel Mode:

  New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth
  Encrypted: IP HDR + Data + ESP Trailer
  Authenticated: ESP HDR + IP HDR + Data + ESP Trailer

AH versus ESP

● ESP encrypts; AH does not encrypt

● In transport mode, AH authenticates the entire packet; ESP authenticates only the data but not the IP header

● In tunnel mode, AH authenticates the entire packet (inner + outer); ESP authenticates only the inner packet but not the outer IP header

Internet Key Exchange (IKE)

● A hybrid protocol to negotiate keys and SAs in an authenticated and protected manner

● Two components:

‒ A framework for authentication and key exchange (ISAKMP), specifying packet formats for SA negotiations but not dictating any specific key exchange algorithm

‒ An authenticated key exchange algorithm (based on Diffie-Hellman, with added authentication and security features from the Oakley and SKEME techniques)

Attributes Negotiated by IKE

● Encryption algorithm

● Hash algorithm

● Authentication method

● Diffie-Hellman group info

● IKE SA lifetime

● These are ISAKMP SA attributes for setting up the secured IKE link over which the IPSec SAs are negotiated

Six Basic Steps of IPSec VPN Configuration

● Define IKE policy

● Configure CA support or manual keys

● Define transform sets

● Create crypto access-list

● Create crypto maps

● Apply crypto maps to interfaces

IKE Policy

● A set of security parameters for protecting IKE negotiations and exchanging IPSec session keys

IKE Policy Command Syntax

● Router(config)# crypto isakmp policy priority

● Router(config-isakmp)# encryption des /* default */

● Router(config-isakmp)# hash [sha | md5] /* def = sha */

● Router(config-isakmp)# authentication [rsa-sig | rsa-encr | pre-share] /* def = rsa-sig */

● Router(config-isakmp)# group [1 | 2] /* def = 1 */

● Router(config-isakmp)# lifetime seconds /* def = 86400 */

● Router(config-isakmp)# exit

● Group 1 is a 768-bit modulus for Diffie-Hellman; Group 2 is a 1024-bit modulus

ISAKMP Identity

● The IKE identity used during negotiation can be either an IP address or a hostname (the default is IP address)

● To set the ISAKMP identity:

‒ Router(config)# crypto isakmp identity [address | hostname]

● If hostname is used, make sure a DNS mapping or ip host configuration is in place

● The address option (default) is recommended

● All peering routers should be set the same way

Configure ISAKMP Key

● Router(config)# crypto isakmp key key-string address peer-address

● OR

● Router(config)# crypto isakmp key key-string hostname peer-hostname

Set IPsec Transform Command Syntax

● Router(config)# crypto ipsec transform-set name transform1 [transform2] [transform3] /* up to 3 */

● mode [tunnel | transport] /* def = tunnel */

● exit

● (Please refer to the Cisco IOS documentation for additional configuration commands, options, explanations, and examples)

Allowed Transforms

● Each transform-set can have AH and/or ESP (with optional ESP authentication)

● For AH, select one of:

‒ ah-md5-hmac, ah-sha-hmac, ah-rfc1828

● For ESP, select one of:

‒ esp-des, esp-3des, esp-rfc1829

● For optional ESP authentication, select one of:

‒ esp-md5-hmac, esp-sha-hmac

Crypto Access-Lists

● Same syntax as IP extended ACLs

‒ Permit = Protect: IPSec-transform the packet before transmitting it

‒ Deny = No-protect: just transmit the packet

Crypto Map Command Syntax

● Router(config)# crypto map map-name seq# ipsec-isakmp

● Router(config-crypto-map)# set peer [ip-address | hostname]

● Router(config-crypto-map)# set transform-set name1 [name2 … name6]

● Router(config-crypto-map)# match address [crypto ACL#]

● Router(config-crypto-map)# exit

● (Please refer to the IOS documentation for additional commands, the ipsec-manual and ipsec-dynamic options, further explanations, and examples)

Apply Crypto Map to Interface

● Router(config)# interface [type] [number]

● Router(config-if)# crypto map [map-name]

● Router(config-if)# exit

Example

crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key sharedkey address 20.20.20.20
crypto ipsec transform-set auth2 esp-des esp-sha-hmac
crypto map test 10 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set auth2
 match address 133
interface Serial0
 ip address 20.20.20.21 255.255.255.0
 crypto map test
access-list 133 permit ip 50.50.50.0 0.0.0.255 60.60.60.0 0.0.0.255
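A review check over the configuration just shown (added example, not from the original deck): it applies the defaults listed on the IKE Policy Command Syntax slide to each isakmp policy and flags the choices a reviewer would want replaced. The audit input is the slide's own example embedded inline; the function names and the set of flagged transforms are my own.

```python
# Added example (not from the original slides): audit an IOS IPsec config for
# the weak defaults and transforms the slides list. Input is the slide's example.
import re

# The Example slide's own configuration, embedded inline as the audit input.
EXAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key sharedkey address 20.20.20.20
crypto ipsec transform-set auth2 esp-des esp-sha-hmac
crypto map test 10 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set auth2
 match address 133
"""
# Defaults from the IKE Policy Command Syntax slide; they apply when a policy omits the line.
IKE_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
WEAK_TRANSFORMS = {"esp-des", "esp-rfc1829", "ah-rfc1828", "ah-md5-hmac", "esp-md5-hmac"}

def parse_ike_policies(config: str) -> dict:
    """Map policy priority -> effective settings (explicit sub-mode lines over defaults)."""
    policies, current = {}, None
    for line in config.splitlines():
        top = re.match(r"crypto isakmp policy (\d+)", line)
        sub = re.match(r" +(encryption|hash|authentication|group|lifetime) (\S+)", line)
        if top:
            current = top.group(1)
            policies[current] = dict(IKE_DEFAULTS)
        elif sub and current:
            policies[current][sub.group(1)] = sub.group(2)
        elif not line.startswith(" "):
            current = None          # any other top-level line leaves policy sub-mode
    return policies

def audit(config: str) -> list:
    """Findings as (where, problem) tuples, in config order."""
    findings = []
    for prio, p in parse_ike_policies(config).items():
        if p["encryption"] == "des":
            findings.append((f"isakmp policy {prio}", "DES (56-bit) encryption, the default"))
        if p["hash"] == "md5":
            findings.append((f"isakmp policy {prio}", "MD5 hash"))
        if p["group"] == "1":
            findings.append((f"isakmp policy {prio}", "DH group 1 (768-bit modulus), the default"))
    for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", config):
        name, transforms = m.group(1), m.group(2).split()
        findings += [(f"transform-set {name}", f"weak transform {t}") for t in transforms if t in WEAK_TRANSFORMS]
        if not any(t.startswith("ah-") or t.endswith("-hmac") for t in transforms):
            findings.append((f"transform-set {name}", "no integrity check (no AH or ESP HMAC transform)"))
    return findings
```

On the slide's example the audit reports the implicit DES encryption in policy 1 and the esp-des transform in auth2; the policy's explicit group 2 and the esp-sha-hmac authentication pass.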

Verifying

wan2811#show crypto map tag test
Crypto Map "test" 10 ipsec-isakmp
        Peer = 20.20.20.20
        Extended IP access list 133
            access-list 133 permit ip
                source: addr = 50.50.50.0/0.0.0.255
                dest:   addr = 60.60.60.0/0.0.0.255
        Current peer: 20.20.20.20
        Session key lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform proposals={ auth2, }

Verifying

wan2811#show crypto isakmp policy
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               240 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

wan2811#show crypto ipsec sa
interface: Serial0
    Crypto map tag: test, local addr. 20.20.20.21

   local  ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (60.60.60.0/255.255.255.0/0/0)
   current_peer: 20.20.20.20
     PERMIT, flags={origin_is_acl,ident_is_ipsec,}
    #pkts encaps: 320, #pkts encrypt: 320, #pkts digest 320
    #pkts decaps: 320, #pkts decrypt: 320, #pkts verify 320
    #send errors 0, #recv errors 0

     local crypto endpt.: 20.20.20.21, remote crypto endpt.: 20.20.20.20
     path mtu 1500, media mtu 1500
     current outbound spi: 6625CD

     inbound esp sas:
      spi: 0x1925112F(421859631)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 11, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4607971/3354)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:
      spi: 0x12050DD2(302321106)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 9, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4607958/3354)
        replay detection support: Y

     outbound esp sas:
      spi: 0x3262313(52830995)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 12, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4607971/3354)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
      spi: 0x6625CD(6694349)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 10, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4607958/3354)
        replay detection support: Y

Part III

Technical Q&A: 15 minutes

Thank you for attending the Cisco Learning Network China (思科网络学习空间) CCNA Technical Lecture

www.clnchina.com.cn