IPSec Guide. ISAKMP & IKE Formats

Similar documents
CSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management

Outline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management

Outline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection

Outline. Key Management. CSCI 454/554 Computer and Network Security. Key Management

CSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

Cryptography and Network Security Chapter 16. Fourth Edition by William Stallings

CIS 6930/4930 Computer and Network Security. Topic 8.2 Internet Key Management

IPsec (AH, ESP), IKE. Guevara Noubir CSG254: Network Security

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

INFS 766 Internet Security Protocols. Lectures 7 and 8 IPSEC. Prof. Ravi Sandhu IPSEC ROADMAP

Chapter 6. IP Security. Dr. BHARGAVI H. GOSWAMI Department of Computer Science Christ University

Network Working Group. Category: Standards Track August The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX

Internet Engineering Task Force Mark Baugher(Cisco) Expires: April, 2003 October, 2002

Table of Contents 1 IKE 1-1

Securify, Inc. M. Schneider. National Security Agency. J. Turner RABA Technologies, Inc. November 1998

CSC Network Security

Chapter 6/8. IP Security

CSCE 715: Network Systems Security

Lecture 12 Page 1. Lecture 12 Page 3

IPSec Network Applications

Lecture 13 Page 1. Lecture 13 Page 3

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

IPSec. Overview. Overview. Levente Buttyán

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows

Virtual Private Network

CSC Network Security

Sample excerpt. Virtual Private Networks. Contents

Crypto Templates. Crypto Template Parameters

Virtual Private Networks

8. Network Layer Contents

L2TP Over IPsec Between Windows 2000 and VPN 3000 Concentrator Using Digital Certificates Configuration Example

The IPSec Security Architecture for the Internet Protocol

Configuring Internet Key Exchange Security Protocol

Chapter 11 The IPSec Security Architecture for the Internet Protocol

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Digi Application Guide Configure VPN Tunnel with Certificates on Digi Connect WAN 3G

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

IEEE Broadband Wireless Access Working Group < Privacy key management for BSs and BSISs in LE Systems

Advanced IPSec Algorithms and Protocols

Cryptography and Network Security

draft-ietf-ipsec-nat-t-ike-01.txt W. Dixon, B. Swander Microsoft V. Volpe Cisco Systems L. DiBurro Nortel Networks 23 October 2001

draft-ietf-ipsec-isakmp-oakley-00.txt June 1996 Expire in six months The resolution of ISAKMP with Oakley <draft-ietf-ipsec-isakmp-oakley-00.

Secure channel, VPN and IPsec. stole some slides from Merike Kaeo

Implementing Internet Key Exchange Security Protocol

draft-ietf-ipsec-nat-t-ike-00.txt W. Dixon, B. Swander Microsoft V. Volpe Cisco Systems L. DiBurro Nortel Networks 10 June 2001

IKE and Load Balancing

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Configuring Security for VPNs with IPsec

Internet Engineering Task Force (IETF) Category: Informational March 2016 ISSN:

IP Security Discussion Raise with IPv6. Security Architecture for IP (IPsec) Which Layer for Security? Agenda. L97 - IPsec.

The IPsec protocols. Overview

The EN-4000 in Virtual Private Networks

AIT 682: Network and Systems Security

IP Security Protocol Working Group (IPSEC) draft-ietf-ipsec-nat-t-ike-03.txt. B. Swander Microsoft V. Volpe Cisco Systems 24 June 2002

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

Network Security IN2101

Best Practices: Provisioning of Mobile VPN certificate based policy from Nokia DM server for accessing Nokia IP VPN gateway

IPSec Transform Set Configuration Mode Commands

NCP Secure Client Juniper Edition Release Notes

IP Security Part 1 04/02/06. Hofstra University Network Security Course, CSC290A

IPSec Site-to-Site VPN (SVTI)

Network Security (NetSec) IN2101 WS 16/17

L13. Reviews. Rocky K. C. Chang, April 10, 2015

NCP Secure Client Juniper Edition (Win32/64) Release Notes

Implementation Agreement: Security Extension for UNI and NNI - SEP-01.1

Crypto Template Configuration Mode Commands

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Configuration of an IPSec VPN Server on RV130 and RV130W

Chapter 5: Network Layer Security

VPN, IPsec and TLS. stole slides from Merike Kaeo apricot2017 1

IP Security II. Overview

Internet security and privacy

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

IEEE C802.16h-05/021r2

Virtual Tunnel Interface

Configure IKEv1 IPsec Site-to-Site Tunnels with the ASDM or CLI on the ASA

IPSec Transform Set Configuration Mode Commands

Network Security: IPsec. Tuomas Aura

Virtual Tunnel Interface

Some optimizations can be done because of this selection of supported features. Those optimizations are specifically pointed out below.

Quick Note 65. Configure an IPSec VPN tunnel between a TransPort WR router and an Accelerated SR router. Digi Technical Support 7 June 2018

Numerics I N D E X. 3DES (Triple Data Encryption Standard), 48

Glenda Whitbeck Global Computing Security Architect Spirit AeroSystems

Advanced IKEv2 Protocol Jay Young, CCIE - Technical Leader, Services. Session: BRKSEC-3001

Data Sheet. NCP Secure Entry Mac Client. Next Generation Network Access Technology

Security for VPNs with IPsec Configuration Guide, Cisco IOS XE Release 3S

BCRAN. Section 9. Cable and DSL Technologies

Lecture 9: Network Level Security IPSec

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

NCP Secure Enterprise macos Client Release Notes

Configuring IPsec and ISAKMP

draft-ietf-ipsec-isakmp-oakley-03.txt February 1997 Expire in six months The resolution of ISAKMP with Oakley <draft-ietf-ipsec-isakmp-oakley-03.

Configuring a Hub & Spoke VPN in AOS

NCP Secure Entry macos Client Release Notes

BiGuard C01 BiGuard VPN Client Quick Installation Guide (BiGuard series VPN enabled devices) Secure access to Company Network

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

IKE. Certificate Group Matching. Policy CHAPTER

IP Security IK2218/EP2120

Transcription:

http://www.tech-invite.com IPSec Guide This document illustrates message formats. These formats result from ISAKMP framework definition (RFC 2408) refined by IPSec DOI (domain of interpretation, defined in RFC2407) for phase 2 attributes, and finally appendix A of RFC 2409 () for phase 1 attributes. Color codes are used consistently throughout this document for relevant information sources. ISAKMP & Formats V1.0 March 2, 2005 17 pages

IPSec / Structure RFC 2409 IPsec DOI RFC 2407 OAKLEY RFC 2412 ISAKMP RFC 2408 SKEME

IPSec / ISAKMP Header Format Cookie of entity that initiated SA establishment, SA notification, or SA deletion Initiator Cookie HDR Type of exchange being used. This dictates the message and payload orderings in the ISAKMP exchanges: Cookie of entity that is responding to an SA establishment request, SA notification, or SA deletion Responder Cookie NONE 0 Base 1 Identity Protection 2 Authentication Only 3 Aggressive 4 Informational 5 Type of the first payload in the message: NONE 0 SA Security Association 1 P Proposal 2 T Transform 3 KE Key Exchange 4 ID Identification 5 CERT Certificate 6 CR Certificate Request 7 HASH Hash 8 SIG Signature 9 NONCE Nonce 10 N Notification 11 D Delete 12 VID Vendor 13 Next Payload Set to: 1 (RFC2408) Set to: 0 (RFC2408) Major Version Minor Version Message ID Length Length of total message (header + payloads) in octets. Encryption can expand the size of an ISAKMP message. Exchange Type Unique Message Identifier used to identify protocol state during Phase 2 negotiations. This value is randomly generated by the initiator of the Phase 2 negotiation. Flags With (XCHG values): Main Mode 2 Aggressive Mode 4 Quick Mode 32 New Group Mode 33 E (Encryption bit) If set, all payloads following the header are encrypted using the encryption algorithm identified in the ISAKMP SA C (Commit bit) A (Authentication Only bit)

IPSec / Generic Payload Header Format Generic Payload Header This field provides the "chaining" capability No Next Payload 0 SA Security Association 1 P Proposal 2 T Transform 3 KE Key Exchange 4 ID Identification 5 CERT Certificate 6 CR Certificate Request 7 HASH Hash 8 SIG Signature 9 NONCE Nonce 10 N Notification 11 D Delete 12 VID Vendor 13 Length in octets of the current payload, including the generic payload header

IPSec / Security Association (SA) Payload Format Must be 0 with first exchange of 's Phase 1 A DOI value of 0 during a Phase 1 exchange specifies a Generic ISAKMP SA which can be used for any protocol during the Phase 2 exchange. Payload # 1 Domain of Interpretation (DOI) Situation SA Length in octets of the entire Security Association payload, including the SA payload, all Proposal payloads, and all Transform payloads A DOI value of 1 is assigned to the IPSEC DOI. The Situation provides information that can be used by the responder to make a policy determination about how to process the incoming Security Association request. For the IPSEC DOI, the Situation field is a 4- octet bitmask with the following values: SIT_IDENTITY_ONLY 1 SIT_SECRECY 2 SIT_INTEGRITY 4

IPSec / Proposal (P) Payload Format "2" if there are additional Proposal payloads, "0" otherwise Must be 0 with first exchange of 's Phase 1 Payload # 2 Proposal # Protocol-Id SPI Size # of Transforms P Length of the entire Proposal payload, including all Transform payloads associated with this proposal Proposal Number for the current payload Security Parameter Index: SPI (variable) Specifies the number of transforms for the Proposal. Each of these is contained in a Transform payload. Protocol identifier for the current negotiation: PROTO_ISAKMP 1 For the IPSEC DOI PROTO_IPSEC_AH 2 PROTO_IPSEC_ESP 3 PROTO_IPCOMP 4 The sending entity's SPI. In the event the SPI Size is not a multiple of 4 octets, there is no padding applied to the payload, however, it can be applied at the end of the message. Length in octets of the SPI as defined by the Protocol-Id. In the case of ISAKMP, the Initiator and Responder cookie pair from the ISAKMP Header is the ISAKMP SPI, therefore, the SPI Size is irrelevant.

IPSec / Transform (T) Payload Format "3" if there are additional T payloads, "0" otherwise Payload # 3 T Identifies the Transform number for the current payload. If there is more than one transform proposed for a specific protocol within the Proposal payload, then each Transform payload has a unique Transform number Transform # Transform-Id SA Attributes Reserved Transform identifier for the current negotiation. For IPSEC DOI, depending on Protocol-Id in Proposal: - With PROTO_ISAKMP: KEY_ 1 - With PROTO_IPCOMP: IPCOMP_OUI 1 IPCOMP_DEFLATE 2 IPCOMP_LZS 3 - With PROTO_IPSEC_AH: AH_MD5 2 AH_SHA 3 AH_DES 4 - With PROTO_IPSEC_ESP: ESP_DES_IV64 1 ESP_DES 2 ESP_3DES 3 ESP_RC5 4 ESP_IDEA 5 ESP_CAST 6 ESP_BLOWFISH 7 ESP_3IDEA 8 ESP_DES_IV32 9 ESP_RC4 10 ESP_NULL 11 With, during phase 1, some important attribute types & values: Encryption Algorithm 1 Hash Algorithm 2 Authentication Method 3 Group Description 4 Life Type 5 Life Duration 12 Type Values ------------------------------------- -- DES-CBC 1 IDEA-CBC 2 3DES-CBC 5 MD5 1 SHA 2 Pre-Shared Key 1 DSS signatures 2 RSA signatures 3 Encryption with RSA 4 Revised Encryption with RSA 5 768-bit MODP 1 1024-bit MODP 2 EC2N group on GF[2^155] 3 EC2N group on GF[2^185] 4 seconds 1 kilobytes 2 With IPSec Protocols, during Quick Mode phase 2, some important attribute types & values: Type Values ------ ----------------------- SA Life Type 1 seconds 1 kilobytes 2 SA Life Duration 2 Group Description3 (PFS negotiation) 768-bit MODP 1 1024-bit MODP 2 2048-bit MODP 14... Encapsulation Mode 4 Tunnel 1 Transport 2 Authentication Algorithm 5 HMAC-MD5 1 HMAC-SHA 2 DES-MAC 3 KPDK 4

IPSec / Key Exchange (KE) Payload Format Payload # 4 KE Key Exchange Data The Diffie-Hellman public value, as per the Diffie-Hellman Group Type and Description attributes in the negotiated transform.

IPSec / Identification (ID) Payload Format Payload # 5 ID ID Type Protocol ID Port Value specifying an associated port (e.g. 500, with UDP). A value of 0 means that the Port field should be ignored Identification Data Value specifying an associated IP protocol ID (e.g. UDP/TCP). A value of 0 means that the Protocol ID field should be ignored Identification Type: ID_IPV4_ADDR 1 (4-octet IPv4 address) ID_FQDN 2 (fully-qualified domain name, e.g. "foo.bar.com") ID_USER_FQDN 3 (fully-qualified username string, e.g. "user@foo.bar.com") ID_IPV4_ADDR_SUBNET 4 (4-octet IPv4 address + 4-octet IPv4 network mask) ID_IPV6_ADDR 5 (16-octet IPv6 address) ID_IPV6_ADDR_SUBNET 6 (16-octet IPv6 address + 16-octet IPv6 network mask) ID_IPV4_ADDR_RANGE 7 (4-octet beginning IPv4 address + 4-octet ending IPv4 address) ID_IPV6_ADDR_RANGE 8 (16-octet beginning IPv6 address + 16-octet ending IPv6 address) ID_DER_ASN1_DN 9 (binary DER encoding of an ASN.1 X.500 Distinguished Name) ID_DER_ASN1_GN 10 (binary DER encoding of an ASN.1 X.500 General Name) ID_KEY_ID 11 (opaque byte stream) Value, as indicated by the Identification Type

IPSec / Certificate (CERT) Payload Format Payload # 6 CERT Certificate Encoding Certificate Data Type of certificate or certificate-related information contained in the Certificate Data field NONE 0 PKCS #7 wrapped X.509 certificate 1 PGP Certificate 2 DNS Signed Key 3 X.509 Certificate - Signature 4 X.509 Certificate - Key Exchange 5 Kerberos Tokens 6 Certificate Revocation List (CRL) 7 Authority Revocation List (ARL) 8 SPKI Certificate 9 X.509 Certificate - Attribute 10

IPSec / Certificate Request (CR) Payload Format Payload # 7 CR Certificate ype Certificate Authority Type of certificate or certificate-related information contained in the Certificate Data field NONE 0 PKCS #7 wrapped X.509 certificate 1 PGP Certificate 2 DNS Signed Key 3 X.509 Certificate - Signature 4 X.509 Certificate - Key Exchange 5 Kerberos Tokens 6 Certificate Revocation List (CRL) 7 Authority Revocation List (ARL) 8 SPKI Certificate 9 X.509 Certificate - Attribute 10

IPSec / Hash (HASH) Payload Format Payload # 8 HASH Hash Data Data generated by the hash function (selected during the SA establishment exchange), over some part of the message and/or ISAKMP state. May be used to verify the integrity of the data in an ISAKMP message or for authentication of the negotiating entities.

IPSec / Signature (SIG) Payload Format Payload # 9 SIG Signature Data Data generated by the digital signature function (selected during the SA establishment exchange), over some part of the message and/or ISAKMP state. Used to verify the integrity of the data in the ISAKMP message, and may be of use for non-repudiation services.

IPSec / Nonce (NONCE) Payload Format Payload # 10 NONCE Nonce Data Random data generated by the transmitting entity. Used to guarantee liveness during an exchange and protect against replay attacks.

IPSec / Notify (N) Payload Format Payload # 11 N Domain of Interpretation (DOI) Protocol-ID SPI Size Notify Message Type Security Parameter Indx (SPI) Notification Data

IPSec / Delete (D) Payload Format Payload # 12 D Domain of Interpretation (DOI) Protocol-ID SPI Size # of SPIs Security Parameter Index(es) (SPI)

IPSec / Vendor ID (VID) Payload Format Payload # 13 VID Vendor ID (VID)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback