outline - cyut.edu.tw

Outline
Introduction
IP Address & MAC Address
TCP/UDP/ICMP
IP Gateway, Network Mask, TTL
Routing Protocol
Network Address Translation (NAT)
Domain Name System (DNS)
Dynamic Host Configuration Protocol (DHCP) / Asymmetric Digital Subscriber Line (ADSL)
HyperText Transfer Protocol (HTTP)
Virtual Private Network (VPN)
Firewall
Wireless Networks

Microsoft PowerPoint - Ch11.ppt
VPN (Internet)
Intranets VPN Internet
Extranets VPN Intranet VPN
VPN ?
Internet
VPN
VPN (Platform Scalability) (Security) VPN
(Security)
VPN VPN
VPN
VPN
VPN
VPN (1/4)
VPN (2/4)
VPN (3/4)
VPN (4/4)
Trusted VPNs: VPN VPN VPN
Secure VPNs: (Encryption) VPN
Hybrid VPN: Secure VPN Trusted VPN VPN Hybrid VPN
VPN (1)
VPN (3)
VPN
Generic Routing Encapsulation (GRE): network A, GRE, network B, Layer 3
GRE VPN Tunnel
Point to Point Tunneling Protocol (PPTP): PPTP VPN, GRE header, IP packet, PPP packet, client-server, Enhanced GRE
IP Security Protocol (IPSec): IP Protocol, Packet, IP protocol, Tunnel
GRE
1. Network A Host A, Network B Host B
2. Host A Network A Packet Router A; Router A Packet Packet
3. Router A Packet GRE Internet
5. Router B (Unwrap)
6. Router B Packet Network B Host B
GRE Header
Bits:  0  1  2  3  4  5-7    8-12   13-15  16-31
       C  R  K  S  s  Recur  Flags  Ver    Protocol type
       Checksum (optional)                 Offset (optional)
Bit 8: Acknowledgment sequence number present. Set to one (1) if packet contains Acknowledgment Number to be used for acknowledging previously transmitted data.
Flags (Bits 9-12): Must be set to zero (0)
s (Bit 4): Strict source route present. Set to zero (0)
S (Bit 3): Sequence Number Present. Set to one (1) if a payload (data) packet is present. Set to zero (0) if payload is not present (GRE packet is an Acknowledgment only).
Routing: Source routing entries (SRE)
Sequence Number: Contains the sequence number of the payload. Present if S bit (Bit 3) is one (1)
Key (LW) Call ID: (Low 2 octets) Contains the Peer's Call ID for the session to which this packet belongs.
Key (HW) Payload Length: (High 2 octets of Key) Size of the payload, not including the GRE header.
Checksum: Checksum with IP, GRE header and payload packet
Ver (Bits 13-15): Must contain 0
Address Family (2 Octets): Routing Information Field
SRE Offset (1 Octet):
SRE Length (1 Octet): SRE, SRE Length 0, SRE Routing Field
SRE Routing Information (Variable): Packet
SRE length
Routing information …
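As an added example (not part of the slides and not code from cyut.edu.tw), the following Python parses the GRE header laid out in the table above, covering both the plain RFC 1701 fields together with the SRE list described in the Source Route Entry fields, and the PPTP enhanced-GRE meaning of Key, Sequence Number and Acknowledgment Number given in the field list. It then checks the invariants those descriptions state: s = 0, Flags = 0, S set exactly when a payload is present, and Payload Length equal to the actual payload size. The names parse_gre, check_enhanced_gre and describe are mine, and every sample packet is constructed. One caveat a practitioner should know: the slide's generic table gives Ver = 0, which is the RFC 1701 value, while RFC 2637 sets Ver = 1 for enhanced GRE, so the checker reports Ver != 1 on a PPTP packet.

```python
# Added example: parser and sanity checker for the GRE header laid out above.
# Base fields and the SRE list follow RFC 1701; Key / Sequence Number /
# Acknowledgment Number follow the PPTP enhanced-GRE reading (RFC 2637).
# parse_gre, check_enhanced_gre and describe are names chosen here; every
# sample packet below is constructed for this example.
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class GreError(ValueError):
    """Header cannot be parsed: truncated or self-contradictory."""


@dataclass
class GreHeader:
    c: bool; r: bool; k: bool; s: bool; strict: bool   # bits 0-4
    recur: int; a: bool; flags: int; ver: int           # bits 5-7, 8, 9-12, 13-15
    protocol_type: int                                  # bits 16-31
    checksum: Optional[int] = None        # present, with Offset, when C or R is set
    offset: Optional[int] = None
    key: Optional[int] = None             # enhanced GRE: Payload Length << 16 | Call ID
    sequence_number: Optional[int] = None
    ack_number: Optional[int] = None
    sres: List[Tuple[int, int, bytes]] = field(default_factory=list)  # (family, offset, info)
    header_len: int = 0


def parse_gre(data: bytes) -> Tuple[GreHeader, bytes]:
    """Return (header, payload); raises GreError rather than reading past the end."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if len(data) - pos < n:
            raise GreError(f"truncated: need {n} bytes at offset {pos}")
        pos += n
        return data[pos - n:pos]

    w, proto = struct.unpack("!HH", take(4))
    hdr = GreHeader(c=bool(w >> 15 & 1), r=bool(w >> 14 & 1), k=bool(w >> 13 & 1),
                    s=bool(w >> 12 & 1), strict=bool(w >> 11 & 1), recur=w >> 8 & 7,
                    a=bool(w >> 7 & 1), flags=w >> 3 & 0xF, ver=w & 7, protocol_type=proto)
    if hdr.c or hdr.r:  # RFC 1701: Checksum and Offset travel together
        hdr.checksum, hdr.offset = struct.unpack("!HH", take(4))
    if hdr.k:
        hdr.key, = struct.unpack("!I", take(4))
    if hdr.s:
        hdr.sequence_number, = struct.unpack("!I", take(4))
    if hdr.a:  # bit 8: Acknowledgment Number follows (enhanced GRE carries no routing)
        if hdr.r:
            raise GreError("bit 8 set together with R: not a valid enhanced GRE header")
        hdr.ack_number, = struct.unpack("!I", take(4))
    if hdr.r:  # SRE list, terminated by an SRE whose SRE Length is 0
        while True:
            family, off, length = struct.unpack("!HBB", take(4))
            if length == 0:
                break
            hdr.sres.append((family, off, take(length)))
    hdr.header_len = pos
    return hdr, data[pos:]


def check_enhanced_gre(hdr: GreHeader, payload: bytes) -> List[str]:
    """List the invariants from the field descriptions that a PPTP packet violates."""
    problems = []
    if not hdr.k:
        problems.append("K must be 1: Key carries Payload Length and Call ID")
    if hdr.strict:
        problems.append("s (bit 4) must be 0")
    if hdr.flags:
        problems.append("Flags (bits 9-12) must be 0")
    if hdr.ver != 1:  # RFC 1701 GRE carries Ver 0; RFC 2637 enhanced GRE carries Ver 1
        problems.append(f"Ver is {hdr.ver}; enhanced GRE requires 1")
    if hdr.s != (len(payload) > 0):  # S = 1 iff a payload is carried (S = 0: ack only)
        problems.append("S bit does not match presence of a payload")
    if hdr.key is not None and hdr.key >> 16 != len(payload):
        problems.append(f"Payload Length {hdr.key >> 16} != actual {len(payload)}")
    return problems


def describe(packet: bytes) -> dict:
    """Parse one packet and summarise the enhanced-GRE fields and any problems."""
    hdr, payload = parse_gre(packet)
    return {"call_id": None if hdr.key is None else hdr.key & 0xFFFF,
            "seq": hdr.sequence_number, "ack": hdr.ack_number,
            "header_len": hdr.header_len, "payload_len": len(payload),
            "problems": check_enhanced_gre(hdr, payload)}


# Constructed PPTP data packet: flags 0x3081 (K, S, bit 8 set, Ver 1), PPP protocol
# type 0x880B, Key = payload length 8 / Call ID 0x1234, seq 7, ack 3, then an
# 8-byte PPP LCP Configure-Request frame.
PPTP_DATA = bytes.fromhex("3081880b 00081234 00000007 00000003 ff03c02101010004")
# Constructed ack-only packet: S = 0, no Sequence Number, Payload Length 0.
PPTP_ACK_ONLY = bytes.fromhex("2081880b 00001234 00000003")
# Constructed RFC 1701 header: C and R set, Ver 0, IPv4 protocol type, zero checksum
# and offset, one IPv4 SRE listing 10.0.0.1 and 10.0.0.2, then the terminating SRE.
GRE_ROUTED = bytes.fromhex("c0000800 00000000 08000008 0a000001 0a000002 00000000")
```

The parser never indexes past the buffer: every optional field is read through `take`, which raises `GreError` on a short packet, so a truncated Key or Sequence Number is rejected instead of being read from the following bytes. `check_enhanced_gre` is deliberately separate from parsing, so a monitoring tool can still log a malformed PPTP packet's fields while flagging which rule it broke (for example a Payload Length that does not match the bytes actually carried).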
PPTP VPN: GRE header, IP packet, PPP packet, client-server, Enhanced GRE
PPTP tunnel
PPTP Server B
PPTP
2. PPTP Client A, PPTP Server B, MS-CHAP
3. PPTP Tunnel PPTP
1. Host A Packet Network B Host B
2. Host A Packet PPTP Client A
3. PPTP Client A Packet PPP GRE Header Internet PPTP Server B
4. PPTP Server B Network B Host B
5. Host B Packet
MS-CHAP (Microsoft Challenge Handshake)
Windows
MS-CHAP v2
PPTP Packet: PPTP GRE Header
Key Call ID: Call ID
Acknowledgment Number: Packet Sequence Number
PPTP packet: PPP Packet, GRE Header, IP Header, Media Header
IPSec (1)
Host-to-Host, Host-to-Network, Network-to-Network
Integrity
Encapsulation Security Payload (ESP): Datagram, IP Packet, Packet, Packet, ESP
IPSec (2)
IPSec (3)
(a) Transport mode
(b) Tunnel mode IP1
IPSec
(Encapsulating Security Payload, ESP)
Security Protocol ID (ID): AH / ESP
IP destination address (IP): IP
IPSec (4)
IPSec
IPSec (5)
IPSec:
1. Host A Packet Host B
2. Host A Packet IPSec Driver Packet AH ESP Header
3. IP Header Packet Host B
Question: Firewall IPsec VPN, VPN Firewall
IPsec NAT
IPsec NAT
NAT Internet