Lectures notes for 2010 - KTH
Lectures notes for 2010 - KTH Lectures notes for 2010 - KTH
ISAKMP ISAKMP is based on the Diffie-Hellman key exchange protocol; it assumes the identities of the two parties are known. Using ISAKMP you can: • control the level of trust in the keys, • force SPIs to be changed at an appropriate frequency, • identify keyholders via digital certificates [requires using a certificate authority (CA)] For further information see: • Internet Security Association and Key Management Protocol (ISAKMP) - RFC 2408 [4] • The Internet IP Security Domain of Interpretation for ISAKMP - RFC 2407 [5] • The OAKLEY Key Determination Protocol - RFC 2412 [6] • The Internet Key Exchange (IKE) - RFC 2409 [7] Maguire ISAKMP 12: 10 of 30 maguire@kth.se 2010.03.21 Internetworking/Internetteknik
Where can you run IPSec? Mode Where it runs Payload Transport end-systems payload data follows the normal IP header Tunnelling internetworking device: e.g., router, firewall, or VPN gateway • end-user’s entire packet-IP headers and all-placed within another packet with ESP or AH fields [thus it is encapsulated in another packet] • can hide the original source and destination address information AS1 tunnel AS3 AS4 AS2 Figure 4: IPSec usage red = secure, black = unsecure AS5 Maguire Where can you run IPSec? 12: 11 of 30 maguire@kth.se 2010.03.21 Internetworking/Internetteknik
- Page 709 and 710: Identification γ Z C Y B α γ Z C
- Page 711 and 712: How did it know to send the “I am
- Page 713 and 714: Getting Service Once it’s identit
- Page 715 and 716: Alternative 1 Initially X is locate
- Page 717 and 718: Alternative 3 Initially X is locate
- Page 719 and 720: Alternative 4 continued Initially X
- Page 721 and 722: What happens in the case of wireles
- Page 723 and 724: Wireless WANs BS-a cell a BS-a cell
- Page 725 and 726: Mobile IP Standardization Effort
- Page 727 and 728: A Mobile-IP(V6) Scenario Home Agent
- Page 729 and 730: Tunneling IP Datagrams Both home ag
- Page 731 and 732: Why Agent Discovery? Agent Discover
- Page 733 and 734: Registration Message Format 0 8 16
- Page 735 and 736: FA Requirements (v4) • Each FA mu
- Page 737 and 738: Optimization Problem Home site Inte
- Page 739 and 740: Mobile IP Problems and Development
- Page 741 and 742: Wireless IP Network Architecture Ho
- Page 743 and 744: HAWAII extension is similar to Cell
- Page 745 and 746: Hierarchical FA and Regional Tunnel
- Page 747 and 748: Hierarchical FA and Regional Tunnel
- Page 749 and 750: This lecture we have discussed: •
- Page 751 and 752: IK1550 Internetworking/Internettekn
- Page 753 and 754: Private networks Private Networks a
- Page 755 and 756: Security Protocols, APIs, etc. •
- Page 757 and 758: IPSec IPSec in three parts: • enc
- Page 759: AH header For authentication purpos
- Page 763 and 764: Linux firewall For example, for the
- Page 765 and 766: Proxy Access Through A Firewall ext
- Page 767 and 768: Newping http://ftp.cerias.purdue.ed
- Page 769 and 770: Secure Mailer (aka Postfix) Wietse
- Page 771 and 772: • TCP Wrappers - allows monitorin
- Page 773 and 774: Network Address Translation exterio
- Page 775 and 776: Network Security Exercises You will
- Page 777 and 778: This lecture we have discussed: •
- Page 779 and 780: [13] Swedish Defense Material Admin
- Page 781 and 782: IK1550 Internetworking/Internettekn
- Page 783 and 784: Generations of technology versus ge
- Page 785 and 786: Dissemination not conversation On s
- Page 787 and 788: Are interplanetary and intergalacti
- Page 789 and 790: Trends: Shifting from traditional t
- Page 791 and 792: Visualizing these laws 100 25000 80
- Page 793 and 794: Exponential growth As Ray Kurzweil
- Page 795 and 796: Is this only true for books? Chris
- Page 797 and 798: Too cheap to meter "It is not too m
- Page 799 and 800: What Would Google Do? Jeff Jarvis
- Page 801 and 802: Service Differentiation Integrated
- Page 803 and 804: Mobile ad hoc Networks (MANETs) Ad
- Page 805 and 806: PC interfaces Standard I/O ports of
- Page 807 and 808: IP Storage Area Networks (SANs) Usi
- Page 809 and 810: • Internet SCSI (iSCSI) JBOD == J
Where can you run IPSec?<br />
Mode Where it runs Payload<br />
Transport end-systems payload data follows the normal IP header<br />
Tunnelling<br />
internetworking<br />
device: e.g., router,<br />
firewall, or VPN<br />
gateway<br />
• end-user’s entire packet-IP headers and all-placed within another packet<br />
with ESP or AH fields<br />
[thus it is encapsulated in another packet]<br />
• can hide the original source and destination address in<strong>for</strong>mation<br />
AS1<br />
tunnel<br />
AS3<br />
AS4<br />
AS2<br />
Figure 4: IPSec usage<br />
red = secure, black = unsecure<br />
AS5<br />
Maguire Where can you run IPSec? 12: 11 of 30<br />
maguire@kth.se <strong>2010</strong>.03.21 Internetworking/Internetteknik