IPsec

The IPsec security mechanism is obsoleted in the latest Diameter RFC, RFC 6733, but it is still maintained for backward compatibility.

IPsec encrypts and authenticates all traffic at the IP level using a pre-shared secret key, and uses IKE (Internet Key Exchange) for peer authentication, negotiation of security associations and key management.
 
There are two modes of operation of IPsec:
1) Transport Mode :- In this mode only the payload (the data to be transferred) of the IP packet is encrypted and/or authenticated.
2) Tunnel Mode :- The entire IP packet is encrypted and/or authenticated.

All Diameter deployments MUST support IPsec in transport mode (per-packet encryption and authentication are implicit in transport mode) and MUST support the replay protection mechanisms of IPsec.

IPsec uses the following protocols to perform various functions:
1) Authentication Header :- provides INTEGRITY, authentication and protection against replay attacks. The diagram shows the AH header placed between the IP header and the TCP header.
Fig:- Packet Format after including AH
Various fields of AH and their purpose are given below.
Fig:- Various fields of AH

1) Payload Len :- The length of this Authentication Header.
2) Reserved :- Reserved for future use (all zeroes until then).
3) Security Parameters Index :- Arbitrary value which is used (together with the source IP address) to identify the security association of the sending party.
4) Sequence Number :- A monotonic, strictly increasing sequence number (incremented by 1 for every packet sent) to prevent replay attacks. When replay detection is enabled, sequence numbers are never reused, because a new security association must be renegotiated before any attempt to increment the sequence number beyond its maximum value.
5) Integrity Check Value :- Variable-length check value, something similar to a checksum.


2) ESP (Encapsulating Security Payload) :- provides INTEGRITY, authentication and protection against replay attacks, and ALSO provides support for encryption. ESP does not protect the IP packet header unless tunnel mode is applied.
Fig:- Packet format after including ESP (encryption)
ESP and AH can be used together on the same datagram without redundancy. Various fields of ESP and their purpose are given below.
 

Fig:- Various fields of ESP

1) Security Parameters Index :- Arbitrary value which is used (together with the source IP address) to identify the security association of the sending party.
2) Sequence Number :- A monotonically increasing sequence number (incremented by 1 for every packet sent) to protect against replay attacks. A separate counter is kept for every security association.
3) Payload Data :- The protected contents of the original IP packet, including any data used to protect the contents (e.g. an Initialisation Vector for the cryptographic algorithm). The type of content that was protected is indicated by the Next Header field.
4) Padding :- Padding for encryption, to extend the payload data to a size that fits the encryption cipher's block size, and to align the next field.
5) Pad Length :- Size of the padding in octets.
6) Integrity Check Value :- Variable-length check value, something similar to a checksum.
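As an added example (not part of the original post), the following Python parses the AH layout listed above and implements the per-SA sliding-window replay check that the Sequence Number field of both AH and ESP enables. It assumes the RFC 4302 wire layout, which also carries a Next Header byte not listed above; the packet bytes, SPI and sequence numbers are constructed for illustration.

```python
import struct
from dataclasses import dataclass

@dataclass
class AuthHeader:
    next_header: int    # RFC 4302 field (protocol of the protected payload)
    payload_len: int    # AH length in 32-bit words, minus 2
    spi: int
    seq: int
    icv: bytes

def parse_ah(buf: bytes) -> AuthHeader:
    """Parse an Authentication Header at the start of buf (transport mode)."""
    if len(buf) < 12:
        raise ValueError("truncated AH fixed part")
    next_header, payload_len, reserved, spi, seq = struct.unpack("!BBHII", buf[:12])
    total_len = (payload_len + 2) * 4     # Payload Len is in 32-bit words minus 2
    if reserved != 0 or len(buf) < total_len:
        raise ValueError("non-zero Reserved field or truncated ICV")
    return AuthHeader(next_header, payload_len, spi, seq, buf[12:total_len])

@dataclass
class ReplayWindow:
    """Per-SA anti-replay window: highest sequence number accepted so far plus a
    bitmap of which of the `size` numbers below it were received. A real receiver
    updates the window only after the ICV has verified."""
    size: int = 64
    top: int = 0
    bitmap: int = 0   # bit i set => sequence number top - i was received
    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                      # 0 is never a valid sequence number
        if seq > self.top:                    # new high-water mark: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                      # already seen: replay
        self.bitmap |= 1 << offset
        return True

# Constructed sample: AH carrying TCP (next header 6), SPI 0x1000, seq 5, 96-bit ICV.
SAMPLE_AH = struct.pack("!BBHII", 6, 4, 0, 0x1000, 5) + bytes(range(12))

def accept_packets(seqs, size=64):
    """Feed sequence numbers through one window; return the accept/drop decisions."""
    window = ReplayWindow(size=size)
    return [window.check_and_update(s) for s in seqs]
```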
 


Your comments, suggestions and questions are always welcome. I will try to clarify doubts to the best of my knowledge, so feel free to put questions.
