Mogollon 01/08 - 19: The AH protocol, RFC 4302, defines the


...cation: Enables a network device to authenticate a user.
• Anti-replay service (optional)

Authentication Header placement: IP Header | AH | Payload Data

AH header layout (32-bit words):
  Word 1:  Next Header (8 bits) | AH Payload Length (8 bits) | Reserved (16 bits)
  Word 2:  Security Parameters Index (SPI)
  Word 3:  Sequence Number
  Word 4-: Integrity Check Value (ICV), variable length

VPN IPsec IKE v2 TLS M. Mogollon – 01/08 - 19

• The AH protocol, RFC 4302, defines the format for IPsec packets that require data origin authentication, connectionless integrity, and anti-replay services only. The AH does not encrypt the data portion of the packet. AH may be applied alone, in combination with ESP, or in a nested fashion through the use of tunnel mode. A description of each of the fields is given below.
• Next Header: Identifies the type of header of the next payload after the Authentication Header.
• Payload Length: Specifies the length of AH in 32-bit words (4-byte units), minus 2.
• Reserved: This 16-bit field is reserved for future use.
• Security Parameters Index (SPI): The SPI is an arbitrary 32-bit value that, in combination with the destination IP address and security protocol (AH), uniquely identifies the Security Association for the datagram. The SPI tells which security protocols are being used. The algorithms and keys are included in this field.
• Sequence Number: This field contains a monotonically increasing counter value (sequence number) that tells how many packets have been sent and provides anti-replay protection. The sender's counter and the receiver's counter are initialized to 0 when an SA is established. The first packet sent using a given SA will have a Sequence Number of 1.
• Integrity Check Value: This variable-length field contains the Integrity Check Value (ICV) for the packet. The field must be an integral multiple of 32 bits in length. The authentication algorithm employed for the ICV computation is specified by the SA. For point-to-point communication, suitable authentication algorithms include keyed Message Authentication Codes (HMACs) based on symmetric encryption algorithms (e.g., AES) or on one-way hash functions (e.g., MD5 or SHA1).
• The mandatory-to-implement authentication algorithms are: HMAC-SHA-1-96; AES-XCBC-MAC-96; HMAC-MD5-96.

Encapsulation Security Payload (ESP)
• Data Integrity + Aut...
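The following is an added example, not part of the slides, showing the AH header layout, the "length in words minus 2" rule, an HMAC-SHA-1-96 ICV, and the receiver's sequence-number window in working Python. The key, SPI and payload bytes are constructed for the demo; the ICV here covers only the AH fields and the payload (transport-mode AH also covers the immutable IP header fields, which is left out as a stated simplification), and the receiver checks the window before spending an HMAC on the ICV and only advances the window once the ICV verifies.

```python
import hashlib
import hmac
import struct

# Constructed demo key and SPI; not values from the slides.
DEMO_KEY = b"\x0b" * 20
DEMO_SPI = 0x00001000
ICV_LEN = 12  # HMAC-SHA-1-96: 96 bits = 12 bytes, a multiple of 32 bits as AH requires


def compute_icv(fixed_part, payload, key):
    """HMAC-SHA-1 truncated to 96 bits over the AH fixed fields, a zeroed ICV
    field and the protected payload. Assumption for this demo: the immutable
    outer IP header fields that transport-mode AH also covers are omitted."""
    digest = hmac.new(key, fixed_part + b"\x00" * ICV_LEN + payload, hashlib.sha1).digest()
    return digest[:ICV_LEN]


def build_ah(next_header, spi, seq, payload, key=DEMO_KEY):
    """Serialize AH followed by its payload:
    Next Header(8) | Payload Len(8) | Reserved(16) | SPI(32) | Seq(32) | ICV | payload."""
    total_words = (12 + ICV_LEN) // 4
    payload_length = total_words - 2          # RFC 4302: AH length in 32-bit words minus 2 (4 here)
    fixed = struct.pack("!BBHII", next_header, payload_length, 0, spi, seq)
    return fixed + compute_icv(fixed, payload, key) + payload


def parse_ah(packet):
    """Split an AH packet into its header fields and the payload that follows the ICV."""
    next_header, payload_length, reserved, spi, seq = struct.unpack("!BBHII", packet[:12])
    ah_end = (payload_length + 2) * 4         # inverse of the "minus 2" rule
    fields = {
        "next_header": next_header,
        "payload_length": payload_length,
        "reserved": reserved,
        "spi": spi,
        "seq": seq,
        "icv": packet[12:ah_end],
    }
    return fields, packet[ah_end:]


class ReplayWindow:
    """Receiver-side anti-replay window (RFC 4302 default size 64). The counter
    starts at 0 when the SA is set up, so the first legitimate packet is seq 1."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means sequence number (top - i) was accepted

    def is_fresh(self, seq):
        if seq == 0 or seq <= self.top - self.size:
            return False                      # seq 0 is never valid; too old fell off the window
        if seq > self.top:
            return True                       # ahead of the window: new
        return not (self.bitmap & (1 << (self.top - seq)))

    def mark(self, seq):
        mask = (1 << self.size) - 1
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def verify_ah(packet, key, window):
    """Receiver order: cheap replay check first, then the ICV; only a packet
    with a valid ICV advances the window, so forged packets cannot move it."""
    fields, payload = parse_ah(packet)
    if not window.is_fresh(fields["seq"]):
        return "replay", fields
    if not hmac.compare_digest(fields["icv"], compute_icv(packet[:12], payload, key)):
        return "bad_icv", fields
    window.mark(fields["seq"])
    return "ok", fields


def demo():
    window = ReplayWindow()
    body = b"constructed TCP segment"
    outcomes = []
    for seq in (1, 2, 4):                     # seq 3 arrives later, reordered but inside the window
        outcomes.append(verify_ah(build_ah(6, DEMO_SPI, seq, body), DEMO_KEY, window)[0])
    outcomes.append(verify_ah(build_ah(6, DEMO_SPI, 2, body), DEMO_KEY, window)[0])  # replayed seq 2
    outcomes.append(verify_ah(build_ah(6, DEMO_SPI, 3, body), DEMO_KEY, window)[0])  # late but fresh
    tampered = build_ah(6, DEMO_SPI, 5, body) + b"x"   # payload altered after the ICV was computed
    outcomes.append(verify_ah(tampered, DEMO_KEY, window)[0])
    return outcomes


if __name__ == "__main__":
    print(demo())  # ['ok', 'ok', 'ok', 'replay', 'ok', 'bad_icv']
```

Running it shows the three behaviours the slide describes: in-window reordering is accepted, a repeated sequence number is rejected before any cryptography runs, and a modified payload fails the ICV even though its sequence number is new.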

This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.
