1.3.3 Implementing IPsec
In IPv4, we choose subnets 102.2.2.0/24 and 103.3.3.0/24 to implement IPsec. On router1 we apply IPsec on the interface facing 102.2.2.0/24; on router3 we apply it on the interface facing 103.3.3.0/24. In the lab we use tunnel mode, with ESP as the security protocol, 3DES as the encryption algorithm and HMAC-MD5 as the authentication algorithm.
In IPv6, we choose two PCs on the same subnet to implement IPsec. We use transport mode, with HMAC-MD5 as the authentication algorithm (authentication only, no encryption).
1.3.4 Analysis of IPsec
In IPv4, we contrast the packets captured by the sniffer before and after IPsec was applied. The results: after IPsec, the packets are encrypted, so IPsec provides confidentiality and limited traffic-flow confidentiality (in tunnel mode the original IP header travels inside the ESP payload, so the sniffer sees only the two tunnel endpoints). Because HMAC-MD5 is used as the authentication algorithm, it also provides data-origin authentication. In IPv6, we use transport mode with authentication only: the data is not encrypted, but it is authenticated. This also provides connectionless integrity and limited protection against replayed packets.
1.3.5 Conclusion
In a network combining IPv4 and IPv6, IPsec support is mandatory for IPv6 nodes (the IPv6 node requirements in RFC 4294 made implementing it a MUST; RFC 6434 later relaxed this to a SHOULD, and in either case IPsec still has to be configured before any traffic is protected), so IPv6 can support high-security data communication. In IPv4, we can apply IPsec depending on the security we want, choosing the IPsec mode, the encryption algorithm and the authentication algorithm. IPsec enhances security during network transport, so it has great prospects for government, military and commercial networks, especially with the new generation of IP.
Chapter 2: Introduction to the Internet Protocol (IP)
The role of the Internet Protocol
The Internet Protocol (IP) provides the functionality for interconnecting end systems across multiple networks. For this purpose, IP is implemented in each end system and in routers, which are devices that provide connections between networks. Higher-level data at a source end system are encapsulated in an IP protocol data unit (PDU) for transmission. This PDU is then passed through one or more networks and connecting routers to reach the destination end system.
2.1 IPv4 header format
For decades, the keystone of the TCP/IP protocol architecture has been the Internet Protocol (IP) version 4. Figure 2-1 shows the IPv4 header format, which is a minimum of 20 octets, or 160 bits. The fields are:
Figure 2-1: IPv4 header format
Version (4 bits): Indicates the version number, to allow evolution of the protocol; the value is 4.
Internet Header Length (IHL) (4 bits): Length of the header in 32-bit words. The minimum value is 5, for a minimum header length of 20 octets.
Type of Service (8 bits): Provides guidance to end-system IP modules and to routers along the packet's path, in terms of the packet's relative priority.
Total Length (16 bits): Total IP packet length, header included, in octets.
Identification (16 bits): A sequence number that, together with the source address, destination address and user protocol, is intended to identify a packet uniquely. Thus, the identifier should be unique for the packet's source address, destination address and user protocol for the time during which the packet will remain in the internet.
Flags (3 bits): Only two of the bits are currently defined. When a packet is fragmented, the More Fragments (MF) bit indicates whether this is the last fragment of the original packet. The Don't Fragment (DF) bit prohibits fragmentation when set. This bit may be useful if it is known that the destination does not have the capability to reassemble fragments. However, if this bit is set, the packet will be discarded if it exceeds the maximum size of a subnetwork en route. Therefore, if the bit is set, it may be advisable to use source routing to avoid subnetworks with a small maximum packet size.
Fragment Offset (13 bits): Indicates where in the original packet this fragment belongs, measured in 64-bit (8-octet) units. This implies that fragments other than the last fragment must contain a data field that is a multiple of 64 bits in length.
Time to Live (8 bits): Specifies how long, in seconds, a packet is allowed to remain in the internet. Every router that processes a packet must decrease the TTL by at least one, so in practice the TTL behaves like a hop count.
Protocol (8 bits): Indicates the next higher-level protocol, which is to receive the data field at the destination; thus, this field identifies the type of the next header in the packet after the IP header (for example 6 for TCP, 50 for ESP, 51 for AH).
Header Checksum (16 bits): An error-detecting code applied to the header only. Because some header fields may change during transit (e.g., Time to Live, fragmentation-related fields), it is verified and recomputed at each router. The checksum is the 16-bit ones-complement of the ones-complement sum of all 16-bit words in the header. For purposes of computation, the checksum field itself is initialized to zero. Note that this is an error-detecting code only, not an integrity protection: anyone who can modify the header can recompute it, which is why IPsec adds its own ICV.
Source Address (32 bits): Coded to allow a variable allocation of bits to specify the network and the end system attached to the specified network.
Destination Address (32 bits): Same characteristics as the source address.
Options (variable): Encodes the options requested by the sending user; these may include security label, source routing, record route and timestamping.
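The following is an added example, not code from the original report or its lab. It implements the header layout of Figure 2-1 (including the ones-complement checksum, the DF/MF flags and the 64-bit-unit fragment offset) and then applies the parser to the kind of comparison made in 1.3.4: what a passive sniffer still learns from a packet when the next protocol is ESP (SPI and sequence number visible, everything after them opaque) versus AH (authenticated but in the clear) versus plain TCP. The packets, addresses, SPIs and the bytes standing in for 3DES ciphertext are constructed for the example; the AH sample uses an IPv4 outer header rather than the lab's IPv6 hosts so that one parser serves both cases, which is an assumption, not a lab capture.

```python
"""Added example (not part of the original report): parse an IPv4 header as laid out in
Figure 2-1, verify its checksum, and classify what a passive sniffer can still see when the
next protocol is ESP (50) or AH (51), as in the 1.3.4 packet comparison."""
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: ones-complement of the ones-complement sum of all
    16-bit words. The caller must pass the header with the checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=1, df=False, mf=False, offset=0):
    """Build a minimal (IHL=5, no options) IPv4 packet with a correct checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-octet header plus any options; verify the checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet")
    hlen = ihl * 4
    if hlen < 20 or hlen > len(packet):
        raise ValueError("bad IHL")
    header = packet[:hlen]
    # Routers recompute this because TTL and fragment fields change in transit;
    # a receiver verifies it by recomputing over the header with the field zeroed.
    checksum_ok = ipv4_checksum(header[:10] + b"\x00\x00" + header[12:]) == csum
    return {
        "version": version, "ihl": ihl, "header_len": hlen, "tos": tos,
        "total_length": total_len, "identification": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # field is in 64-bit units
        "ttl": ttl, "protocol": proto,
        "protocol_name": PROTO_NAMES.get(proto, str(proto)),
        "checksum_ok": checksum_ok,
        "src": ".".join(str(b) for b in src), "dst": ".".join(str(b) for b in dst),
        "options": header[20:hlen], "payload": packet[hlen:total_len],
    }


def sniffer_view(packet: bytes) -> dict:
    """What a passive observer learns: cleartext, AH (authenticated, not encrypted)
    or ESP (SPI and sequence number visible, everything after them opaque)."""
    ip = parse_ipv4(packet)
    p = ip["payload"]
    if ip["protocol"] == 50:  # ESP: 4-byte SPI, 4-byte sequence, then ciphertext + ICV
        spi, seq = struct.unpack("!II", p[:8])
        return {"mode": "ESP", "spi": spi, "seq": seq,
                "payload_visible": False, "opaque_bytes": len(p) - 8}
    if ip["protocol"] == 51:  # AH: next header, payload len (32-bit words minus 2),
        next_hdr, payload_len = p[0], p[1]  # reserved, SPI, sequence, ICV
        ah_len = (payload_len + 2) * 4
        spi, seq = struct.unpack("!II", p[4:12])
        return {"mode": "AH", "spi": spi, "seq": seq,
                "next_header": PROTO_NAMES.get(next_hdr, str(next_hdr)),
                "icv_len": ah_len - 12, "payload_visible": True,
                "inner_payload": p[ah_len:]}
    return {"mode": "none", "payload_visible": True, "inner_payload": p}


# Constructed sample packets (not captures from the lab); addresses reuse the
# report's 102.2.2.0/24 and 103.3.3.0/24 subnets.
SECRET = b"GET /secret HTTP/1.0\r\n"
PLAIN_PKT = build_ipv4("102.2.2.10", "103.3.3.10", 6, SECRET)
# ESP tunnel between the routers: after SPI/sequence the bytes stand in for
# 3DES ciphertext, so the inner IP header and data are hidden.
ESP_PKT = build_ipv4("102.2.2.1", "103.3.3.1", 50,
                     struct.pack("!II", 0x1000, 1) + bytes(range(32)))
# AH transport mode with HMAC-MD5-96: 12-byte ICV, AH header 24 bytes -> payload len 4.
# (Same AH layout in IPv6; an IPv4 outer header is used here to reuse one parser.)
AH_PKT = build_ipv4("102.2.2.10", "102.2.2.11", 51,
                    bytes([6, 4, 0, 0]) + struct.pack("!II", 0x2000, 7)
                    + b"\x11" * 12 + SECRET)

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN_PKT), ("esp", ESP_PKT), ("ah", AH_PKT)):
        print(name, parse_ipv4(pkt)["protocol_name"], sniffer_view(pkt))
```

Running the module prints, for each constructed packet, the protocol the outer header names and what the sniffer can recover from it: the plain TCP packet and the AH packet both expose the HTTP request, while the ESP packet exposes only the SPI, the sequence number and the length of the opaque data. The same split is what the 1.3.4 comparison observed: AH gives data-origin authentication and integrity with no confidentiality, ESP gives confidentiality as well.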