PKI IPsec/SSL IETF (http://www.netcocoon.com) 2004.12.9
IPsec ESP,AH,IPComp DOI:SA IKE SA ISAKMP IKE ESP IKE AH DOI Oakley ISAKMP IPComp SKEME
IPsec IPv4TCP + IPv6TCP + IPv4 AH TCP + IPv6 AH + TCP IPv4 ESP TCP + ESP ESP IPv6 ESP + TCP ESP ESP IPv4 AH ESP TCP + ESP IPv6 AH ESP + TCP ESP IPv4 IPv6 IPComp AH AH ESP ESP
IPsec IPv4 + TCP IPv4 + AH IPv4 + ESP IPv4 + AH ESP IPv6 + TCP IPv6 + IPv6 + IPv6 + IPv6 + IPv6 + AH ESP AH ESP ESP ESP IPv4 IPv6 ESP ESP ESP IPv4 + TCP IPv4 + TCP IPv4 + TCP IPv6 + TCP TCP ESP TCP IPComp AH AH ESP ESP
IPsec IKE Phase 1 (Main Mode) Phase 2 (Quick Mode)
IPsec DH(Diffie-Hellman) x g x g x g x g y g xy = (g y ) x g y g xy =?? y g y g xy = (g x ) y mod p
IPsec Man-in-the-Middle for DH x g x g x g x g x g y y g y x g y y g y g xy = (g y ) x g xy = (g x ) y g x y = (g y ) x g xy = (g x ) y mod p
IPsec NetCocoon Analyzer
IPsecMain Mode Pre-shared keymain Mode: Initiator Responder HDR, SA HDR, SA HDR, KE, Ni HDR, KE, Nr HDR*{ IDii, HASH_I } HDR*{ IDir, HASH_R }
IPsecAggressive Mode Pre-shared keyaggressive Mode: Initiator Responder HDR, SA, KE, Ni, IDii HDR, SA, KE, Nr, IDir, HASH_R HDR, HASH_I SKEYID = prf(pre-shared-key, Ni_b Nr_b) HASH_R = prf(skeyid, g^xr g^xi CKY-R CKY-I SAi_b IDir_b )
IPsecMain Mode SignatureMain Mode: Initiator Responder HDR, SA HDR, SA HDR, KE, Ni HDR*{ IDii, [CERT], SIG_I } HDR, KE, Nr HDR*{ IDir, [CERT], SIG_R} SIG_x = Sign ( HASH_x)
IPsec CA IPsec-VPN: X-authMode-Config Aggressive Mode SSL-VPN: NAPT IPsec NAT-T
SSL/TLS IPsec OS IPsec SSL (OpenSSL ) API SSL IPsec TCP/IP Ethernet
SSL/TLS SSL SSL SSL SSL HTTP Handshake Change Cipher Alert Record Layer Application SSL Layer TCP
SSL/TLS Client Hello Server Hello (Server Certificate) (Server Key Exchange) (Certificate Request) Server Hello Done (Client Certificate) (Client Key Exchange) (Certificate Verify) Change Cipher Spec Finished Change Cipher Spec Finished
SSL/TLS Client Hello Server Hello Change Cipher Spec Finished Change Cipher Spec Finished
SSL/TLS ClientHello ServerHello Server Certificate ClientKeyExchange
SSL/TLS ClientHello ServerHello
SSL/TLS NetCocoon Analyzer
SSL/TLS IPsec EAP SSL/TLS ( RSA ServerKeyExchange DH RSA
[ ] MSEC + + 1 to M M to M 1 to M M to M
[ ] MSEC Hash Chaining Signature Packet Block1 Block2 Blockn Sign(hash-B1) hash-b2 Data hash-b3 Data Data TESLA MAC Packet n MAC Packet n-1 MAC Packet i MAC Packet 0 MAC(Kn, Pn) MAC(Kn-1, Pn-1) MAC(Ki, Pi) MAC(K0, P0) Kn Kn-1 Ki K0 Packet n Packet n-1 Packet i Packet 0
[ ] MSEC SA Category 1 SA (pull) Initial setup (multicast) Key Distributor (KD) Control Messages (multicast) Initial setup (multicast) Category 1 SA (pull) Member (sender) Data Messages (multicast) Category 2 SA (push) Category 3 SA Member (receiver)
[ ] MSEC ~GSAKMP~ GC Request to join Sig Member Unicast Secure Channel Establishment Sig Invitation Invitation Response Sig Sig SAs and Keys Download Acknowledgement Sig Secure Multicast GC:Group Controller
IETF IKEv2 PKI4IPSEC MOBIKE NBTS EASYCERT INCH RID
IKEv1IKEv2 VPN EAP(RFC3748) NAT-T(NAPT DoS Cookie IKE RSADSS OCSP in IKEv2
PKI4IPSEC IPsec (v1/v2) PKI IPsec CMC CRLsInbound/Outbound IKEUDP CRL OCSP Inbound
MOBIKE IKEv2 IP PeerNotify PayloadIP DPDPeer IKE-SA IPsec-SA IP
NBTS ~ Nothing Better Than Security BoF ~ Nothing Better Than Security BoF IETF61thBoF BCP Pre-sharedCA IPsec Off-path-Attack Man-in-the-middle BGP
EasyCert ~Easy to use Certificates BOF~ PKI (, ) MIT CA SIP
RID (Realtime Inter Defense) RID DoS/DDoS RID NP RID
RID NP
RID 3 4 ISP3 ISP4 ISP9 ISPa C3 C4 G1 C9 Ca G5 1 2 ISP1 ISP2 ISP5 ISP6 ISP7 ISP8 ISPb ISPc C1 C2 G1 C5 C6 G3 C7 C8 G4 Cb Cc G6
IETF & (EasyCert, NBTS) (IKEv2) (MSEC, MOBIKE, INCH RID PKI