Diagram 8.20 Iterated Tunneling
[Diagram: Host A sits behind Security Gateway A and Host B behind Security Gateway B, with the two gateways connected across the Internet. Configuration I: Host-to-Host (SA ESP tunnel) and Host-to-Gateway (SA ESP (or AH) tunnel). Configuration II: Host-to-Host (SA ESP tunnel) and Gateway-to-Gateway (SA ESP (or AH) tunnel).]
In configuration I, the host-to-gateway tunnel allows Host B to reach Host
A's security gateway, after which it may gain access to a server behind the
gateway. Both Host A and Host B are IPSec enabled, so they communicate via an
SA through the tunnel that connects them.
In configuration II, the gateway-to-gateway tunnel may provide both authen-
tication and confidentiality for all traffic between the two networks. Moreover,
since the tunnel is in ESP mode, it also contributes a certain qualified amount
of traffic confidentiality. With the SA tunnel between hosts, we have end-to-end
security in either configuration.
The next protocol to be discussed in detail is a major component of IPSec,
which we mentioned at the outset of this section, the AH. It renders services
that protect against attacks levelled at networks, such as spoofing, where an
adversary creates packets with some other entity's IP address and then exploits
those software applications that rely on IP-address authentication; replay
attacks; and packet sniffing, where an attacker reads login and database
information.
Authentication Header Protocol
These fields are presented top-down in order (see Diagram 8.21 on page 307).
1. Next header: This 8-bit field identifies the header for the higher-level
protocol immediately following AH (such as ESP or TCP, for instance).
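The following is an added example, not code from the book, showing how a receiver uses the Next header field together with the rest of the AH layout. Only the Next header field is described on this page; the remaining fixed fields (Payload Len, Reserved, SPI, Sequence Number) and the sliding anti-replay window are taken from RFC 4302, and the protocol numbers (TCP = 6, ESP = 50, and so on) from the IANA registry. The ICV computation is deliberately simplified: it is HMAC-SHA1-96 (RFC 2404) over the AH header with a zeroed ICV plus the payload, whereas real AH also covers the immutable fields of the outer IP header. The key, SPI and packet contents are constructed for the demonstration.

```python
import hmac
import hashlib
import struct

AH_FIXED_LEN = 12   # next_header(1) payload_len(1) reserved(2) spi(4) seq(4)
ICV_LEN = 12        # HMAC-SHA1-96 truncates the 20-byte SHA-1 HMAC to 96 bits

# IANA protocol numbers carried in the Next Header field (not from the book page).
PROTO_NAMES = {6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


def build_ah(next_header, spi, seq, payload, key):
    """Construct AH header + ICV + payload (simplified ICV scope, see lead-in)."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # 32-bit words minus 2 (RFC 4302)
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    icv = hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv + payload


def parse_ah(data):
    """Split a packet into the AH fixed fields, the ICV and the upper-layer payload."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("AH fixed header is 12 bytes")
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    total_len = (payload_len + 2) * 4            # header length including the ICV
    if len(data) < total_len:
        raise ValueError("truncated AH: header claims %d bytes" % total_len)
    return {
        "next_header": next_hdr,
        "next_header_name": PROTO_NAMES.get(next_hdr, "unknown"),
        "spi": spi,
        "seq": seq,
        "icv": data[AH_FIXED_LEN:total_len],
        "payload": data[total_len:],
        "header_len": total_len,
    }


def verify_icv(data, key):
    """Recompute the ICV with the ICV bytes zeroed and compare in constant time."""
    hdr = parse_ah(data)
    n = hdr["header_len"]
    zeroed = data[:AH_FIXED_LEN] + bytes(n - AH_FIXED_LEN) + data[n:]
    expected = hmac.new(key, zeroed, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, hdr["icv"])


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4302 section 3.4.3.
    Bit 0 of the bitmap is the highest sequence number seen so far."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted
        self.bitmap = 0

    def accept(self, seq):
        if seq == 0:                                   # sequence numbers start at 1
            return False
        if seq > self.top:                             # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                          # older than the window
            return False
        if (self.bitmap >> diff) & 1:                  # already seen: replay
            return False
        self.bitmap |= 1 << diff
        return True


def receive(data, key, window):
    """Verify the ICV before touching the replay window, so a forged packet
    can never advance the window and shut out legitimate traffic."""
    hdr = parse_ah(data)
    if not verify_icv(data, key):
        return "bad-icv", hdr
    if not window.accept(hdr["seq"]):
        return "replay", hdr
    return "ok", hdr


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    window = ReplayWindow()
    pkt = build_ah(6, 0x1234, 1, b"tcp-segment", key)
    status, hdr = receive(pkt, key, window)
    print(status, hdr["next_header_name"], hex(hdr["spi"]), hdr["seq"])
    print(receive(pkt, key, window)[0])    # same packet again is a replay
```

The order inside `receive` is the point a practitioner should take from this: the Next header value tells the stack where to hand the packet after AH processing, but that hand-off must happen only after the ICV has been checked and the sequence number accepted, otherwise the spoofed and replayed packets the text mentions would reach the upper-layer protocol.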