SIP Security - IP-Sec - AH-Authentication and ESP-Encapsulating Security Visualized
February 27, 2008
They say a picture is worth a 1,000 words, an animation ten times that, and even more as the complexity of the problem increases. I have read 30-page white-papers on IP-security and it's still “techno-babble.” Here’s the animated tutorial. If you are brave enough, the text explanation is below the animation.
The IP AH-Authentication Header adds another security check by adding another label or tag to the IP packet/datagram. AH supports TCP-Transmission Control Protocol and UDP-User Datagram Protocol. The IP AH-Authentication Header fits in between the original IP header and the TCP/UDP header. Shown here is the format for IP-Security Transport Mode. This is the format for IP-Security Tunnel Mode, where the original IP packet, TCP header and data are encrypted and a new IP header is used to route the packet.

A Transitive Trust provides the means to transmit trust from one domain or server to another without having to authenticate the client again. This may reduce the need for Tunnel Mode within one network or between trusted networks.

IP ESP-Encapsulating Security Payload, like AH, seeks to enhance security; it does so by encrypting the data to be protected. ESP can be used to encrypt Transport Layer 4 protocols such as TCP, UDP and ICMP-Internet Control Message Protocol, or the entire IP packet. The SPI-Security Payload Identifier is a 32-bit pseudo-random value identifying the security association. If no security association has been assigned, the value is 0x00000000. This is the format for ESP IP-Security Transport Mode, where the original IP header is not encrypted but the TCP header, data and ESP trailer are encrypted, and an ESP authentication field is appended. This is the format for ESP IP-Security Tunnel Mode, where the original IP packet, TCP header, data and ESP trailer are encrypted, a new IP header is used to route the packet, and an ESP authentication field is appended.

Since we are discussing security, let's review the role of other packet schemes. GRE-Generic Routing Encapsulation packages arbitrary packets within an arbitrary Transport-Layer 4 protocol. GRE can be used with IP, using IP as the delivery or payload (data) protocol. Next you will see GRE used in PPTP. PPTP encapsulates IP packets in a tunnel across a TCP/IP network.
PPTP is a special communications connection using a special TCP-Transmission Control Protocol port (special place of entry) to create a tunnel.
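To make the ESP layout above concrete, here is an added worked example (not code from the original post or from the SIP Essentials course) that frames a constructed payload as ESP header, payload, trailer and authentication field, then parses it back and reports which part would be encrypted, which part would be authenticated, and whether the SPI names a security association or is the unassigned 0x00000000. The cipher and the authenticator are stand-ins so the field layout is what shows.

```python
import struct

# Next-header values that tell a receiver what ESP is carrying (constructed
# mapping for this example): IPv4 (4) means a whole IP packet was encapsulated,
# i.e. tunnel mode; TCP (6) or UDP (17) means transport mode.
NEXT_HEADER_NAMES = {4: "IPv4 (tunnel mode)", 6: "TCP (transport mode)",
                     17: "UDP (transport mode)"}

def build_esp(spi, seq, inner, next_header, block=4, icv_len=12):
    """Frame `inner` as [ESP header][payload][pad][pad len][next hdr][ICV].

    The cipher and MAC are stand-ins (identity and a fixed byte pattern);
    the point is the field layout the animation shows, not real cryptography.
    """
    if not 0 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI is a 32-bit field")
    header = struct.pack("!II", spi, seq)          # SPI, sequence number
    pad_len = (-(len(inner) + 2)) % block           # align payload+trailer to block
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = inner + trailer                    # would be encrypted for real
    icv = bytes([0xAA]) * icv_len                   # would be a MAC over header+ciphertext
    return header + ciphertext + icv

def parse_esp(pkt, icv_len=12):
    """Undo build_esp and report what each region of the packet is."""
    if len(pkt) < 8 + 2 + icv_len:
        raise ValueError("packet too short for ESP header, trailer and ICV")
    spi, seq = struct.unpack("!II", pkt[:8])
    body, icv = pkt[8:-icv_len], pkt[-icv_len:]
    pad_len, next_header = body[-2], body[-1]
    inner = body[:len(body) - 2 - pad_len]
    return {
        "spi": spi,
        "sa_assigned": spi != 0,                    # 0x00000000 = no SA assigned
        "seq": seq,
        "next_header": next_header,
        "carrying": NEXT_HEADER_NAMES.get(next_header, "other"),
        "inner": inner,
        "encrypted_len": len(body),                 # payload + ESP trailer
        "authenticated_len": 8 + len(body),         # ESP header + encrypted part
        "icv_len": len(icv),
    }

if __name__ == "__main__":
    # Constructed transport-mode packet: a stand-in TCP header plus data inside ESP.
    pkt = build_esp(0x12345678, 1, b"TCP-header+data", 6)
    print(parse_esp(pkt))
```

Note that the outer IP header is never part of the ESP-authenticated region, which is why the post's tunnel-mode diagram needs a fresh IP header in front for routing.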
This tutorial is part of SIP Essentials 2.0c, available in the onsite and online courses. The online version is $299 for SIP 2.0c, or $499 as part of the OCS-101 Office Communications Server online version, per person, or less with discounts. For more information go to http://www.techtionary.com, or call Tom Cross at 303-594-1694 or cross@gocross.com. Discounts are also available to members of the SIP Forum. For a complete detailed course outline go to: http://www.techtionary.com/ocs/sip-essentials.htm