Application of IPv6 in Campus Networks - IP Security Analysis, Page 7

IPv4’s ESP transport mode
In the IPv6 context, ESP is viewed as an end-to-end payload, and thus should appear after hop-by-hop, routing, and fragmentation extension headers. Destination options extension header(s) could appear before, after, or both before and after the ESP header depending on the semantics desired. However, because ESP protects only fields after the ESP header, it generally will be desirable to place the destination options header(s) after the ESP header. The following diagram illustrates ESP transport mode positioning for a typical IPv6 packet.
 
IPv6’s ESP transport mode
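The ordering rule above can be checked on a packet by walking the extension-header chain and listing what sits in front of ESP. The following is an added example, not part of the original page; the packet builder, the SPI value 0x1001 and the all-zero addresses are constructed sample data.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, DEST_OPTS = 0, 43, 44, 50, 60
NAMES = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-opts"}

def headers_outside_esp(packet: bytes):
    """Return (extension headers seen before ESP, ESP SPI or None).

    Everything in the returned list precedes the ESP header, so ESP
    does not protect it. Headers after ESP are covered by ESP.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, seen = packet[6], 40, []
    while nxt in NAMES:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        seen.append(NAMES[nxt])
        # Fragment header is always 8 bytes; the others are (Hdr Ext Len + 1) * 8
        length = 8 if nxt == FRAGMENT else (packet[off + 1] + 1) * 8
        nxt, off = packet[off], off + length
    if nxt != ESP or off + 8 > len(packet):
        return seen, None          # no (complete) ESP header in this chain
    spi, _seq = struct.unpack_from("!II", packet, off)
    return seen, spi

def dest_opts_unprotected(packet: bytes) -> bool:
    """True when a destination options header precedes ESP."""
    seen, spi = headers_outside_esp(packet)
    return spi is not None and "dest-opts" in seen

def build_sample(chain):
    """Constructed packet: the given extension headers, then ESP."""
    order = list(chain) + [ESP]
    body = b"".join(bytes([order[i + 1], 0]) + bytes(6) for i in range(len(chain)))
    body += struct.pack("!II", 0x1001, 1) + bytes(16)   # SPI, sequence, opaque data
    fixed = struct.pack("!IHBB", 6 << 28, len(body), order[0], 64)
    return fixed + bytes(16) + bytes(16) + body          # all-zero src and dst

if __name__ == "__main__":
    for chain in ([HOP_BY_HOP], [HOP_BY_HOP, DEST_OPTS]):
        pkt = build_sample(chain)
        print(headers_outside_esp(pkt), dest_opts_unprotected(pkt))
```

A destination options header reported in the first list travels outside ESP protection, which is the case the paragraph above recommends avoiding.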
Tunnel mode
The preceding sections provided an overview of AH transport mode and ESP transport mode.
AH Tunnel mode
In tunnel mode, the "inner" IP header carries the ultimate (IP) source and destination addresses, while an "outer" IP header contains the addresses of the IPsec "peers," e.g., addresses of security gateways. Mixed inner and outer IP versions are allowed, i.e., IPv6 over IPv4 and IPv4 over IPv6. In tunnel mode, AH protects the entire inner IP packet, including the entire inner IP header.  The position of AH in tunnel mode, relative to the outer IP header, is the same as for AH in transport mode.  The following diagram illustrates AH tunnel mode positioning for typical IPv4 and IPv6 packets. (* = if present, construction of outer IP hdr/extensions and modification of inner IP hdr/extensions is discussed in the Security Architecture document)
 
 AH tunnel mode
ESP Tunnel mode
In tunnel mode, the "inner" IP header carries the ultimate (IP) source and destination addresses, while an "outer" IP header contains the addresses of the IPsec "peers", e.g., addresses of security gateways. Mixed inner and outer IP versions are allowed, i.e., IPv6 over IPv4 and IPv4 over IPv6. In tunnel mode, ESP protects the entire inner IP packet, including the entire inner IP header. The position of ESP in tunnel mode, relative to the outer IP header, is the same as for ESP in transport mode. The following diagram illustrates ESP tunnel mode positioning for typical IPv4 and IPv6 packets.
 
ESP Tunnel mode
Chapter 5: Implementing IPsec
5.1 Configuring the lab platform for IPv4
5.1.1 The requirement analysis
We need more than three subnets in the lab to analyze Internet Protocol (IP) security. The first and second subnets communicate with one another. The third subnet acts as the opponent of the first subnet, the second subnet, or both. The user of the third subnet wants to read the messages that belong to his opponent, and he may obtain secrets that belong to the users of the first and second subnets. A message is to be transferred from the first party to the second party across some sort of internet. When the users of the first and second subnets exchange information, a logical information channel is established by defining a route through the internet from source to destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the subnets' users. The user of the third subnet can carry out a passive attack on the internet.
The structure of the lab’s platform
The following drawing shows that we have three subnets: 101.1.1.0/24, 102.2.2.0/24, 103.3.3.0/24 and 104.4.4.0/24. We have three routers and a number of personal computers and switches. The four subnets' IP addresses are allocated by the DHCP server.
5.1.2 Configuring the platform
Configuration of the server
The server runs Windows Server 2003 Enterprise Edition. First, you must install the DHCP service from Add or Remove Programs in Control Panel. After installing a DHCP server, we can use the DHCP console to perform these basic administrative server tasks:
Create three scopes
View and modify scope properties for scopes, such as setting additional exclusion ranges
Activate scopes
Monitor scope leasing activity by reviewing the active leases for each scope
Create reservations in scopes as needed for DHCP clients that require a permanent IP address for leased use.
After the configuration succeeds, the DHCP console shows that four scopes were activated.
 
DHCP console
Configure routers
On router2, we first assign the interfaces Ethernet 0/0 and 0/1 and Serial 1/0 and 1/1 the IP addresses 101.1.1.254/24, 202.203.132.115/26, 10.1.1.2/30 and 11.1.1.1/30. Second, we must add three static routes to router1 and router3.
We can see the result in the following configuration file:
#
interface Ethernet0/0
ip address 101.1.1.254 255.255.255.0
#
interface Ethernet0/1
ip address 202.203.132.115 255.255.255.192
#
interface Serial1/0
link-protocol ppp
ip address 10.1.1.2 255.255.255.252
#
interface Serial1/1
link-protocol ppp
ip address 11.1.1.1 255.255.255.252
#
ip route-static 102.2.2.0 24 11.1.1.2
ip route-static 103.3.3.0 24 10.1.1.1
ip route-static 104.4.4.0 24 11.1.1.2
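A quick consistency check for the listing above, as an added example that is not part of the original page: it parses the router2 configuration and confirms that every static route points at a next hop on a directly connected subnet. The function name and the messages are illustrative.

```python
import ipaddress

# Router2 configuration lines as listed on the page
ROUTER2_CFG = """\
interface Ethernet0/0
ip address 101.1.1.254 255.255.255.0
interface Ethernet0/1
ip address 202.203.132.115 255.255.255.192
interface Serial1/0
ip address 10.1.1.2 255.255.255.252
interface Serial1/1
ip address 11.1.1.1 255.255.255.252
ip route-static 102.2.2.0 24 11.1.1.2
ip route-static 103.3.3.0 24 10.1.1.1
ip route-static 104.4.4.0 24 11.1.1.2
"""

def check_static_routes(cfg: str):
    """Return a list of problems found in the static routes (empty if none)."""
    ifaces, routes, problems = [], [], []
    for line in cfg.splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"]:
            ifaces.append(ipaddress.ip_interface(f"{w[2]}/{w[3]}"))
        elif w[:2] == ["ip", "route-static"]:
            routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"),
                           ipaddress.ip_address(w[4])))
    for dest, hop in routes:
        if not any(hop in i.network for i in ifaces):
            problems.append(f"{dest}: next hop {hop} is not on a connected subnet")
        elif any(hop == i.ip for i in ifaces):
            problems.append(f"{dest}: next hop {hop} is the router's own address")
        if any(dest.overlaps(i.network) for i in ifaces):
            problems.append(f"{dest}: overlaps a directly connected subnet")
    return problems

if __name__ == "__main__":
    print(check_static_routes(ROUTER2_CFG) or "static routes are consistent")
```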
