IPsec Packet AH Encapsulation
IPsec is built from two security protocols: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH provides data-origin authentication, connectionless integrity and, through its sequence number, optional anti-replay protection for the whole IP packet. It provides no confidentiality: everything after the AH header travels in the clear.
1. AH header format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Next Header   |  Payload Len  |          RESERVED             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 Security Parameters Index (SPI)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Sequence Number Field                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                Integrity Check Value-ICV (variable)           |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2. AH header field descriptions
| Field | Length | Description |
|---|---|---|
| Next Header | 8 bits | Protocol number of the payload that follows the AH header, using the same numbering as the IPv4 Protocol / IPv6 Next Header field (for example 6 = TCP, 17 = UDP, 50 = ESP, 4 = IP-in-IP in tunnel mode). |
| Payload Len | 8 bits | Length of the AH header in 32-bit words, minus 2. With a 96-bit ICV the value is 4: 3 words of fixed header plus 3 words of ICV, minus 2. The total AH length must be a multiple of 32 bits for IPv4 and of 64 bits for IPv6; the ICV is padded if needed to meet this. |
| RESERVED | 16 bits | Reserved for future use. Must be set to zero when sending and is ignored on receipt, but it is still included in the ICV calculation. |
| Security Parameters Index | 32 bits | Arbitrary 32-bit value that, together with the destination address and the protocol (AH), lets the receiver look up the Security Association (SA) for the packet. Values 1-255 are reserved by IANA; 0 is for local use only and must not appear on the wire. |
| Sequence Number Field | 32 bits | Unsigned counter kept per SA (not global): it starts at 0 when the SA is created and is incremented before each packet is sent, so the first packet on an SA carries 1. The receiver uses it for anti-replay. The counter must not wrap, so a new SA has to be negotiated before 2^32 packets (or Extended Sequence Numbers used). |
| Integrity Check Value-ICV | variable | Integrity check value, typically a truncated HMAC (96 bits for HMAC-MD5-96 / HMAC-SHA1-96, 128 bits for HMAC-SHA-256-128). Its length must be a multiple of 32 bits, with padding as required by the alignment rule under Payload Len. |
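The field layout in the table, turned into a parser, plus the sliding-window anti-replay check that the Sequence Number field exists for (RFC 4302 section 3.4.3). This is an added example and not code from the original page. The sample packet is constructed from the values shown in the Wireshark dissection further down; the IPv4 header checksum is left at zero and the bytes after the AH header are a dummy ESP header, neither of which is taken from the capture.

```python
"""AH header parser and anti-replay window (added example, RFC 4302 layout)."""
import struct
from dataclasses import dataclass

IPPROTO_ESP = 50
IPPROTO_AH = 51
AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number


@dataclass
class AuthHeader:
    next_header: int
    payload_len: int    # on-the-wire value: AH length in 32-bit words minus 2
    reserved: int
    spi: int
    sequence: int
    icv: bytes

    @property
    def total_len(self) -> int:
        """Whole AH header in bytes (what Wireshark reports as 'Length')."""
        return (self.payload_len + 2) * 4


def parse_ah(buf: bytes, offset: int = 0) -> AuthHeader:
    """Parse the AH header at buf[offset]; raise ValueError if it is malformed."""
    if len(buf) - offset < AH_FIXED_LEN:
        raise ValueError("truncated AH header")
    next_header, payload_len, reserved, spi, seq = struct.unpack_from("!BBHII", buf, offset)
    total = (payload_len + 2) * 4
    # Payload Len 0 would claim a header shorter than its own fixed part.
    if total < AH_FIXED_LEN or len(buf) - offset < total:
        raise ValueError(f"Payload Len {payload_len} does not fit the buffer")
    # Reserved must be zero on send and is ignored on receipt, so it is kept, not rejected.
    icv = buf[offset + AH_FIXED_LEN:offset + total]
    return AuthHeader(next_header, payload_len, reserved, spi, seq, icv)


def parse_ipv4_ah(pkt: bytes) -> AuthHeader:
    """Locate AH inside an IPv4 packet (Protocol = 51) and parse it."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    if pkt[9] != IPPROTO_AH:
        raise ValueError(f"IP protocol {pkt[9]} is not AH")
    return parse_ah(pkt, ihl)


def ah_is_well_formed(pkt: bytes) -> bool:
    try:
        parse_ipv4_ah(pkt)
        return True
    except ValueError:
        return False


class ReplayWindow:
    """Sliding-window anti-replay check for 32-bit sequence numbers (no ESN).
    Call check() only after the ICV verified: a forged packet must not move the window."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already received

    def check(self, seq: int) -> bool:
        if seq == 0:
            return False                    # first packet on an SA is 1; 0 is never valid
        if seq > self.top:                  # right of the window: slide it forward
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                    # left of the window: too old
        if self.bitmap & (1 << diff):
            return False                    # inside the window but already seen: replay
        self.bitmap |= 1 << diff
        return True


# Constructed sample: IPv4 | AH (96-bit ICV) | dummy ESP header, from the dissection values.
_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 24 + 8, 0x029A, 0, 255, IPPROTO_AH,
                  0, bytes([10, 6, 7, 8]), bytes([10, 6, 7, 10]))   # checksum left 0
_AH = bytes.fromhex("3204" "0000" "2ff1ca42" "00000001" "f9c2e208697acabb0c81f575")
_ESP = struct.pack("!II", 0xAA40DD69, 1)
SAMPLE_PKT = _IP + _AH + _ESP


def describe(pkt: bytes) -> dict:
    ah = parse_ipv4_ah(pkt)
    return {"next_header": ah.next_header, "ah_len": ah.total_len,
            "payload_len_field": ah.payload_len, "spi": ah.spi, "seq": ah.sequence,
            "icv_bits": len(ah.icv) * 8, "icv": ah.icv.hex()}


if __name__ == "__main__":
    print(describe(SAMPLE_PKT))
```

The parser checks Payload Len against the buffer before slicing the ICV; a dissector that trusts the length field is the classic way to read past the end of a packet. The window slides on any larger sequence number, which is why it must only be fed packets whose ICV already verified.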
3. IPsec packet example (Wireshark dissection)
Frame 4: 174 bytes on wire (1392 bits), 174 bytes captured (1392 bits)
    Arrival Time: Mar 9, 2005 18:43:22.031525000
    Epoch Time: 1110365002.031525000 seconds
    [Time delta from previous captured frame: 2.002245001 seconds]
    [Time delta from previous displayed frame: 2.002245001 seconds]
    [Time since reference or first frame: 2.022646000 seconds]
    Frame Number: 4
    Frame Length: 174 bytes (1392 bits)
    Capture Length: 174 bytes (1392 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:ah:esp]
Ethernet II, Src: HuaweiTe_1d:64:0d (00:e0:fc:1d:64:0d), Dst: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
    Destination: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
        Address: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: HuaweiTe_1d:64:0d (00:e0:fc:1d:64:0d)
        Address: HuaweiTe_1d:64:0d (00:e0:fc:1d:64:0d)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.6.7.8 (10.6.7.8), Dst: 10.6.7.10 (10.6.7.10)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 160
    Identification: 0x029a (666)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: AH (51)
    Header checksum: 0xa073 [correct]
        [Good: True]
        [Bad: False]
    Source: 10.6.7.8 (10.6.7.8)
    Destination: 10.6.7.10 (10.6.7.10)
Authentication Header
    Next Header: ESP (0x32)
    Length: 24
    AH SPI: 0x2ff1ca42
    AH Sequence: 1
    AH ICV: f9c2e208697acabb0c81f575
Encapsulating Security Payload
    ESP SPI: 0xaa40dd69
    ESP Sequence: 1
Reading the dissection against the table above: the IP Protocol field is 51, so AH follows the 20-byte IP header. Wireshark's "Length: 24" is the decoded byte length of the AH header (12-byte fixed part plus a 12-byte ICV), so the on-wire Payload Len is 24 / 4 - 2 = 4. The ICV is 96 bits, which fits HMAC-MD5-96 or HMAC-SHA1-96; which one was used is an SA property and cannot be told from the packet. Next Header 0x32 (50) means ESP is carried inside AH, the AH-outside-ESP combination of section 4.3, and the ESP part occupies the remaining 160 - 20 - 24 = 116 bytes. Both SAs are on their first packet (sequence number 1).
4. IPsec encapsulation structure
IPsec has two encapsulation modes.
Transport mode: the AH or ESP header is inserted after the IP header and before any transport-layer header (or before any other IPsec header). The original IP header stays in place and remains visible.
Tunnel mode: the AH or ESP header is inserted in front of the original IP header, and a new outer IP header is generated and placed before AH or ESP, so the whole original packet becomes the protected payload.
AH and ESP can also be combined on one packet.
4.1 AH encapsulation, transport mode
|<-------- Authenticated fields (excluding mutable IP header fields) --------->|
+-------------------+-------------------+------------------------+-------------+
|     IP Header     |     AH Header     |     TCP/UDP Header     |    Data     |
|   (protocol=51)   |                   |                        |             |
+-------------------+-------------------+------------------------+-------------+
The ICV covers the entire packet, including the IP header, except for the fields a router may legitimately change in transit (DSCP/ECN, Flags, Fragment Offset, TTL, Header Checksum), which are treated as zero when the ICV is computed. The source and destination addresses are covered, which is why AH does not survive NAT.
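How the transport-mode coverage shown above works in practice: build IPv4 | AH | payload, zero the mutable IPv4 fields and the ICV field, compute the ICV, then verify it at the receiver. This is an added example, not code from the original page. It assumes HMAC-SHA1-96 (RFC 2404) as the integrity algorithm, an IPv4 header without options, and a made-up key, addresses, SPI and UDP payload.

```python
"""AH ICV computation and verification, IPv4 transport mode, HMAC-SHA1-96 (added example)."""
import hashlib
import hmac
import struct

IPPROTO_UDP = 17
IPPROTO_AH = 51
ICV_LEN = 12    # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over the IPv4 header (checksum field zeroed by the caller)."""
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, total_len: int, proto: int, ident: int = 0x1234) -> bytes:
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ah_icv_input(pkt: bytes) -> bytes:
    """The packet as the ICV sees it: mutable IPv4 fields and the ICV itself set to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    if ihl != 20:
        raise NotImplementedError("IPv4 options (mutable/immutable per option) are not handled here")
    buf = bytearray(pkt)
    buf[1] = 0                      # DSCP / ECN
    buf[6:8] = b"\0\0"              # Flags + Fragment Offset
    buf[8] = 0                      # TTL
    buf[10:12] = b"\0\0"            # Header Checksum
    ah_len = (buf[ihl + 1] + 2) * 4
    buf[ihl + 12:ihl + ah_len] = bytes(ah_len - 12)   # ICV field
    return bytes(buf)


def compute_icv(key: bytes, pkt: bytes) -> bytes:
    return hmac.new(key, ah_icv_input(pkt), hashlib.sha1).digest()[:ICV_LEN]


def seal_transport_ah(key: bytes, src: str, dst: str, ttl: int, spi: int, seq: int,
                      next_proto: int, payload: bytes) -> bytes:
    """Sender: IPv4 | AH | payload in transport mode, with the ICV filled in."""
    ah_len = 12 + ICV_LEN                       # 24 bytes -> Payload Len = 24 / 4 - 2 = 4
    ah = struct.pack("!BBHII", next_proto, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    ip = build_ipv4(src, dst, ttl, 20 + ah_len + len(payload), IPPROTO_AH)
    pkt = ip + ah + payload
    icv = compute_icv(key, pkt)
    return pkt[:20 + 12] + icv + pkt[20 + 12 + ICV_LEN:]


def verify_transport_ah(key: bytes, pkt: bytes) -> bool:
    """Receiver: recompute the ICV and compare it in constant time."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_AH:
        return False
    ah_len = (pkt[ihl + 1] + 2) * 4
    received = pkt[ihl + 12:ihl + ah_len]
    if len(received) != ICV_LEN:
        return False
    return hmac.compare_digest(received, compute_icv(key, pkt))


def forward_one_hop(pkt: bytes) -> bytes:
    """What a router does: decrement TTL and fix the checksum. Both are mutable fields."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def nat_rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """What a source NAT does: rewrite the source address. That field is authenticated."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = bytes(int(x) for x in new_src.split("."))
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def tamper(pkt: bytes, offset: int) -> bytes:
    b = bytearray(pkt)
    b[offset] ^= 0x01
    return bytes(b)


# Constructed demo inputs; a real key comes from IKE, never from a constant.
KEY = bytes.fromhex("0b" * 20)
PAYLOAD = struct.pack("!HHHH", 5000, 5001, 8 + 5, 0) + b"hello"     # UDP header + data
SEALED = seal_transport_ah(KEY, "10.6.7.8", "10.6.7.10", 255, 0x2FF1CA42, 1, IPPROTO_UDP, PAYLOAD)

if __name__ == "__main__":
    print("valid:", verify_transport_ah(KEY, SEALED))
    print("after a hop:", verify_transport_ah(KEY, forward_one_hop(SEALED)))
    print("after NAT:", verify_transport_ah(KEY, nat_rewrite_src(SEALED, "203.0.113.5")))
```

The two simulated middleboxes make the coverage concrete: a TTL decrement leaves the ICV valid because TTL and checksum are zeroed in the ICV input, while a source-address rewrite fails verification because addresses are immutable fields. The comparison uses hmac.compare_digest so that a forger cannot learn the ICV byte by byte from timing.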
4.2 AH encapsulation, tunnel mode
|<------ Authenticated fields (excluding mutable outer IP header fields) ------>|
+-----------------+-------------+-------------+------------------+--------------+
|  New IP Header  |  AH Header  |  IP Header  |  TCP/UDP Header  |     Data     |
|  (protocol=51)  |             |             |                  |              |
+-----------------+-------------+-------------+------------------+--------------+
Here the original IP header is part of the authenticated payload, so it is protected in full; only the mutable fields of the new outer header are excluded. The AH Next Header value is 4 (IP-in-IP) for an encapsulated IPv4 packet.
4.3 AH and ESP combined
When both protocols are applied to the same packet AH is placed outside ESP. AH then authenticates the ESP header, the encrypted payload and the ESP trailer and ICV as well as the IP header, while ESP's own integrity check never covers the IP header and ESP's encryption covers only the data from the transport header to the ESP trailer.
Transport mode:
|<------- AH authenticated (excluding mutable IP header fields) ------->|
|                        |<-------- ESP authenticated -------->|        |
|                        |        |<----- ESP encrypted ------>|        |
+---------------+--------+--------+---------+--------+---------+--------+
|   IP Header   |   AH   |  ESP   | TCP/UDP |  Data  |   ESP   |  ESP   |
| (protocol=51) | Header | Header | Header  |        | Trailer |  Auth  |
+---------------+--------+--------+---------+--------+---------+--------+
Tunnel mode:
|<-------- AH authenticated (excluding mutable outer IP header fields) --------->|
|                        |<------------ ESP authenticated ------------->|        |
|                        |        |<---------- ESP encrypted ---------->|        |
+---------------+--------+--------+--------+---------+--------+---------+--------+
| New IP Header |   AH   |  ESP   |   IP   | TCP/UDP |  Data  |   ESP   |  ESP   |
| (protocol=51) | Header | Header | Header | Header  |        | Trailer |  Auth  |
+---------------+--------+--------+--------+---------+--------+---------+--------+