IPsec IKE Packet Format
The Internet Key Exchange protocol, IKE, is the signaling protocol of IPsec: it negotiates the security associations and keys that the IPsec data-plane protocols (AH/ESP) then use.
1. IKE Header Format
```
 0               7               15              23              31
+---------------------------------------------------------------+ -----
|                                                               |   |
+                     IKE_SA Initiator SPI                      +   |
|                                                               |   |
+---------------------------------------------------------------+   |
|                                                               |   |
+                     IKE_SA Responder SPI                      +   |
|                                                               |   |
+---------------------------------------------------------------+ IKE Header
| Next Payload  | MjVer | MnVer | Exchange Type |     Flags     |   |
+---------------------------------------------------------------+   |
|                          Message ID                           |   |
+---------------------------------------------------------------+   |
|                            Length                             |   |
+---------------------------------------------------------------+ -----
| Next Payload  |C|  RESERVED   |         Payload Length        | Payload Header
+---------------------------------------------------------------+ -----
|                                                               |
+                                                               +
|                            Payload                            |
+                                                               +
|                                                               |
+---------------------------------------------------------------+
```
2. IKE Header Field Descriptions
Field | Length | Description |
---|---|---|
IKE_SA Initiator SPI | 8 bytes | Chosen by the initiator to uniquely identify an IKE security association; this value must not be 0. |
IKE_SA Responder SPI | 8 bytes | Chosen by the responder to uniquely identify an IKE security association; it must be 0 in the first message of the IKE initial exchange and must not be 0 in any other message. |
Next Payload | 1 byte | Type of the payload immediately following the header. |
MjVer | 4 bits | Major version of the IKE protocol in use. |
MnVer | 4 bits | Minor version of the IKE protocol in use. |
Exchange Type | 1 byte | |
Flags | 1 byte | Options set for this message; a flag bit that is set means the corresponding option is in effect. |
Message ID | 4 bytes | Message identifier used to match each request with its response and to control retransmission of lost messages. It is essential to the protocol's security because it is what suppresses replay attacks. |
Length | 4 bytes | Length of the whole message (header plus payloads), in bytes. |
Next Payload | 1 byte | Type of the next payload in the message; set to 0 if the current payload is the last one. |
C (Critical) | 1 bit | Note: the C bit applies to the current payload, not to the next one. |
RESERVED | 7 bits | Must be set to 0 when sending and ignored on receipt. |
Payload Length | 2 bytes | Length of the current payload, including the generic payload header, in bytes. |
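The following Python is an added example, not code from the original page: it parses the 28-byte IKE header, walks the chain of generic payload headers and enforces the rules stated in the table (non-zero Initiator SPI, Length covering the whole message, every Payload Length at least 4 bytes and inside the message, the last payload's Next Payload being 0). The header layout is shared by ISAKMP/IKEv1, which the captured frames below use, and IKEv2. The sample message is constructed to mirror the header of the Key Exchange frame in section 4 (cookies, Next Payload 4, version 1.0, Main Mode, Length 148); its 96-byte Key Exchange body is filler because the capture truncates that field, while the nonce is the value shown there. When the Encryption flag is set, as in the Identification and Quick Mode frames, the bytes after the header are ciphertext and the parser stops at the header rather than guessing at payloads.

```python
# Added example (not code from the original page): parser for the 28-byte IKE
# header and the generic payload-header chain described in the table above.
import struct
from dataclasses import dataclass, field
from typing import List

IKE_HEADER_LEN = 28
PAYLOAD_HEADER_LEN = 4
FLAG_ENCRYPTION = 0x01      # ISAKMP "Encryption" bit, as decoded in the page's frames
# Type numbers as they appear in the page's decoded frames (ISAKMP numbering)
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 32: "Quick Mode"}
PAYLOAD_TYPES = {0: "NONE", 1: "Security Association", 4: "Key Exchange",
                 5: "Identification", 8: "Hash", 10: "Nonce"}

class IkeFormatError(ValueError):
    """The message violates a rule of the header format."""

@dataclass
class Payload:
    ptype: int          # type of this payload (the previous header's Next Payload)
    next_payload: int   # Next Payload of this payload's generic header; 0 = last
    critical: bool      # C bit (IKEv2); the byte is RESERVED (0) in the IKEv1 frames
    length: int         # Payload Length, including the 4-byte generic header
    body: bytes

@dataclass
class IkeMessage:
    initiator_spi: int
    responder_spi: int
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int
    encrypted: bool
    payloads: List[Payload] = field(default_factory=list)

def parse_ike_message(data: bytes) -> IkeMessage:
    """Parse the fixed header, then walk the payload chain unless it is encrypted."""
    if len(data) < IKE_HEADER_LEN:
        raise IkeFormatError("truncated IKE header")
    ispi, rspi, nxt, version, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", data[:IKE_HEADER_LEN])
    if ispi == 0:
        raise IkeFormatError("Initiator SPI must not be 0")
    if length != len(data):          # Length covers header + all payloads
        raise IkeFormatError(f"Length field {length} != {len(data)} bytes received")
    msg = IkeMessage(ispi, rspi, nxt, version >> 4, version & 0x0F, exch, flags,
                     msg_id, length, bool(flags & FLAG_ENCRYPTION))
    if msg.encrypted:                # everything after the header is ciphertext
        return msg
    offset, ptype = IKE_HEADER_LEN, nxt
    while ptype != 0:
        if offset + PAYLOAD_HEADER_LEN > length:
            raise IkeFormatError("generic payload header runs past Length")
        nxt, cbyte, plen = struct.unpack("!BBH", data[offset:offset + PAYLOAD_HEADER_LEN])
        if plen < PAYLOAD_HEADER_LEN or offset + plen > length:
            raise IkeFormatError(f"bad Payload Length {plen} at offset {offset}")
        msg.payloads.append(Payload(ptype, nxt, bool(cbyte & 0x80), plen,
                                    data[offset + PAYLOAD_HEADER_LEN:offset + plen]))
        offset, ptype = offset + plen, nxt
    if offset != length:
        raise IkeFormatError(f"{length - offset} trailing bytes after the last payload")
    return msg

def describe(msg: IkeMessage) -> List[str]:
    """Header and payload chain, one line each, in the style of the page's decodes."""
    lines = [f"Initiator cookie: {msg.initiator_spi:016x}",
             f"Responder cookie: {msg.responder_spi:016x}",
             f"Next payload: {PAYLOAD_TYPES.get(msg.next_payload, '?')} ({msg.next_payload})",
             f"Version: {msg.major}.{msg.minor}",
             f"Exchange type: {EXCHANGE_TYPES.get(msg.exchange_type, '?')} ({msg.exchange_type})",
             f"Flags: 0x{msg.flags:02x}", f"Message ID: 0x{msg.message_id:08x}",
             f"Length: {msg.length}"]
    for p in msg.payloads:
        lines.append(f"  Type Payload: {PAYLOAD_TYPES.get(p.ptype, '?')} ({p.ptype}),"
                     f" next {p.next_payload}, length {p.length}")
    if msg.encrypted:
        lines.append(f"  Encrypted Data ({msg.length - IKE_HEADER_LEN} bytes)")
    return lines

def sample_main_mode_ke_message() -> bytes:
    """Constructed sample mirroring the header of the Key Exchange frame in section 4.
    The 96-byte KE body is filler (the capture truncates it); the nonce is the value
    shown there. 28 + 100 + 20 = 148, the Length that frame reports."""
    ke_body = bytes(range(96))                                  # constructed filler
    nonce_body = bytes.fromhex("aa570fd46d584c1686e52ddc6125f500")
    ke = struct.pack("!BBH", 10, 0, 4 + len(ke_body)) + ke_body              # next: Nonce (10)
    nonce = struct.pack("!BBH", 0, 0, 4 + len(nonce_body)) + nonce_body      # next: NONE (0)
    header = struct.pack("!QQBBBBII", 0xEC699B01F0DC191A, 0x988EC7FF4123B62A,
                         4, 0x10, 2, 0x00, 0, IKE_HEADER_LEN + len(ke) + len(nonce))
    return header + ke + nonce

if __name__ == "__main__":
    print("\n".join(describe(parse_ike_message(sample_main_mode_ke_message()))))
```

Running the script prints the same header fields that the decoded frames below show, followed by the Key Exchange (length 100) and Nonce (length 20) payloads. The length checks are the part that matters for a receiver: a Payload Length that points past the end of the message, or a chain that does not end exactly at Length, is rejected before any payload body is interpreted.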
3. Example IPsec IKE Message (Security Association)
Frame 4: 304 bytes on wire (2432 bits), 304 bytes captured (2432 bits)
Arrival Time: May 7, 2005 20:00:52.978189000
Epoch Time: 1115467252.978189000 seconds
[Time delta from previous captured frame: 0.000321000 seconds]
[Time delta from previous displayed frame: 0.000321000 seconds]
[Time since reference or first frame: 0.310309000 seconds]
Frame Number: 4
Frame Length: 304 bytes (2432 bits)
Capture Length: 304 bytes (2432 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:gre:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: HuaweiTe_29:4a:a2 (00:e0:fc:29:4a:a2), Dst: HuaweiTe_48:90:4e (00:e0:fc:48:90:4e)
Destination: HuaweiTe_48:90:4e (00:e0:fc:48:90:4e)
Address: HuaweiTe_48:90:4e (00:e0:fc:48:90:4e)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: HuaweiTe_29:4a:a2 (00:e0:fc:29:4a:a2)
Address: HuaweiTe_29:4a:a2 (00:e0:fc:29:4a:a2)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.6.6.1 (10.6.6.1), Dst: 10.8.8.4 (10.8.8.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 290
Identification: 0x643f (25663)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 254
Protocol: GRE (47)
Header checksum: 0x3b5b [correct]
[Good: True]
[Bad: False]
Source: 10.6.6.1 (10.6.6.1)
Destination: 10.8.8.4 (10.8.8.4)
Generic Routing Encapsulation (IP)
Flags and Version: 0x0000
0... .... .... .... = Checksum Bit: No
.0.. .... .... .... = Routing Bit: No
..0. .... .... .... = Key Bit: No
...0 .... .... .... = Sequence Number Bit: No
.... 0... .... .... = Strict Source Route Bit: No
.... .000 .... .... = Recursion control: 0
.... .... 0000 0... = Flags (Reserved): 0
.... .... .... .000 = Version: GRE (0)
Protocol Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.14.14.1 (10.14.14.1), Dst: 10.14.14.4 (10.14.14.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 266
Identification: 0x643e (25662)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: UDP (17)
Header checksum: 0x1e84 [correct]
[Good: True]
[Bad: False]
Source: 10.14.14.1 (10.14.14.1)
Destination: 10.14.14.4 (10.14.14.4)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 246
Checksum: 0xb109 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: 66089b759c1dd9ba
Responder cookie: 94df4b78a8e4076f
Next payload: Security Association (1)
Version: 1.0
Exchange type: Aggressive (4)
Flags: 0x00
.... ...0 = Encryption: Not encrypted
.... ..0. = Commit: No commit
.... .0.. = Authentication: No authentication
Message ID: 0x00000000
Length: 238
Type Payload: Security Association (1)
Next payload: Key Exchange (4)
Payload length: 56
Domain of interpretation: IPSEC (1)
Situation: 00000001
.... .... .... .... .... .... .... ...1 = Identity Only: True
.... .... .... .... .... .... .... ..0. = Secrecy: False
.... .... .... .... .... .... .... .0.. = Integrity: False
Type Payload: Proposal (2) # 1
Next payload: NONE / No Next Payload (0)
Payload length: 44
Proposal number: 1
Protocol ID: ISAKMP (1)
SPI Size: 0
Proposal transforms: 1
Type Payload: Transform (3) # 0
Next payload: NONE / No Next Payload (0)
Payload length: 36
Transform number: 0
Transform ID: KEY_IKE (1)
Transform IKE Attribute Type (t=1,l=2) Encryption-Algorithm : DES-CBC
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Encryption-Algorithm (1)
Value: 0001
Encryption Algorithm: DES-CBC (1)
Transform IKE Attribute Type (t=2,l=2) Hash-Algorithm : SHA
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Hash-Algorithm (2)
Value: 0002
HASH Algorithm: SHA (2)
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Authentication-Method (3)
Value: 0001
Authentication Method: PSK (1)
Transform IKE Attribute Type (t=4,l=2) Group-Description : Default 768-bit MODP group
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Group-Description (4)
Value: 0001
Group Description: Default 768-bit MODP group (1)
Transform IKE Attribute Type (t=11,l=2) Life-Type : Seconds
1... .... .... .... = Transform IKE Format: Type/Value (TV)
Transform IKE Attribute Type: Life-Type (11)
Value: 0001
Life Type: Seconds (1)
Transform IKE Attribute Type (t=12,l=4) Life-Duration : 1
0... .... .... .... = Transform IKE Format: Type/Length/Value (TLV)
Transform IKE Attribute Type: Life-Duration (12)
Length: 4
Value: 00015180
Life Duration: 86400
Type Payload: Key Exchange (4)
Next payload: Nonce (10)
Payload length: 100
Key Exchange Data: bd92432d50a36c541335249c3a4f868ca5b24036987a13ad...
Type Payload: Nonce (10)
Next payload: Identification (5)
Payload length: 20
Nonce DATA: b8eae6228042a32e8fa029691616fa33
Type Payload: Identification (5)
Next payload: Hash (8)
Payload length: 10
ID type: FQDN (2)
Protocol ID: Unused
Port: Unused
Identification Data:R1
ID_FQDN: R1
Type Payload: Hash (8)
Next payload: NONE / No Next Payload (0)
Payload length: 24
Hash DATA: 8aedda5a91a9e67cf5b5fc4237463ff94295d6bc
4. Example IPsec IKE Message (Key Exchange)
Frame 3: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits)
Arrival Time: May 7, 2005 21:53:36.079496999
Epoch Time: 1115474016.079496999 seconds
[Time delta from previous captured frame: 0.200906999 seconds]
[Time delta from previous displayed frame: 0.200906999 seconds]
[Time since reference or first frame: 0.205238999 seconds]
Frame Number: 3
Frame Length: 214 bytes (1712 bits)
Capture Length: 214 bytes (1712 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:gre:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: HuaweiTe_43:84:45 (00:e0:fc:43:84:45), Dst: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
Destination: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
Address: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: HuaweiTe_43:84:45 (00:e0:fc:43:84:45)
Address: HuaweiTe_43:84:45 (00:e0:fc:43:84:45)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.13.13.5 (10.13.13.5), Dst: 10.8.8.4 (10.8.8.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 200
Identification: 0x8ab7 (35511)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: GRE (47)
Header checksum: 0x0632 [correct]
[Good: True]
[Bad: False]
Source: 10.13.13.5 (10.13.13.5)
Destination: 10.8.8.4 (10.8.8.4)
Generic Routing Encapsulation (IP)
Flags and Version: 0x0000
0... .... .... .... = Checksum Bit: No
.0.. .... .... .... = Routing Bit: No
..0. .... .... .... = Key Bit: No
...0 .... .... .... = Sequence Number Bit: No
.... 0... .... .... = Strict Source Route Bit: No
.... .000 .... .... = Recursion control: 0
.... .... 0000 0... = Flags (Reserved): 0
.... .... .... .000 = Version: GRE (0)
Protocol Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.15.15.5 (10.15.15.5), Dst: 10.15.15.4 (10.15.15.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 176
Identification: 0x8ab5 (35509)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: UDP (17)
Header checksum: 0xf460 [correct]
[Good: True]
[Bad: False]
Source: 10.15.15.5 (10.15.15.5)
Destination: 10.15.15.4 (10.15.15.4)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 156
Checksum: 0x22a3 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: ec699b01f0dc191a
Responder cookie: 988ec7ff4123b62a
Next payload: Key Exchange (4)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x00
.... ...0 = Encryption: Not encrypted
.... ..0. = Commit: No commit
.... .0.. = Authentication: No authentication
Message ID: 0x00000000
Length: 148
Type Payload: Key Exchange (4)
Next payload: Nonce (10)
Payload length: 100
Key Exchange Data: ef2e8b06cd441eda2127a4925ea1fb8e035df4b082ae4666...
Type Payload: Nonce (10)
Next payload: NONE / No Next Payload (0)
Payload length: 20
Nonce DATA: aa570fd46d584c1686e52ddc6125f500
5. Example IPsec IKE Message (Identification)
Frame 5: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits)
Arrival Time: May 7, 2005 21:53:36.506457999
Epoch Time: 1115474016.506457999 seconds
[Time delta from previous captured frame: 0.291198999 seconds]
[Time delta from previous displayed frame: 0.291198999 seconds]
[Time since reference or first frame: 0.632199999 seconds]
Frame Number: 5
Frame Length: 134 bytes (1072 bits)
Capture Length: 134 bytes (1072 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:gre:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: HuaweiTe_43:84:45 (00:e0:fc:43:84:45), Dst: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
Destination: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
Address: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: HuaweiTe_43:84:45 (00:e0:fc:43:84:45)
Address: HuaweiTe_43:84:45 (00:e0:fc:43:84:45)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.13.13.5 (10.13.13.5), Dst: 10.8.8.4 (10.8.8.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 120
Identification: 0x8aba (35514)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: GRE (47)
Header checksum: 0x067f [correct]
[Good: True]
[Bad: False]
Source: 10.13.13.5 (10.13.13.5)
Destination: 10.8.8.4 (10.8.8.4)
Generic Routing Encapsulation (IP)
Flags and Version: 0x0000
0... .... .... .... = Checksum Bit: No
.0.. .... .... .... = Routing Bit: No
..0. .... .... .... = Key Bit: No
...0 .... .... .... = Sequence Number Bit: No
.... 0... .... .... = Strict Source Route Bit: No
.... .000 .... .... = Recursion control: 0
.... .... 0000 0... = Flags (Reserved): 0
.... .... .... .000 = Version: GRE (0)
Protocol Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.15.15.5 (10.15.15.5), Dst: 10.15.15.4 (10.15.15.4)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 96
Identification: 0x8ab8 (35512)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: UDP (17)
Header checksum: 0xf4ad [correct]
[Good: True]
[Bad: False]
Source: 10.15.15.5 (10.15.15.5)
Destination: 10.15.15.4 (10.15.15.4)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 76
Checksum: 0xea7a [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: ec699b01f0dc191a
Responder cookie: 988ec7ff4123b62a
Next payload: Identification (5)
Version: 1.0
Exchange type: Identity Protection (Main Mode) (2)
Flags: 0x01
.... ...1 = Encryption: Encrypted
.... ..0. = Commit: No commit
.... .0.. = Authentication: No authentication
Message ID: 0x00000000
Length: 68
Encrypted Data (40 bytes)
6. Example IPsec IKE Message (Quick Mode)
Frame 3: 94 bytes on wire (752 bits), 94 bytes captured (752 bits)
Arrival Time: Mar 9, 2005 18:43:20.029279999
Epoch Time: 1110365000.029279999 seconds
[Time delta from previous captured frame: 0.000596999 seconds]
[Time delta from previous displayed frame: 0.000596999 seconds]
[Time since reference or first frame: 0.020400999 seconds]
Frame Number: 3
Frame Length: 94 bytes (752 bits)
Capture Length: 94 bytes (752 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ip:udp:isakmp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: HuaweiTe_1d:64:0d (00:e0:fc:1d:64:0d), Dst: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
Destination: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
Address: HuaweiTe_01:fb:d1 (00:e0:fc:01:fb:d1)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: HuaweiTe_1d:64:0d (00:e0:fc:1d:64:0d)
Address: HuaweiTe_1d:64:0d (00:e0:fc:1d:64:0d)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.6.7.8 (10.6.7.8), Dst: 10.6.7.10 (10.6.7.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 80
Identification: 0x0299 (665)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: UDP (17)
Header checksum: 0xa0e6 [correct]
[Good: True]
[Bad: False]
Source: 10.6.7.8 (10.6.7.8)
Destination: 10.6.7.10 (10.6.7.10)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Source port: isakmp (500)
Destination port: isakmp (500)
Length: 60
Checksum: 0xdd1b [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Internet Security Association and Key Management Protocol
Initiator cookie: f98d6b82ac868487
Responder cookie: 6bd7453d4fe4fa69
Next payload: Hash (8)
Version: 1.0
Exchange type: Quick Mode (32)
Flags: 0x01
.... ...1 = Encryption: Encrypted
.... ..0. = Commit: No commit
.... .0.. = Authentication: No authentication
Message ID: 0x3a2758e4
Length: 52
Encrypted Data (24 bytes)