Artech House Computer Security Series

Demystifying the IPsec Puzzle

SHEILA FRANKEL

Ex. 1011
Apple v. MPH Techs. Oy
IPR2019-00823
Demystifying the IPsec Puzzle

For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open systems in general, and the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce (e-commerce). Against this background, the field of computer security has become very broad and includes many topics of interest. The aim of this series is to publish state-of-the-art, high standard technical books on topics related to computer security. Further information about the series can be found on the WWW by the following URL:

http://www.esecurity.ch/serieseditor.html

Also, if you'd like to contribute to the series and write a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House.

Recent Titles in the Artech House Computer Security Series
Rolf Oppliger, Series Editor

Demystifying the IPsec Puzzle, Sheila Frankel
Information Hiding Techniques for Steganography and Digital Watermarking, Stefan Katzenbeisser and Fabien A. P. Petitcolas
Secure Messaging with PGP and S/MIME, Rolf Oppliger
Security Fundamentals for E-Commerce, Vesna Hassler
Security Technologies for the World Wide Web, Rolf Oppliger

For a listing of recent titles in the Artech House Computing Library, turn to the back of this book.

Demystifying the IPsec Puzzle

Sheila Frankel

Artech House
Boston • London
www.artechhouse.com

Library of Congress Cataloging-in-Publication Data
Frankel, Sheila.
Demystifying the IPsec puzzle / Sheila Frankel.
p. cm. (Artech House computer security series)
Includes bibliographical references and index.
ISBN 1-58053-079-6 (alk. paper)
1. IPSec (Computer network protocol)
I. Title. II. Series.
TK5105.567 .F73

British Library Cataloguing in Publication Data
Frankel, Sheila
Demystifying the IPsec puzzle. (Artech House computer security series)
1. IPSec (Computer network protocol)
I. Title
ISBN 1-58053-399-X

Cover design by Igor Valdman

© 2001 ARTECH HOUSE, INC.
685 Canton Street
Norwood, MA 02062

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

International Standard Book Number: 1-58053-079-6

10 9 8 7 6 5 4 3 2 1

To Mechy, my partner in everything important
and
to the most wonderful results (direct and indirect) of our collaboration,
Benjamin, Shlomit, Chana, Yaakov, Daniel and Eitan,
Sara, Nomi, Shana, and Aryeh

Contents

Preface

1 Introduction
1.1 The TCP/IP Protocol Stack
1.1.1 IP Packets
1.1.2 IP Packetization and Fragmentation
1.2 Introducing IPsec
1.3 Summary
1.4 Further Reading
References

2 The First Puzzle Piece: The Authentication Header
2.1 Protections Provided by AH
2.2 Security Associations and the Security Parameters Index
2.3 AH Format
2.4 AH Location
2.5 AH Modes
2.6 Nested Headers
2.7 Implementing IPsec Header Processing
2.8 AH Processing for Outbound Messages
2.9 AH Processing for Inbound Messages
2.10 Complications
2.11 Auditing
2.12 Threat Mitigation
2.13 Summary
2.14 Further Reading
References

3 The Second Puzzle Piece: The Encapsulating Security Payload
3.1 Protections Provided by ESP
3.2 Security Associations and the Security Parameters Index
3.3 ESP Header Format
3.4 ESP Header Location and Modes
3.5 Nested and Adjacent Headers
3.6 ESP Header Processing for Outbound Messages
3.7 ESP Header Processing for Inbound Messages
3.8 Complications
3.9 Criticisms and Counterclaims
3.10 Threat Mitigation
3.11 Why Two Security Headers?
3.12 Summary
3.13 Further Reading
References

4 The Third Puzzle Piece: The Cryptographic Algorithms
4.1 Underlying Principles
4.2 Authentication Algorithms
4.2.1 The MD5 Algorithm
4.2.2 The SHA-1 Algorithm
4.2.3 The HMAC Algorithm
4.2.4 Other Authentication Algorithms
4.3 The ESP Header Encryption Algorithms
4.3.1 The DES Algorithm
4.3.2 The Triple DES Algorithm
4.3.3 Other Encryption Algorithms
4.3.4 The AES Algorithm
4.4 Complications
4.5 Public Key Cryptography
4.5.1 Digital Signatures
4.5.2 Other Public Key Operations
4.5.3 The Diffie-Hellman Exchange
4.6 Conclusion
4.7 Further Reading
References

5 The Fourth Puzzle Piece: The Internet Key Exchange (IKE)
5.1 The IKE Two-Step Dance
5.2 Payloads and Exchanges
5.3 Authentication Methods
5.4 Proposals and Counterproposals
5.5 Cookies
5.6 The Security Association Payload
5.7 The Proposal Payload
5.8 The Message ID
5.9 Nonces
5.10 Identities and Identity Protection
5.11 Certificates and Certificate Requests
5.12 Keys and Diffie-Hellman Exchanges
5.13 Notifications
5.14 Lifetimes
5.15 Vendor IDs
5.16 The Phase 1 Negotiation
5.16.1 Main Mode
5.16.2 Aggressive Mode
5.16.3 Base Mode
5.17 The Phase 2 Negotiation
5.17.1 Quick Mode
5.17.2 The Commit Bit
5.18 New Group Mode
5.19 Informational Exchanges
5.20 The ISAKMP Header
5.21 The Generic Payload Header
5.22 The IKE State Machine
5.23 The Origins of IKE
5.24 An Example
5.25 Criticisms and Counterclaims
5.26 Threat Mitigation
5.27 Summary
5.28 Further Reading
References

6 The Fifth Puzzle Piece: IKE and the Road Warrior
6.1 Legacy Authentication Methods
6.2 ISAKMP Configuration Method
6.3 Extended Authentication
6.4 Hybrid Authentication
6.5 Challenge-Response for Authenticated Cryptographic Keys
6.6 User-Level Authentication
6.7 Credential-Based Approaches
6.8 Complications
6.9 Threat Mitigation
6.10 Summary
6.11 Further Reading
References

7 The Sixth Puzzle Piece: IKE Frills and Add-Ons
7.1 Renegotiation
7.2 Heartbeats
7.3 Initial Contact
7.4 Dangling SAs
7.5 Summary
7.6 Further Reading
References

8 The Glue: PF_KEY
8.1 The PF_KEY Messages
8.2 A Sample PF_KEY Exchange
8.3 Composition of PF_KEY Messages
8.4 Complications
8.5 Summary
8.6 Further Reading
Reference

9 The Missing Puzzle Piece: Policy Setting and Enforcement
9.1 The Security Policy Database
9.2 The Policy Problem
9.2.1 Policy Configuration
9.2.2 Policy Servers
9.2.3 Gateway Discovery
9.2.4 Policy Discovery
9.2.5 Policy Exchange
9.2.6 Policy Resolution
9.2.7 Policy Decorrelation
9.2.8 Policy Compliance Checking
9.3 Revisiting the Road Warrior
9.4 IPsec Policy Solutions
9.4.1 The IPsec Configuration Policy Model
9.4.2 The IPsec Policy Information Base
9.4.3 The Security Policy Protocol
9.4.4 The Security Policy Specification Language
9.4.5 The KeyNote Trust Management System
9.4.6 An Overall Plan
9.5 Summary
9.6 Further Reading
References

10 The Framework: Public Key Infrastructure (PKI)
10.1 PKI Functional Components
10.2 The PKI World View
10.3 The Life Cycle of a Certificate
10.4 PKI Protocol-Related Components
10.5 Certificates and CRLs
10.6 Certificate Formats
10.7 Certificate Contents
10.8 IKE and IPsec Considerations
10.9 Summary
10.10 Further Reading
References

11 The Unsolved Puzzle: Secure IP Multicast
11.1 Some Examples
11.2 Multicast Logistics
11.3 Functional Requirements
11.4 Security Requirements
11.4.1 Key Management
11.4.2 Secrecy
11.4.3 Data Integrity
11.4.4 Source Authentication
11.4.5 Order of Cryptographic Operations
11.4.6 Membership Management
11.4.7 Access-Related Issues
11.4.8 Policy Determination
11.4.9 Anonymity
11.4.10 Nonrepudiation
11.4.11 Service Availability
11.4.12 Firewall Traversal
11.4.13 Piracy
11.5 Whither IP Multicast Security?
11.6 Summary
11.7 Further Reading
References

12 The Whole Puzzle: Is IPsec the Correct Solution?
12.1 Advantages of IPsec
12.2 Disadvantages of IPsec
12.3 Alternatives to IPsec
12.3.1 Transport Layer Security Protocol
12.3.2 Layer 2 Tunneling Protocol
12.3.3 Point-to-Point Tunneling Protocol
12.4 IPsec Today
12.5 The Future of IPsec
12.6 Summary
12.7 Further Reading
References

List of Acronyms and Abbreviations

About the Author

Index

Preface

IPsec (Internet Protocol Security) has been publicized in the popular computer press. Numerous articles have heralded its ready-for-prime-time status, and, of course, numerous standards make up its quintessential and normative definition. But very few books attempt to systematically describe each facet of this ever-expanding creature. That is the goal of this book. It is directed at network administrators, informed users, and curious graduate students.

The book is organized as follows. Chapter 1 sets the stage with an introduction to TCP/IP, the basis for Internet communications. Each subsequent chapter discusses a different facet of IPsec:

• Chapters 2 and 3 examine the protocols that make up classic IPsec: the Authentication Header (AH) and the Encapsulating Security Payload (ESP).
• Chapter 4 discusses the cryptographic algorithms used in IPsec.
• Chapter 5 looks at the Internet Key Exchange (IKE), IPsec's key negotiation protocol.
• Chapter 6 applies IKE to the road warrior.
• Chapter 7 describes late-breaking additions to IKE.
• Chapter 8 examines PF_KEY, the protocol that enables IKE to talk to IPsec.
• Chapter 9 takes a look at wide-ranging IPsec policy concerns.
• Chapter 10 explains public key infrastructure (PKI) and certificates.
• Chapter 11 discusses extending IPsec protection to multicast communications.
• Chapter 12 gives a summary and conclusions.

Now that it is over, I would like to extend a hearty thanks to Rolf Oppliger, Artech House Series Editor for Computer Security, who recruited me to write this book and who read each chapter within days of its submission. I also would like to thank my editors at Artech House: Viki Williams, who lured me into this and then fled to greener pastures; Ruth Harris, who patiently endured missed deadlines, cracked the whip when necessary, and stretched the schedule (pronounced "shedule") to its limits; and Katie McLeay, who patiently guided a novice through the prepublication maze. I also would like to thank my colleagues at NIST, Jim Dray, Rob Glenn, Tim Polk, and John Wack, and Paul Hoffman, Director of the VPN Consortium, who took time from their busy schedules to read portions of the book. Their comments were right on target; any remaining errors are mine alone.

Sheila Frankel
sheila.frankel@nist.gov

1
Introduction

Railroad carriages are pulled at the enormous speed of 15 mph by engines which, in addition to endangering life and limb of passengers, roar and snort their way through the countryside, setting fire to the crops, scaring the livestock, and frightening women and children. The Almighty certainly never intended that people should travel at such breakneck speed.

Martin Van Buren

Back in the old days, when the Internet was young, fire-breathing dragons roamed the earth, and Bill Gates was still working on his fifth billion, the Internet was the plaything of a group of academics and researchers. Its goal was to maximize communication, connectedness, and collaboration, and to minimize barriers that would detract from the realization of those goals. The protocols that were defined then, and that still govern the underpinnings of the Internet now, reflect that reality.

When I mentioned to a friend that I was thinking of writing a book on Internet security, he responded, "Internet security is an oxymoron." I found myself reacting in a defensive and somewhat protective manner, although from the perspective of anyone who reads newspapers' daily reports on break-ins and viruses, his response was entirely appropriate. Once the Internet became the "information superhighway," and the traffic, not to mention the drivers, became more diverse, security loomed as a major concern. It was as if the inhabitants of a private single-family house were to wake up one morning and discover that each bedroom was inhabited by a group of strangers. If a family member should complain about the lack of privacy or security, one of the interlopers might surely say, "In this house, security is an oxymoron."

Embedded within the complex and rapidly evolving infrastructure, it proved impossible to radically or suddenly alter the Internet protocols, those agreed-on conventions, formats, and rules that govern Internet communications. Thus, two types of solutions have emerged in response to the security hazards that threaten Internet traffic: localized solutions and application-specific solutions. Localized solutions are attempts by computer network administrators to isolate or fortify their particular fiefdoms and take the form of screening routers, firewalls, defensive scanners, and the elimination of known security holes from operating systems and application programs. Application-specific solutions are applied to specific applications, such as electronic commerce or email, and are agreed on by some segment of the user population.

What differentiates IPsec from other solutions? IPsec is an attempt to define a more global solution to the problem of Internet security. Because IPsec will be applied at the Internet layer of communications, it can be used by any or all applications. Rather than requiring each email program or Web browser to implement its own security mechanisms, IPsec involves a change to the underlying networking facilities that are used by every application. It also allows network managers to apply protection to network traffic without involving end users.

The IPsec protocols are like a jigsaw puzzle, consisting of numerous interconnected pieces that, assembled, make a cohesive whole. This book examines the component pieces one at a time; while we are analyzing individual pieces of the puzzle, we shall assume that other, still-unexplored components magically appear in an unspecified manner, perhaps through invocations or wizardry.

The impact of each IPsec piece is easier to understand when viewed in the context of a sample communications scenario. Throughout this book, we use three simple but commonplace scenarios for that purpose. The sample scenarios are comprised of two types of building blocks: hosts and gateways.

• A host is a system that can initiate messages to be sent across the Internet and receive messages from other systems but cannot act as an intermediary to forward or route messages from one system to another. A host can provide IPsec services for itself but not for other systems. Examples of hosts are a single-user PC, a laboratory computer used to gather and analyze data, and a business data repository.
• A gateway is a system that can initiate messages to be sent across the Internet, receive messages from other systems, and act as an intermediary to forward or route messages from one system to another. Routers and firewalls are examples of gateways. A security gateway, in our framework, is a gateway that can provide IPsec services for itself and for other systems.

Scenario 1 is the simplest case: two hosts communicating with each other. Currently, one of the common uses of IPsec is the creation of a virtual private network (VPN). If a company needs to conduct secure communications between scattered locations, a private network can be constructed by leasing or stringing private communication lines. A less expensive and more flexible alternative is a VPN that uses the Internet as the communications medium and employs IPsec to ensure that the communications are indeed private. Although the VPN's traffic crosses the public Internet, IPsec protection prevents unauthorized outsiders from reading or modifying the traffic.

Scenario 2 is a small-scale VPN: two separate networks, each protected from the outside by a security gateway that screens all communications to and from its associated network. This topology can represent a single business with several branch locations or with separate departmental networks in the same location.

Scenario 3 combines aspects of the first two: a single host communicating with another host that resides on a network protected by a security gateway. This commonly occurs when an employee dials into a business network from home or when on a business trip. Scenario 3 is complicated by the fact that the single host, when dialing into the network, may not have a fixed network address. Figures 1.1(a), (b), and (c) illustrate scenarios 1, 2, and 3, respectively.

[Figure 1.1(a) Communication scenario 1: host-to-host. Two hosts connected across the Internet.]

[Figure 1.1(b) Communication scenario 2: gateway-to-gateway. Two networks, each containing several hosts behind a security gateway (SG), connected across the Internet.]

[Figure 1.1(c) Communication scenario 3: host-to-gateway. A single host connected across the Internet to a security gateway (SG) that protects a network of hosts.]

Because you are reading this book, you must have some interest in IPsec. Instead of touting the superiority of the IPsec approach, this book first describes the details of the IPsec protocol itself. Once we have "assembled" the IPsec puzzle, we will compare IPsec to the other leading contenders and contrast their relative strengths and weaknesses. The information in this book will, we hope, be sufficient to turn IPsec-illiterate readers into informed users of IPsec products, or to turn IPsec-aware readers into tweakers of existing IPsec implementations. By itself, however, this book is neither sufficiently rigorous nor sufficiently detailed to enable readers to become IPsec implementers from scratch. The technology is complex enough, and still in flux, so that would-be implementers need to become intimately familiar with the IPsec Requests for Comments (RFCs) and Internet Drafts that are the definitive specifications for this technology.¹

¹ All the Internet protocols, including IPsec, are defined in documents that are developed under the sponsorship of the Internet Engineering Task Force (IETF). An Internet Draft describes a protocol that is in the early stages of development. Once the technology reaches a certain level of consensus and there are multiple vendor implementations of the protocol, it is reclassified as an RFC. All current Internet Drafts and RFCs can be found at the IETF's Web site (http://www.ietf.org). The IETF cautions against citing Internet Drafts as references; because many aspects of IPsec have not yet achieved RFC status, this book does cite Internet Drafts.

However, the RFCs and the Internet Drafts do not always present a complete picture. In the spirit of the IETF, the organization responsible for the development of those documents and whose motto is "rough consensus and running code," the documents do not always tell the full story. The details are fleshed out through mailing list discussions, interoperability testing sessions, and hallway discussions at the IETF meetings. Sometimes the small but essential details are agreed on, but it takes time until that is reflected in the documents. This book attempts to convey the flavor and substance of the finishing details and, in many cases, unresolved disagreements, which are essential to an understanding of IPsec. Because IPsec is still under development, it provides a moving target for any attempt at documenting its features and status. This book attempts to capture the reality of IPsec, presenting a snapshot of IPsec as of October 2000.

The field of computer security embodies a rich and extensive theoretical and historical infrastructure. Although this book cannot cover the theory and practical ramifications of every aspect of IPsec, it does aim to make the IPsec protocols' goals, functionality, and interrelationships understandable to the reader. It also suggests voluminous amounts of extra reading material to those readers with a thirst for IPsec-related knowledge.

1.1 The TCP/IP Protocol Stack

The frame of reference in which IPsec operates is that of the Internet Protocol (IP). IP is one part of a layered suite of communication protocols known as TCP/IP [1-4]. The top layer, the applications layer, consists of protocols that are familiar to users through the applications they use. Internet browsers use the Hyper Text Transfer Protocol (HTTP) to communicate; email programs use the SMTP, POP3, and IMAP4 protocols; remote terminal programs use TELNET; and file transfer programs use the File Transfer Protocol (FTP). Those application protocols rely on the Transmission Control Protocol (TCP), the transport protocol that is used to establish reliable communications sessions in which data are predictably transferred without loss, duplication, or other types of errors.

Other applications and their related protocols are not as familiar to most users but are essential for the smooth operation of the Internet. Network routing relies on protocols such as the Routing Information Protocol (RIP); the ability to refer to hosts by their names, rather than by a lengthy string of numbers, results from use of the Domain Naming System (DNS) protocol. Those application protocols rely on the User Datagram Protocol (UDP), a transport protocol that transmits individual packets without checking for loss or duplication. For applications that run over UDP, the applications themselves are responsible for this type of reliability insurance, rather than the underlying transport protocol. The TCP communications model can be likened to the phone company. A connection is established, and messages are reliably transmitted and received in the proper order. The UDP communications model can be compared to the Post Office. Messages are sent out and, one hopes, received, but no checking is done to ensure that they actually were received or in what order. Both transport protocols, TCP and UDP, rely on the Internet layer protocol, IP, for the following:

• Transmitting messages from one machine to another
• Routing the messages so they arrive at the desired destination
• If the messages are too large to be transmitted by one or more of the networks encountered along the way, breaking the messages into smaller fragments and, at the other end, reassembling the fragments to reconstruct the original message

The Internet Control Message Protocol (ICMP) defines special-purpose messages used by the IP layer to alert other systems to problematic or erroneous conditions and to exchange information related to IP functions.

Figure 1.2 illustrates the layers of a typical system that uses TCP/IP as its networking protocol. When an outbound message is constructed, each layer from the top to the bottom inserts its own header in front of the data to be transported and then sends the message to the next lower layer for further processing. When an inbound message is received, the process is reversed. Each layer from the bottom to the top performs its layer-appropriate processing, strips off its header, and sends the message to the next (upper) layer for further processing. Each layer views a message as having two parts: the layer's header and "other stuff." The other stuff generally is referred to as "data," although in fact it generally contains a series of upper-layer headers, followed by the message data destined for the application.

[Figure 1.2 The TCP/IP layers: Application layer; Transport layer; Internet (IP) layer; Data layer.]
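The header-wrapping and header-stripping just described can be made concrete in a few lines. The following is an added example, not code from the book: it builds an outbound UDP-over-IPv4 packet by prepending a header at each layer, then processes it inbound by validating and stripping the headers in the reverse order, so that what the IP layer calls "data" is revealed to be a UDP header followed by the application's bytes. The addresses (from the 192.0.2.0/24 documentation range), ports and payload are constructed sample values; the UDP checksum is left at zero, which IPv4 permits, and a corrupted or truncated IPv4 header is rejected rather than handed upward.

```python
"""Encapsulation down the TCP/IP stack and decapsulation back up.

Added example, not code from the book: each layer prepends its own header
on the way out (application data -> UDP segment -> IPv4 packet) and the
receiver strips them in the reverse order, checking each header before
handing the rest up.  Header layouts follow RFC 768 (UDP) and RFC 791 (IPv4).
All addresses, ports and payloads below are constructed sample values.
"""
import socket
import struct

IPPROTO_UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
UDP_FMT = "!HHHH"            # 8-byte UDP header


def ones_complement_sum(data):
    """RFC 1071 Internet checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_port, dst_port, payload):
    """Transport layer: UDP header in front of the application data.
    The UDP checksum is optional over IPv4; 0 means it was not computed."""
    return struct.pack(UDP_FMT, src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src, dst, proto, upper):
    """Internet layer: IPv4 header in front of whatever the transport layer built."""
    header = struct.pack(
        IPV4_FMT,
        (4 << 4) | 5,        # version 4, IHL = 5 words (no options)
        0,                   # DSCP / ECN
        20 + len(upper),     # total length
        0x1234,              # identification (shared by fragments of one packet)
        0x4000,              # flags: Don't Fragment set, fragment offset 0
        64,                  # TTL
        proto,               # protocol of the next header (17 = UDP)
        0,                   # checksum placeholder, filled in below
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    checksum = ones_complement_sum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + upper


def parse_ipv4(packet):
    """Strip the IPv4 header: validate it, return its fields and the payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, ident, flags_frag, ttl, proto, _, src, dst = \
        struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    if ones_complement_sum(packet[:ihl]) != 0:   # a correct header sums to zero
        raise ValueError("bad IPv4 header checksum")
    fields = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "proto": proto, "ttl": ttl, "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "frag_offset": flags_frag & 0x1FFF,
    }
    return fields, packet[ihl:total_len]


def parse_udp(segment):
    """Strip the UDP header; return the ports and the application data."""
    if len(segment) < 8:
        raise ValueError("truncated UDP header")
    src_port, dst_port, length, _ = struct.unpack(UDP_FMT, segment[:8])
    if length < 8 or length > len(segment):
        raise ValueError("bad UDP length")
    return {"src_port": src_port, "dst_port": dst_port}, segment[8:length]


def outbound(src, dst, src_port, dst_port, data):
    """Top to bottom: each layer wraps what the layer above handed it."""
    return build_ipv4(src, dst, IPPROTO_UDP, build_udp(src_port, dst_port, data))


def inbound(packet):
    """Bottom to top: each layer peels its header and hands the rest upward."""
    ip, segment = parse_ipv4(packet)
    if ip["proto"] != IPPROTO_UDP:
        raise ValueError("only UDP is dispatched here (protocol %d)" % ip["proto"])
    udp, data = parse_udp(segment)
    return {"ip": ip, "udp": udp, "data": data}


if __name__ == "__main__":
    pkt = outbound("192.0.2.10", "192.0.2.53", 40000, 53, b"constructed sample query")
    print(len(pkt), "bytes on the wire")
    print(inbound(pkt))
```

The same structure is what an IPsec implementation hooks into: AH and ESP are inserted as additional headers between the IP header and the transport header on the way out, and stripped, after verification, on the way in, which is why the book can treat them as one more layer's worth of "other stuff" from IP's point of view.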

1.1.1 IP Packets

The overwhelming majority of packets that traverse the Internet today follow