Eleventh Hour Security: Exam SY0-201 Study Guide, page 146

Each IKE negotiation results in two SAs, one inbound and one outbound, at each host. Obviously, one host's inbound SA will match the other host's outbound SA, and vice versa. The SA consists of an IP address, a Security Parameters Index (SPI), and the key associated with the SA. The SPI is simply a random number generated by the host that created its associated key and, along with the IP address of that host, can be viewed as an index into the database of SAs.

AH operates as IP protocol number 51 (thus, it is neither UDP nor TCP, and does not have an associated port number), and inserts a header into each protected data packet containing the SPI of the negotiated SA to which the packet is associated, a Sequence Number to prevent replay attacks, and an Integrity Check Value (ICV), which is generally a keyed MAC of the AH header (excluding the ICV) and any data following it. This allows each packet to be verified independently of any other packets (other than the key exchange performed by IKE).

ESP operates as IP protocol number 50, and its header contains the SPI of the connection, a Sequence Number to prevent replay attacks, encrypted payload data (the IP packet that has been encrypted), encrypted padding to align the payload data with block sizes for block ciphers, an encrypted Next Header value, and an ICV just as in the AH protocol. The Next Header value refers to the header inside the payload data, rather than a header following the ESP header; there usually is no such following header, but the decrypted payload data can be considered to be the logically following data.

Comparing IPSec to the protocols previously discussed, it is clear that there are some advantages and some disadvantages. IPSec authenticates hosts to one another, and cannot authenticate users. IPSec protects any application, without that application being aware of its being protected.
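The AH header layout, the keyed-MAC ICV check and the Sequence Number replay check described above, as an added Python example that is not from the study guide. It assumes HMAC-SHA1-96 as the keyed MAC, a 64-packet sliding anti-replay window, and (a simplification) that the MAC covers only the AH header and the data after it, not the immutable outer IP header fields that real AH also includes.

```python
import hmac
import hashlib
import struct

# Constructed demo of an AH header (RFC 4302 field order) protecting an opaque payload.
# Assumption/simplification: the keyed MAC covers the AH header (ICV zeroed) plus the
# data following it; a real AH implementation also covers the immutable fields of
# the outer IP header.
ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte SHA-1 HMAC truncated to 96 bits

def build_ah(key: bytes, spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    # Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    payload_len = (12 + ICV_LEN) // 4 - 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    icv = hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
    return fixed + icv + payload

class AhReceiver:
    """Inbound SA state: the SA key, its SPI and a sliding anti-replay bitmap."""
    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (highest - i) already seen

    def verify(self, packet: bytes):
        """Return (ok, reason, payload). The sequence check runs before the MAC so
        obvious replays are dropped cheaply, but the window is only advanced after
        the ICV verifies, so a forged sequence number cannot move it."""
        _next_hdr, _plen, _res, spi, seq = struct.unpack("!BBHII", packet[:12])
        if spi != self.spi:
            return False, "unknown SPI", None
        icv, payload = packet[12:12 + ICV_LEN], packet[12 + ICV_LEN:]
        if seq == 0 or (seq <= self.highest and
                        (self.highest - seq >= self.window or self.bitmap >> (self.highest - seq) & 1)):
            return False, "replayed or stale sequence number", None
        expected = hmac.new(self.key, packet[:12] + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, "ICV mismatch", None
        if seq > self.highest:              # new high-water mark: slide the window
            self.bitmap = (self.bitmap << (seq - self.highest)) | 1
            self.highest = seq
        else:                               # in-window, out-of-order packet
            self.bitmap |= 1 << (self.highest - seq)
        self.bitmap &= (1 << self.window) - 1
        return True, "ok", payload
```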
IPSec requires that routers accept and pass protocols 50 and 51. IPSec builds its ICV, and creates its SA, over values that include the IP address of each host; this makes it difficult to use across a NAT (Network Address Translation) router. To deal with this, an encapsulation known as NAT-T (NAT Traversal) was developed. IPSec ESP can operate either in Transport mode, in which it uses addresses on the local network, or in Tunnel mode, in which the source and destination IP addresses inside are from different physical (and logical) networks than those that are carrying the outer packets.

PPTP

PPTP is the least fully featured or secure by itself. PPTP stands for the Point-to-Point Tunneling Protocol. Described in RFC 2637, it is a relatively simple encapsulation of PPP (the Point-to-Point Protocol) over an existing TCP/IP