Support
Joined: 09 Oct 2002 Posts: 175 Location: Lausanne, Switzerland
Posted: Tue Jan 14, 03 13:30 Post subject: How is VPN data different than normal data?
Below are 2 packet sniffer results when watching a computer sending email with and without IPSec. Without IPSec, the final destination is known, usernames and passwords are visible and in fact all of the contents of the email are visible as well. Packets below are NOT encrypted with IPSec when sending an email message.
Code:
No. Source Destination Protocol Info
1 10.0.2.254 222.1.1.1 TCP 4199 > smtp [SYN]
2 222.1.1.1 10.0.2.254 TCP smtp > 4199 [SYN, ACK]
3 10.0.2.254 222.1.1.1 TCP 4199 > smtp [ACK]
4 222.1.1.1 10.0.2.254 SMTP Response: 220 mailserver.me.com ESMTP Postfix
5 10.0.2.254 222.1.1.1 SMTP Command: HELO mycomputer
6 222.1.1.1 10.0.2.254 TCP smtp > 4199 [ACK]
7 222.1.1.1 10.0.2.254 SMTP Response: 250 mailserver.mycompany.com
8 10.0.2.254 222.1.1.1 SMTP Command: MAIL FROM: <shawn.giese@lightning.ch>
9 222.1.1.1 10.0.2.254 SMTP Response: 250 Ok
10 10.0.2.254 222.1.1.1 SMTP Command: RCPT TO: <sg@lightning.ch>
11 222.1.1.1 10.0.2.254 SMTP Response: 250 Ok
12 10.0.2.254 222.1.1.1 SMTP Command: RSET
13 222.1.1.1 10.0.2.254 SMTP Response: 250 Ok
32 10.0.2.254 222.1.1.1 TCP 4199 > smtp [ACK]
33 10.0.2.254 222.1.1.1 SMTP Command: MAIL FROM: <shawn.giese@lightning.ch>
34 222.1.1.1 10.0.2.254 SMTP Response: 250 Ok
35 10.0.2.254 222.1.1.1 SMTP Command: RCPT TO: <sg@lightning.ch>
36 222.1.1.1 10.0.2.254 SMTP Response: 250 Ok
37 10.0.2.254 222.1.1.1 SMTP Command: DATA
38 222.1.1.1 10.0.2.254 SMTP Response: 354 End data with <CR><LF>.<CR><LF>
39 10.0.2.254 222.1.1.1 SMTP Message Body
40 222.1.1.1 10.0.2.254 TCP smtp > 4199 [ACK]
41 10.0.2.254 222.1.1.1 SMTP EOM:
42 222.1.1.1 10.0.2.254 TCP smtp > 4199 [ACK]
43 222.1.1.1 10.0.2.254 SMTP Response: 250 Ok: queued as E911FD9087
44 10.0.2.254 222.1.1.1 SMTP Command: QUIT
45 10.0.2.254 222.1.1.1 TCP 4199 > smtp [FIN, ACK]
46 222.1.1.1 10.0.2.254 TCP smtp > 4199 [ACK]
47 222.1.1.1 10.0.2.254 SMTP Response: 221 Bye
48 10.0.2.254 222.1.1.1 TCP 4199 > smtp [RST]
49 222.1.1.1 10.0.2.254 TCP smtp > 4199 [FIN, ACK]
50 10.0.2.254 222.1.1.1 TCP 4199 > smtp [RST]
When the message is encrypted using IPSec, it is impossible to know the contents of the data packets or, in many cases, even where those packets are going. Notice that all descriptions of the packets are gone and replaced by the ESP protocol. Anyone watching this traffic will not know if the data is accessing a database, email, internal web services... Below are packets using IPSec encryption when sending the same email message as above.
Code:
No. Source Destination Protocol Info
1 10.0.2.254 10.0.0.1 ISAKMP Identity Protection (Main Mode)
2 10.0.0.1 10.0.2.254 ISAKMP Identity Protection (Main Mode)
3 10.0.2.254 10.0.0.1 ISAKMP Identity Protection (Main Mode)
4 10.0.0.1 10.0.2.254 ISAKMP Identity Protection (Main Mode)
5 10.0.2.254 10.0.0.1 ISAKMP Identity Protection (Main Mode)
6 10.0.0.1 10.0.2.254 ISAKMP Identity Protection (Main Mode)
7 10.0.2.254 10.0.0.1 ISAKMP Quick Mode
8 10.0.0.1 10.0.2.254 ISAKMP Quick Mode
9 10.0.2.254 10.0.0.1 ISAKMP Quick Mode
10 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
11 10.0.0.1 10.0.2.254 ICMP Destination unreachable
12 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
13 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
14 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
15 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
16 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
17 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
18 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
19 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
20 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
21 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
22 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
23 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
24 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
25 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
26 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
27 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
28 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
29 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
30 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
31 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
32 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
33 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
34 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
35 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
36 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
37 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
38 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
39 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
40 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
41 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
42 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
43 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
44 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
45 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
46 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
47 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
48 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
49 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
50 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
51 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
52 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
53 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
54 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
55 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
56 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
57 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
58 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
59 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
60 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
61 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
62 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
The actual text of these messages is here -> UNENCRYPTED http://dns.lightning.ch/support/resources/email_wo_ipsec.txt, and here -> ENCRYPTED http://dns.lightning.ch/support/resources/email_w_ipsec.txt. See if you can see the difference between the 2.
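As an added example (not part of the original post and not the poster's own tooling), the script below parses sniffer summary lines in the "No. Source Destination Protocol Info" format used above and reports what a passive observer can recover from each capture. The sample lines are a constructed excerpt copied from the two listings in the post. It shows the point of the post in code: on the cleartext trace the observer gets the server banner, the HELO name and both envelope addresses, while on the IPsec trace the application layer is gone. It also shows the metadata ESP still exposes, which is the caveat a defender should keep in mind: the two gateway endpoints, the SPI of each direction, the packet count per flow, and the ISAKMP exchange that marks the traffic as IPsec. The function names (`parse_capture`, `observer_view`) are my own.

```python
"""Compare what a passive observer learns from a cleartext SMTP capture
versus an IPsec (ESP) capture, given sniffer summary lines.
"""
import re
from collections import Counter

# Constructed excerpt of the cleartext SMTP capture from the post.
CLEARTEXT_CAPTURE = """\
4 222.1.1.1 10.0.2.254 SMTP Response: 220 mailserver.me.com ESMTP Postfix
5 10.0.2.254 222.1.1.1 SMTP Command: HELO mycomputer
8 10.0.2.254 222.1.1.1 SMTP Command: MAIL FROM: <shawn.giese@lightning.ch>
10 10.0.2.254 222.1.1.1 SMTP Command: RCPT TO: <sg@lightning.ch>
37 10.0.2.254 222.1.1.1 SMTP Command: DATA
39 10.0.2.254 222.1.1.1 SMTP Message Body
44 10.0.2.254 222.1.1.1 SMTP Command: QUIT
"""

# Constructed excerpt of the IPsec capture from the post (same email, ESP-protected).
ESP_CAPTURE = """\
1 10.0.2.254 10.0.0.1 ISAKMP Identity Protection (Main Mode)
2 10.0.0.1 10.0.2.254 ISAKMP Identity Protection (Main Mode)
7 10.0.2.254 10.0.0.1 ISAKMP Quick Mode
8 10.0.0.1 10.0.2.254 ISAKMP Quick Mode
10 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
11 10.0.0.1 10.0.2.254 ICMP Destination unreachable
12 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
13 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
14 10.0.2.254 10.0.0.1 ESP ESP (SPI=0xa6d4b946)
15 10.0.0.1 10.0.2.254 ESP ESP (SPI=0xef1015de)
"""

# One summary line: No. Source Destination Protocol Info
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*?)\s*$")

# SMTP fields that leak identities when the session is in the clear.
SMTP_PATTERNS = {
    "server_banner": re.compile(r"Response: 220 (\S+)"),
    "client_name": re.compile(r"Command: HELO (\S+)"),
    "sender": re.compile(r"MAIL FROM: <([^>]+)>"),
    "recipient": re.compile(r"RCPT TO: <([^>]+)>"),
}
SPI_RE = re.compile(r"SPI=(0x[0-9a-fA-F]+)")


def parse_capture(text):
    """Parse summary lines into dicts; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        no, src, dst, proto, info = m.groups()
        packets.append({"no": int(no), "src": src, "dst": dst, "proto": proto, "info": info})
    return packets


def observer_view(text):
    """Return what someone watching the wire can reconstruct from the summary alone."""
    packets = parse_capture(text)
    view = {
        "endpoints": sorted({p["src"] for p in packets} | {p["dst"] for p in packets}),
        "protocols": Counter(p["proto"] for p in packets),
        "flows": Counter((p["src"], p["dst"]) for p in packets),
        "identities": {},  # only populated when the application protocol is visible
        "spis": {},        # ESP SPI -> packet count: per-direction metadata that ESP does not hide
    }
    for p in packets:
        if p["proto"] == "SMTP":
            for field, rx in SMTP_PATTERNS.items():
                m = rx.search(p["info"])
                if m:
                    view["identities"].setdefault(field, set()).add(m.group(1))
        elif p["proto"] == "ESP":
            m = SPI_RE.search(p["info"])
            if m:
                view["spis"][m.group(1)] = view["spis"].get(m.group(1), 0) + 1
    view["application_visible"] = bool(view["identities"])
    return view


def report(name, view):
    """Print the observer's view of one capture in a compact form."""
    print(f"== {name} ==")
    print("endpoints seen     :", ", ".join(view["endpoints"]))
    print("protocols seen     :", dict(view["protocols"]))
    print("packets per flow   :", dict(view["flows"]))
    print("application visible:", view["application_visible"])
    for field, values in sorted(view["identities"].items()):
        print(f"  leaked {field:14}: {', '.join(sorted(values))}")
    for spi, count in sorted(view["spis"].items()):
        print(f"  ESP {spi}: {count} packets (direction inferable, payload opaque)")


if __name__ == "__main__":
    report("without IPsec", observer_view(CLEARTEXT_CAPTURE))
    report("with IPsec", observer_view(ESP_CAPTURE))
```

Run it as-is to see the two reports side by side. The ESP report is what a network defender can still use for detection and monitoring (which hosts talk to the gateway, how many packets in each direction, when a new SA is negotiated), and it is also the ceiling of what an eavesdropper gets without the keys.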