Network security: IPSEC

Source: Internet
Author: User

In the previous post of this short series we built a VPN with the GRE protocol; in this post we use the IPSec protocol suite instead. The theory is somewhat abstract, but it is necessary for understanding the technology, so we start with the theory.

IPSec (IP Security)

IPSec is a set of open protocols that operate at the IP layer and use encryption and data-origin authentication to ensure the confidentiality, integrity and authenticity of packets transmitted across the Internet.

IPSec is implemented with two protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).

IPSec provides the following network security services:

Confidentiality (privacy): IPSec encrypts packets before they are transmitted, so their contents cannot be read in transit.

Integrity: IPSec verifies each packet at its destination to ensure that it was not modified in transit.

Authenticity: the receiving IPSec peer authenticates the origin of every IPSec-protected packet.

Anti-replay: IPSec prevents packets from being captured and re-injected onto the network; the receiver rejects old or duplicate packets, using the sequence number carried in the AH or ESP header.

IPSec overview

The IPSec (IP Security) protocol suite is a series of protocols developed by the IETF to provide high-quality, interoperable, cryptography-based security for IP datagrams.

IPSec achieves this through two security protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).

Authentication Header (AH)

The IPSec Authentication Header (AH, RFC 2402, updated by RFC 4302) is a mechanism that provides integrity and authentication for IP packets. Integrity here means ensuring that the datagram is not altered in transit, whether accidentally or maliciously.

AH provides its integrity and authentication services by computing a keyed message digest (an HMAC, called the integrity check value or ICV) over the entire IP datagram; the IP header fields that routers legitimately change in transit (TTL, header checksum and the like) are treated as zero for this computation.

The output of the digest algorithm is placed in the Authentication Data field of the AH header. Note that AH does not encrypt the payload: it protects integrity and origin, not confidentiality.
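To make the AH computation concrete, here is an added example in Python (not code from the original post) that builds an IPv4 packet carrying a transport-mode AH header with an HMAC-SHA256-128 ICV and then verifies it at the receiver. The key, addresses and payload are constructed sample values, and the IPv4 header checksum is left at zero for brevity (it is a mutable field and excluded from the ICV anyway).

```python
import hmac
import hashlib
import struct

# Added example, not the blog's code. AH layout (RFC 4302):
#   Next Header (1) | Payload Len (1) | Reserved (2) | SPI (4) | Seq (4) | ICV (variable)
# HMAC-SHA256-128 (RFC 4868): the 32-byte HMAC output is truncated to a 16-byte ICV.
ICV_LEN = 16
AH_PROTO = 51


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; identification is a sample value and the
    header checksum is left at zero (it is mutable and excluded from the ICV)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 4302 s3.3.3.1.1: fields that routers legitimately change in transit
    (TOS/DSCP+ECN, flags+fragment offset, TTL, header checksum) are treated as
    zero when the ICV is computed, on both the sender and the receiver side."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # TOS
    h[6:8] = b"\x00\x00"       # flags + fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    # Payload Len is the AH length in 32-bit words minus 2 (so 5 for a 16-byte ICV).
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_hdr: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV over: zeroed IP header | AH header with its ICV field zeroed | payload."""
    ah_zeroed = ah_header(next_header, spi, seq, b"\x00" * ICV_LEN)
    data = zero_mutable_fields(ip_hdr) + ah_zeroed + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """Transport-mode AH: IPv4 header (protocol 51) | AH | original payload."""
    total_len = 20 + 12 + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len)
    icv = compute_icv(key, ip_hdr, next_header, spi, seq, payload)
    return ip_hdr + ah_header(next_header, spi, seq, icv) + payload


def verify_ah_packet(key: bytes, packet: bytes) -> bool:
    """Recompute the ICV at the receiver and compare it in constant time."""
    ip_hdr = packet[:20]
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_len = (payload_len + 2) * 4
    received_icv = packet[32:20 + ah_len]
    payload = packet[20 + ah_len:]
    expected = compute_icv(key, ip_hdr, next_header, spi, seq, payload)
    return hmac.compare_digest(received_icv, expected)


# Constructed sample values: key, addresses and a fake TCP payload (next header 6).
KEY = bytes(range(32))
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
PACKET = build_ah_packet(KEY, SRC, DST, 6, 0x1000, 1, b"GET / HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    print("valid:", verify_ah_packet(KEY, PACKET))
    hopped = bytearray(PACKET); hopped[8] -= 1            # a router decrements TTL
    print("after TTL change:", verify_ah_packet(KEY, bytes(hopped)))
    tampered = bytearray(PACKET); tampered[-1] ^= 0x01    # payload modified in transit
    print("after payload change:", verify_ah_packet(KEY, bytes(tampered)))
```

The TTL change still verifies because TTL is zeroed on both sides before hashing; the payload change fails because the payload is covered by the ICV. Changing the SPI or sequence number also fails, since both are inside the AH header that the digest covers.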

IPSec encryption

ESP (Encapsulating Security Payload)

The Encapsulating Security Payload header provides confidentiality and integrity for the IP datagram; it is defined in RFC 2406 (updated by RFC 4303).

ESP is designed to work in two modes: tunnel mode and transport mode. In transport mode the original IP header is kept and the ESP header is inserted between it and the transport-layer payload; in tunnel mode the entire original IP packet is encapsulated as the ESP payload and a new outer IP header is added.

Security protocol data encapsulation format

In terms of security, tunnel mode is stronger than transport mode, because the original IP header (and with it the inner addresses) is also protected.

In terms of performance, tunnel mode consumes more bandwidth than transport mode, because every packet carries an additional outer IP header.
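The following added Python example (not from the original post) builds the ESP encapsulation in both modes so the difference in size can be measured. The encryption step is deliberately left out: the bytes that a real SA would encrypt are left as plaintext and marked as such in the code, because only the framing, the padding rule and the bandwidth overhead matter here. The SPI, key and addresses are constructed sample values.

```python
import hmac
import hashlib
import struct

# Added example, not the blog's code. ESP layout (RFC 4303):
#   SPI (4) | Seq (4) | [payload | padding | Pad Len (1) | Next Header (1)] | ICV
# The bracketed region is what a real SA encrypts; here it is left as plaintext
# on purpose so the framing and the size overhead can be inspected.
ESP_PROTO = 50
IPV4_IN_ESP = 4      # Next Header value for an inner IPv4 packet (tunnel mode)
ICV_LEN = 16


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int) -> bytes:
    """Minimal IPv4 header; identification is a sample value, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, proto, 0, src, dst)


def esp_encapsulate(spi: int, seq: int, inner: bytes, next_header: int, key: bytes, align: int = 4) -> bytes:
    """Add the ESP header, RFC 4303 default padding (1,2,3,...) so that the
    trailer ends on an `align`-byte boundary (4 for IPv4; a CBC cipher would
    raise it to its block size), the 2-byte trailer and an HMAC-SHA256-128 ICV.
    NOTE: no encryption is applied (see the comment at the top)."""
    pad_len = (-(len(inner) + 2)) % align
    padding = bytes(range(1, pad_len + 1))
    body = inner + padding + bytes([pad_len, next_header])   # would be ciphertext
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def esp_decapsulate(key: bytes, esp: bytes) -> tuple:
    """Verify the ICV, strip padding and trailer; return (next_header, inner)."""
    header, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - 2 - pad_len]


def esp_transport(ip_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: keep the original IP header (protocol rewritten to 50)
    and insert ESP between it and the transport-layer payload."""
    ip_hdr, payload = ip_packet[:20], ip_packet[20:]
    orig_proto = ip_hdr[9]
    esp = esp_encapsulate(spi, seq, payload, orig_proto, key)
    hdr = bytearray(ip_hdr)
    hdr[9] = ESP_PROTO
    hdr[2:4] = struct.pack("!H", 20 + len(esp))
    return bytes(hdr) + esp


def esp_tunnel(ip_packet: bytes, outer_src: bytes, outer_dst: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: the whole original packet, inner header included, becomes
    the ESP payload and a new outer IPv4 header is prepended."""
    esp = esp_encapsulate(spi, seq, ip_packet, IPV4_IN_ESP, key)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, 20 + len(esp)) + esp


def overhead(protected: bytes, original: bytes) -> int:
    """Bytes added on the wire compared with the unprotected packet."""
    return len(protected) - len(original)


# Constructed sample: a 120-byte TCP/IPv4 packet between two hosts, protected
# with a sample key and SPI, either end-to-end (transport) or gateway-to-gateway (tunnel).
KEY = bytes(range(32))
INNER = ipv4_header(bytes([192, 168, 1, 10]), bytes([192, 168, 2, 20]), 6, 120) + b"A" * 100
TRANSPORT = esp_transport(INNER, 0x2000, 1, KEY)
TUNNEL = esp_tunnel(INNER, bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1]), 0x2000, 1, KEY)

if __name__ == "__main__":
    print("transport overhead:", overhead(TRANSPORT, INNER), "bytes")
    print("tunnel overhead:   ", overhead(TUNNEL, INNER), "bytes")
```

For this packet transport mode adds 28 bytes (8-byte ESP header, 2 bytes of padding, 2-byte trailer, 16-byte ICV) while tunnel mode adds 48: the extra 20 bytes are exactly the outer IPv4 header, which is the bandwidth cost the text refers to. With a 16-byte block cipher the `align` parameter rises to 16 and the padding grows accordingly.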

Security associations

A security association (SA) is one of the most basic IPSec concepts: it is the agreement between two peers (or hosts) on the policy and parameters used to protect traffic, including the security protocol (AH or ESP), the algorithms and keys, the mode, and the sequence-number state. An SA is unidirectional and is identified by the triple of SPI, destination address and security protocol, so two-way communication needs a pair of SAs.

IPSec provides secure communication between two endpoints, which are referred to as IPSec peers.
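The anti-replay service listed earlier and the SA described here meet in the receiver's SA state: the replay window lives in the inbound SA and the sequence counter in the outbound one. The following added Python example (not from the original post) implements a minimal SA database keyed by (SPI, destination, protocol), an outbound sequence counter that refuses to wrap, and the RFC 4303 Appendix A sliding-window replay check. The SPIs and addresses are constructed sample values.

```python
from dataclasses import dataclass

# Added example, not the blog's code. One SA per direction: the receiver's
# SA carries the anti-replay window, the sender's SA the sequence counter.
ESP, AH = 50, 51
MAX_SEQ = 0xFFFFFFFF          # 32-bit sequence number space (extended sequence numbers not used here)


@dataclass
class OutboundSA:
    spi: int
    dst: str
    proto: int
    seq: int = 0

    def can_send(self) -> bool:
        return self.seq < MAX_SEQ

    def next_seq(self) -> int:
        """Sequence numbers must never repeat under one key: when the counter
        would wrap, the SA has to be rekeyed, not reused."""
        if not self.can_send():
            raise RuntimeError("sequence number exhausted; rekey the SA")
        self.seq += 1
        return self.seq


@dataclass
class InboundSA:
    spi: int
    dst: str
    proto: int
    window: int = 64            # RFC 4303: at least 32 must be supported, 64 is the default
    highest: int = 0            # highest sequence number accepted so far (right edge)
    bitmap: int = 0             # bit i set <=> seq (highest - i) already received

    def accept(self, seq: int) -> bool:
        """RFC 4303 Appendix A sliding-window check. Call only after the ICV
        has verified; otherwise a forged packet could move the window and
        cause legitimate packets to be dropped. Returns True if the packet is
        new, False if it is a replay or falls to the left of the window."""
        if seq == 0:
            return False                            # 0 is never a valid sequence number
        if seq > self.highest:                      # new right edge: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True
        back = self.highest - seq
        if back >= self.window:
            return False                            # too old
        if self.bitmap & (1 << back):
            return False                            # already seen: replay
        self.bitmap |= 1 << back
        return True


class SADB:
    """Security association database keyed by (SPI, destination, protocol),
    the triple that identifies an SA."""

    def __init__(self):
        self._in = {}
        self._out = {}

    def add_inbound(self, sa: InboundSA) -> None:
        self._in[(sa.spi, sa.dst, sa.proto)] = sa

    def add_outbound(self, sa: OutboundSA) -> None:
        self._out[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup_inbound(self, spi: int, dst: str, proto: int):
        return self._in.get((spi, dst, proto))

    def lookup_outbound(self, spi: int, dst: str, proto: int):
        return self._out.get((spi, dst, proto))


def process_inbound(db: SADB, spi: int, dst: str, proto: int, seq: int) -> str:
    """Receiver-side decision for one packet (ICV verification assumed done)."""
    sa = db.lookup_inbound(spi, dst, proto)
    if sa is None:
        return "no-sa"
    return "accepted" if sa.accept(seq) else "replay"


if __name__ == "__main__":
    db = SADB()                                     # constructed sample SAs
    db.add_inbound(InboundSA(0x1000, "10.0.0.2", ESP))
    for s in (1, 2, 3, 2, 100, 37, 36, 37):
        print(s, process_inbound(db, 0x1000, "10.0.0.2", ESP, s))
```

Sequence numbers 1, 2, 3 are accepted, the second 2 is a replay, 100 slides the window so that 37 (63 behind) is still inside it but 36 (64 behind) is dropped as too old, and the second 37 is a replay. Note that an AH packet with the same SPI and destination does not match the ESP SA, because the protocol is part of the key.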
