Actual IPsec protocol Process (1)

Source: Internet
Author: User

The preceding section described the basic content of the IPsec protocol, including its workflow and specific operational details. Now let's look at the implementation of the IPsec protocol in more depth. The following is an overview of the IPsec implementation in Cisco IOS:

Authentication Header (AH): AH is defined in IETF RFC 2402. It provides IPsec data verification, authentication, and integrity services; it does not provide data encryption. AH is typically deployed on its own, but it can also be combined with ESP. Using AH alone still secures the data exchange. Since AH does not encrypt data, you may ask why AH is needed at all. Consider this case: if the application already encrypts its own data, no additional encryption is required. Compared with ESP, AH is "lighter" in processing overhead, so it is easier to run on low-end routers.

In addition, AH provides better IP-layer protection than ESP. AH computes a hash signature over the whole IP packet, so any modification in transit is detected, which protects the integrity of IP packets. The AH security data is carried in the 32-bit AH header, which is inserted between the IP header and the layer-4 protocol header. Because AH is responsible for protecting the IP packet itself, including its header, AH cannot be deployed in a network that uses Network Address Translation (NAT). AH works in transport mode or tunnel mode. In most cases tunnel mode is used: the original IP packet is encapsulated in a new AH-protected IP packet. This new packet consists of a new IP header (whose destination address is the IPsec gateway of the remote node) and the AH header, followed by the original IP packet with its layer-4 payload. IANA (Internet Assigned Numbers Authority) assigns AH protocol ID 51.

Encapsulating Security Payload (ESP): ESP is defined in IETF RFC 2406 and provides IPsec data encryption, verification, authentication, and integrity services. ESP can be deployed on its own or together with AH. Whereas the AH header is prepended to the payload of the IP packet, ESP wraps the entire data portion of the IP packet with a header and a trailer. The ESP header carries security and sequencing information; the ESP trailer carries padding parameters and, where required, verification data. ESP requires more router processing resources than AH because it must encapsulate the original ULP data and its ciphertext. In addition, ESP requires 1500-byte layer-4 packets to be fragmented to make room for the additional security payload data. Like AH, ESP supports transport and tunnel modes, but almost all vendors implement tunnel mode. The ESP RFC does not mandate which algorithm must be used to encrypt data. Cisco IOS supports 56-bit DES, 3DES, and AES; other vendors have also implemented Blowfish and IDEA. IANA assigns ESP protocol ID 50.

Internet Security Association and Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE): these protocols provide the framework and procedures for negotiating IPsec VPN services. ISAKMP is defined in IETF RFC 2408, while IKE is defined in IETF RFC 2409. ISAKMP defines the framework, syntax, and procedures for creating and deleting authentication keys and security associations (SAs). IPsec nodes use SAs to track the different aspects of the security service policies negotiated between them.

Once a connection between nodes is established, the SA governs the negotiation between them. During connection establishment and each subsequent re-establishment, each node assigns its own Security Parameter Index (SPI) to the SA negotiated with the other node. SPIs are exchanged between the nodes and are used to identify packets. When a node receives an IPsec packet, it reads the SPI, looks up the corresponding SA in its SPI database, and then processes the packet according to the rules in that SA. One important thing to remember about ISAKMP is that it is a key management protocol; its encryption and authentication are independent of IPsec.
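The AH tunnel-mode packet layout, the SPI-to-SA lookup a receiving node performs, and the reason AH cannot cross NAT (all described above), as an added Python example that is not code from the page or from Cisco IOS. It assumes HMAC-SHA1-96 as the AH integrity algorithm and uses a constructed SA table, constructed addresses and keys, and no IP checksum computation.

```python
import hashlib
import hmac
import struct

AH = 51           # IANA protocol number for AH (quoted in the text)
IPV4_IN_IP = 4    # AH "next header" value in tunnel mode: an inner IPv4 packet follows
ICV_LEN = 12      # HMAC-SHA1-96 truncated ICV (assumed integrity algorithm)
# Constructed SA database: (SPI, protocol) -> authentication key. Sample values only.
SA_DB = {(0x1000, AH): b"constructed-sample-ah-key"}
# Constructed inner packet: 20-byte IPv4 header (proto 17 = UDP) + 4-byte payload, sample addresses
INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, 17, 0, b"\x0a\x00\x00\x02", b"\x0a\x01\x00\x02") + b"ping"

def _zero_mutable(ip_hdr: bytes) -> bytes:
    """The ICV covers the outer IP header with the fields a router may legitimately change zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0            # TOS / DSCP / ECN
    h[6:8] = b"\0\0"    # flags + fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum (never computed in this example)
    return bytes(h)

def _icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    covered = _zero_mutable(ip_hdr) + ah_fixed + b"\0" * ICV_LEN + payload  # ICV field itself zeroed
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_tunnel(src: bytes, dst: bytes, inner: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: new outer IPv4 header, then the AH header, then the original IP packet."""
    ah_len = 12 + ICV_LEN
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ah_len + len(inner), 0, 0, 64, AH, 0, src, dst)
    ah_fixed = struct.pack("!BBHII", IPV4_IN_IP, ah_len // 4 - 2, 0, spi, seq)  # Payload Len: 32-bit words minus 2
    return ip_hdr + ah_fixed + _icv(key, ip_hdr, ah_fixed, inner) + inner

def receive_ah(packet: bytes, sa_db=SA_DB):
    """Receiving gateway: find the SA by SPI, verify the ICV, return (next_header, inner_packet)."""
    ip_hdr, rest = packet[:20], packet[20:]
    if ip_hdr[9] != AH:
        raise ValueError("not an AH packet")
    nxt, plen, _, spi, _seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (plen + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    key = sa_db.get((spi, AH))
    if key is None:
        raise ValueError("no SA for SPI %#x" % spi)      # unknown SPI: the packet is dropped
    if not hmac.compare_digest(icv, _icv(key, ip_hdr, rest[:12], payload)):
        raise ValueError("AH ICV mismatch: packet modified in transit")
    return nxt, payload

def nat_rewrite_source(packet: bytes, new_src: bytes) -> bytes:
    """What a NAT device does to the outer header; the source address is not a mutable field."""
    return packet[:12] + new_src + packet[16:]
```

A TTL decrement by an intermediate router leaves the ICV valid because TTL is zeroed before hashing, while a NAT rewrite of the source address makes the receiving gateway reject the packet.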

IKE is a hybrid of the Oakley key determination protocol and the SKEME key exchange protocol. The IKE protocol is used to manage IPsec security associations within the ISAKMP framework of an IPsec node. IKE can be used with ISAKMP, but the two are not the same thing. IKE is the mechanism for establishing an IPsec "connection" between IPsec nodes, which requires negotiating the following:

Authentication algorithm: IKE uses Diffie-Hellman to establish a shared secret session key over a non-secure network.

Confidentiality algorithms: IKE nodes negotiate the security protocol to use: AH, ESP, or AH together with ESP.

Hash algorithm: IKE uses a hash algorithm to verify packet data.
