Data communication and network note-IPSec

Data communication and network note-IPSec

1. IP layer security: IPSec
IP layer security (IPsec) is a set of protocols designed by the Internet Engineering Task Group (IETF) to provide security for IP layer groups. IPsec help
Generate identified and Secure IP layer groups, such:



1. Two Methods
IPSec runs in two different modes: Transmission Mode and tunnel mode, as shown in:


Transmission Mode
In the transmission mode, IPsec protects the content transmitted from the transport layer to the network layer.
.
Transmission Mode is usually used for data protection from the host to the host. The sending host uses IPsec to authenticate and/or encrypt the payload from the transport layer. Accept the host's use of IPSec for authentication
And/or decrypt the IP Group and pass it to the transport layer.


Tunnel Mode
In tunnel mode, IPsec protects the entire IP group, including the header, uses the IPsec Encryption Method with the entire group, and then adds a new header. Tunnel
Mode is usually used between two routers, or between a host and a vro, and between a vro and a host. In other words, when the sender and receiver are not the host
Tunnel is used to provide original group protection for intrusions from the sender and receiver. It seems that the entire group is transmitted through a hypothetical tunnel.

1. 2. Two security protocols
IPSec defines two security protocols: the Authentication Header (AH) protocol and the encapsulation security load (ESP) protocol, which provide authentication and/or encryption at the IP layer.

1.2.1. header Authentication Protocol
Authenticatin Header Protocol is used to identify the source host to ensure the integrity of the load carried by the IP Group. The protocol uses a hash function and
The symmetric key generates a message digest and inserts it into the authentication header. Insert AH to the corresponding location based on the running mode (transmission mode or tunnel mode. Indicates
Each field in the transmission mode and the position of the identification header.


When an IP datagram carries a authentication header, the initial value of the Protocol field in the IP header is replaced with 51. A field in the identification header (write a header field) specifies
The initial value of the field (the payload type carried by the IP datagram ). Follow these steps to add the authentication header:
A. Add the validation header to the payload and set the value of the validation data field to 0.
B. Hash processing is calculated based on the total grouping. However, only those fields in the IP header that do not change during transmission are included in the packet Digest (authentication data ).
Computing process.
C. Change the value of the Protocol field added to the authentication header to 51 and add the IP header.

1.2.2. encapsulation security Load
The AH Protocol does not provide confidentiality. It only provides source-end authentication and data integrity. IPSec later defined an optional security load called Encapsulation
(Encapsulating Security Payload, ESP) protocol, which provides source end authentication, integrity and confidentiality. ESP adds a header and a tail. Note,
The end of the ESP data loading group. This makes computing easier. The position of the head and tail of ESP.

When an IP datagram carries the header and tail of ESP, the value of the Protocol field in the IP header is changed to 50. A field (the next header field) at the end of ESP retains the initial value of the Protocol field.
(The load type carried by the IP datagram, such as TCP or UDP ). The ESP process follows these steps:
A. Add the tail of ESP to the payload.
B. encrypt the payload and tail.
C. Add the ESP header.
D. Use the ESP header, the payload, And the ESP tail to generate the identification data.
E. Add the identification data to the end of ESP.
F. Change the Protocol value to 50 and add it to the IP header.

1.2.3.AH and ESP
The ESP protocol is designed after the AH protocol is used. In addition to doing anything that AH can do, ESP also provides additional functions (confidentiality). The question is, why do we need
AH, the answer is we don't need it, but AH's implementation is already included in some commercial products, which means AH will still be part of the Internet until these products are eliminated.

1.2.4.services provided by IPSec
The AH and ESP protocols can provide several security services for groups at the network layer.
Access Control: IPSec provides access control through the security association database (SADB). When a group arrives at the destination end, if no security association is established for the group
Discard this group.
Packet Authentication: Both AH and ESP provide packet integrity by using the authentication data. Generate a Data summary, which is sent by the sender to the receiver and verified by the receiver.
Entity identification: in AH and ESP, the sender is identified by the Security Association sent by the sender and the data digest hashed by the key.
Confidentiality: in ESP, message encryption provides confidentiality, but AH does not. If confidentiality is required, we should use ESP instead of AH.
Protection against replay attacks: In two protocols, a serial number and a sliding window are used to prevent replay attacks (reply attack ). Each IPSec header has
Unique serial number, which increases from 0 until 2 ^ 32-1. When the serial number reaches the maximum value, it is reset to 0, and the old security association is deleted and a new security association is established. Is
To prevent repeated groups from being processed, IPSec requires the recipient to use a fixed size window. The default value of the fixed window size of the receiver is 64.

1. 3. Security Association
IPSec uses a security Association (SA) mechanism to establish a set of security parameters.
Because we know that the IP address is a connectionless protocol, each datagram is independent of each other. For this type of communication, IPSec uses the following method to establish a security association:
When the sender has a datagram for the first time to send to a specific receiver, a set of security parameters are created between the sender and the specified receiver. This set of security parameters
It can be saved and used for sending IP group transmission to the same receiver.
An example of simple Inbound and Outbound Security Association is as follows:

When Alice needs to send a data report to Bob, he uses the IPSec ESP protocol to perform authentication with the SHA-1 key x, and uses the DES key y to perform decryption,
When Bob needs to send data reports to Alice, he uses the AH protocol of IPSec and uses the MD5 key of z for authentication.

Security associated database (SADB)
Security associated databases can be complex. If Alice wants to send multiple packets to multiple people, Bob needs to receive messages from multiple people, the situation is quite complicated.
In addition, each party must be associated and associated to allow two-way communication. In other words, we need to have a group of associations, which are aggregated into a database called
Security association database (SADB ).

1. 4. Internet Key Exchange (IKE)
Now let's solve the last part, how to create SADB. Internet key exchange (IKE) is used to establish inbound associations in SADB
An associated Protocol.
IKE is a more complex protocol based on three other protocols (Oakley, SKEME, and ISAKMP. As shown in:

A protocol developed by Hilarieorman in the oak protocol. It is a key generation protocol based on the Diffie-Hellman key exchange method, but some improvements have been made,
Oakley is a non-formatted protocol, that is, there is no specification for the format of the exchanged message.
SKEME is designed by HugoKrawcyzk. It is another key exchange protocol, which uses public key cryptography and key exchange as entity authentication.
Internet Security Association and Key Management Protocol (ISAKMP) is)
The protocol designed to implement IKE-defined exchange. In the process of generating standardized and formatted insulation, it allows multiple groups, protocols, and parameters for IKE exchange to Generate Security
Full Association.

2. Virtual Private Network (VPN)
Virtual private network (VPN) is a technology widely used in large companies. In order to realize communication between the company and the company,
They use the Internet, but internal communication must be kept confidential. VPN is to use the IPSec protocol to secure IP datagram.
VPN technology uses IPSec in tunneling to provide authentication, integrity, and confidentiality.
Tunneling: each dedicated IP datagram in the Organization is encapsulated into another datagram. To use IPSec in tunneling technology, two addressing methods are required for VPN,

The public network (Internet) is responsible for transmitting the group from R1 to R2. External personnel cannot decrypt the group content or decrypt the Source and Destination addresses. The decryption process occurs on R2,
It finds the target address of the group and forwards it to the group.