Firewall and others-4

Source: Internet
Author: User


Internet layer security

The idea of standardizing security protocols at the Internet layer is not new; it has been discussed for well over a decade, and several designs have actually been built. "Security Protocol 3 (SP3)" was developed by the US National Security Agency (NSA) together with NIST as part of the Secure Data Network System (SDNS). "Network Layer Security Protocol (NLSP)" is an ISO standard for securing the Connectionless Network Protocol (CLNP). "Integrated NLSP (I-NLSP)" was proposed by the US National Institute of Standards and Technology (NIST) to cover both IP and CLNP with a single security mechanism. swIPe is another Internet-layer security protocol, for which a prototype was designed and implemented. These proposals have more in common than sets them apart: all of them rely on IP encapsulation. The plaintext packet is encrypted and wrapped inside an outer IP header, and that outer header, not the protected inner one, is what routers use to forward the packet across the Internet. At the far end the outer header is stripped, the packet is decrypted, and the original packet is delivered to its destination.

The Internet Engineering Task Force (IETF) chartered the IP Security Protocol (IPSEC) working group to standardize an IP Security Protocol (IPSP) and a companion Internet Key Management Protocol (IKMP).

The main purpose of IPSP is to let users who need protection apply cryptographic security at the IP layer. The mechanism has to work with the current version of IP (IPv4) as well as with the next generation (IPng, i.e. IPv6). It must be algorithm-independent, so that a cipher or hash function can be replaced without touching the rest of the system, and it must support several security policies at once without penalizing users who do not need them. Against these requirements the IPSEC working group produced two specifications: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). In short, AH provides authenticity and integrity for the IP packet, and ESP provides confidentiality for its contents.

IP AH carries a Message Authentication Code (MAC) that is computed over the packet before it is sent. The sender computes the AH with a secret key; the receiver verifies it with the same key if a symmetric scheme is used, or with the corresponding key of a key pair if a public-key scheme is used. In the public-key case AH can also provide non-repudiation. Some header fields legitimately change in transit, for example the time-to-live field in IPv4 or the hop-limit field in IPv6; these must be left out of (treated as zero in) the MAC computation, otherwise every router on the path would invalidate the MAC. RFC 1828 was the first transform specified for AH: a keyed MD5, in which the secret key is mixed into the MD5 input. Both MD5 itself and the keyed construction were soon criticized as weak, and replacement schemes were proposed; the HMAC construction (RFC 2104) is what later AH transforms such as RFC 2403 adopted.
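The two points above, that fields which change in transit must be excluded from the MAC and that the RFC 1828 keyed-MD5 construction was replaced by HMAC, are easiest to see on a real packet. The following is an added example, not code from the page or from any IPsec implementation: it builds a minimal IPv4 packet, zeroes the mutable fields before taking the MAC, simulates routers decrementing the TTL, and compares the keyed-MD5 and HMAC-MD5 constructions. The packet contents, key, the set of fields treated as mutable, and the simplified keyed-MD5 layout (key || data || key, without RFC 1828's exact padding) are all assumptions made for the example; it is not a complete AH (no AH header, SPI or replay protection).

```python
"""Added example: AH-style integrity check over a minimal IPv4 packet.
Constructed sample data throughout; not a full AH implementation."""
import hashlib
import hmac
import struct

IPV4_HDR_LEN = 20


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                       0x1234, 0x4000, ttl, proto, 0, src, dst)


def mac_input(pkt):
    """Copy of the packet with the mutable IPv4 fields zeroed before the MAC
    is taken: TOS, flags/fragment offset, TTL and header checksum.
    (Assumption for the example: these are the fields a router may rewrite;
    a real AH additionally zeroes its own ICV field.)"""
    h = bytearray(pkt[:IPV4_HDR_LEN])
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL (hop limit in IPv6)
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h) + pkt[IPV4_HDR_LEN:]


def keyed_md5(key, data):
    """Simplified RFC 1828 style construction MD5(key || data || key).
    Shown for history only; do not use."""
    return hashlib.md5(key + data + key).digest()


def hmac_md5(key, data):
    """HMAC-MD5 (RFC 2104), the replacement adopted in RFC 2403."""
    return hmac.new(key, data, hashlib.md5).digest()


def ah_icv(key, pkt, mac=hmac_md5, exclude_mutable=True):
    """Integrity check value the sender attaches to the packet."""
    return mac(key, mac_input(pkt) if exclude_mutable else pkt)


def ah_verify(key, pkt, icv, mac=hmac_md5, exclude_mutable=True):
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(ah_icv(key, pkt, mac, exclude_mutable), icv)


def forward_hop(pkt):
    """What every router on the path does: decrement TTL, touch nothing else."""
    h = bytearray(pkt)
    h[8] -= 1
    return bytes(h)


def demo():
    key = b"constructed-16B!"                      # constructed sample key
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"hello over AH"
    pkt = ipv4_header(src, dst, 17, len(payload)) + payload
    icv = ah_icv(key, pkt)                          # mutable fields excluded
    naive = ah_icv(key, pkt, exclude_mutable=False) # MAC over the raw header
    arrived = forward_hop(forward_hop(pkt))         # two routers on the path
    tampered = arrived[:-1] + b"!"                  # last payload byte changed
    return {
        "survives_hops": ah_verify(key, arrived, icv),
        "naive_breaks": ah_verify(key, arrived, naive, exclude_mutable=False),
        "detects_tamper": ah_verify(key, tampered, icv),
        "keyed_md5_differs": keyed_md5(key, mac_input(pkt)) != icv,
    }


if __name__ == "__main__":
    print(demo())
```

The `naive_breaks` result is the whole reason for the mutable-field rule: a MAC over the header as sent fails at the receiver after the first router decrements the TTL, even though nobody tampered with the packet.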

The basic idea of IP ESP is to encapsulate either the entire IP packet (tunnel mode) or only the upper-layer protocol data (transport mode) inside an ESP, and to encrypt most of the ESP. In tunnel mode a new plaintext IP header is prepended to the encrypted ESP, and it is this outer header that is used for routing. The receiver removes the outer header, decrypts the ESP, strips the ESP header, and then processes the recovered original IP packet or upper-layer data exactly as it would an ordinary IP packet. The ESP format is defined in RFC 1827, and RFC 1829 specifies DES in CBC mode (the Data Encryption Standard) as the transform for ESP encryption and decryption. Other algorithms and modes can also be used, but some countries impose import and export controls on such products, and a few even restrict private use of encryption. (Both RFCs have since been superseded, current ESP being defined in RFC 4303, and single DES is no longer considered an adequate cipher.)
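The encapsulation mechanics described above for ESP, and earlier for the generic IP-encapsulation approach shared by SP3, NLSP and swIPe, are shown below in working code. This is an added example, not code from the page or from any IPsec implementation. It follows the RFC 1827/1829 layout (SPI and IV in the clear, then the encrypted payload, padding, pad length and payload type), builds the same packet in transport and tunnel mode, and decapsulates both at the receiver. The cipher is a stand-in XOR keystream derived from HMAC-SHA256, used only so the example runs on the standard library; it is not DES-CBC and not a real IPsec transform. Addresses, keys, SPI, IV and payload are constructed sample data.

```python
"""Added example: ESP encapsulation in transport and tunnel mode.
Stand-in cipher, constructed sample data; not a real IPsec transform."""
import hashlib
import hmac
import struct

IPV4_HDR_LEN = 20
ESP_PROTO = 50        # IP protocol number for ESP
IPIP_PROTO = 4        # payload type when a whole IP packet is carried (tunnel mode)
UDP_PROTO = 17


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                       0x1234, 0x4000, ttl, proto, 0, src, dst)


def toy_xor_stream(key, iv, data):
    """Stand-in cipher (assumption for the example only): XOR with an
    HMAC-SHA256 counter keystream. Symmetric, so it also decrypts."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream += hmac.new(key, iv + struct.pack("!I", counter),
                              hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def esp_wrap(key, spi, iv, payload_type, plaintext):
    """RFC 1827/1829 layout: SPI | IV | enc(payload | pad | pad_len | payload_type)."""
    pad_len = (-(len(plaintext) + 2)) % 8     # pad as an 8-byte block cipher would
    body = plaintext + bytes(pad_len) + bytes([pad_len, payload_type])
    return struct.pack("!I", spi) + iv + toy_xor_stream(key, iv, body)


def esp_unwrap(key, esp):
    """Return (spi, payload_type, plaintext) from an ESP payload."""
    spi = struct.unpack("!I", esp[:4])[0]
    iv = esp[4:12]
    body = toy_xor_stream(key, iv, esp[12:])
    pad_len, payload_type = body[-2], body[-1]
    return spi, payload_type, body[:len(body) - pad_len - 2]


def esp_transport(key, spi, iv, pkt):
    """Transport mode: original IP header stays; only upper-layer data is protected."""
    hdr, upper = bytearray(pkt[:IPV4_HDR_LEN]), pkt[IPV4_HDR_LEN:]
    esp = esp_wrap(key, spi, iv, hdr[9], upper)   # hdr[9] = original protocol
    hdr[9] = ESP_PROTO
    hdr[2:4] = struct.pack("!H", IPV4_HDR_LEN + len(esp))
    return bytes(hdr) + esp


def esp_tunnel(key, spi, iv, pkt, gw_src, gw_dst):
    """Tunnel mode: the whole original packet is encrypted and a new plaintext
    IP header (gateway to gateway) is prepended; routers only see that header."""
    esp = esp_wrap(key, spi, iv, IPIP_PROTO, pkt)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def esp_receive(key, pkt):
    """Receiver side for both modes: strip the outer header, decrypt, and
    rebuild the packet the upper layer should see."""
    outer = bytearray(pkt[:IPV4_HDR_LEN])
    if outer[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    _spi, payload_type, inner = esp_unwrap(key, pkt[IPV4_HDR_LEN:])
    if payload_type == IPIP_PROTO:        # tunnel mode: inner is a complete IP packet
        return inner
    outer[9] = payload_type               # transport mode: restore original header
    outer[2:4] = struct.pack("!H", IPV4_HDR_LEN + len(inner))
    return bytes(outer) + inner


def demo():
    key, iv, spi = b"constructed-key!", b"\x01" * 8, 0x100   # constructed values
    host_a, host_b = bytes([10, 1, 0, 5]), bytes([10, 2, 0, 9])
    gw_a, gw_b = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])
    payload = b"GET /secret"
    original = ipv4_header(host_a, host_b, UDP_PROTO, len(payload)) + payload
    transport = esp_transport(key, spi, iv, original)
    tunnel = esp_tunnel(key, spi, iv, original, gw_a, gw_b)
    return {
        "transport_roundtrip": esp_receive(key, transport) == original,
        "tunnel_roundtrip": esp_receive(key, tunnel) == original,
        "transport_exposes_hosts": transport[12:20] == host_a + host_b,
        "tunnel_shows_gateways": tunnel[12:20] == gw_a + gw_b,
        "inner_header_encrypted": original[:IPV4_HDR_LEN] not in tunnel,
        "payload_hidden": payload not in transport and payload not in tunnel,
    }


if __name__ == "__main__":
    print(demo())
```

Note what `transport_exposes_hosts` and `tunnel_shows_gateways` say about the two modes: transport mode leaves the real source and destination addresses in the clear, tunnel mode replaces them with the gateways' addresses, but in both cases an observer still sees who is talking to whom at some level, which is exactly the traffic-analysis limitation discussed next.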

AH and ESP can be used together or separately. However they are used, they do not protect against traffic analysis: an observer can still see which hosts (or, in tunnel mode, which gateways) exchange packets, when, and how much. Whether traffic analysis can be countered at the Internet layer at reasonable cost is an open question, and in practice few Internet users take it seriously.
