A Comprehensive Look at IP Security Encryption and IPsec Security Technologies (1)

Source: Internet
Author: User

IP Security (IPsec) uses encryption at the network layer. Although a packet's header and trailer information, such as the source/destination IP address, port number, and CRC check value, cannot be encrypted, the packet payload can be. Because the encryption takes place at the IP layer, security can be applied to network traffic without changing upper-layer protocols such as POP or WWW. IPsec can also be used to build secure connections between local networks across the Internet.
Security Architecture of the IP Protocol
IPv4 packets provide no security protection of their own. Attackers can use packet sniffing, IP address spoofing, connection hijacking, and replay attacks (attacking a system by repeatedly sending packets with the same sequence number). The packets we receive are therefore exposed to the following dangers: they may not come from the legitimate sender; the data may have been modified in transit; and the data content may have been stolen (for example, from conversations carrying important information such as military secrets). The purpose of IPsec is to provide integrity for data in transit (verification of the source address and assurance that the data has not been modified) and confidentiality (the data cannot be viewed), and to offer a certain degree of protection against replay attacks. IPsec protects IP and the protocols above it, such as TCP and UDP.
The basic structure of IPsec uses the Authentication Header (AH) and the Encapsulating Security Payload (ESP) to provide data authentication and encryption. The former provides data integrity and the latter data confidentiality. There are also two modes of operation: transport mode and tunnel mode. In transport mode, a new IPsec header (AH or ESP) is inserted between the IP header and the upper-layer protocol header. In tunnel mode, the entire IP packet to be protected is encapsulated inside another IP packet, and the new IPsec header is inserted between the outer and inner IP headers. Both IPsec headers can work in either transport or tunnel mode.
[Figure: IPsec packet protection mechanism. Panels: original packet; packet protected in transport mode; packet protected in tunnel mode.]
IPsec is composed of four components: the Internet Key Exchange (IKE) process, the IPsec process itself, the Security Association Database, and the Security Policy Database.
IPsec has two important databases: the Security Association Database (SAD) and the Security Policy Database (SPD). Each entry in the SAD is a Security Association (SA), which forms the basis of IPsec. An SA is an agreement established by negotiation between two communicating entities; it determines the IPsec protocol, transform (encoding method), key, and key lifetime used to protect packets. Each entry in the SPD is a policy that applies security services to packets and decides how they are processed. The SPD is the security interface between people and the machine; it covers policy definition, expression, management, and the interaction between policies and the IPsec system components. The two databases work together. For the sender, each SPD entry has a pointer to the relevant SAD entries. If an SPD entry does not point to an SA suitable for the packet being sent, a new SA or SA bundle is created and the SPD entry is linked to the new SA entries. For the receiver, the corresponding SA is found in the SAD using the destination IP address, the IP security protocol type (AH or ESP) contained in the packet header, and the SPI (Security Parameter Index). Other fields in an SA include the sequence number, the sequence number overflow flag, the anti-replay window, the AH authentication algorithm and key, the ESP encryption algorithm, key and initialization vector, the ESP authentication algorithm and key, and so on.
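As an added example (not code from the original article), the following Python models the receiver-side behaviour described above: an SAD keyed by destination address, protocol and SPI, and the sequence number plus anti-replay window fields of each SA, used to reject the replayed packets mentioned in the section before. The window logic follows the sliding-window scheme of AH/ESP (RFC 4302/4303) with a 64-packet window; the class and function names are constructed for this example.

```python
from dataclasses import dataclass

WINDOW = 64  # RFC 4302/4303 require at least 32; 64 is the usual default


@dataclass
class SecurityAssociation:
    spi: int
    protocol: str          # "AH" or "ESP"
    dst_ip: str
    highest_seq: int = 0   # highest sequence number accepted so far
    window_bits: int = 0   # bit i set => (highest_seq - i) already received
    overflow: bool = False  # sequence number overflow flag (32-bit counter)


# Receiver-side SAD, keyed exactly as the article describes:
# (destination IP, security protocol, SPI).
SAD = {}


def add_sa(sa):
    SAD[(sa.dst_ip, sa.protocol, sa.spi)] = sa


def lookup_sa(dst_ip, protocol, spi):
    return SAD.get((dst_ip, protocol, spi))


def inbound_check(dst_ip, protocol, spi, seq):
    """Return (accepted, reason) for an inbound AH/ESP packet."""
    sa = lookup_sa(dst_ip, protocol, spi)
    if sa is None:
        return False, "no SA"            # unknown SPI: drop and audit
    if seq == 0:
        return False, "seq 0 invalid"    # sequence numbers start at 1
    if seq > sa.highest_seq:
        # New high-water mark: slide the window right and mark this packet.
        shift = seq - sa.highest_seq
        if shift >= WINDOW:
            sa.window_bits = 1           # everything previously seen falls out
        else:
            sa.window_bits = ((sa.window_bits << shift) | 1) & ((1 << WINDOW) - 1)
        sa.highest_seq = seq
        return True, "new"
    diff = sa.highest_seq - seq
    if diff >= WINDOW:
        return False, "too old"          # left of the window: cannot be checked
    if (sa.window_bits >> diff) & 1:
        return False, "replay"           # already received once
    sa.window_bits |= 1 << diff          # late but unseen packet: accept
    return True, "in window"
```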
Internet Key Exchange (IKE) is the most important part of IPsec. Before IPsec can protect an IP packet, an SA must be created. IKE negotiates SAs on behalf of IPsec and populates the SAD. IKE is a hybrid protocol built on the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP). IKE uses the two phases of ISAKMP: the first phase establishes an IKE security association, and the second phase uses that established security association to negotiate the specific security associations for IPsec.
The IPsec process itself implements the IPsec daemon. By interacting with this process you can manage your own security policies and obtain the network security that suits your needs. Of course, the source code of each development organization differs, but all of them must comply with the RFC specifications, and the end result should be similar. Generally, the IPsec source code is embedded in the kernel's IP-layer source code. It has also been suggested that the IPsec code can be placed either inside the kernel IP layer or above the IP layer and below TCP.
IPsec-based Virtual Private Network
When IPsec is used on a router, a virtual private network can be created. One side of the router connects to the intranet, which is the protected network, and the other side connects to the insecure public network. Two such routers establish a secure tunnel through which traffic can be sent from the local subnet to the remote subnet, forming a VPN.
In this VPN, each IPsec-enabled router is a network aggregation point, and any attempt to analyze the VPN traffic will fail. The reason is that all VPN traffic passes through the SAs on the routers, which define the encryption or authentication algorithms, keys, and other parameters; that is, as long as packets from a router in the VPN comply with the security policy, the corresponding SA is used to encrypt or authenticate them (adding an AH or ESP header). The entire secure transmission process is controlled by IKE, and keys are generated automatically. Users in the subnet need no security measures of their own; all encryption and decryption is performed by the routers at both ends.