Copy Link
Add to Bookmark
Report
IPSec a Down and Dirty Introduction
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-= IPSec a Down and Dirty Introduction =-
-= By rudeboy =-
-= rudeboy@xmission.com =-
-= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What IPSec is
IPSec is a protocol established by the IETF (Internet Engineering Task Force)
to enable secure communications between two or more hosts via IP. It can
provide access control (establish communication based on policy i.e. server
refusal to communicate with a client who cannot speak IPSec), data origin
authentication (can I believe this person says who he says he is?), message
integrity (packets are not accepted if they are altered), protection against
replay attacks (cannot send a previously sent packet) and confidentiality
(message is encrypted).
Other Benefits
Because it is built "on top" of IP and in essense encapsulates it you get
end-to-end security for both IPv4 and IPv6 although the implementations are
somewhat different. Additionally because the security is implemented at the
IP level you are inherently securing any TCP or UDP protocols running under it!
Ingredients
AH Authentication Header [rfc 2402]
this handles the message integrity, data origin authentication and
anti-replay
tunnel mode packet [[iphdr][ah][iphdr2][tcphdr][data]]
transport mode packet [[iphdr][ah][tcphdr][data]]
ESP Encapsulating Security Payload [rfc2406]
this handles all AH stuff in addition to encryption
tunnel mode packet [[iphdr][ah][esp][iphdr2][tcphdr][data]]
transport mode packet [[iphdr][ah][esp][tcphdr][data]]
ISAKMP Internet Security Association Key Management Protocol
framework protocol for key generation and crypto negotiation for SAs
SPI Security Parameter Index
a 32bit number in AH and ESP used to uniquely identify conversations
SA Security Association
combination of the destination IP + the SPI + AH/ESP
More about SAs
Security Associations are simplex (one-way) connections that handle the security
services for the secured traffic. Basically for each ESP or AH that you use to
communicate the host is gonna have an SA for conversations that it is holding
with others that it either initiates OR receives.
Modes
IPSec can be run in TRANSPORT mode or TUNNEL mode. Transport mode works
between two individual hosts and because these hosts are known there is less
packet overhead for IPSec. Tunnel mode however allows conversation with many
hosts. Because it needs to be routed it has to generate a new packet to wrap
the IP packet it intends to deliver. A new IP header is generated, etc.
Tunnel mode is the mode you use if you are implementing IPSec as a VPN solution.
Algorithms
My information is probably a bit out of date, but there are several algorithms
that are recognized in the IPSec standard domain as useable for both
encryption and authentication. Algorithms on the encryption (ESP) side include
DES, 3DES, CAST128, IDEA, and RC5. I also suspect that Blowfish, AES
(Rijndael) are also supported. On the authentication (AH) side you have MD5,
ripem and SHA1. I also suspect that there are other options available, but this
is the best information I have to date.
Protocols, Ports, and Packet Filters
For those who like a bit more detail, AH is identified as IP protocol number 51.
This isn't port 51, just protocol number 51. Likewise ESP is protocol number
50. ISAKMP however does listen on udp/500 which IS a port for key management
purposes. In order to allow IPSec, you need a packet filter that can filter on
protocol types like the ones I just mentioned above (50 and 51). Firewall's
can't modify or possibly even inspect the packets as it will ruin the
conversation and IPSec will just say no!
Proxies
You can proxy with IPSec with one condition. Proxies must be tunnellers too,
running IPSec in TUNNEL mode. Otherwise they mess with the packet and screw up
IPSec. IPSec can also work with SOCKS. However it causes an increase in
resources as SOCKS must now hold it's own conversation with the destination.
Basically for every IPSec conversation that is initiated with a SOCKS proxy,
it now must hold 2 IPSec conversations. One with the source and one with the
destination.
NAT
NAT (Network Address Translation) is possible with one condition. You NAT
before you tunnel, and decrypt before you hit the NAT gateway.
Implementations
Win2K security policy
OpenBSD ipsecadm
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
RFCs and Links
The RFCs that describe IPSec include 2401-2409.
RFC 2411 is an IPSec roadmap and is a useful read as well.
Read "A Cryptographic Evaluation of IPsec" -Schneier
[www.counterpane.com]
IETF IPSec charter
[www.ietf.org/html.charters/ipsec-charter.html]
Win2k IPSec guide
[www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp]
OpenBSD IPSec guide
[www.openbsd.org/faq/faq13.html]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
� 2600SLC.ORG 2001
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-