Copy Link
Add to Bookmark
Report

IPSec a Down and Dirty Introduction

hacker's profile picture
Published in 
2600 Salt Lake City
 · 5 years ago

 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-= IPSec a Down and Dirty Introduction =-

-= By rudeboy =-
-= rudeboy@xmission.com =-

-= http://www.2600slc.org =-
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


What IPSec is

IPSec is a protocol established by the IETF (Internet Engineering Task Force)
to enable secure communications between two or more hosts via IP. It can
provide access control (establish communication based on policy i.e. server
refusal to communicate with a client who cannot speak IPSec), data origin
authentication (can I believe this person says who he says he is?), message
integrity (packets are not accepted if they are altered), protection against
replay attacks (cannot send a previously sent packet) and confidentiality
(message is encrypted).

Other Benefits

Because it is built "on top" of IP and in essense encapsulates it you get
end-to-end security for both IPv4 and IPv6 although the implementations are
somewhat different. Additionally because the security is implemented at the
IP level you are inherently securing any TCP or UDP protocols running under it!

Ingredients

AH Authentication Header [rfc 2402]
this handles the message integrity, data origin authentication and
anti-replay
tunnel mode packet [[iphdr][ah][iphdr2][tcphdr][data]]
transport mode packet [[iphdr][ah][tcphdr][data]]

ESP Encapsulating Security Payload [rfc2406]
this handles all AH stuff in addition to encryption
tunnel mode packet [[iphdr][ah][esp][iphdr2][tcphdr][data]]
transport mode packet [[iphdr][ah][esp][tcphdr][data]]

ISAKMP Internet Security Association Key Management Protocol
framework protocol for key generation and crypto negotiation for SAs

SPI Security Parameter Index
a 32bit number in AH and ESP used to uniquely identify conversations

SA Security Association
combination of the destination IP + the SPI + AH/ESP

More about SAs

Security Associations are simplex (one-way) connections that handle the security
services for the secured traffic. Basically for each ESP or AH that you use to
communicate the host is gonna have an SA for conversations that it is holding
with others that it either initiates OR receives.

Modes

IPSec can be run in TRANSPORT mode or TUNNEL mode. Transport mode works
between two individual hosts and because these hosts are known there is less
packet overhead for IPSec. Tunnel mode however allows conversation with many
hosts. Because it needs to be routed it has to generate a new packet to wrap
the IP packet it intends to deliver. A new IP header is generated, etc.
Tunnel mode is the mode you use if you are implementing IPSec as a VPN solution.

Algorithms

My information is probably a bit out of date, but there are several algorithms
that are recognized in the IPSec standard domain as useable for both
encryption and authentication. Algorithms on the encryption (ESP) side include
DES, 3DES, CAST128, IDEA, and RC5. I also suspect that Blowfish, AES
(Rijndael) are also supported. On the authentication (AH) side you have MD5,
ripem and SHA1. I also suspect that there are other options available, but this
is the best information I have to date.

Protocols, Ports, and Packet Filters

For those who like a bit more detail, AH is identified as IP protocol number 51.
This isn't port 51, just protocol number 51. Likewise ESP is protocol number
50. ISAKMP however does listen on udp/500 which IS a port for key management
purposes. In order to allow IPSec, you need a packet filter that can filter on
protocol types like the ones I just mentioned above (50 and 51). Firewall's
can't modify or possibly even inspect the packets as it will ruin the
conversation and IPSec will just say no!

Proxies

You can proxy with IPSec with one condition. Proxies must be tunnellers too,
running IPSec in TUNNEL mode. Otherwise they mess with the packet and screw up
IPSec. IPSec can also work with SOCKS. However it causes an increase in
resources as SOCKS must now hold it's own conversation with the destination.
Basically for every IPSec conversation that is initiated with a SOCKS proxy,
it now must hold 2 IPSec conversations. One with the source and one with the
destination.

NAT

NAT (Network Address Translation) is possible with one condition. You NAT
before you tunnel, and decrypt before you hit the NAT gateway.

Implementations

Win2K security policy
OpenBSD ipsecadm

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

RFCs and Links

The RFCs that describe IPSec include 2401-2409.
RFC 2411 is an IPSec roadmap and is a useful read as well.
Read "A Cryptographic Evaluation of IPsec" -Schneier
[www.counterpane.com]
IETF IPSec charter
[www.ietf.org/html.charters/ipsec-charter.html]
Win2k IPSec guide
[www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp]
OpenBSD IPSec guide
[www.openbsd.org/faq/faq13.html]

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
� 2600SLC.ORG 2001
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT