I P S E C U R I T Y ( I P S E C ) P R O T O C O L S
I P S E C U R I T Y ( I P S E C ) P R O T O C O L S
IP datagrams must usually be routed between two devices over unknown networks, any information in them is subject to being intercepted and even possibly changed. With the increased use of the Internet for critical applications, security enhancements were needed for IP. To this end, a set of protocols called IP Security or IPsec was developed.
three topics cover the three main IPsec protocols:
1. IPsec Authentication Header (AH),
3. IPsec Internet Key Exchange (IKE).
NOTE IPsec was initially developed with IPv6 in mind, but has been engineered to provide security for both IPv4 and IPv6 networks, and operation in both versions is similar. There are some differences in the datagram formats used for AH and ESP. These differences depend on whether you use IPsec in IPv4 or IPv6, because the two versions have different datagram formats and addressing. I highlight these differences where appropriate.
IPsec Overview, History, and Standards
What was really needed was a solution to allow security at the IP level so all higher-layer protocols in TCP/IP could take advantage of it. When the decision was made to develop a new version of IP (IPv6), this was the golden opportunity to resolve not just the addressing problems in the older IPv4, but the lack of security as well. New security technology was developed with IPv6 in mind, but since IPv6 has taken years to develop and roll out, and the need for security is now, the solution was designed to be usable for both IPv4 and IPv6.
The technology that brings secure communications to the IP is called IP Security, commonly abbreviated IPsec. The capitalization of this abbreviation is variable, so you’ll see IPSec and IPSEC.
Overview of IPsec Services and Functions
IPsec is not a single protocol, but rather a set of services and protocols that provide a complete security solution for an IP network. These services and protocols combine to provide various types of protection. Since IPsec works at the IP layer, it can provide these protections for any higher-layer TCP/IP application or protocol without the need for additional security methods, which is a major strength. Some of the kinds of protection services offered by IPsec include the following:
1. Encryption of user data for privacy
2. Authentication of the integrity of a message to ensure that it is not changed en route
3. Protection against certain types of security attacks, such as replay attacks
4. The ability for devices to negotiate the security algorithms and keys required to meet their security needs
5. Two security modes, tunnel and transport, to meet different network needs
KEY CONCEPT IPsec is a contraction of IP Security, and it consists of a set of services and protocols that provide security to IP networks. It is defined by a sequence of several Internet standards.
IPsec Standards
Since IPsec is actually a collection of techniques and protocols, it is not defined in a single Internet standard. Instead, a collection of RFCs defines the architecture, services, and specific protocols used in IPsec. Some of the most important of these are shown in Table 29-1, all of which were published in November 1998. Table 29-1: Important IP Security (IPsec) Standards
RFC Number | Name | Description |
2401 | Security Architecture for the Internet Protocol | The main IPsec document, describing the architecture and general operation of the technology, and showing how the different components fit together. |
2402 | IP Authentication Header | Defines the IPsec Authentication Header (AH) protocol, which is used for ensuring data integrity and origin verification. |
2403 | The Use of HMAC-MD596 within ESP and AH | Describes a particular encryption algorithm for use by the AH and Encapsulation Security Payload (ESP) protocols called Message Digest 5 (MD5), HMAC variant. |
(continued)
Table 29-1: Important IP Security (IPsec) Standards (continued)
RFC Number | Name | Description |
2404 | The Use of HMAC-SHA- 1-96 within ESP and AH | Describes a particular encryption algorithm for use by AH and ESP called Secure Hash Algorithm 1 (SHA-1), HMAC variant. |
2406 | IP Encapsulating Security Payload (ESP) | Describes the IPsec ESP protocol, which provides data encryption for confidentiality. |
2408 | Internet Security Association and Key Management Protocol (ISAKMP) | Defines methods for exchanging keys and negotiating security associations. |
2409 | The Internet Key Exchange (IKE) | Describes the IKE protocol that’s used to negotiate security associations and exchange keys between devices for secure communications. Based on ISAKMP and OAKLEY. |
2412 | The OAKLEY Key Determination Protocol | Describes a generic protocol for key exchange. |
IPsec General Operation, Components, and Protocols
it provides security services at the IP layer for other TCP/IP protocols and applications to use. What this means is that IPsec provides the tools that devices on a TCP/IP network need in order to communicate securely. When two devices (either end-user hosts or intermediate devices such as routers or firewalls) want to engage in secure communications, they set up a secure path between themselves that may traverse across many insecure intermediate systems. To accomplish this, they must perform (at least) the following tasks:
1. They must agree on a set of security protocols to use so that each one sends data in a format the other can understand.
2. They must decide on a specific encryption algorithm to use in encoding data.
3. They must exchange keys that are used to “unlock” data that has been cryptographically encoded.
4. Once this background work is completed, each device must use the protocols, methods, and keys previously agreed upon to encode data and send it across the network.
IPsec Core Protocols
To support these activities, a number of different components make up the total package known as IPsec, as shown in Figure 29-1. The two main pieces are a pair of technologies sometimes called the core protocols of IPsec, which actually do the work of encoding information to ensure security:
IPsec Authentication Header (AH) This protocol provides authentication services for IPsec. It allows the recipient of a message to verify that the supposed originator of a message was actually fact the one that sent it. It also allows the recipient to verify that intermediate devices en route haven’t changed any of the data in the datagram. It also provides protection against so-called replay attacks, whereby a message is captured by an unauthorized user and resent.
Encapsulating Security Payload (ESP) AH ensures the integrity of the data in datagram, but not its privacy. When the information in a datagram is “for your eyes only,” it can be further protected using ESP, which encrypts the payload of the IP datagram.
Figure 29-1: Overview of IPsec protocols and components IPsec consists of two core protocols, AH and ESP, and three supporting components.
IPsec Support Components
AH and ESP are commonly called protocols. They are not really distinct protocols but are implemented as headers that are inserted into IP datagrams, as you will see. can be used together to provide both authentication and privacy. However, they cannot operate on their own. To function properly, they need the support of several other protocols and services (see Figure 29-1). The most important of these include the following:
Encryption/Hashing Algorithms AH and ESP are generic and do not specify the exact mechanism used for encryption. This gives them the flexibility to work with a variety of such algorithms and to negotiate which one to use as needed. Two common ones used with IPsec are Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1). These are also called hashing algorithms because they work by computing a formula called a hashbased on input data and a key.
Security Policies, Security Associations, and Management Methods Since IPsec provides flexibility in letting different devices decide how they want to implement security, they require some means to keep track of the security relationships between themselves. This is done in IPsec using constructs called security policies and security associations, and by providing ways to exchange security association information.
Key Exchange Framework and Mechanism For two devices to exchange encrypted information, they need to be able to share keys for unlocking the encryption. They also need a way to exchange security association information. In IPsec, a protocol called the Internet Key Exchange (IKE) provides these capabilities.
KEY CONCEPT IPsec consists of a number of different components that work together to provide security services. The two main ones are protocols called the Authentication Header (AH)and Encapsulating Security Payload (ESP), which provide authenticity and privacy to IP data in the form of special headers added to IP datagrams.
0 Response to "I P S E C U R I T Y ( I P S E C ) P R O T O C O L S"
Post a Comment