Sunday, 27 May 2012

IPsec

What is IPsec?


IPsec is a suite of protocols for securing network connections, but the details and the many variations quickly become overwhelming.


Why are there so many settings that "quickly become overwhelming"?


IPsec provides mechanism, not policy.
Rather than define such-and-such encryption algorithm or a certain authentication function, it provides a framework that allows an implementation to provide nearly anything that both ends agree upon.




IKE versus manual keys
Since both sides of the conversation need to know the secret values used in hashing or encryption, there is the question of just how this data is exchanged. Manual keys require manual entry of the secret values on both ends, presumably conveyed by some out-of-band mechanism, and IKE (Internet Key Exchange) is a sophisticated mechanism for doing this online.

Main mode versus aggressive mode
These modes control an efficiency-versus-security tradeoff during initial IKE key exchange. "Main mode" requires six packets back and forth, but affords complete security during the establishment of an IPsec connection, while Aggressive mode uses half the exchanges providing a bit less security because some information is transmitted in cleartext.



AH versus ESP
"Authentication Header" (AH) and "Encapsulating Security Payload" (ESP) are the two main wire-level protocols used by IPsec, and they authenticate (AH) and encrypt+authenticate (ESP) the data flowing over that connection. They are typically used independently, though it's possible (but uncommon) to use them both together.



IP Datagram


All IP traffic, IPsec included, is carried inside IP datagrams with an IP header, so we will take a look at that header first.

Some IP protocol codes

Code  Protocol description
 1    ICMP — Internet Control Message Protocol
 2    IGMP — Internet Group Management Protocol
 4    IP within IP (a kind of encapsulation)
 6    TCP — Transmission Control Protocol
17    UDP — User Datagram Protocol
41    IPv6 — next-generation TCP/IP
47    GRE — Generic Router Encapsulation (used by PPTP)
50    IPsec: ESP — Encapsulating Security Payload
51    IPsec: AH — Authentication Header

Authentication Algorithms

AH carries an Integrity Check Value in the Authentication Data portion of the header, and it's typically (but not always) built on top of standard cryptographic hash algorithms such as MD5 or SHA-1.
Rather than use a straight checksum, which would provide no real security against intentional tampering, it uses a Hashed Message Authentication Code (HMAC) which incorporates a secret value while creating the ICV. Though an attacker can easily recompute a hash, without the secret value he won't be able to recreate the proper ICV.
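As an added example (my own code, not from this post or the unixwiz guide it links), the Python below builds a constructed IPv4+AH datagram, reads the protocol code from the IP header using the table above, and computes and verifies the AH ICV as an HMAC-SHA1 truncated to 96 bits. It assumes a 20-byte IPv4 header with no options, sample 10.0.0.x addresses, and a constructed shared key; the point it shows is that a receiver holding the secret detects any change to the payload, while changes to mutable fields such as the TTL still verify.

```python
import hashlib
import hmac
import struct

# IP protocol numbers from the table above.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 4: "IP-in-IP", 6: "TCP", 17: "UDP",
                41: "IPv6", 47: "GRE", 50: "IPsec ESP", 51: "IPsec AH"}
AH = 51
AH_FIXED = 12   # next header, payload len, reserved, SPI, sequence number
ICV_LEN = 12    # HMAC-SHA1-96: the SHA-1 HMAC truncated to 96 bits
ICV_OFF = 20 + AH_FIXED  # assumes a 20-byte IPv4 header with no options

def protocol_name(datagram: bytes) -> str:
    """Look up the IPv4 Protocol field (byte 9) in the table above."""
    return IP_PROTOCOLS.get(datagram[9], "unknown")

def _zero_mutable(datagram: bytes) -> bytes:
    """Copy with the fields AH does not protect zeroed: IPv4 TOS, flags and
    fragment offset, TTL, header checksum, and the ICV field itself."""
    d = bytearray(datagram)
    d[1] = 0; d[6:8] = b"\x00\x00"; d[8] = 0; d[10:12] = b"\x00\x00"
    d[ICV_OFF:ICV_OFF + ICV_LEN] = bytes(ICV_LEN)
    return bytes(d)

def compute_icv(datagram: bytes, key: bytes) -> bytes:
    """ICV = HMAC-SHA1 over the immutable parts, keyed with the shared secret."""
    return hmac.new(key, _zero_mutable(datagram), hashlib.sha1).digest()[:ICV_LEN]

def build_ah_datagram(payload: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Constructed IPv4 + AH datagram; next header 17 (UDP), sample 10.0.0.x
    addresses, IP checksum left zero (it is mutable and not covered by AH)."""
    ah_hdr = struct.pack("!BBHII", 17, (AH_FIXED + ICV_LEN) // 4 - 2, 0, spi, seq)
    total = 20 + AH_FIXED + ICV_LEN + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, AH,
                         0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    d = ip_hdr + ah_hdr + bytes(ICV_LEN) + payload
    return d[:ICV_OFF] + compute_icv(d, key) + d[ICV_OFF + ICV_LEN:]

def verify_ah(datagram: bytes, key: bytes) -> bool:
    """Receiver side: recompute the ICV with the secret and compare in constant
    time. A changed payload, or the wrong key, fails; a changed TTL still passes."""
    if len(datagram) < ICV_OFF + ICV_LEN or datagram[9] != AH:
        return False
    received = datagram[ICV_OFF:ICV_OFF + ICV_LEN]
    return hmac.compare_digest(received, compute_icv(datagram, key))
```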

http://www.unixwiz.net/techtips/iguide-ipsec.html

1 comment:

  1. Hi, Adi here.

    I think you need to explain more directly what IPSec means, as it isn't so clear from your post what it is exactly.

    There is also a discontinuity between each point you've listed up above. They don't seem to be related to the previous points, nor do they flow together at all. I had a hard time understanding what you were trying to say.

    The images were not very helpful either. Sorry to be so harsh.
