IP security encryption: IPsec, encryption for network communication
IPsec encrypts traffic at the network layer. The outer IP header cannot be encrypted, because every router on the path needs the source and destination addresses, the protocol field and the header checksum to forward the packet, but the packet's payload can be. In transport mode the transport header (TCP or UDP, port numbers included) and the data are protected; in tunnel mode the whole original packet, its IP header included, is hidden inside a new one. Because protection happens at the IP layer, application protocols such as POP or HTTP need no changes to benefit from it, and the same mechanism can be used to join two LANs across the Internet.

The IPv4 protocol itself provides no security. An attacker can sniff packets, spoof source addresses, hijack connections and replay traffic (capture legitimate packets and re-send them so that the receiver acts on them a second time). A packet we receive is therefore exposed to three hazards: it may not come from the legitimate sender, it may have been modified in transit, and its contents may have been read by a third party (military secrets or other confidential conversations, for example). IPsec, defined in the Security Architecture for the Internet Protocol (RFC 4301), is designed to provide data-origin authentication and integrity (the packet really comes from the claimed source and has not been altered), confidentiality (the data cannot be read) and a degree of protection against replay. Because it works at the IP layer it protects IP itself and every upper-layer protocol carried in it (TCP, UDP and so on).

The basic building blocks of IPsec are two headers: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH provides integrity and origin authentication for the payload and the immutable parts of the IP header but no encryption; ESP provides confidentiality and, when combined with an integrity algorithm or an AEAD cipher, authentication as well. Each of them supports two modes of transport: transport mode and tunnel mode. In transport mode a new IPsec header (AH or ESP) is inserted between the original IP header and the upper-layer protocol header. In tunnel mode the entire IP packet to be protected is encapsulated in another IP packet, and the new IPsec header is inserted between the outer and the inner IP header.
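To make the two modes concrete, here is an added example (written for this page, not code from the original post) that builds and unpacks ESP packets in transport and tunnel mode. The ESP layout (SPI, sequence number, IV, encrypted payload followed by padding, pad length and Next Header, then the ICV) and the HMAC-SHA-256-128 integrity check follow RFC 4303, and the ICV is verified before any decryption. The cipher, however, is a toy HMAC-based keystream standing in for AES and must not be used for real traffic, and the host and gateway addresses, SPIs and the TCP segment are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import socket
import struct

IPPROTO_TCP, IPPROTO_IPIP, IPPROTO_ESP = 6, 4, 50
BLOCK = 16        # block size the ESP padding is aligned to
ICV_LEN = 16      # HMAC-SHA-256-128: the 256-bit HMAC is truncated to 128 bits


def _checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    f = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
         socket.inet_aton(src), socket.inet_aton(dst)]
    f[7] = _checksum(struct.pack("!BBHHHBBH4s4s", *f))
    return struct.pack("!BBHHHBBH4s4s", *f)


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload); these clear-text fields are all an observer sees."""
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:]


def _keystream(key, iv, n):
    """Toy keystream (HMAC in counter mode) standing in for AES; NOT a real IPsec transform."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_sa(mode, src, dst, spi):
    """Minimal outbound SA: mode, endpoints, SPI, sequence counter and two random keys."""
    return {"mode": mode, "src": src, "dst": dst, "spi": spi, "seq": 0,
            "enc_key": os.urandom(32), "auth_key": os.urandom(32)}


def esp_protect(sa, inner, next_header):
    """Wrap `inner` in ESP: [IP][SPI|Seq|IV|E(inner|pad|padlen|NH)][ICV].
    In tunnel mode `inner` is the whole original IP packet and Next Header is 4 (IP-in-IP)."""
    if sa["mode"] == "tunnel":
        next_header = IPPROTO_IPIP
    pad_len = (-(len(inner) + 2)) % BLOCK
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    sa["seq"] += 1
    iv = os.urandom(BLOCK)
    body = struct.pack("!II", sa["spi"], sa["seq"]) + iv + _xor(plain, _keystream(sa["enc_key"], iv, len(plain)))
    icv = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]
    return ipv4_header(sa["src"], sa["dst"], IPPROTO_ESP, len(body) + ICV_LEN) + body + icv


def esp_unprotect(sa, pkt):
    """Check the ICV before touching the ciphertext; return (next_header, inner) or raise ValueError."""
    _, dst, proto, esp = parse_ipv4(pkt)
    if proto != IPPROTO_ESP or dst != sa["dst"]:
        raise ValueError("not an ESP packet for this SA")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, _seq = struct.unpack("!II", body[:8])
    if spi != sa["spi"]:
        raise ValueError("SPI does not match this SA")
    iv, ct = body[8:8 + BLOCK], body[8 + BLOCK:]
    plain = _xor(ct, _keystream(sa["enc_key"], iv, len(ct)))
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - 2 - pad_len]


def demo():
    """Protect one constructed TCP SYN from 10.0.1.5 to 10.0.2.9 in both modes; report what stays visible."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    original = ipv4_header("10.0.1.5", "10.0.2.9", IPPROTO_TCP, len(tcp)) + tcp
    # Transport mode: the hosts protect end to end; ESP sits between the IP header and TCP.
    t_sa = make_sa("transport", "10.0.1.5", "10.0.2.9", 0x1001)
    t_pkt = esp_protect(t_sa, tcp, IPPROTO_TCP)
    # Tunnel mode: gateways 203.0.113.1 and 198.51.100.1 wrap the whole original packet.
    u_sa = make_sa("tunnel", "203.0.113.1", "198.51.100.1", 0x2002)
    u_pkt = esp_protect(u_sa, original, IPPROTO_TCP)
    t_nh, t_inner = esp_unprotect(t_sa, t_pkt)
    u_nh, u_inner = esp_unprotect(u_sa, u_pkt)   # a gateway would now forward u_inner into its LAN
    return {"transport_visible": parse_ipv4(t_pkt)[:3],   # real hosts and protocol 50 in the clear
            "tunnel_visible": parse_ipv4(u_pkt)[:3],      # only the two gateways are visible
            "transport_ok": t_nh == IPPROTO_TCP and t_inner == tcp,
            "tunnel_ok": u_nh == IPPROTO_IPIP and u_inner == original}
```

Running demo() shows the practical difference between the modes: the transport-mode packet still exposes 10.0.1.5 and 10.0.2.9 (and protocol 50) in its clear-text header, while the tunnel-mode packet exposes only the two gateway addresses. In both modes a single modified ciphertext byte fails the ICV check before any decryption takes place.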
Either header can be used in either mode. The three packet layouts compared in the original post were: the original packet (IP header, TCP header, data); the transport-mode protected packet (IP header, ESP or AH header, TCP header, data, ESP trailer and ICV); and the tunnel-mode protected packet (new outer IP header, ESP or AH header, original IP header, TCP header, data, ESP trailer and ICV).

The protection IPsec applies to a packet is determined by four main components: the Internet Key Exchange (IKE), the IPsec processing itself, the Security Association Database (SAD) and the Security Policy Database (SPD). The two databases are the heart of the system. Each entry in the SAD is a Security Association (SA): a one-way agreement negotiated between the two communicating entities that specifies which IPsec protocol (AH or ESP) protects the packets, which transforms (algorithms) are used, the keys, and how long the keys remain valid. Each entry in the SPD is a policy: it states which security services apply to which packets (identified by selectors such as addresses, protocol and ports) and how a matching packet is handled, whether it is discarded, passed in the clear or protected with IPsec. The SPD is the human interface to IPsec security; it covers how policies are defined, represented and managed and how they interact with the other components of the system.

The two databases are linked. For the sender, each SPD entry holds a pointer to the SAD entries that implement it; if an SPD entry does not yet point to an SA suitable for the packet being sent, a new SA (or SA bundle) is created, normally by IKE, and linked to the SPD entry. For the receiver, the SA is found by looking up the SAD with the destination address from the IP header, the IPsec protocol in use (AH or ESP) and the Security Parameter Index (SPI) carried in the IPsec header. The other fields of an SA include the sequence number counter and its overflow flag, the anti-replay window, the AH authentication algorithm and key, the ESP encryption algorithm, key and initialization vector, the ESP authentication algorithm and key, and so on.

IKE is the most important part of IPsec. Before IPsec can protect an IP packet an SA must exist, and IKE is what builds SAs dynamically: it negotiates the IPsec SAs on behalf of the two peers and fills the SAD.
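The following added example (written for this page; it is not code from the original post or from any IPsec implementation) models the two databases and the receive-side checks described above: an SPD whose entries point at SAD entries, outbound lookup that creates an SA when a "protect" policy has none, inbound lookup by (destination, protocol, SPI), the sequence number overflow rule, and the anti-replay sliding window of RFC 4303 Appendix A. The subnets, gateway addresses and policies are constructed; negotiate_sa() stands in for IKE and simply mints random parameters, and the ICV result is passed into inbound() as a flag because the cryptography is not the point here.

```python
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional

SEQ_MAX = 2**32 - 1   # 32-bit ESP/AH sequence number (extended sequence numbers not modelled)


@dataclass
class SA:
    """One SAD entry: negotiated parameters for one direction of one flow, keyed on (dst, proto, spi)."""
    spi: int
    proto: str          # "esp" or "ah"
    dst: str
    key: bytes
    seq: int = 0        # sender-side counter
    window: int = 64    # anti-replay window; RFC 4303 requires at least 32, 64 is the usual default
    top: int = 0        # highest sequence number accepted so far
    bitmap: int = 0     # bit i set <=> sequence number (top - i) has already been accepted


@dataclass
class Policy:
    """One SPD entry: traffic selectors (CIDR), action, peer gateway and the SA implementing it."""
    src: str
    dst: str
    action: str         # "discard", "bypass" or "protect"
    proto: Optional[int] = None
    dport: Optional[int] = None
    peer: Optional[str] = None   # tunnel endpoint for "protect"
    sa: Optional[SA] = None      # pointer into the SAD, filled once negotiated

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt.get("proto"))
                and self.dport in (None, pkt.get("dport")))


class SAD:
    def __init__(self):
        self.entries = {}

    def add(self, sa):
        self.entries[(sa.dst, sa.proto, sa.spi)] = sa

    def lookup(self, dst, proto, spi):
        """Inbound: the SA is identified by the outer destination, the protocol and the SPI."""
        return self.entries.get((dst, proto, spi))


def negotiate_sa(sad, policy):
    """Stand-in for IKE: mint an outbound ESP SA (random SPI and key) for the policy and link it."""
    spi = int.from_bytes(os.urandom(4), "big") or 1       # SPI 0 is reserved
    sa = SA(spi=spi, proto="esp", dst=policy.peer, key=os.urandom(32))
    sad.add(sa)
    return sa


def outbound(spd, sad, pkt):
    """Sender: first matching policy wins; 'protect' without an SA triggers negotiation; no match drops."""
    for pol in spd:
        if pol.matches(pkt):
            if pol.action == "protect" and pol.sa is None:
                pol.sa = negotiate_sa(sad, pol)
            return pol.action, pol.sa
    return "discard", None


def next_seq(sa):
    """Sender: the counter must never wrap; at 2^32-1 the SA has to be replaced (overflow flag)."""
    if sa.seq >= SEQ_MAX:
        raise RuntimeError("sequence number exhausted, rekey the SA")
    sa.seq += 1
    return sa.seq


def replay_check(sa, seq):
    """Receiver, before ICV verification: reject seq 0, anything left of the window and duplicates."""
    if seq == 0:
        return False
    if seq > sa.top:
        return True
    diff = sa.top - seq
    return diff < sa.window and not (sa.bitmap >> diff) & 1


def replay_update(sa, seq):
    """Receiver, only after the ICV verified: slide the window right or mark a late packet as seen."""
    if seq > sa.top:
        shift = seq - sa.top
        sa.bitmap = ((sa.bitmap << shift) | 1) & ((1 << sa.window) - 1) if shift < sa.window else 1
        sa.top = seq
    else:
        sa.bitmap |= 1 << (sa.top - seq)


def inbound(sad, dst, proto, spi, seq, icv_valid):
    """Receiver path in RFC order: SAD lookup, replay check, ICV check (result passed in), window update."""
    sa = sad.lookup(dst, proto, spi)
    if sa is None:
        return "no SA"
    if not replay_check(sa, seq):
        return "replay"
    if not icv_valid:
        return "bad ICV"
    replay_update(sa, seq)
    return "accepted"


def demo():
    """Constructed SPD of a gateway protecting 10.0.1.0/24 toward peer 198.51.100.1; returns its decisions."""
    sad = SAD()
    spd = [Policy("10.0.1.0/24", "10.0.2.0/24", "protect", peer="198.51.100.1"),
           Policy("10.0.1.0/24", "0.0.0.0/0", "bypass", proto=17, dport=53)]
    a1, sa1 = outbound(spd, sad, {"src": "10.0.1.5", "dst": "10.0.2.9", "proto": 6, "dport": 443})
    a2, sa2 = outbound(spd, sad, {"src": "10.0.1.7", "dst": "10.0.2.3", "proto": 6, "dport": 22})
    a3, _ = outbound(spd, sad, {"src": "10.0.1.5", "dst": "192.0.2.53", "proto": 17, "dport": 53})
    a4, _ = outbound(spd, sad, {"src": "10.0.1.5", "dst": "192.0.2.80", "proto": 6, "dport": 80})
    return {"flow1": a1, "flow2": a2, "same_sa": sa1 is sa2, "dns": a3, "other": a4,
            "inbound_lookup": sad.lookup("198.51.100.1", "esp", sa1.spi) is sa1}
```

Two details are worth noticing. The window is updated only after the ICV has verified, so an attacker who sends forged packets with high sequence numbers cannot push legitimate traffic out of the window. And a packet that matches no policy is discarded rather than sent in the clear, which is what RFC 4301 requires; a "bypass" entry has to be written explicitly for traffic such as DNS that is meant to leave unprotected.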
IKE is a hybrid protocol built on the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP). It uses the two phases of ISAKMP: the first phase establishes an IKE security association, and the second phase uses that association to negotiate the specific IPsec SAs. The IPsec processing component is the implementation itself, the kernel code together with the IPsec daemon; through it the administrator manages their own security policy and obtains the network security their requirements call for. Every development organisation writes its own source code, but it must comply with the RFC specifications, so the end result should be the same. In general IPsec is built into the IP layer of the kernel's networking code; the RFCs also allow it to be placed between the IP stack and the network driver ("bump in the stack") or in a separate device on the wire ("bump in the wire").

IPsec virtual private networks. When IPsec is deployed on a router, a virtual private network can be built. One side of the router is attached to the internal, protected network and the other to the unprotected public network. Two such routers establish a secure tunnel between them, and traffic from a protected local subnet to a protected remote subnet travels through that tunnel; this forms a VPN. In the VPN each IPsec router is an aggregation point of the network, and attempts to read or analyse the communication between them fail. All traffic destined for the VPN passes through the routers, whose SAs define the encryption or authentication algorithms and the key parameters: a packet leaving a VPN router that matches a security policy is handled by the corresponding encryption or authentication SA and gains an AH or ESP header. The whole secure transfer process is controlled by IKE, keys are generated automatically, and users on the protected subnets need not think about security at all; all encryption and decryption is done solely by the routers on both sides.
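The two-phase structure, as an added example written for this page rather than taken from the original post or from any IKE implementation. It uses the key derivation of IKEv2 (RFC 7296), whose IKE_SA_INIT/IKE_AUTH and CREATE_CHILD_SA exchanges play the roles of phase 1 and phase 2, instead of the older IKEv1/ISAKMP formulas the text refers to: a Diffie-Hellman exchange over RFC 3526 group 14 and the two peers' nonces yield SKEYSEED and the seven IKE SA keys, and the IPsec (Child) SA keys that go into the SAD are then derived from SK_d, so that only a peer holding the phase 1 secret can produce them. The group prime is transcribed from the RFC and sanity-checked with Miller-Rabin; the SPIs and nonces are generated at random for the demonstration.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), transcribed from the RFC; is_probable_prime() checks the copy.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_LEN = 32   # HMAC-SHA-256 PRF/integrity keys and AES-256 keys are all 32 bytes


def is_probable_prime(n, bases=(2, 3, 5, 7, 11)):
    """Miller-Rabin; used to sanity-check the transcribed group prime and (P-1)/2."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, n):
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Ti = prf(K, Ti-1|S|i)."""
    out, t, i = b"", b"", 1
    while len(out) < n:
        t = prf(key, t + seed + bytes([i]))
        out += t
        i += 1
    return out[:n]


def dh_keypair():
    x = secrets.randbits(256)        # private exponent; 256 bits is ample for a 2048-bit group
    return x, pow(G, x, P)


def dh_shared(x, peer_public):
    if not 1 < peer_public < P - 1:  # 0, 1 and P-1 would force a trivial shared secret
        raise ValueError("invalid DH public value")
    return pow(peer_public, x, P).to_bytes(256, "big")


def ike_sa_keys(ni, nr, g_ir, spi_i, spi_r):
    """Phase 1 result (RFC 7296 section 2.14): SKEYSEED and the seven IKE SA keys."""
    skeyseed = prf(ni + nr, g_ir)
    km = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 7 * KEY_LEN)
    names = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr"]
    return {n: km[i * KEY_LEN:(i + 1) * KEY_LEN] for i, n in enumerate(names)}


def child_sa_keymat(sk_d, ni, nr, g_ir_new=b""):
    """Phase 2 result (RFC 7296 section 2.17): keys for one Child SA pair, derived from SK_d.
    g_ir_new is non-empty only when the CREATE_CHILD_SA exchange carried a fresh DH (PFS)."""
    km = prf_plus(sk_d, g_ir_new + ni + nr, 4 * KEY_LEN)
    return {"i2r_enc": km[0:32], "i2r_integ": km[32:64],       # initiator -> responder SA
            "r2i_enc": km[64:96], "r2i_integ": km[96:128]}     # responder -> initiator SA


def run_exchange():
    """Simulate both peers: phase 1 (IKE SA keys) then phase 2 (Child SA keys); return both views."""
    spi_i, spi_r = secrets.token_bytes(8), secrets.token_bytes(8)
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    init = ike_sa_keys(ni, nr, dh_shared(xi, gr), spi_i, spi_r)
    resp = ike_sa_keys(ni, nr, dh_shared(xr, gi), spi_i, spi_r)
    # Phase 2 runs inside the phase 1 SA: SK_a*/SK_e* protect the CREATE_CHILD_SA messages,
    # and the IPsec SA keys come from SK_d, so nobody without the phase 1 secret can derive them.
    child_i = child_sa_keymat(init["SK_d"], ni, nr)
    child_r = child_sa_keymat(resp["SK_d"], ni, nr)
    return init, resp, child_i, child_r
```

run_exchange() ends with both peers holding identical IKE SA keys and identical Child SA key material; the four child keys are what an implementation writes into the SAD entries for the two directions of the tunnel. Rekeying a Child SA without PFS reuses SK_d with fresh nonces, so an attacker who later learns one child key still cannot compute the others, but one who learns SK_d can; that is why CREATE_CHILD_SA may carry a new DH value, which the g_ir_new argument models.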