IPsec (Internet Protocol Security) is a set of protocols (layer 3 of the OSI model) that use algorithms to transport data securely over an IP network.

Presentation

Designed to work with IPv6, the IPsec protocol suite was adapted for the current IP protocol (IPv4).

Its objective is to authenticate and encrypt the data: the flow can be understood only by the final recipient (encryption), and the data cannot be modified by intermediaries (integrity).

IPsec is often a component of a VPN; it is the source of the VPN's security (secure channel, or tunneling).

The implementation of a secure architecture based on IPsec is described in RFC 2401.

Operation

During the establishment of an IPsec connection, several operations are carried out:

Key exchange

  • a key exchange channel, over a UDP connection from and to port 500 (ISAKMP, for Internet Security Association and Key Management Protocol), defined in RFC 2408.

The IKE protocol is responsible for negotiating the connection. It allows two types of authentication: PSK (Pre-Shared Key, or shared secret) for generating session keys, or RSA certificates/signatures.

Data transfer

  • one or more data channels over which the private network's traffic is carried; two protocols are possible:
    • protocol number 50, ESP (Encapsulating Security Payload), defined in RFC 2406, which provides integrity and confidentiality
    • protocol number 51, AH (Authentication Header), defined in RFC 2402, which provides only integrity.

Modes of operation

Independently of the two possible protocols, AH and ESP, two modes are possible, tunnel or transport:

  • In transport mode, one can choose AH, ESP or both.
  • In tunnel mode, one must choose between AH and ESP. This mode creates a new IP packet that encapsulates the packet to be transported.
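
Added example (not part of the original article): a Python classifier that recognises the three kinds of IPsec traffic named above (IKE on UDP port 500, ESP as IP protocol 50, AH as IP protocol 51) and, for AH, tells tunnel from transport mode by checking whether the protected header is another IP packet. The names classify_ipsec and ipv4 and the sample packets are constructed for illustration; treating an IPv6 inner packet (41) as tunnel mode goes slightly beyond the text.

```python
import struct

# Numbers from the text: ESP = IP protocol 50, AH = 51, ISAKMP/IKE = UDP port 500.
PROTO_UDP, PROTO_ESP, PROTO_AH, IKE_PORT = 17, 50, 51, 500
TUNNEL_INNER = (4, 41)   # IPv4-in-IP / IPv6-in-IP: AH Next Header values meaning "tunnel"
MIN_LEN = {PROTO_UDP: 8, PROTO_ESP: 8, PROTO_AH: 12}   # bytes needed to read each header

def classify_ipsec(packet: bytes) -> str:
    """Classify one raw IPv4 packet as IKE, ESP, AH (with mode) or other."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto, payload = packet[9], packet[ihl:]
    if len(payload) < MIN_LEN.get(proto, 0):
        return "malformed"
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        return "ike" if IKE_PORT in (sport, dport) else "other"
    if proto == PROTO_ESP:
        # ESP's Next Header sits in the encrypted trailer: the mode is not visible on the wire.
        spi, seq = struct.unpack("!II", payload[:8])
        return f"esp spi=0x{spi:08x} seq={seq}"
    if proto == PROTO_AH:
        # AH is sent in clear: byte 0 is Next Header, bytes 4-11 are SPI and sequence number.
        spi, seq = struct.unpack("!II", payload[4:12])
        mode = "tunnel" if payload[0] in TUNNEL_INNER else "transport"
        return f"ah/{mode} spi=0x{spi:08x} seq={seq}"
    return "other"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (documentation addresses, checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return hdr + payload

# Constructed sample packets, not captured traffic.
SAMPLES = {
    "ike": ipv4(PROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
    "esp": ipv4(PROTO_ESP, struct.pack("!II", 0x1001, 7) + bytes(16)),
    "ah_tunnel": ipv4(PROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0x2002, 1) + bytes(12)),
    "ah_transport": ipv4(PROTO_AH, struct.pack("!BBHII", 6, 4, 0, 0x2002, 2) + bytes(12)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:13} {classify_ipsec(pkt)}")
```

The same three matches (UDP 500, protocol 50, protocol 51) are what a firewall rule set has to permit, or a monitoring rule has to look for, between two IPsec peers.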

List of RFCs related to IPsec

  • RFC 2367: PF_KEY Interface
  • RFC 2401 (obsoleted by RFC 4301): Security Architecture for the Internet Protocol
  • RFC 2402 (obsoleted by RFC 4302 and RFC 4305): Authentication Header
  • RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
  • RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH
  • RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV
  • RFC 2406 (obsoleted by RFC 4303 and RFC 4305): Encapsulating Security Payload
  • RFC 2407 (obsoleted by RFC 4306): IPsec Domain of Interpretation for ISAKMP (IPsec DOI)
  • RFC 2408 (obsoleted by RFC 4306): Internet Security Association and Key Management Protocol (ISAKMP)
  • RFC 2409 (obsoleted by RFC 4306): Internet Key Exchange (IKE)
  • RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec
  • RFC 2411: IP Security Roadmap Document
  • RFC 2412: The OAKLEY Key Determination Protocol
  • RFC 2451: The ESP CBC-Mode Cipher Algorithms
  • RFC 2857: The Use of HMAC-RIPEMD-160-96 within ESP and AH
  • RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
  • RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
  • RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements
  • RFC 3947: Negotiation of NAT-Traversal in the IKE
  • RFC 3948: UDP Encapsulation of IPsec ESP Packets
  • RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
  • RFC 4301 (obsoletes RFC 2401): Security Architecture for the Internet Protocol
  • RFC 4302 (obsoletes RFC 2402): IP Authentication Header
  • RFC 4303 (obsoletes RFC 2406): IP Encapsulating Security Payload (ESP)
  • RFC 4304: Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP)
  • RFC 4305: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
  • RFC 4306 (obsoletes RFC 2407, RFC 2408, and RFC 2409): Internet Key Exchange (IKEv2) Protocol
  • RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
  • RFC 4308: Cryptographic Suites for IPsec
  • RFC 4309: Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP)
  • RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
  • RFC 4543: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
  • RFC 4555: IKEv2 Mobility and Multihoming Protocol (MOBIKE)
  • RFC 4621: Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
  • RFC 4806: Online Certificate Status Protocol (OCSP) Extensions to IKEv2
  • RFC 4809: Requirements for an IPsec Certificate Management Profile
  • RFC 4835 (obsoletes RFC 4305): Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)


© 2007-2008 speedlook.com; article text available under the terms of GFDL, from fr.wikipedia.org