Tutorial: IPSec Security structure
IPSec (IP security) is a suite of protocols for securing communications based on the Internet Protocol (IP). It authenticates and/or encrypts each IP packet in a communication session. IPSec also includes the protocols that provide the encryption and authentication.
1. Overview:
IPSec operates at the network layer, layer 3 of the OSI model. Other Internet security protocols such as SSL, TLS and SSH are implemented from the transport layer upward (OSI layers 4 to 7). This makes IPSec more flexible: it can protect any layer-4 protocol, including TCP and UDP, the protocols most used at that level. IPSec therefore has an advantage over SSL and the other methods at higher layers of the OSI model: an application that uses IPSec needs no change to its code, whereas an application that must use SSL or another higher-layer security mechanism requires extensive code changes.
2. Security structure:
IPSec is implemented using (1) cryptographic protocols to secure packets in transit, (2) authentication methods and (3) the negotiation of cryptographic parameters.
IPSec is built on the concept of a security association. A security association is simply the combination of algorithms and parameters (such as keys) used to encrypt and authenticate traffic in one direction. In two-way communication, therefore, a pair of security associations works together to protect the communication. The actual choice of encryption and authentication algorithms is left to the IPSec administrator, since IPSec consists of a group of security protocols that provide encryption and authentication for each IP packet.
To decide what protection to provide for an outgoing packet, IPSec uses the Security Parameter Index (SPI), an index (like the entries of a telephone directory) into the Security Association Database (SADB), together with the destination address in the packet header; these uniquely identify the security association for that packet. A similar procedure is performed for an incoming packet, where IPSec retrieves the decryption and verification keys from the SADB.
For multicast, a security association is provided for the group and is distributed to all receivers in the group. There may be more than one security association for a group, using different SPIs, which allows multiple security levels within the group. Each sender can have multiple security associations, allowing authentication, since a receiver can only know that someone holding the keys sent the data. Note that the standard does not describe how the association is chosen and distributed across the group.
3. Status
IPSec is a mandatory part of IPv6 and optional with IPv4. Although standards have been defined for both IP versions, most current deployments and implementations are based on IPv4.
The IPSec protocols were first defined in RFCs 1825 - 1829, published in 1995. In 1998 an updated version, RFC 2401 - 2412, was released; it is not compatible with RFC 1825 - 1829. In December 2005 the third generation of IPSec standards, RFC 4301 - 4309, was published. It is largely consistent with RFC 2401 - 2412, but the new standard provides the second version of IKE. The new standards also use the abbreviation IPSec.
To distinguish it from the ESP defined in RFC 1825 - 1829, the new version of ESP is called ESPbis.
4. Design requirements.
IPSec can be provided in Transport mode (end-to-end), securing communication between two computers that communicate directly with each other, or in Tunnel mode (portal-to-portal) for communication between two networks, which is mainly used for VPN connections.
IPSec can be used for VPN communication and is widely used for it. However, the implementation differs between the two modes.
End-to-end secure communication over the Internet has developed slowly and has taken a long time. Part of the reason is that the Public Key Infrastructure (PKI) this method relies on is not widely deployed or not practical.
IPSec provides the following security services:
1. Encryption of the transmitted information
2. Data integrity
3. Authentication of the communicating parties
4. Anti-replay protection.
5. Modes
IPSec can be implemented in two modes: Transport mode and Tunnel mode.
Transport mode
In Transport mode, only the payload of the IP packet is encrypted and/or authenticated. Routing is unaffected, since the IP header is neither modified nor encrypted; however, when the Authentication Header is used, the IP addresses cannot be translated, because they are covered by the hash. The transport and application layers are always protected by the hash, so they cannot be modified either (for example, by translating port numbers). Transport mode is used for host-to-host communication.
A way to encapsulate IPSec packets for NAT traversal is defined in the RFC documents describing NAT-T.
Tunnel mode:
In Tunnel mode, the entire IP packet (header and data) is encrypted and authenticated. It must then be encapsulated in a new IP packet so that routers can route it. Tunnel mode is used for network-to-network communication (between routers), or for host-to-network and host-to-host communication over the Internet.
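The two layouts just described, as an added example that is not part of the original tutorial: a small Python script wraps a constructed IPv4 packet with an Authentication Header in transport mode (original header, then AH, then the original payload) and in tunnel mode (a new outer header between two gateways, then AH, then the whole original packet). It computes the HMAC-SHA1-96 ICV with the mutable IPv4 fields zeroed, then checks that a router's TTL decrement still verifies while a NAT rewrite of the source address (the case the Transport mode section warns about) does not. All addresses, SPIs, the key and the payload are constructed sample values, and the IPv4 headers are assumed to carry no options.

```python
"""Added example (not from the original tutorial): AH in transport and tunnel mode.

The HMAC-SHA1-96 ICV is computed over the packet with the mutable IPv4 fields
(TOS, Flags/Fragment Offset, TTL, Header Checksum) and the ICV field itself zeroed,
so a TTL decrement by a router still verifies while a NAT rewrite of the source
address does not. Addresses, SPIs, key and payload are constructed sample values;
IPv4 headers are assumed to carry no options (IHL = 5).
"""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51        # IP protocol number of the Authentication Header
IPIP_PROTO = 4       # next header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 12         # HMAC-SHA1-96: the 20-byte SHA-1 MAC truncated to 96 bits
AH_FIXED_LEN = 12    # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_OFFSET = 20 + AH_FIXED_LEN   # IPv4 header (no options) + fixed AH part


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Build a 20-byte IPv4 header. The checksum is a mutable field recomputed by
    every hop, so it is left at 0 in this constructed example."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_header(next_header, spi, seq, icv):
    # Payload Length is the AH length in 32-bit words minus 2 (RFC 4302)
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def icv_input(packet):
    """Copy of the packet with the mutable IPv4 fields and the ICV field zeroed:
    this is what the ICV is computed over on both sender and receiver."""
    b = bytearray(packet)
    b[1] = 0                       # TOS
    b[6:8] = b"\x00\x00"           # Flags + Fragment Offset
    b[8] = 0                       # TTL
    b[10:12] = b"\x00\x00"         # Header Checksum
    b[ICV_OFFSET:ICV_OFFSET + ICV_LEN] = bytes(ICV_LEN)
    return bytes(b)


def compute_icv(key, packet):
    return hmac.new(key, icv_input(packet), hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, spi, seq, inner, mode, gw_src=None, gw_dst=None):
    """Sender side: return the AH-protected packet for the given mode."""
    if mode == "transport":
        # keep the original header (protocol becomes 51); AH goes before the payload
        hdr, payload = inner[:20], inner[20:]
        next_header, ttl = hdr[9], hdr[8]
        src, dst = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20])
    elif mode == "tunnel":
        # the whole original packet is the payload of a new packet between gateways
        payload, next_header, ttl = inner, IPIP_PROTO, 64
        src, dst = gw_src, gw_dst
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    packet = (ipv4_header(src, dst, AH_PROTO, total_len, ttl)
              + ah_header(next_header, spi, seq, bytes(ICV_LEN)) + payload)
    icv = compute_icv(key, packet)
    return packet[:ICV_OFFSET] + icv + packet[ICV_OFFSET + ICV_LEN:]


def ah_verify(key, packet):
    """Receiver side: True if the packet carries AH and its ICV matches."""
    if len(packet) < ICV_OFFSET + ICV_LEN or packet[9] != AH_PROTO:
        return False
    received = packet[ICV_OFFSET:ICV_OFFSET + ICV_LEN]
    return hmac.compare_digest(received, compute_icv(key, packet))


def demo():
    key = b"constructed-sample-key-0"
    # constructed inner packet: UDP (protocol 17) from 10.0.0.1 to 10.0.1.5 carrying b"ping"
    inner = ipv4_header("10.0.0.1", "10.0.1.5", 17, 20 + 4) + b"ping"
    transport = ah_protect(key, 0x1000, 1, inner, "transport")
    tunnel = ah_protect(key, 0x1001, 1, inner, "tunnel", "203.0.113.1", "198.51.100.1")
    after_hop = bytearray(transport)
    after_hop[8] -= 1                                    # router decrements TTL (mutable)
    after_nat = bytearray(transport)
    after_nat[12:16] = socket.inet_aton("192.0.2.7")     # NAT rewrites source (immutable)
    return {
        "transport_ok": ah_verify(key, transport),
        "tunnel_ok": ah_verify(key, tunnel),
        "after_ttl_decrement": ah_verify(key, bytes(after_hop)),
        "after_nat": ah_verify(key, bytes(after_nat)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints a dictionary in which both freshly built packets and the TTL-decremented one verify, and only the NAT-rewritten one fails; in tunnel mode the original packet, addresses included, sits untouched behind the AH and the outer header carries the gateway addresses.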
6. Technical details.
Two protocols have been developed to provide security for both IPv4 and IPv6 packets:
- IP Authentication Header (AH), which ensures data integrity and provides authentication.
- IP Encapsulating Security Payload (ESP), which provides confidentiality and, optionally, authentication and data integrity.
Cryptographic algorithms used in IPSec include HMAC-SHA1 for data integrity (integrity protection), and TripleDES-CBC and AES-CBC for encryption and confidentiality of packets. The full list of algorithms is given in RFC 4305.
a. Authentication Header (AH)
AH provides connectionless integrity and authentication of the data. Optionally it also protects against replay attacks, using the sliding-window technique and discarding old packets. AH protects the IP payload and the IP header, except for the mutable header fields; in IPv4 these are TOS, Flags, Fragment Offset, TTL and Header Checksum. AH operates directly on top of IP. The AH header consists of the following fields:
- Next header: identifies the protocol of the data that follows the AH.
- Payload length: the length of the AH.
- RESERVED: reserved for future use (currently always set to 0).
- Security parameters index (SPI): identifies the security parameters; combined with the IP address, it identifies the security association the packet belongs to.
- Sequence number: a number incremented for every packet, used to prevent replay attacks.
- Authentication data: contains the Integrity Check Value (ICV) needed to authenticate the packet.
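Added example (not from the original tutorial) covering two things this page describes: the SADB lookup of section 2, keyed by destination address and SPI, and the sequence-number replay check above, implemented as the sliding window the AH section mentions. The window is a 64-bit bitmap of already-accepted sequence numbers below the highest one seen (the scheme of RFC 4302/4303); a packet right of the window slides it forward, a packet left of it is too old and discarded, and a packet inside it is accepted only if its bit is still clear. The multicast group entries show two security associations for one group under different SPIs. Addresses, SPIs, keys and the arrival order are constructed sample values.

```python
"""Added example (not from the original tutorial): SADB lookup and the anti-replay window.

The SADB is keyed by (destination address, SPI, protocol); each security association
owns its own 64-packet anti-replay window in the style of RFC 4302/4303. Addresses,
SPIs, keys and sequence numbers are constructed sample values.
"""
from dataclasses import dataclass

AH_PROTO = 51
ESP_PROTO = 50
WINDOW = 64          # window size in packets; bit 0 = highest sequence number seen


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    proto: int            # 51 for AH, 50 for ESP
    key: bytes
    highest_seq: int = 0  # highest sequence number accepted so far
    bitmap: int = 0       # bit i set => sequence number highest_seq - i was accepted

    def check_replay(self, seq):
        """Accept (and record) seq if it is new and not older than the window."""
        if seq == 0:
            return False                     # 0 is never sent; the first packet is 1
        if seq > self.highest_seq:
            # right of the window: slide it forward and mark seq as accepted
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return False                     # left of the window: too old, discard
        if (self.bitmap >> offset) & 1:
            return False                     # inside the window but already seen: replay
        self.bitmap |= 1 << offset           # new packet that arrived out of order
        return True


class SADB:
    """Security Association Database: the 'telephone directory' indexed by SPI."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.dst, sa.spi, sa.proto)] = sa

    def lookup(self, dst, spi, proto):
        return self._sas.get((dst, spi, proto))


def process_inbound(sadb, dst, proto, spi, seq):
    """Selectors of an inbound packet -> 'no-sa', 'reject' or 'accept'."""
    sa = sadb.lookup(dst, spi, proto)
    if sa is None:
        return "no-sa"                       # unknown SPI for this destination: drop
    return "accept" if sa.check_replay(seq) else "reject"


def demo():
    sadb = SADB()
    sadb.add(SecurityAssociation(0x1000, "10.0.1.5", AH_PROTO, b"host-key"))
    # one multicast group with two SAs under different SPIs (two security levels)
    sadb.add(SecurityAssociation(0x2000, "239.1.1.1", ESP_PROTO, b"group-key-low"))
    sadb.add(SecurityAssociation(0x2001, "239.1.1.1", ESP_PROTO, b"group-key-high"))
    # constructed arrival order: in order, out of order, a duplicate, a jump past the
    # window, two packets that have fallen out of the window, one still just inside it
    arrivals = [1, 2, 5, 4, 4, 3, 70, 5, 6, 7]
    return [process_inbound(sadb, "10.0.1.5", AH_PROTO, 0x1000, s) for s in arrivals]


if __name__ == "__main__":
    print(demo())
```

With a 64-packet window and 70 as the highest sequence number seen, 6 is already too old (offset 64) while 7 (offset 63) is still accepted; the duplicate 4 is the only packet rejected as a replay proper.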
b. Encapsulating Security Payload (ESP)
ESP provides authentication, integrity and confidentiality for packets. ESP also supports configurations that use only encryption or only authentication, but using encryption without authentication does not guarantee security. Unlike AH, ESP does not protect the IP packet header. ESP operates directly on top of IP, using IP protocol number 50 (AH uses number 51).
Meaning of each field:
- Security parameters index (SPI): identifies the security parameters; combined with the IP address, it identifies the security association.
- Sequence number: incremented automatically for every packet, to protect against replay attacks.
- Payload data: the data being transmitted.
- Padding: used with some block ciphers.
- Pad length: the length of the padding.
- Next header: identifies the protocol of the transmitted data.
- Authentication data: contains the data used to authenticate the packet.
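The ESP field layout above, as an added example that is not part of the original tutorial: a Python builder and parser for the ESP packet (SPI, Sequence Number, Payload Data, Padding, Pad Length, Next Header, ICV). The padding brings the payload plus the two trailer bytes to a multiple of the cipher block size (16 bytes, the AES-CBC block size named on this page) using the default pad bytes 1, 2, 3, ...; the HMAC-SHA1-96 ICV covers everything before it, padding and trailer included, and the receiver checks it before trusting any of those fields. The cipher step itself is left out so the framing stays readable; key, SPI, sequence number and payload are constructed sample values.

```python
"""Added example (not from the original tutorial): ESP framing and the ICV check.

Layout: SPI | Sequence Number | Payload Data | Padding | Pad Length | Next Header | ICV.
The cipher transform is omitted here so the framing stays visible; the integrity
check is the part demonstrated. Key, SPI, sequence number and payload are
constructed sample values.
"""
import hashlib
import hmac
import struct

BLOCK = 16       # AES-CBC block size
ICV_LEN = 12     # HMAC-SHA1-96
ESP_PROTO = 50   # value carried in the IP header's protocol field for ESP
TCP = 6          # next header value used in the demo


def esp_build(key, spi, seq, payload, next_header):
    """Sender side: frame payload as an ESP packet (cipher transform omitted)."""
    pad_len = (-(len(payload) + 2)) % BLOCK         # 2 = Pad Length + Next Header
    padding = bytes(range(1, pad_len + 1))          # default padding contents
    body = payload + padding + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


def esp_parse(key, packet):
    """Receiver side: (spi, seq, payload, next_header), or None if the packet is
    malformed or fails authentication. The ICV is checked before the padding and
    trailer are read, so a tampered packet is dropped without being interpreted."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", authenticated[:8])
    body = authenticated[8:]
    pad_len, next_header = body[-2], body[-1]
    data_len = len(body) - 2 - pad_len
    if data_len < 0 or body[data_len:-2] != bytes(range(1, pad_len + 1)):
        return None                                 # inconsistent trailer
    return spi, seq, body[:data_len], next_header


def demo():
    key = b"constructed-sample-key"
    payload = b"GET / HTTP/1.0\r\n"                  # constructed TCP segment data
    packet = esp_build(key, 0x3000, 7, payload, TCP)
    intact = esp_parse(key, packet)
    tampered = bytearray(packet)
    tampered[8] ^= 0x01                             # flip one bit of the payload
    return len(packet), intact, esp_parse(key, bytes(tampered))


if __name__ == "__main__":
    print(demo())
```

For the 16-byte sample payload the trailer needs 14 bytes of padding, giving a 52-byte packet; flipping a single payload bit makes the parser return None before it ever reads the pad length, which is the property that an encryption-only configuration would lack.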
7. Implementations:
IPSec is implemented in the kernel, with key management and ISAKMP/IKE negotiation carried out in user space. However, since there is a standard interface for key management, a kernel IPSec stack can be controlled by the key-management tools of another implementation.
Because it is provided to end users, IPSec can be implemented on Linux. The FreeS/WAN project was the first complete open-source implementation of IPSec for Linux. It includes an IPSec kernel stack (KLIPS) together with a key-management daemon and many shell scripts. The FreeS/WAN project started on 3 May 2004. Openswan and strongSwan have continued the FreeS/WAN project. The KAME project also completed an IPSec implementation for NetBSD and FreeBSD; its key-management daemon is called racoon. OpenBSD created its own ISAKMP/IKE daemon, simply named isakmpd (it has been ported to many systems, including Linux).
(Security Team)