2025-01-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Today I would like to talk with you about the principle of IPSec VPN, which many people may not know much about. To help you understand it, the editor has summarized the following content. I hope you can take something away from this article.
VPN (Virtual Private Network): virtual private network. By encrypting messages, a logical virtual private line is established. Seen from a high level, it works like a dedicated communication line between enterprise sites or individuals in several different places, but without actually laying physical lines.
A VPN is a logical network built on top of the actual network. It overcomes the high cost of dedicated lines and the weak security of the public network, while ensuring the integrity, authenticity and privacy of the information transmitted across the public network.
Direct Connect: a direct connection is generally implemented through MPLS VPN in the operator's network. By leasing operator dedicated lines, an enterprise can let its intranets in different regions reach each other. A dedicated line can be seen as a network that is physically directly connected, whereas an ordinary VPN is only logically directly connected: in fact it only sends encrypted messages over the public network.
VPN classification
Site-to-site VPN: gateway to gateway (also known as L2L, S2S, LAN to LAN or site to site, depending on the vendor and usage scenario)
IPSec, GRE, GRE over IPSec, DSVPN and MPLS VPN all belong to site-to-site VPN.
Practical application scenario: the VPN between a head office and its branches is a site-to-site VPN.
Point-to-site VPN
Point (client) to site VPN, i.e. remote dial-up access: host to gateway
SSL VPN (can restrict which private network resources logged-in users may access), IPSec, PPTP, L2TP+IPSec
Practical application scenario: telecommuters log in to the company's VPN with an account and password (through dedicated VPN client software) to access the company's internal resources.
Security frameworks used by VPN
At present there are two main security frameworks for VPN: the IPSec security framework (the most common) and SSL transport-layer security.
IPSec
IPSec is not a single protocol; it is an architecture, made up of a set of protocols, that provides security for network data at the IP layer.
Components of IPSec
AH (Authentication Header): authentication header
ESP (Encapsulating Security Payload): encapsulating security payload
IKE (Internet Key Exchange): Internet key exchange protocol
Plus the algorithms used for network authentication and encryption.
AH and ESP are used to provide the security services, and IKE is used for key exchange.
Security mechanism provided by IPSec
IPSec provides two security mechanisms: authentication and encryption.
Authentication
The purpose of authentication is to prevent messages from being tampered with in transit and to confirm the identity of the sender.
Integrity, availability
Encryption
The purpose of encryption is to prevent data from being eavesdropped on in transit by encrypting it.
Confidentiality
Implementation of the IPSec security mechanism
In IPSec:
The AH protocol defines how authentication is applied, providing data-origin authentication and integrity checking.
The ESP protocol defines how encryption and optional authentication are applied, and provides data reliability.
AH protocol
The AH protocol can only provide data-origin authentication, data integrity checking and anti-replay protection; it does not provide encryption.
AH protocol (IP protocol number 51)
Principle
Data integrity protection is provided by adding an authentication header after the standard IP header of each packet.
Optional authentication algorithms: MD5 (Message Digest), the SHA series (128, 256, etc.) and so on.
Pros and cons of the authentication algorithms (all are hash algorithms): MD5 is fast, but its collision resistance is weak, so it is not secure; SHA is slightly slower, but SHA-256 is currently very secure.
ESP protocol
The ESP protocol provides not only data encryption but also data-origin authentication, data integrity checking and anti-replay protection.
ESP protocol (IP protocol number 50)
Principle
An ESP header is added after the standard IP header of each packet, and an ESP trailer is appended to the packet.
ESP encrypts the user data that needs protection and encapsulates it into an IP message, ensuring data confidentiality (AH does not have this feature).
Authentication algorithms include MD5, SHA, etc.
Encryption algorithms: DES, 3DES, AES (AES is the most secure, 3DES second).
Differences and relationship between ESP and AH
Only ESP can provide encryption, while both AH and ESP can provide authentication; however, the authentication provided by AH is stronger than that of ESP.
Therefore AH and ESP can be used together (AH+ESP).
First the message is encapsulated by ESP, and then by AH. From the inside out, the encapsulated message consists of: the original IP message, the ESP header, the AH header and the outer IP header.
IPSec working mode
IPSec has two working modes: Tunnel mode and Transport mode.
(Figure omitted; the picture comes from the Internet.)
Transport mode
Only the transport-layer data is used to calculate the AH or ESP authentication header. The AH or ESP header, and the data encrypted by ESP, are placed after the original IP header; the two private network addresses that actually want to establish the connection are not encrypted.
Because the actual IP header is not encrypted, transport mode on its own is rarely used (it is insecure); it is generally used only inside the enterprise or together with another VPN (suitable for point-to-site).
Tunnel mode
The user's entire IP packet is used to calculate the AH or ESP authentication header. The AH or ESP authentication header and the user data encrypted by ESP are encapsulated in a new IP packet, so the two intranet IP addresses that actually want to communicate are also sealed inside the new packet; finally the public network IP header is put on the outside, which ensures security (suitable for site-to-site).
SA: Security Association
The two endpoints of IPSec are called IPSec peers. To achieve secure data transmission between two peers, a security association (SA) must be established between them.
The SA is the foundation and the essence of IPSec.
SA types
IKE negotiates two kinds of SA: the IKE SA (bidirectional) and the IPSec SA (unidirectional).
SA composition
An SA is uniquely identified by a triple: the Security Parameter Index (SPI), the destination IP address and the security protocol used.
SPI (Security Parameter Index): a 32-bit value that uniquely identifies the SA (a manually configured SA requires the SPI to be configured manually; with IKE negotiation it is generated randomly).
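The following is an added example (not code from the original article) showing how a receiving gateway uses the SA triple and the sequence number together: it parses the ESP (protocol 50) or AH (protocol 51) header out of a constructed IPv4 packet, looks up the inbound SA by (SPI, destination IP, protocol), and applies the sliding-window anti-replay check that the AH and ESP sections mention. The 64-entry window size and the minimal packet layout are assumptions of this example.

```python
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51   # IP protocol numbers as stated in the text
WINDOW = 64                         # anti-replay window size (assumed; the RFC 4303 default)

class InboundSA:
    # Replay state of one unidirectional SA: highest seq accepted, plus a bitmap of the
    # WINDOW sequence numbers below it (bit i set => last_seq - i was already received).
    last_seq = bitmap = 0

    def check_replay(self, seq):
        if seq == 0:
            return False                          # 0 is never a valid sequence number
        if seq > self.last_seq:                   # newest so far: slide the window
            shift = seq - self.last_seq
            self.bitmap = (self.bitmap << shift) if shift < WINDOW else 0
            self.bitmap = (self.bitmap | 1) & ((1 << WINDOW) - 1)
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= WINDOW or self.bitmap & (1 << diff):
            return False                          # too old, or already received
        self.bitmap |= 1 << diff
        return True

def parse_ipsec(packet):
    # Returns (spi, dst_ip, proto, seq) from a minimal IPv4 packet carrying ESP or AH.
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst_ip = ".".join(str(b) for b in packet[16:20])
    if proto not in (IPPROTO_ESP, IPPROTO_AH):
        return None
    off = ihl + (4 if proto == IPPROTO_AH else 0)  # AH: next hdr, len, reserved(2) precede SPI
    spi, seq = struct.unpack("!II", packet[off:off + 8])
    return spi, dst_ip, proto, seq

def inbound(packet, sad):
    # sad: dict keyed by the SA triple (SPI, destination IP, protocol) -> InboundSA
    parsed = parse_ipsec(packet)
    sa = sad.get(parsed[:3]) if parsed else None
    if sa is None:
        return "no SA"                            # also covers non-IPsec packets
    return "accept" if sa.check_replay(parsed[3]) else "replay"

def build_packet(proto, dst_ip, spi, seq):
    # Constructed sample: 20-byte IPv4 header (src 10.0.0.1) + ESP or AH header, no payload.
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, proto, 0, 0, 10, 0, 0, 1]) + dst
    hdr = struct.pack("!II", spi, seq)
    return ip + (bytes([4, 4, 0, 0]) + hdr if proto == IPPROTO_AH else hdr)
```

A packet that arrives a second time with the same sequence number, or one older than the window, is rejected even though its SA exists; a packet whose SPI has no SA entry is dropped before any cryptographic work.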
SA function
An SA is used to agree between the peers on: which protocol to use (AH, ESP, AH+ESP), the encapsulation mode of the protocol (transport mode or tunnel mode), the encryption algorithm (DES, 3DES, AES, etc.), how the shared key is exchanged (the shared key is not sent directly; it is derived through the DH algorithm exchange), the lifetime of the key, and so on.
SA characteristics: unidirectional (the IPSec SA is unidirectional)
To establish two-way communication between two peers, at least two SAs must be established to protect the data flow in both directions (outbound and inbound).
And if AH+ESP is used, the peers must establish a separate SA for each protocol.
Has a lifetime: when the lifetime reaches the specified time or traffic, the SA expires. Before it expires, IKE negotiates a new SA for IPSec so that communication is not affected by the expiry.
The SA lifetime only applies to SAs established by IKE negotiation (a manual SA never ages).
The lifetime of an SA established by IKE negotiation can be defined in two ways:
1. Time-based lifetime: defines the time from establishment to expiry of the SA.
2. Traffic-based lifetime: defines the maximum amount of traffic the SA is allowed to process.
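As an added example (not code from the original article), the following tracks both lifetime kinds for one SA. The time and traffic limits are the hard limits described above; the soft limit (a fraction of each hard limit) is this example's own assumption, modelling the point at which IKE should already be negotiating the replacement SA, and an SA with no limits models a manually configured SA that never ages.

```python
import time

class SaLifetime:
    # Lifetime bookkeeping for one IPSec SA. max_seconds / max_bytes are the time- and
    # traffic-based lifetimes from the text: the SA expires when either is reached.
    # soft_ratio (assumed) is the fraction of a hard limit at which IKE should already be
    # negotiating the replacement SA so that traffic is not interrupted by the expiry.
    # Leaving both limits as None models a manually configured SA, which never ages.
    def __init__(self, max_seconds=None, max_bytes=None, soft_ratio=0.8, clock=time.monotonic):
        self.clock = clock                  # injectable so the time-based limit is testable
        self.created = clock()
        self.max_seconds = max_seconds
        self.max_bytes = max_bytes
        self.soft_ratio = soft_ratio
        self.bytes_processed = 0

    def account(self, nbytes):
        # Called for every packet protected by this SA (traffic-based lifetime).
        self.bytes_processed += nbytes

    def _reached(self, value, limit, ratio=1.0):
        return limit is not None and value >= limit * ratio

    def state(self):
        age = self.clock() - self.created
        if self._reached(age, self.max_seconds) or self._reached(self.bytes_processed, self.max_bytes):
            return "expired"                # hard limit: the SA must no longer be used
        if (self._reached(age, self.max_seconds, self.soft_ratio)
                or self._reached(self.bytes_processed, self.max_bytes, self.soft_ratio)):
            return "rekey"                  # soft limit: start IKE negotiation of a new SA
        return "active"

def protect(sa, nbytes):
    # Use the SA for nbytes of traffic and return the resulting state, so the caller can
    # trigger rekeying early and refuse to send on an SA that has already expired.
    if sa.state() == "expired":
        return "expired"
    sa.account(nbytes)
    return sa.state()
```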
After reading the above, do you have a better understanding of the principle of IPSec VPN? If you want to learn more, please follow the industry information channel. Thank you for your support.