What protocol does ipsec consist of?

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article explains which protocols IPsec is made of. The editor considers it practical reference material and shares it here for readers to follow along.

IPsec consists of three protocols: IKE (Internet Key Exchange), ESP (Encapsulating Security Payload) and AH (Authentication Header). IKE negotiates the symmetric keys that the other two protocols use, exchanges them securely and manages their lifetimes (rekeying). ESP provides confidentiality, data-origin authentication, connectionless integrity, anti-replay protection and limited traffic-flow confidentiality. AH provides data-origin authentication, connectionless integrity and anti-replay protection, but no encryption.


1. IPsec introduction

IPsec (IP Security) is not a single cipher but a suite of protocols that protects IP packets at the network layer.

IPsec VPNs provide three properties:

Authentication: each IP packet is authenticated, so the receiver knows it came from the expected peer.

Data integrity: the receiver verifies that the packet was not altered in transit.

Confidentiality (privacy): packet contents are encrypted so they cannot be read on the wire.

2. IPsec composition

The IPsec protocol suite consists of three protocols:

① Internet Key Exchange (IKE), the key exchange protocol

IKE establishes a tunnel between the two peers, performs the key exchange and negotiates how the data will be encapsulated by the two protocols below.

IKE also refreshes the keys dynamically and periodically between the two peers (rekeying), so a long-lived tunnel does not keep using the same key.

② Encapsulating Security Payload (ESP)

ESP can authenticate, encrypt and encapsulate packets; its IP protocol number is 50. Historically 3DES was the usual cipher; 3DES is deprecated today and AES (preferably an AEAD mode such as AES-GCM) should be used instead.

③ Authentication Header (AH)

AH provides authentication and integrity only: it encapsulates the packet without encrypting it, so the payload travels in plaintext. Its IP protocol number is 51. Because AH's integrity check also covers the immutable fields of the IP header (including the addresses), AH does not survive NAT.
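To make the protocol numbers and header layouts concrete, the following example (added here; not code from the original article) demultiplexes an IPv4 packet on its protocol field the way a receiving IPsec stack does, and parses the ESP header (SPI and sequence number; everything after them is opaque without the SA's keys) and the full AH header (next header, payload length, SPI, sequence number, ICV). The two sample packets are constructed inline, not captured traffic, and the IP checksum is left at zero.

```python
import struct

IPPROTO_ESP = 50   # RFC 4303
IPPROTO_AH = 51    # RFC 4302


def ipv4_header(proto: int, src: str, dst: str, total_len: int) -> bytes:
    """Minimal IPv4 header (checksum left 0; fine for a constructed sample)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )


def parse_esp(payload: bytes) -> dict:
    """ESP: SPI (4) | sequence number (4) | opaque ciphertext + trailer + ICV.
    Only the first 8 bytes are readable without the SA's keys."""
    spi, seq = struct.unpack("!II", payload[:8])
    return {"proto": "ESP", "spi": spi, "seq": seq, "opaque_len": len(payload) - 8}


def parse_ah(payload: bytes) -> dict:
    """AH: next header (1) | payload len (1) | reserved (2) | SPI (4) | seq (4) | ICV.
    'payload len' is the AH length in 32-bit words minus 2, so the ICV size follows from it."""
    next_hdr, plen, _reserved, spi, seq = struct.unpack("!BBHII", payload[:12])
    ah_len = (plen + 2) * 4
    return {
        "proto": "AH",
        "next_header": next_hdr,
        "spi": spi,
        "seq": seq,
        "icv": payload[12:ah_len].hex(),
        "inner": payload[ah_len:],   # the 'next_header' protocol follows, still in the clear
    }


def classify(pkt: bytes) -> dict:
    """Demultiplex an IPv4 packet on its protocol field."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    body = pkt[ihl:]
    if proto == IPPROTO_ESP:
        info = parse_esp(body)
    elif proto == IPPROTO_AH:
        info = parse_ah(body)
    else:
        info = {"proto": f"non-IPsec ({proto})"}
    info.update({"src": src, "dst": dst})
    return info


# Constructed samples (not captured traffic).
_esp_body = struct.pack("!II", 0xC0FFEE01, 7) + bytes(32)          # 32 opaque bytes
ESP_SAMPLE = ipv4_header(IPPROTO_ESP, "10.0.1.5", "10.0.2.7", 20 + len(_esp_body)) + _esp_body

_icv = bytes.fromhex("0102030405060708090a0b0c")                   # 12-byte HMAC-SHA1-96 ICV
_ah_body = struct.pack("!BBHII", 6, 4, 0, 0xAB00CD01, 9) + _icv + b"TCP segment"
AH_SAMPLE = ipv4_header(IPPROTO_AH, "10.0.1.5", "10.0.2.7", 20 + len(_ah_body)) + _ah_body

if __name__ == "__main__":
    for p in (ESP_SAMPLE, AH_SAMPLE):
        print(classify(p))
```

Note how little of an ESP packet is readable on the wire: only the SPI and sequence number, which is exactly why a firewall in the path can only filter IPsec by SPI and endpoints, never by inner port.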

IKE principle

① Composition

IKE (version 1) is built from three different protocols:

ISAKMP: defines the framework for the exchange, that is, the message formats and the phases of negotiation.

SKEME: the mechanism for public-key based authentication and key refresh.

Oakley: the mechanism, based on Diffie-Hellman, by which two IPsec peers arrive at the same encryption key, together with its modes of exchange.

ISAKMP runs over UDP with source and destination port 500. When a NAT device is detected between the peers (NAT traversal, NAT-T), IKE moves to UDP port 4500 and ESP is encapsulated in UDP on that same port.

Security Association (SA)

An SA is an agreement between two communicating entities, reached through negotiation, that fixes the IPsec protocol (AH or ESP), the mode (tunnel or transport), the algorithms and keys, and the lifetime of those keys used to protect the packets. Every IPsec implementation maintains an SA database (SADB) holding these parameters; an incoming packet is matched to its SA by the tuple (destination address, SPI, protocol).

An SA is unidirectional: if two hosts A and B communicate securely with ESP, host A needs one SA, SA(OUT), to process outgoing packets, and a different SA, SA(IN), to process incoming packets. Host A's SA(OUT) and host B's SA(IN) share the same parameters (such as keys), because they describe the same one-way flow.

SAs are also distinguished by protocol: if both ESP and AH are used between two hosts, separate SAs are created for ESP and for AH.

There are two kinds of SA:

The IKE (ISAKMP) SA negotiates the algorithms used to encrypt the IKE traffic itself and to authenticate the peers (encryption of key material and peer authentication).

The IPsec SA negotiates the algorithms used to protect the IP data traffic between the peers.

There is normally only one IKE SA between a pair of peers.

There can be many IPsec SAs between the same pair of peers (for example one per protected subnet pair, and one per direction).
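The following example (added here, not from the original article) models the SADB described above: unidirectional SAs keyed by (destination, SPI, protocol), a shared key between A's outbound SA and B's inbound SA, a sender that refuses to wrap its sequence counter, and the receiver-side anti-replay sliding window of RFC 4303 section 3.4.3 that gives ESP its "replay prevention". Addresses, SPIs and keys are constructed values; in a real stack the ICV would be verified before the window is updated.

```python
from dataclasses import dataclass


@dataclass
class IPsecSA:
    """One direction of one protocol. Inbound SAs are looked up by (dst, SPI, proto)."""
    spi: int
    proto: str          # "ESP" or "AH"
    dst: str
    direction: str      # "in" or "out"
    key: bytes
    lifetime_s: int
    seq: int = 0        # out: last sequence number sent; in: highest accepted
    window: int = 64    # anti-replay window (RFC 4303 minimum is 32; 64 is common)
    bitmap: int = 0     # bit i set => sequence number (seq - i) already received


class SADB:
    def __init__(self):
        self._sas = {}

    def add(self, sa: IPsecSA) -> None:
        self._sas[(sa.dst, sa.spi, sa.proto)] = sa

    def lookup(self, dst: str, spi: int, proto: str):
        return self._sas.get((dst, spi, proto))


def next_outbound_seq(sa: IPsecSA) -> int:
    """Sender side: sequence numbers must never wrap on one SA; rekey before 2^32-1."""
    if sa.seq >= 0xFFFFFFFF:
        raise RuntimeError("sequence number exhausted; SA must be rekeyed")
    sa.seq += 1
    return sa.seq


def accept_inbound_seq(sa: IPsecSA, seq: int) -> bool:
    """Receiver side: RFC 4303 3.4.3 sliding window. True if the packet is new and inside the window."""
    if seq == 0:
        return False                      # 0 is never a valid sequence number
    if seq > sa.seq:                      # right of the window: slide it
        shift = seq - sa.seq
        sa.bitmap = ((sa.bitmap << shift) | 1) & ((1 << sa.window) - 1)
        sa.seq = seq
        return True
    diff = sa.seq - seq
    if diff >= sa.window:                 # too old, left of the window
        return False
    if (sa.bitmap >> diff) & 1:           # already seen: replay
        return False
    sa.bitmap |= 1 << diff
    return True


def demo() -> dict:
    """Hosts A and B with ESP: two SAs each, the same key shared by A's OUT and B's IN."""
    key_ab = bytes.fromhex("00" * 32)     # constructed; real keys come from IKE
    key_ba = bytes.fromhex("ff" * 32)
    sadb_a, sadb_b = SADB(), SADB()
    sadb_a.add(IPsecSA(0x1001, "ESP", "10.0.2.7", "out", key_ab, 3600))
    sadb_b.add(IPsecSA(0x1001, "ESP", "10.0.2.7", "in", key_ab, 3600))
    sadb_b.add(IPsecSA(0x2002, "ESP", "10.0.1.5", "out", key_ba, 3600))
    sadb_a.add(IPsecSA(0x2002, "ESP", "10.0.1.5", "in", key_ba, 3600))

    a_out = sadb_a.lookup("10.0.2.7", 0x1001, "ESP")
    b_in = sadb_b.lookup("10.0.2.7", 0x1001, "ESP")
    sent = [next_outbound_seq(a_out) for _ in range(3)]          # A sends 1, 2, 3
    # B receives them, then a replay of 2, out-of-order 5 then 4, a second 5, then a jump to 100
    arrivals = sent + [2, 5, 4, 5, 100, 36, 37]
    verdicts = [accept_inbound_seq(b_in, s) for s in arrivals]
    return {"shared_key": a_out.key == b_in.key, "arrivals": arrivals, "verdicts": verdicts,
            "separate_ah_sa": sadb_b.lookup("10.0.2.7", 0x1001, "AH") is None}
```

With a 64-packet window, sequence number 36 arriving after 100 is dropped as too old while 37 is still accepted; the replayed 2 and the second 5 are rejected because their bits are already set.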

The negotiation of a site-to-site IPsec VPN is divided into two phases

To transmit IP traffic securely between two sites, the sites must first agree on the encryption algorithms, the encapsulation technique and the keys they will use.

Phase 1: establish a secure management connection between the two peer devices. No user data crosses this connection; it exists to protect the phase 2 negotiation.

Phase 2: once the management connection exists, the peers negotiate the security parameters for the data connections, and that negotiation is itself encrypted. When it completes, secure data connections exist between the two sites and user traffic can flow over them.

Phase 1, establishing the ISAKMP SA, negotiates the following:

1. The authentication method used between the peers: pre-shared key or digital certificate (RSA signature).

2. The encryption algorithm both sides will use (DES, 3DES; today AES).

3. The hash/HMAC method both sides will use: MD5 or SHA (SHA-256 or better is recommended; MD5 and SHA-1 are weak).

4. The Diffie-Hellman group both sides will use (group 14 or an elliptic-curve group is recommended; groups 1 and 2 are too small).

5. The negotiation mode: main mode or aggressive mode. (Aggressive mode with a pre-shared key sends the identity and the PSK-derived hash unencrypted, which allows offline dictionary attacks on the PSK; prefer main mode.)

6. The lifetime of the SA.

Phase 2, establishing the IPsec SA, negotiates the following:

1. The encapsulation protocol both sides will use: AH or ESP.

2. The encryption algorithm both sides will use.

3. The hash/HMAC method both sides will use: MD5 or SHA.

4. The mode: tunnel mode or transport mode.

5. The lifetime of the SA (optionally also Perfect Forward Secrecy, a fresh DH exchange for the phase 2 keys).

Why are two SAs needed and how are they related?

The first tunnel, the ISAKMP SA, protects the subsequent negotiation and any later renegotiation (rekeying).

The parameters of the second tunnel are negotiated inside that fully encrypted channel.

The IPsec SA is what actually encrypts the user data.

So the phase 1 policy describes how to protect the phase 2 negotiation packets, while the phase 2 transform set describes how to protect the final user packets.
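The two phase lists above and the relationship between the two SAs can be shown as a small negotiation model. The following is an added example, not code from the original article and not any vendor's implementation: the responder walks its own policies in priority order and accepts the first one the initiator also offered (a simplification of ISAKMP proposal/transform matching; real stacks also compare key lengths and PFS groups), one IKE SA then protects the negotiation of an inbound/outbound IPsec SA pair per traffic selector, and a hardened responder refuses a peer that only offers the DES/MD5/group-2 options the text lists. Policy values and subnets are constructed.

```python
from dataclasses import dataclass, replace

WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}


@dataclass(frozen=True)
class Phase1Policy:
    auth: str          # "psk" or "rsa-sig"
    encryption: str    # "aes-256", "3des", "des"
    hash: str          # "sha256", "sha1", "md5"
    dh_group: int      # 2, 14, 19, ...
    lifetime_s: int


@dataclass(frozen=True)
class Phase2Transform:
    protocol: str      # "esp" or "ah"
    encryption: str    # "aes-256", "3des", or "null" for AH
    hash: str
    mode: str          # "tunnel" or "transport"
    lifetime_s: int


def _attrs(p):
    """Everything except the lifetime must match exactly."""
    return tuple(v for k, v in vars(p).items() if k != "lifetime_s")


def negotiate(initiator_offers, responder_policies):
    """Responder picks its highest-priority policy that the initiator also offered;
    the agreed lifetime is the shorter of the two. Returns None when nothing matches."""
    offered = {_attrs(o): o for o in initiator_offers}
    for pol in responder_policies:
        match = offered.get(_attrs(pol))
        if match is not None:
            return replace(pol, lifetime_s=min(pol.lifetime_s, match.lifetime_s))
    return None


def audit_phase1(p: Phase1Policy):
    """Flags phase 1 settings that are weak by today's standards."""
    issues = []
    if p.encryption in WEAK_CIPHERS:
        issues.append(f"cipher {p.encryption}")
    if p.hash in WEAK_HASHES:
        issues.append(f"hash {p.hash}")
    if p.dh_group in WEAK_DH_GROUPS:
        issues.append(f"dh group {p.dh_group}")
    return issues


def establish_tunnel(init_p1, resp_p1, init_p2, resp_p2, traffic_selectors):
    """One IKE SA, then one IPsec SA pair (in/out) per traffic selector negotiated under it."""
    ike_sa = negotiate(init_p1, resp_p1)
    if ike_sa is None:
        return {"ike_sa": None, "ipsec_sas": [], "reason": "phase 1 failed: no common policy"}
    ipsec_sas = []
    for ts in traffic_selectors:
        tf = negotiate(init_p2, resp_p2)      # carried inside the encrypted IKE SA
        if tf is None:
            return {"ike_sa": ike_sa, "ipsec_sas": ipsec_sas, "reason": f"phase 2 failed for {ts}"}
        ipsec_sas.append({"selector": ts, "transform": tf, "direction": "in"})
        ipsec_sas.append({"selector": ts, "transform": tf, "direction": "out"})
    return {"ike_sa": ike_sa, "ipsec_sas": ipsec_sas, "reason": "ok"}


# Constructed policies: the initiator still offers a legacy fallback, the responder does not accept it.
INIT_P1 = [Phase1Policy("psk", "aes-256", "sha256", 14, 86400),
           Phase1Policy("psk", "3des", "md5", 2, 86400)]
RESP_P1 = [Phase1Policy("rsa-sig", "aes-256", "sha256", 19, 28800),
           Phase1Policy("psk", "aes-256", "sha256", 14, 28800)]
INIT_P2 = [Phase2Transform("esp", "aes-256", "sha256", "tunnel", 3600)]
RESP_P2 = [Phase2Transform("esp", "aes-256", "sha256", "tunnel", 3600)]
SELECTORS = [("10.0.1.0/24", "10.0.2.0/24"), ("10.0.1.0/24", "10.0.3.0/24")]

if __name__ == "__main__":
    print(establish_tunnel(INIT_P1, RESP_P1, INIT_P2, RESP_P2, SELECTORS))
```

Two things are worth noticing in the result: the agreed IKE lifetime is the responder's shorter 28800 seconds, not the initiator's 86400, and two traffic selectors yield four IPsec SAs under a single IKE SA.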

Overview of ESP

Encapsulating Security Payload, used for data confidentiality and integrity verification.

ESP wraps the protected data between an ESP header (SPI and sequence number) and an ESP trailer (padding, pad length, next header), followed by an integrity check value (ICV) when authentication is enabled.

ESP has two modes:

Transport mode: encrypts only the data above the IP header and leaves the original IP header in the clear (suitable for GRE (Generic Routing Encapsulation) over IPsec, where the router terminating the GRE tunnel is also the IPsec endpoint). The encrypting endpoint is the communicating endpoint.

Tunnel mode: encrypts the entire original packet, including its IP header, and prepends a new IP header addressed to the far gateway. The encrypting endpoint (a gateway) is not the communicating endpoint, so the inner addresses are hidden on the wire.
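The difference between the two modes is easiest to see by building both packets. The example below is added here and is not code from the original article: it uses ESP-NULL (RFC 2410, the real "no encryption" ESP transform) so that the framing stays readable, with HMAC-SHA-256-128 (RFC 4868) for the ICV; a production SA would use AES-GCM in place of the null transform. The original packet, gateway addresses (RFC 5737 documentation ranges) and key are constructed.

```python
import hashlib
import hmac
import struct

IPPROTO_ESP = 50
IPPROTO_IPIP = 4        # next-header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 16            # HMAC-SHA-256-128 truncates the tag to 128 bits


def ipv4_header(proto, src, dst, total_len):
    """Minimal IPv4 header; checksum left 0 for the constructed sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))


def esp_encapsulate(spi, seq, plaintext, next_header, auth_key):
    """ESP header | payload | padding | pad len | next header | ICV.
    ESP-NULL: with a real cipher, the bytes between header and ICV would be ciphertext."""
    header = struct.pack("!II", spi, seq)
    pad_len = (-(len(plaintext) + 2)) % 4          # 4-byte alignment (cipher block size otherwise)
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = plaintext + trailer
    icv = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def esp_decapsulate(esp_packet, auth_key):
    """Verify the ICV first, then strip the trailer. Returns (next_header, payload) or None."""
    if len(esp_packet) < 8 + 2 + ICV_LEN:
        return None
    header, body, icv = esp_packet[:8], esp_packet[8:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - 2 - pad_len]


def transport_mode(orig_packet, spi, seq, key):
    """Keep the original IP header (protocol field becomes 50); protect only what is above it."""
    ihl = (orig_packet[0] & 0x0F) * 4
    hdr, l4 = bytearray(orig_packet[:ihl]), orig_packet[ihl:]
    esp = esp_encapsulate(spi, seq, l4, hdr[9], key)
    hdr[9] = IPPROTO_ESP
    struct.pack_into("!H", hdr, 2, len(hdr) + len(esp))
    return bytes(hdr) + esp


def tunnel_mode(orig_packet, gw_src, gw_dst, spi, seq, key):
    """The whole original packet becomes the ESP payload; a new outer header names the gateways."""
    esp = esp_encapsulate(spi, seq, orig_packet, IPPROTO_IPIP, key)
    return ipv4_header(IPPROTO_ESP, gw_src, gw_dst, 20 + len(esp)) + esp


def visible_addresses(pkt):
    """What an observer on the wire sees in the outer header."""
    return ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))


# Constructed sample: a TCP segment from 10.0.1.5 to 10.0.2.7 (both inside the sites).
_segment = b"\x04\xd2\x00\x50" + bytes(16) + b"hello"
ORIGINAL = ipv4_header(6, "10.0.1.5", "10.0.2.7", 20 + len(_segment)) + _segment
KEY = bytes(range(32))                                   # constructed; IKE would supply this


def compare():
    t = transport_mode(ORIGINAL, 0x1001, 1, KEY)
    u = tunnel_mode(ORIGINAL, "203.0.113.1", "198.51.100.1", 0x1001, 1, KEY)
    tampered = u[:-ICV_LEN - 8] + bytes([u[-ICV_LEN - 8] ^ 0xFF]) + u[-ICV_LEN - 7:]  # flip a body byte
    return {
        "transport_visible": visible_addresses(t),
        "tunnel_visible": visible_addresses(u),
        "transport_inner": esp_decapsulate(t[20:], KEY),
        "tunnel_inner": esp_decapsulate(u[20:], KEY),
        "tampered_inner": esp_decapsulate(tampered[20:], KEY),
    }


if __name__ == "__main__":
    print(compare())
```

In transport mode the wire still shows 10.0.1.5 and 10.0.2.7; in tunnel mode it shows only the two gateways, and the decapsulated next header is 4 (an inner IPv4 packet) rather than 6 (TCP). The tampered packet fails the ICV check before any trailer parsing, which is the order a real stack must keep.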

Overview of AH

Authentication Header, used to implement integrity verification and data-origin authentication, without encryption.
