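IP Security (IPsec) Overview
A reliable Layer 3 point-to-point encryption technology.
IPsec is a set of communication rules or protocols used to establish secure connections over a network.
The IPsec security framework includes the following protocols and algorithms:
- Authentication Header (AH).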
- Encapsulating Security Payload (ESP).
- Internet Key Exchange (IKE).
- Algorithms for authentication and encryption.
AH and ESP are security protocols that provide security services.
IKE performs automatic key exchange.
IKE provides automatic key negotiation and automatic IPsec security association (SA) setup and maintenance.
Security protocols and encapsulation modes
Security protocols
AH (protocol 51) defines the encapsulation of the AH header in an IP packet.
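AH can provide data origin authentication, data integrity, and anti-replay service to prevent data tampering, but it cannot prevent eavesdropping.
AH supports authentication algorithms HMAC-MD5 and HMAC-SHA1.
AH provides data origin authentication, integrity, and anti-replay (protection against data tampering), but it cannot stop the data from being eavesdropped on, so it is generally used to carry non-confidential data (which is why AH supports only authentication algorithms).
ESP (protocol 50) defines the encapsulation of the ESP header and trailer in an IP packet.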
ESP can provide data encryption, data origin authentication, data integrity, and anti-replay services.
Unlike AH, ESP can guarantee data confidentiality because it can encrypt the data before encapsulating the data to IP packets.
ESP supports encryption algorithms such as DES, 3DES, and AES, and authentication algorithms HMAC-MD5 and HMAC-SHA1.
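ESP provides data encryption, data origin authentication, data integrity, and anti-replay (anti-interference).
Unlike AH, ESP needs both an encryption algorithm and an authentication algorithm to be configured, and ESP encrypts the data before it is encapsulated into the IP packet.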
Encapsulation modes
- Transport mode—The security protocols protect the upper layer data of an IP packet.
Only the transport layer data is used to calculate the security protocol headers.
The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header.
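You can use the transport mode when end-to-end security protection is required.
The transport mode is typically used for protecting host-to-host communications, as shown in Figure 1.
Transport mode protects the upper-layer (transport layer) data of the IP packet, which means the two IPsec nodes can reach each other at Layer 3 and every IP address being accessed is visible. The typical use case is host-to-host communication.
- Tunnel mode—The security protocols protect the entire IP packet.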
The entire IP packet is used to calculate the security protocol headers.
The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are encapsulated in a new IP packet.
In this mode, the encapsulated packet has two IP headers. The inner IP header is the original IP header. The outer IP header is added by the network device that provides the IPsec service.
You must use the tunnel mode when the secured transmission start and end points are not the actual start and end points of the data packets (for example, when two gateways provide IPsec but the data start and end points are two hosts behind the gateways).
The tunnel mode is typically used for protecting gateway-to-gateway communications.
Tunnel mode encrypts a complete IP packet and then encapsulates it with a new IP header. Because tunnel mode has an inner IP header and an outer IP header, the typical use case is connecting two LANs, so it is generally deployed between two gateways.
Security association (a security alliance: the peers reach a security consensus)
P.S. The SA here refers to the IPsec SA, not the IKE SA.
A security association (SA) is an agreement negotiated between two communicating parties called IPsec peers.
An SA comprises the following parameters for data protection:
- Security protocols (AH, ESP, or both).
- Encapsulation mode (transport mode or tunnel mode). (The encapsulation mode determines the use case.)
- Authentication algorithm (HMAC-MD5 or HMAC-SHA1).
- Encryption algorithm (DES, 3DES, or AES). (Only the ESP protocol provides encryption algorithms.)
- Shared keys and their lifetimes.
An SA is unidirectional. At least two SAs are needed to protect data flows in a bidirectional communication.
An SA is unidirectional; for two parties to communicate with each other, at least two SAs must be set up.
If two peers want to use both AH and ESP to protect data flows between them, they construct an independent SA for each protocol in each direction.
An SA is uniquely identified by a triplet, which consists of the security parameter index (SPI), destination IP address, and security protocol identifier.
An SA is unique (identified) by three things taken together: the security parameter index (SPI), destination IP address, and security protocol identifier.
An SPI is a 32-bit number that identifies an SA. (The SPI is the SA's ID card: it is unique.) It is transmitted in the AH/ESP header.
An SA can be set up manually or through IKE.
- Manual mode—Configure all parameters for the SA through commands. This configuration mode is complex and does not support some advanced features (such as periodic key update), but it can implement IPsec without IKE. This mode is mainly used in small and static networks or when the number of IPsec peers in the network is small.
(Configure the SA parameters by hand? Too tiring. Unless the device does not support IKE, skip this if you want the quick version.)
- IKE negotiation mode—The peers negotiate and maintain the SA through IKE.
This configuration mode is simple and scales well. In medium- and large-scale dynamic networks, H3C recommends (as does everyone) setting up SAs through IKE negotiations.
A manually configured SA never ages out. An IKE-created SA has a lifetime, which comes in two types:
- Time-based lifetime—Defines how long the SA can be valid after it is created.
- Traffic-based lifetime—Defines the maximum traffic that the SA can process.
If both lifetime timers are configured for an SA, the SA becomes invalid when either of the lifetime timers expires. Before the SA expires, IKE negotiates a new SA, which takes over immediately after its creation.
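There is a time-based timeout and a traffic-based timeout (in kilobytes). If both are set, whichever is triggered first takes effect.
Before the SA expires, IKE negotiates a new SA, and the peers switch to the new SA as soon as negotiation completes.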
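The SA triplet lookup and the two lifetime types described above, as an added example (not code from the original page or from H3C). The `SA` class, the function names, the 1 KB = 1024 bytes convention and the sample SPI and address are assumptions made for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

AH, ESP = 51, 50  # IP protocol numbers given in the text

@dataclass
class SA:
    created: float                 # creation time in seconds (caller's clock)
    life_seconds: Optional[float]  # None: manually configured SA, never ages out
    life_kbytes: Optional[int]     # traffic-based lifetime, assumed 1 KB = 1024 bytes
    bytes_used: int = 0

    def expired(self, now: float) -> bool:
        by_time = self.life_seconds is not None and now - self.created >= self.life_seconds
        by_traffic = self.life_kbytes is not None and self.bytes_used >= self.life_kbytes * 1024
        return by_time or by_traffic   # whichever limit is hit first ends the SA

def spi_and_seq(proto: int, payload: bytes):
    """Return (SPI, sequence number) read from an AH or ESP header."""
    # AH carries 4 bytes (next header, length, reserved) before the SPI; ESP starts with it.
    offset = {ESP: 0, AH: 4}.get(proto)
    if offset is None or len(payload) < offset + 8:
        raise ValueError("not a complete AH/ESP header")
    return struct.unpack("!II", payload[offset:offset + 8])

def inbound_lookup(sad: dict, dst: str, proto: int, payload: bytes, now: float) -> str:
    """Select the inbound SA by the (SPI, destination address, protocol) triplet."""
    spi, seq = spi_and_seq(proto, payload)
    sa = sad.get((spi, dst, proto))
    if sa is None:
        return "drop: no SA"
    if sa.expired(now):
        return "drop: SA expired"
    sa.bytes_used += len(payload)
    return f"accept: spi={spi:#x} seq={seq}"

def demo():
    # Constructed sample: one inbound ESP SA with a 1-hour / 1-KB lifetime.
    sad = {(0x1001, "192.0.2.1", ESP): SA(created=0.0, life_seconds=3600, life_kbytes=1)}
    pkt = struct.pack("!II", 0x1001, 7) + bytes(1016)   # 1024-byte ESP payload
    return [inbound_lookup(sad, "192.0.2.1", ESP, pkt, now=t) for t in (10.0, 11.0)]

if __name__ == "__main__":
    print(demo())
```

The second packet is refused because the traffic-based limit is reached long before the time-based one; a device using IKE would have negotiated the replacement SA before that point.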
Authentication and encryption
Authentication algorithms
IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. IPsec peers respectively calculate message digests for each packet. The receiver compares the local digest with that received from the sender. If the digests are identical, the receiver considers the packet intact and the sender’s identity valid. IPsec uses the Hash-based Message Authentication Code (HMAC) based authentication algorithms, including HMAC-MD5 and HMAC-SHA1. Compared with HMAC-SHA1, HMAC-MD5 is faster but less secure.
IPsec uses hash algorithms for authentication. A hash algorithm produces a fixed-length digest for messages of different lengths, and the two sides use this digest to verify whether a packet is valid. [Hash-based Message Authentication Code (HMAC)]
Compared with HMAC-SHA1, HMAC-MD5 is faster but a little less secure. (It is only packet authentication; I feel it does not need to be all that secure.)
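The per-packet digest comparison described above, together with the sequence-number anti-replay check mentioned earlier, as an added example (not code from the original page). The packet layout is reduced to SPI, sequence number, unencrypted body and a 96-bit truncated HMAC-SHA1 value; the class and function names, the window size and the sample key are assumptions.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte HMAC-SHA1 output truncated to 96 bits

def seal(key: bytes, spi: int, seq: int, body: bytes) -> bytes:
    """Sender side: append the digest computed over header and body."""
    data = struct.pack("!II", spi, seq) + body
    return data + hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

class Receiver:
    def __init__(self, key: bytes, window: int = 32):
        self.key, self.window = key, window
        self.highest, self.seen = 0, set()

    def accept(self, packet: bytes) -> str:
        if len(packet) < 8 + ICV_LEN:
            return "drop: truncated"
        data, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, data, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # constant-time comparison
            return "drop: bad ICV"
        seq = struct.unpack("!I", data[4:8])[0]
        # The replay state is touched only after the packet has authenticated.
        if seq + self.window <= self.highest or seq in self.seen:
            return "drop: replay"
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen | {seq} if s + self.window > self.highest}
        return "accept"

def demo():
    key = b"constructed-sample-k"                 # constructed 20-byte key
    rx = Receiver(key)
    pkt = seal(key, 0x1001, 1, b"hello")
    tampered = pkt[:8] + b"jello" + pkt[13:]     # body changed, digest left as sent
    return [rx.accept(pkt), rx.accept(pkt), rx.accept(tampered)]

if __name__ == "__main__":
    print(demo())
```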
Encryption algorithms
Symmetric encryption: the same key is used for encryption and decryption.
IPsec uses symmetric encryption algorithms, which encrypt and decrypt data by using the same keys. The following encryption algorithms are available for IPsec on the device:
- DES—Encrypts a 64-bit plaintext block with a 56-bit key. DES is the least secure but the fastest algorithm.
- 3DES—Encrypts plaintext data with three 56-bit DES keys. The key length totals up to 168 bits. It provides moderate security strength and is slower than DES.
- AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and is slower than 3DES.
Security increases step by step while speed decreases step by step.
IPsec implementation
To implement IPsec protection for packets between two peers, complete the following tasks on each peer:
- Configure an IPsec policy, which defines the range of packets to be protected by IPsec and the security parameters used for the protection.
- Apply the IPsec policy to an interface or an application.
When you apply an IPsec policy to an interface, you implement IPsec based on the interface. Packets received and sent by the interface are protected according to the IPsec policy. When you apply an IPsec policy to an application, you implement IPsec based on the application. Packets of the application are protected according to the IPsec policy, regardless of the receiving and sending interface of the packets.
IPsec protects packets as follows:
- When an IPsec peer identifies the packets to be protected according to the IPsec policy, it sets up an IPsec tunnel and sends the packet to the remote peer through the tunnel. The IPsec tunnel can be manually configured beforehand, or it can be set up through IKE negotiation triggered by the packet. The IPsec tunnels are actually the IPsec SAs. The inbound packets are protected by the inbound SA, and the outbound packets are protected by the outbound SA.
- When the remote IPsec peer receives the packet, it drops, de-encapsulates, or directly forwards the packet according to the configured IPsec policy.
Interface-based IPsec supports setting up IPsec tunnels based on ACLs.
ACL-based IPsec
To implement ACL-based IPsec, configure an ACL to define the data flows to be protected, reference the ACL in an IPsec policy, and then apply the IPsec policy to an interface. When packets sent by the interface match the permit rule of the ACL, the packets are protected by the outbound IPsec SA and encapsulated with IPsec. When the interface receives an IPsec packet whose destination address is the IP address of the local device, it searches for the inbound IPsec SA according to the SPI carried in the IPsec packet header for de-encapsulation.
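On sending, flows are matched against the ACL and encrypted; on receiving, the SPI is looked up (as mentioned earlier, the SPI is the unique identifier of the SA).
If the de-encapsulated packet matches the permit rule of the ACL, the device processes the packet. Otherwise, it drops the packet. (Received packets are also checked against the ACL.)
Each ACL rule matches both the outbound traffic and the returned inbound traffic.
Packets that do not match are dropped.
IPsec packets destined for the device itself are de-encapsulated. By default, the de-encapsulated packets are compared against the ACL rules. Only those that match the ACL statements are processed; other packets are dropped. If ACL checking for de-encapsulated packets is disabled, the de-encapsulated packets are not compared against the ACL rules and are processed directly by other modules.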
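The outbound ACL match and the inbound SPI lookup followed by the ACL check on the de-encapsulated packet, as an added example (not H3C configuration or code). The ACL representation, the function names, the sample addresses and the handling of outbound traffic that matches no permit rule are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed ACL: (action, source net, destination net); first match wins.
ACL = [("permit", ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24"))]

def acl_permits(acl, src: str, dst: str, mirrored: bool = False) -> bool:
    s, d = ip_address(src), ip_address(dst)
    if mirrored:                 # return traffic: match with source/destination swapped
        s, d = d, s
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False                 # no rule matched

def outbound(acl, src: str, dst: str) -> str:
    # Assumption: traffic that matches no permit rule leaves unprotected.
    return "protect with outbound SA" if acl_permits(acl, src, dst) else "send unprotected"

def inbound(acl, inbound_spis, local_ip, outer_dst, spi,
            inner_src, inner_dst, check_acl=True) -> str:
    if outer_dst != local_ip:
        return "forward"         # IPsec packet not addressed to this device
    if spi not in inbound_spis:
        return "drop: no inbound SA for SPI"
    # De-encapsulation would happen here; inner_src/inner_dst are its result.
    if check_acl and not acl_permits(acl, inner_src, inner_dst, mirrored=True):
        return "drop: not permitted by ACL"
    return "process"

def demo():
    spis = {0x2001}              # constructed inbound SPI
    me = "203.0.113.1"           # constructed local gateway address
    return [
        outbound(ACL, "10.1.1.5", "10.1.2.9"),
        inbound(ACL, spis, me, me, 0x2001, "10.1.2.9", "10.1.1.5"),
        # Valid SA, but the inner flow is outside the protected range.
        inbound(ACL, spis, me, me, 0x2001, "10.9.9.9", "10.1.1.5"),
        inbound(ACL, spis, me, me, 0x2001, "10.9.9.9", "10.1.1.5", check_acl=False),
    ]
```

The last two results differ only in `check_acl`: with the check disabled, a peer holding a valid SA can deliver inner packets for flows the policy never named.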
The device supports the following data flow protection modes:
- Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it.
- Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL. This mode is only used to communicate with old-version devices.
- Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode consumes more system resources when multiple data flows exist between two subnets to be protected.
Protocols and standards
- RFC 2401, Security Architecture for the Internet Protocol
- RFC 2402, IP Authentication Header
- RFC 2406, IP Encapsulating Security Payload
- RFC 4552, Authentication/Confidentiality for OSPFv3
At this point we understand how the IPsec protocol works. In practice, we use IKE to negotiate the IPsec SAs.
IKE
Built on a framework defined by ISAKMP, Internet Key Exchange (IKE) provides automatic key negotiation and SA establishment services for IPsec.
Based on the ISAKMP framework, IKE (Internet Key Exchange) provides automatic key exchange and SA establishment services for IPsec.
IKE provides the following benefits for IPsec:
- Automatically negotiates IPsec parameters.
- Performs DH exchanges to calculate shared keys, making sure each SA has a key that is independent of other keys.
- Automatically negotiates SAs when the sequence number in the AH or ESP header overflows, making sure IPsec can provide the anti-replay service by using the sequence number.
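(When the AH/ESP sequence number overflows, SAs can be negotiated automatically, which ensures that IPsec can provide sequence-number-based anti-replay protection.)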
As shown in Figure 7, IKE negotiates SAs for IPsec and transfers the SAs to IPsec, and IPsec uses the SAs to protect IP packets.
IKE negotiates the SA for IPsec and hands that SA over to IPsec, and IPsec uses the SA to protect IP packets.
IKE negotiation process
IKE negotiates keys and SAs for IPsec in two phases:
- Phase 1—The two peers establish an IKE SA, a secure, authenticated channel for communication. In this phase, two modes are available: main mode and aggressive mode.
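Phase 1: the two ends establish an IKE SA, a secure, authenticated channel used for communication.
- Phase 2—Using the IKE SA established in phase 1, the two peers negotiate to establish IPsec SAs.
Phase 2: using the IKE SA channel established in phase 1, the two ends negotiate to establish the IPsec SAs.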
As shown in Figure 8, the main mode of IKE negotiation in phase 1 involves three pairs of messages:
- SA exchange—Used for negotiating the IKE security policy.
- Key exchange—Used for exchanging the DH public value and other values, such as the random number. The two peers use the exchanged data to generate key data and use the encryption key and authentication key to ensure the security of IP packets.
- ID and authentication data exchange—Used for identity authentication.
The main difference between the main mode and the aggressive mode is that the aggressive mode does not provide identity information protection and exchanges only three messages, rather than three pairs. The main mode provides identity information protection but is slower.
IKE security mechanism
IKE has a series of self-protection mechanisms and supports secure identity authentication, key distribution, and IPsec SA establishment on insecure networks.
Identity authentication
The IKE identity authentication mechanism is used to authenticate the identity of the communicating peers. The device supports the following identity authentication methods:
- Pre-shared key authentication—Two communicating peers use the pre-configured shared key for identity authentication.
- RSA signature authentication and DSA signature authentication—Two communicating peers use the digital certificates issued by the CA for identity authentication.
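In most cases we use the pre-shared key authentication method;
certificate authentication is generally used in networks with high security requirements.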
DH algorithm
The DH algorithm is a public key algorithm. With this algorithm, two peers can exchange keying material and then use the material to calculate the shared keys. Due to the decryption complexity, a third party cannot decrypt the keys even after intercepting all keying materials.
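The DH algorithm is an algorithm for conveying keys over the Internet: the two ends exchange keying material (not the key itself) and compute the shared key from it. Because of the complexity of decryption, even if a third party intercepts all the keying material, it is very hard to decrypt.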
PFS
The Perfect Forward Secrecy (PFS) feature is a security feature based on the DH algorithm. After PFS is enabled, an additional DH exchange is performed in IKE phase 2 to make sure IPsec keys have no derivative relations with IKE keys and a broken key brings no threats to other keys.
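PFS is based on the DH algorithm. When PFS is enabled, an additional DH exchange is performed in IKE phase 2, which ensures that the IPsec keys have no relation to the IKE keys.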
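The DH exchange and the effect of PFS on key independence, as an added example (not code from the original page). The modulus is a toy prime rather than a real IKE DH group, HMAC-SHA1 stands in for the negotiated PRF, and the key derivation is simplified; all names are assumptions.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy prime modulus, for illustration only; NOT a real IKE DH group
G = 3

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private value, never sent
    return priv, pow(G, priv, P)                 # public value, sent to the peer

def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def ipsec_keymat(ike_key: bytes, nonces: bytes, phase2_dh: bytes = b"") -> bytes:
    """Simplified phase 2 key derivation; phase2_dh is present only with PFS."""
    return prf(ike_key, phase2_dh + nonces)

def negotiate(pfs: bool) -> dict:
    # Phase 1: both peers derive the same IKE key from exchanged public values.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    ike_a = prf(dh_shared(a_priv, b_pub), b"ike")
    ike_b = prf(dh_shared(b_priv, a_pub), b"ike")
    # Phase 2: nonces travel inside the IKE SA; with PFS a second DH runs too.
    nonces = secrets.token_bytes(32)
    extra_a = extra_b = b""
    if pfs:
        a2_priv, a2_pub = dh_keypair()
        b2_priv, b2_pub = dh_keypair()
        extra_a, extra_b = dh_shared(a2_priv, b2_pub), dh_shared(b2_priv, a2_pub)
    key_a = ipsec_keymat(ike_a, nonces, extra_a)
    key_b = ipsec_keymat(ike_b, nonces, extra_b)
    # What the IKE key alone yields: the nonces were protected only by that
    # key, while the phase 2 private values were never transmitted.
    from_ike_key_only = ipsec_keymat(ike_a, nonces)
    return {"peers_agree": key_a == key_b,
            "ipsec_key_follows_from_ike_key": from_ike_key_only == key_a}

if __name__ == "__main__":
    print(negotiate(pfs=False), negotiate(pfs=True))
```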
IKE configuration prerequisites
Determine the following parameters prior to IKE configuration:
- The algorithms to be used during IKE negotiation, including the identity authentication method, encryption algorithm, authentication algorithm, and DH group.
- The pre-shared key or PKI domain for IKE negotiation. For more information about PKI, see “Configuring PKI.”
- The IKE-based IPsec policies for the communicating peers. If an IPsec policy does not reference any IKE profile, the device selects an IKE profile for the IPsec policy. If no IKE profile is configured, the globally configured IKE settings are used. For more information about IPsec, see “Configuring an IKE-based IPsec policy.”