
Thread: IPSec tut

  1. #1
    Senior Member (Join Date: Nov 2002, Posts: 382)

    IPSec tut

    A few days ago I proposed to write a brief tut about IPsec, and some folks told me they were interested.

    I'm not a crypto expert, and this tut does not provide much info about PKI.

    What is IPsec?

    It's the state of the art against Man In the Middle attacks (MITM attacks).
    This protocol implements 3 main features:
    - VPN tunneling
    - Anti-Replay
    - Authentication
    - Data encryption
    - "Static routing"
    - "Known-of-need"

    The VPN feature may be disabled; this introduces 2 modes of using IPsec: transport mode (without tunnelling) and tunnel mode.
    I think you all know the benefit of tunneling. (The WAN, e.g. the ISP, is not aware of your private addresses. In theory
    only people at the other end of the tunnel can connect to you.)
    Most people use tunnel mode, but transport mode may be useful in some cases (for instance when NAT of your public
    addresses is somehow required).

    The anti-replay feature is the real benefit of the IPsec standard. It uses ESP encapsulation (ESP fills in the
    protocol field of the IP header).
    It's a sliding window mechanism. Each packet has an incremental identifier value; the IPsec box keeps in memory a set of
    received packet identifiers for a given connection. A window of n packets is defined because memory is not unlimited,
    e.g. 32 consecutive packet IDs starting from ID=10: [10; 42].
    The box will drop packets according to the following rules:
    - if a packet has an ID that has already been memorised => the packet is dropped
    - if a packet has an ID that is less than the minimum value of the window => the packet is dropped (e.g. packet_id=8)
    - if a packet has an ID that is greater than the maximum value of the window => the window slides so that it ends at that
    maximum value (e.g. packet_id=50, then window=[18;50])

    Authentication
    The ESP header offers an authentication mechanism by sealing the packet (without a third party).

    Data encryption
    Data are encrypted thanks to private keys. Many IPsec boxes use hardware smartcards containing encryption keys
    to exclude the risk of public key interception. But mostly people use it with PKI.

    To sum up, in tunnel mode the packet looks like: cf figure


    The "Static routing" feature is called (I'm not sure of the technical translation in English) the Security Association table.
    A given IPsec box X will protect a network Net_X and have a public address Z_X; the Security Association table contains the
    information about which IPsec tunnel data should be forwarded to.
    For instance, data from NET_A to destination NET_B will go through the table, which should contain a kind of static route saying
    "To reach NET_B forward packet to Z_B".

    "Known-of-need" (I'm not sure of the translation) is another feature of the Security Association table, saying that source NET_A
    is authorized to communicate with destination NET_B. It's a firewall-like feature (the one described by kadeng in thread http://www.antionline.com/showthread...486#post625486).

    There is much more to say about the principle... Feel free to update it.

    IPsec Problems
    1- One big problem of IPsec is that a check is done on the tunnel IP address; like any VPN architecture it's therefore not compatible
    with NAT, unless you use it in transport mode.

    2- Another one is dynamic routing and multicast frames. Let's take an example: you have two sites with the Internet in the middle.
    An IPsec tunnel provides inter-site connectivity. If a new route is added on one site, that very route won't be accessible. A
    manual Security Association table update is required.
    Nevertheless, using a routing protocol like RIP or OSPF would not work since IPsec tunnels do not support multicast frames.
    That IETF Internet Draft may help you to resolve the problem.

    3- IPsec & QoS: Let's imagine the ISP provides QoS; the sequence of received packets could be scrambled, resulting in sliding
    the anti-replay window too quickly and then dropping some legitimate packets.
    SHARING KNOWLEDGE
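    The anti-replay window described in the post above, as an added example that is not part of the original post. It follows the receive-side algorithm of RFC 4303 section 3.4.3: the "identifier" is the 32-bit ESP Sequence Number, and the receiver keeps only a bitmap of the last `size` numbers anchored at the highest one accepted, so with top=50 and a 32-wide window the accepted range is 19..50. The trace, the stream of sequence numbers and the `late_packet_survives` scenario (the QoS/reordering problem from item 3) are constructed for this example; the one caveat a practitioner should take from the code is that the window is only advanced after the integrity check passes, so a forged packet with a high sequence number cannot push legitimate traffic out of the window.

```python
# Added example (not code from the original post): a receive-side
# ESP anti-replay window in the shape RFC 4303 section 3.4.3 describes.
# The ESP "identifier" is the 32-bit Sequence Number; the receiver keeps a
# bitmap of the last `size` numbers anchored at the highest one accepted.

class AntiReplayWindow:
    """Anti-replay state for one inbound Security Association."""

    def __init__(self, size=32):
        # RFC 4303 sets 32 as the minimum window; 64 is the usual default.
        if size < 32:
            raise ValueError("window must be at least 32 sequence numbers")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  <=>  sequence number (top - i) was accepted

    def check(self, seq):
        """Pre-decryption check. Returns None if seq may proceed, else a drop reason."""
        if seq == 0:
            return "invalid-seq"              # seq 0 is never sent on an SA
        if seq > self.top:
            return None                       # right of the window: will slide
        if seq <= self.top - self.size:
            return "stale"                    # left of the window: too old
        if (self.bitmap >> (self.top - seq)) & 1:
            return "replay"                   # inside window, already seen
        return None

    def update(self, seq):
        """Record seq. Call only after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything old falls off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq, icv_ok=True):
        """Inbound processing order: window check, integrity check, window update."""
        reason = self.check(seq)
        if reason:
            return "drop:" + reason
        if not icv_ok:
            return "drop:bad-icv"             # a forged packet must not move the window
        self.update(seq)
        return "accept"


def demo_trace(window_size=32):
    """Run a constructed sequence-number stream through the window.
    Covers the post's three rules plus mild reordering (5 arriving before 4)."""
    w = AntiReplayWindow(window_size)
    stream = [1, 2, 3, 5, 4, 3, 50, 18, 19, 17, 50, 100]   # constructed input
    return [(seq, w.receive(seq)) for seq in stream]


def late_packet_survives(delay, window_size):
    """Does a packet that arrives `delay` sequence numbers behind the newest
    one still get accepted? This is the QoS/reordering problem from the post:
    a reorder deeper than the window is indistinguishable from a replay."""
    w = AntiReplayWindow(window_size)
    late = 10
    for seq in range(1, late + delay + 1):
        if seq != late:
            w.receive(seq)
    return w.receive(late) == "accept"


if __name__ == "__main__":
    for seq, verdict in demo_trace():
        print(f"seq={seq:<4} {verdict}")
    print("delay 31 in window 32:", late_packet_survives(31, 32))
    print("delay 32 in window 32:", late_packet_survives(32, 32))
    print("delay 32 in window 64:", late_packet_survives(32, 64))
```

    The `late_packet_survives` runs show the practical answer to problem 3: a packet delayed by fewer than `window_size` later packets is still accepted, one delayed by `window_size` or more is dropped as stale, and the usual fix is a larger window (64 is the common default, and implementations that see heavy reordering go to 256 or 1024) rather than disabling anti-replay.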
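    The "static routing" and "known-of-need" lookups from the post, as an added example that is not part of the original post. What the post calls the Security Association table is, in RFC 4301 terms, the Security Policy Database (SPD): an ordered list of traffic selectors, each with one of the actions PROTECT (send through the tunnel to peer Z_B), BYPASS (send in the clear) or DISCARD, and a packet that matches no entry is discarded, which is the firewall-like behaviour the post describes. The example goes a little beyond the post: it adds a protocol selector and a `shadowed` check that finds entries an earlier, broader entry makes unreachable, a common mistake in hand-maintained tables. Networks, peer addresses (from the 203.0.113.0/24 documentation range) and packets are all constructed; `build_site_a` and `build_misordered` are hypothetical tables for box A.

```python
# Added example (not code from the original post): the "static routing" and
# "known-of-need" lookups the post describes, modelled as an ordered,
# first-match Security Policy Database (the RFC 4301 name for this table)
# with the three RFC 4301 actions. Networks and peer addresses are constructed
# (203.0.113.0/24 is a documentation range).
import ipaddress

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


class PolicyEntry:
    """One SPD entry: traffic selectors plus what to do with a match."""

    def __init__(self, src, dst, action, peer=None, proto=None):
        self.src = ipaddress.ip_network(src, strict=False)
        self.dst = ipaddress.ip_network(dst, strict=False)
        self.action = action
        self.peer = peer        # tunnel endpoint (the post's Z_B) for PROTECT
        self.proto = proto      # None = any upper-layer protocol
        if action == PROTECT and peer is None:
            raise ValueError("PROTECT entries need a tunnel peer")

    def matches(self, src_ip, dst_ip, proto):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.proto is None or self.proto == proto))


class SPD:
    """Ordered policy list; the first matching entry wins."""

    def __init__(self, entries):
        self.entries = list(entries)

    def lookup(self, src_ip, dst_ip, proto=None):
        """Outbound decision for one packet: (action, tunnel peer or None)."""
        for entry in self.entries:
            if entry.matches(src_ip, dst_ip, proto):
                return entry.action, entry.peer
        return DISCARD, None     # RFC 4301: no matching entry => discard

    def shadowed(self):
        """Indices of entries that can never match because an earlier,
        broader entry already covers every packet they would select."""
        dead = []
        for i, later in enumerate(self.entries):
            for earlier in self.entries[:i]:
                if (later.src.version == earlier.src.version
                        and later.dst.version == earlier.dst.version
                        and later.src.subnet_of(earlier.src)
                        and later.dst.subnet_of(earlier.dst)
                        and (earlier.proto is None or earlier.proto == later.proto)):
                    dead.append(i)
                    break
        return dead


def build_site_a():
    """Box A's table (hypothetical): protects NET_A, knows peers B and C."""
    NET_A, NET_B, NET_C = "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"
    Z_B, Z_C = "203.0.113.2", "203.0.113.3"
    return SPD([
        PolicyEntry(NET_A, NET_A, BYPASS),                          # intra-site, no IPsec
        PolicyEntry(NET_A, NET_B, PROTECT, peer=Z_B),               # "to reach NET_B, forward to Z_B"
        PolicyEntry(NET_A, NET_C, PROTECT, peer=Z_C, proto="tcp"),  # only TCP may talk to C
    ])


def build_misordered():
    """A broad PROTECT placed before the DISCARD meant to carve out one subnet."""
    return SPD([
        PolicyEntry("10.1.0.0/16", "10.2.0.0/16", PROTECT, peer="203.0.113.2"),
        PolicyEntry("10.1.0.0/16", "10.2.5.0/24", DISCARD),
    ])


if __name__ == "__main__":
    spd = build_site_a()
    for pkt in [("10.1.3.4", "10.2.9.9", "udp"), ("10.1.3.4", "10.3.1.1", "udp"),
                ("10.1.3.4", "10.4.0.1", "tcp"), ("10.1.3.4", "10.1.7.7", "tcp")]:
        print(pkt, "->", spd.lookup(*pkt))
    print("shadowed entries in misordered table:", build_misordered().shadowed())
```

    The lookup for 10.4.0.1 is the post's problem 2 in miniature: a new network 10.4.0.0/16 appearing behind site B is unknown to box A's table, so traffic to it is discarded until someone adds an entry by hand. The misordered table shows why entry order matters: its DISCARD entry is listed as shadowed and the 10.2.5.0/24 traffic it was meant to block is sent through the tunnel instead.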

  2. #2
    Very good, man. I learned something, *again* lol, I learn new stuff on this forum every day. Very nice tut, love it. Keep up the good work.

  3. #3
    MrLinus, Just a Virtualized Geek (Join Date: Sep 2001, Location: Redondo Beach, CA, Posts: 7,323)
    anjali's post in this thread deleted. Source is here. Please read the Legal Notices, specifically Section 3, which states:


    In connection with your use of the Site, you agree you will not:

    <snip>

    c) Post or transmit any Material that you do not have a right to reproduce, display or transmit under any law or under contractual or fiduciary relationships (such as nondisclosure agreements);

    Source of post was (for those interested): http://www.networkmagazine.com/article/NMG20000711S0001
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    Senior Member (Join Date: May 2003, Posts: 159)
    I am sorry... I shall take due care in future for the same....

    But if need be, can we link the article from here?

    Regards

    Kalp
    ****** Any man who knows all the answers most likely misunderstood the questions *****

  5. #5
    A few days ago I proposed to write a brief tut about IPsec, and some folks told me they were interested.
    I hadn't asked you, but now I know I should have.
    Thanks for the information, Networker
