Chapter 4: Internet Protocol Security
4.1 IP Security overview
IP Security history
In 1994, the Internet Architecture Board (IAB) issued a report that stated the general consensus that the Internet needs better security, and it identified key areas for security mechanisms. Among these were the need to secure the network infrastructure from unauthorized monitoring and control of network traffic and the need to secure end-user-to-end-user traffic using authentication and encryption mechanisms.
These concerns are fully justified. As confirmation, the 1998 annual report from the Computer Emergency Response Team (CERT) lists over 1300 reported security incidents affecting nearly 20,000 sites. The most serious types of attacks included IP spoofing, in which intruders create packets with false IP addresses and exploit applications that use authentication based on IP address, and various forms of eavesdropping and packet sniffing, in which attackers read transmitted information, including logon information and database contents.
In response to these issues, the IAB included authentication and encryption as necessary security features in the next-generation IP, which has been issued as IPv6. Fortunately, these security capabilities were designed to be usable with both IPv4 and IPv6. This means that vendors can begin offering these features now, and many vendors now have some IPsec capability in their products.
Benefits of IP Security
When IPsec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the perimeter. Traffic within a company or workgroup does not incur the overhead of security-related processing.
IPsec in a firewall is resistant to bypass if all traffic from the outside must use IP and the firewall is the only means of entrance from the Internet into the organization.
IPsec is below the transport layer (TCP, UDP) and so is transparent to applications. There is no need to change software on a user or server system when IPsec is implemented in the firewall or router. Even if IPsec is implemented in end systems, upper-layer software, including application, is not affected.
IPsec can be transparent to end users. There is no need to train users on security mechanisms, issue keying material on a per-user basis, or revoke keying material when users leave the organization.
IPsec can provide security for individual users if needed. This is useful for off-site workers and for setting up a secure virtual subnetwork within an organization for sensitive applications.
Applications of IPsec
IPsec provides the capability to secure communications across a LAN, across private and public WANs, and across the Internet. Examples of its use include the following:
Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead.
Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet service provider (ISP) and gain secure access to the company network. This reduces the cost of toll charges for traveling employees and telecommuters.
Establishing extranet and intranet connectivity with partners: IPsec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism.
Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPsec enhances that security.
The principal feature of IPsec that enables it to support these varied applications is that it can encrypt and/or authenticate all traffic at the IP level. Thus, all distributed applications, including remote logon, client/server, e-mail, file transfer, Web access, and so on, can be secured.
Routing Applications
In addition to supporting end users and protecting premises systems and networks, IPsec can play a vital role in the routing architecture required for internetworking. IPsec can assure that:
A router advertisement (a new router advertises its presence) comes from an authorized router.
A neighbor advertisement (a router seeks to establish or maintain a neighbor relationship with a router in another routing domain) comes from an authorized router.
A redirect message comes from the router to which the initial packet was sent.
A routing update is not forged.
Without such security measures, an opponent can disrupt communications or divert some traffic. Routing protocols such as OSPF should be run on top of security associations between routers that are defined by IPsec.
4.2 IP security Architecture
IPsec Documents
The IPsec specification consists of numerous documents. The most important of these, issued in December 2005, are RFCs 4301, 4302, 4303 and 4306 (they obsolete RFCs 2401, 2402, 2406 and 2408):
RFC 4301: Security Architecture for the Internet Protocol
RFC 4302: IP Authentication Header
RFC 4303: IP Encapsulating Security Payload
RFC 4306: Internet Key Exchange (IKEv2) Protocol
Support for these features is mandatory for IPv6 and optional for IPv4. In both cases, the security features are implemented as extension headers that follow the main IP header; the extension header for encryption is known as the ESP header.
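As an added illustration (not part of the original chapter), the following Python shows how the AH and ESP extension headers sit directly after the IPv4 header and what can be read from them in cleartext. Field layouts follow RFC 4302 and RFC 4303; the packets, SPI and sequence values are constructed here for the example.

```python
import struct

# IP protocol numbers that mark the two IPsec extension headers.
PROTO_ESP = 50   # RFC 4303
PROTO_AH = 51    # RFC 4302


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (IHL=5) in front of payload.
    Constructed test helper only; the checksum is left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def parse_ah(data: bytes) -> dict:
    """Fixed part of an Authentication Header (RFC 4302):
    Next Header (1) | Payload Len (1) | Reserved (2) | SPI (4) | Seq (4) | ICV.
    Payload Len counts 32-bit words minus 2, so the AH length is (len+2)*4."""
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    total = (payload_len + 2) * 4
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": data[12:total], "length": total}


def parse_esp(data: bytes) -> dict:
    """Cleartext fields of an ESP header (RFC 4303): SPI (4) | Seq (4).
    Everything after them (payload, padding, pad length, next header) is
    encrypted and followed by the ICV, so only SPI and Seq are readable here."""
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "protected": data[8:]}


def classify_ipsec(pkt: bytes):
    """Return ('AH'|'ESP'|'none', parsed fields) for the header after IPv4."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]                      # Protocol field selects the next header
    body = pkt[ihl:]
    if proto == PROTO_AH:
        return "AH", parse_ah(body)
    if proto == PROTO_ESP:
        return "ESP", parse_esp(body)
    return "none", None


# Constructed sample packets (made-up SPI/sequence values, zeroed 96-bit ICV).
SAMPLE_AH = build_ipv4(PROTO_AH, struct.pack("!BBHII", 6, 4, 0, 0x100, 1)
                       + bytes(12) + b"tcp-segment")
SAMPLE_ESP = build_ipv4(PROTO_ESP, struct.pack("!II", 0x200, 7) + b"\xaa" * 16)
```

Note that for ESP the SPI and sequence number are the only fields a monitoring point can inspect without the session keys, which is why ESP traffic is opaque to middleboxes while AH leaves the inner protocol visible.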
In addition to these four RFCs, a number of additional drafts have been published by the IP Security Protocol Working Group set up by the IETF. The documents are divided into seven groups, as exhibited in the following figure.
IPsec Architecture
Architecture: Covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology.
Encapsulating Security Payload (ESP): Covers the packet format and general issues related to the use of the ESP for packet encryption and, optionally, authentication.
Authentication Header (AH): Covers the packet format and general issues related to the use of AH for packet authentication.
Encryption Algorithm: A set of documents that describe how various encryption algorithms are used for ESP.
Authentication Algorithm: A set of documents that describe how various authentication algorithms are used for AH and for the authentication option of ESP.
Key management: Documents that describe key management schemes.
Domain of Interpretation (DOI): Contains values needed for the other documents to relate to each other. These include identifiers for approved encryption and authentication algorithms, as well as operational parameters such as key lifetime.
IPsec Services
IPsec provides security services at the IP layer by enabling a system to select the required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. Two protocols are used to provide security: an authentication protocol designated by the header of the protocol, Authentication Header (AH), and a combined encryption/authentication protocol designated by the format of the packet for that protocol, Encapsulating Security Payload (ESP). The services are as follows: