Document Information
Preface
Part I TCP/IP Administration
1. Solaris TCPIP Protocol Suite (Overview)
2. Planning an IPv4 Addressing Scheme (Tasks
3. Planning an IPv6 Addressing Scheme (Overview)
4. Planning an IPv6 Network (Tasks)
5. Configuring TCP/IP Network Services and IPv4 Addressing (Tasks)
6. Administering Network Interfaces (Tasks)
7. Enabling IPv6 on a Network (Tasks)
8. Administering a TCP/IP Network (Tasks)
9. Troubleshooting Network Problems (Tasks)
10. TCP/IP and IPv4 in Depth (Reference)
11. IPv6 in Depth (Reference)
Part II DHCP
12. About Solaris DHCP (Overview)
13. Planning for DHCP Service (Tasks)
14. Configuring the DHCP Service (Tasks)
15. Administering DHCP (Tasks)
16. Configuring and Administering DHCP Clients
17. Troubleshooting DHCP (Reference)
18. DHCP Commands and Files (Reference)
Part III IP Security
19. IP Security Architecture (Overview)
What's New in IPsec?
IPsec Packet Flow
IPsec Security Associations
IPsec Protection Mechanisms
IPsec Protection Policies
Transport and Tunnel Modes in IPsec
Virtual Private Networks and IPsec
IPsec and NAT Traversal
IPsec and SCTP
IPsec and Solaris Zones
IPsec Utilities and Files
Changes to IPsec for the Solaris 10 Release
20. Configuring IPsec (Tasks)
21. IP Security Architecture (Reference)
22. Internet Key Exchange (Overview)
23. Configuring IKE (Tasks)
24. Internet Key Exchange (Reference)
25. Solaris IP Filter (Overview)
26. Solaris IP Filter (Tasks)
Part IV Mobile IP
27. Mobile IP (Overview)
28. Administering Mobile IP (Tasks)
29. Mobile IP Files and Commands (Reference)
Part V IPMP
30. Introducing IPMP (Overview)
31. Administering IPMP (Tasks)
Part VI IP Quality of Service (IPQoS)
32. Introducing IPQoS (Overview)
33. Planning for an IPQoS-Enabled Network (Tasks)
34. Creating the IPQoS Configuration File (Tasks)
35. Starting and Maintaining IPQoS (Tasks)
36. Using Flow Accounting and Statistics Gathering (Tasks)
37. IPQoS in Detail (Reference)
Glossary
Index
|
Introduction to IPsec
IPsec protects IP packets by authenticating the packets, by encrypting the packets, or
by doing both. IPsec is performed inside the IP module, well below the
application layer. Therefore, an Internet application can take advantage of IPsec while not
having to configure itself to use IPsec. When used properly, IPsec is an
effective tool in securing network traffic. IPsec protection involves five main components:
Security protocols – The IP datagram protection mechanisms. The authentication header (AH) signs IP packets and ensures integrity. The content of the datagram is not encrypted, but the receiver is assured that the packet contents have not been altered. The receiver is also assured that the packets were sent by the sender. The encapsulating security payload (ESP) encrypts IP data, thus obscuring the content during packet transmission. ESP also can ensure data integrity through an authentication algorithm option. Security associations database (SADB) – The database that associates a security protocol with an IP destination address and an indexing number. The indexing number is called the security parameter index (SPI). These three elements (the security protocol, the destination address, and the SPI) uniquely identify a legitimate IPsec packet. The database ensures that a protected packet that arrives to the packet destination is recognized by the receiver. The receiver also uses information from the database to decrypt the communication, verify that the packets are unchanged, reassemble the packets, and deliver the packets to their ultimate destination. Key management – The generation and distribution of keys for the cryptographic algorithms and for the SPI. Security mechanisms – The authentication and encryption algorithms that protect the data in the IP datagrams. Security policy database (SPD) – The database that specifies the level of protection to apply to a packet. The SPD filters IP traffic to determine how the packets should be processed. A packet can be discarded. A packet can be passed in the clear. Or, a packet can be protected with IPsec. For outbound packets, the SPD and the SADB determine what level of protection to apply. For inbound packets, the SPD helps to determine if the level of protection on the packet is acceptable. If the packet is protected by IPsec, the SPD is consulted after the packet has been decrypted and has been verified.
When you invoke IPsec, IPsec applies the security mechanisms to IP datagrams that
travel to the IP destination address. The receiver uses information in its SADB
to verify that the arriving packets are legitimate, and to decrypt them. Applications
can invoke IPsec to apply security mechanisms to IP datagrams on a per-socket
level as well. Note that sockets behave differently from ports:
Per-socket SAs override their corresponding port entry in the SPD. Also, if a socket on a port is connected, and IPsec policy is later applied to that port, then traffic that uses that socket is not protected by IPsec. Of course, a socket that is opened on a port after IPsec policy is applied to the port is protected by IPsec policy.
IPsec RFCs
The Internet Engineering Task Force (IETF) has published a number of Requests for
Comment (RFCs) that describe the security architecture for the IP layer. All RFCs
are copyrighted by the Internet Society. For a link to the RFCs, see
http://ietf.org/. The following list of RFCs covers the more general IP security references:
RFC 2411, “IP Security Document Roadmap,” November 1998 RFC 2401, “Security Architecture for the Internet Protocol,” November 1998 RFC 2402, “IP Authentication Header,” November 1998 RFC 2406, “IP Encapsulating Security Payload (ESP),” November 1998 RFC 2408, “Internet Security Association and Key Management Protocol (ISAKMP),” November 1998 RFC 2407, “The Internet IP Security Domain of Interpretation for ISAKMP,” November 1998 RFC 2409, “The Internet Key Exchange (IKE),” November 1998 RFC 3554, “On the Use of Stream Control Transmission Protocol (SCTP) with IPsec,” July 2003 [ not implemented in the Solaris 10 release ]
IPsec Terminology
The IPsec RFCs define a number of terms that are useful to
recognize when implementing IPsec on your systems. The following table lists IPsec terms, provides
their commonly used acronyms, and defines each term. For a list of terminology
used in key negotiation, see Table 22-1. Table 19-1 IPsec Terms, Acronyms, and UsesIPsec Term |
Acronym |
Definition |
|---|
Security association |
SA |
A unique connection between two
nodes on a network. The connection is defined by a triplet: a security
protocol, a security parameter index, and an IP destination. The IP destination can
be an IP address or a socket. |
Security associations database |
SADB |
Database that contains all
active security associations. |
Security parameter index |
SPI |
The indexing value for a security association. An
SPI is a 32-bit value that distinguishes among SAs that have the same
IP destination and security protocol. |
Security policy database |
SPD |
Database that determines if outbound packets and
inbound packets have the specified level of protection. |
Key exchange |
|
The process of generating keys
for asymmetric cryptographic algorithms. The two main methods are RSA protocols and the
Diffie-Hellman protocol. |
Diffie-Hellman protocol |
DH |
A key exchange protocol that involves key generation and key
authentication. Often called authenticated key exchange. |
RSA protocol |
RSA |
A key exchange protocol that involves key generation and
key distribution. The protocol is named for its three creators, Rivest, Shamir, and
Adleman. |
Internet Security Association and Key Management Protocol |
ISAKMP |
The common framework for establishing the
format of SA attributes, and for negotiating, modifying, and deleting SAs. ISAKMP is
the IETF standard for handling IPsec SAs. |
|