IPSec , , , IETF IP-. IP ver.4 IP ver.6. , IPSec:
- ;
- ;
- ;
- ;
- .
IPSec , () IP-, ( 3.2), . . OSI , , . , ( web-, , . .) , IPSec . IPSec , - -, , . , , .
, . , ( . Security Association, . SA). , IPSec , . :
- IP- ;
- , ;
- , ( );
- , , ;
- ( . Security Parameter Index, . SPI) , SA.
, , SA. , SPI, IP- .
, IPSec :
1) AH ( . Authentication Header), ; - RFC 4302 ( RFC 1826, 2402);
2) ESP ( . Encapsulating Security Payload), , , ; RFC 4303 ( RFC 1827, 2406).
, . , . IP-, IP- .
-. ESP IP-, . AH . .
AH
IP ver.4 IP-. IP- IP-, ( , TCP UDP, 4.3 ULP . Upper-Level Protocol) .
3.3- ) IP-, ) IP- AH , ) IP- AH
3.3. AH . IP- , . , Next Header, , IP-. IP-, AH, IP-.
(MAC) - . AH HMAC-MD5-96 ( ) HMAC-SHA-1-96, - , - MD5 SHA-1, . , . , ICV ( . Integrity Check Value ) Authentication Data ( 3.4). , .
AH , ICV ULP, IP-. , TTL, - , - 0. IP- . AH ( 3.3).
8 ( Next Header) , . IANA (Internet Assigned Numbers Authority). , TCP 6, ESP 50, AH 51 . .
Payload Len AH 32- . 16 .
3.4. AH
SPI , (SA).
Sequence Number RFC 2402. , , . ( SA), , (, SA).
Authentication Data, , ICV.
ESP
AH , ESP .
AH, ESP . 3.5 ( , ). ESP , :
- HMAC-MD5-96 ( ) HMAC-SHA-1-96;
- DES ( CBC; ) NULL ( ).
, Triple DES, CAST-128, RC5, IDEA, Blowfish, ARCFour ( RC4) [13].
Figure 3.5: a) IP packet; b) ESP; c) ESP
ESP ( 4.6). 32- SPI SN. , AH SPI , ; SN . SN SPI . , . - , , .
,
3.6. ESP
(, , , ) .
ESP , , ICV. AH, ESP , IP- ( , ) .
AH ESP, IP- AH, ESP. , ESP , AH .
, IPSec. , - SA. SA . , , SKIP, ISAKMP (Internet Security Association and Key Management Protocol) IKE (Internet Key Exchange).
SKIP
SKIP (Simple Key management for Internet Protocol)
SUN Microsystems 1994 . IP- , OSI [13]. IANA 57.
SKIP . . Kij. .
Kp, . IP- SKIP- ( 3.7). , Kij, , Kij . : Kp Kij Alg, Crypt Alg, MAC Alg,( ) Comp Alg. SKIP- Kp, Kijn ( - ). Source MKID Dest MKID. . , , , .
ISAKMP IKE
ISAKMP (Internet Security Association Key Management Protocol Internet) IETF . ISAKMP , . OAKLEY, - [13]. IKE (. Internet Key Exchange Internet) ISAKMP OAKLEY SKEMI (. Secure Key Exchange Mechanism for Internet ) . SKIP IKE, , , .
ISAKMP :
- ( IPSec );
- ( SA).
TCP/IP, ISAKMP . IPSec, UDP 500.
ISAKMP ( , , , ):
1) : , ;
2) : ( , 1; - , , );
3) : ;
4) : ;
5) : ,
6) : , .
OAKLEY, 3 4 , . X.509. -, . :
SKEYID_d , ;
SKEYID_a , ;
SKEYID_e , .
, SKEYID_e SKEYID_a.
(. Main Mode). , . (. Aggressive Mode) , ( 6 3 , ) [11].
ISAKMP . 3.10.
3.10. ISAKMP
, (cookie), ( 1 - , ). .
, . , 1 (SA), 2 ( -); 6 , 7 . .
(-, ). , 0 , 1 -, 4 . .
.-, , , , -, .
-.
( ).
, .
, , , . ESP AH ( , , IPSec ). ESP , ( SA), AH, ESP, SA.
, SA, [13]:
- (AH, ESP, );
- ;
- ( );
- ( );