Ipsec: Difference between revisions

From Hackepedia
Frankk (talk | contribs)
No edit summary
 
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
=== IPsec ===
=== IPsec ===


[[IPsec]] (outlined in [[RFC]] 2401) is a security enhancement to the [[IP]] and [[IPv6]] protocols in [[Internet]] communication.  Since [[IPsec]] is a combination of hashing, symmetric cryptography as well as assymetric cryptography it's proper to make this a seperate section outlining all functions of the protocol here.
[[IPsec]] (outlined in [[RFC]] 2401) is a security enhancement to the [[IP]] and [[IPv6]] protocols in [[Internet]] communication.  Since [[IPsec]] is a combination of keyed-hash, symmetric [[cryptography]] as well as assymetric cryptography it's proper to make this a seperate section outlining all functions of the protocol here.
 
[[IPsec]] has three protocols Authenticated Header ([[AH]]), Encapsulating Security Payload ([[ESP]]), and IP Compression ([[IPComp]]).  In a short explanation [[AH]] adds a [[One way hash]] to the header ensuring integrity of the payload.  [[ESP]] encrypts the payload following the [[IPsec]] header making it safer from [[sniffing]].


[[IPsec]] has three protocols Authenticated Header ([[AH]]), Encapsulating Security Payload ([[ESP]]), and IP Compression ([[IPComp]]).  In a short explanation [[AH]] adds a [[message authentication check]] to the header ensuring integrity of the payload.  [[ESP]] encrypts the payload following the [[IPsec]] header making it safer from [[sniffing]], and also adds a [[message authentication check]].


[[IPsec]] usually uses the [[IKE]] protocol to do symmetric key setup, and to provide authentication of end-points (vs authentication of individual packets).


== OS Implementations ==
== OS Implementations ==
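Review bot: the revised first paragraph still carries the misspellings "assymetric" and "seperate"; since that sentence is being touched anyway, fix both to "asymmetric" and "separate" in the same edit. In the protocol paragraph the new link target [[message authentication check]] is used twice; the usual term is "message authentication code", so linking to that title would avoid a second article for the same concept. The new wording also keeps "ensuring integrity of the payload" for [[AH]] without saying what the check is keyed with, so a short pointer to the [[IKE]] paragraph added below would tie the two together.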

Latest revision as of 13:25, 27 October 2005

IPsec

IPsec (outlined in RFC 2401) is a security enhancement to the IP and IPv6 protocols in Internet communication. Because IPsec combines keyed hashing, symmetric cryptography and asymmetric cryptography, it gets its own section here outlining the functions of the protocol.

IPsec has three protocols: Authenticated Header (AH), Encapsulating Security Payload (ESP), and IP Compression (IPComp). In short, AH adds a message authentication check to the header, ensuring integrity of the payload. ESP encrypts the payload following the IPsec header, making it safer from sniffing, and also adds a message authentication check.

IPsec usually uses the IKE protocol to do symmetric key setup and to provide authentication of end-points (as opposed to authentication of individual packets).
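The keyed-hash check that AH adds, as an added example (not from the original page or from any IPsec implementation): it builds an AH header carrying an HMAC-SHA1-96 integrity value and verifies it on receipt. Assumptions: the key is constructed here where IKE would normally negotiate it, the check covers only the AH header and payload (real AH also covers the immutable IP header fields), and `ah_wrap`, `ah_verify` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12    # HMAC-SHA1-96: HMAC-SHA1 output truncated to 96 bits
FIXED_LEN = 12  # next header, payload len, reserved, SPI, sequence number

def _icv(key, fixed, payload):
    # The ICV field is treated as zero while the keyed hash is computed.
    return hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]

def ah_wrap(key, spi, seq, next_header, payload):
    """Return AH header + payload (simplified: no outer IP header is covered)."""
    # Payload Len field = AH length in 32-bit words, minus 2.
    payload_len = (FIXED_LEN + ICV_LEN) // 4 - 2
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return fixed + _icv(key, fixed, payload) + payload

def ah_verify(key, packet):
    """Return (spi, seq, payload) if the ICV matches, else raise ValueError."""
    if len(packet) < FIXED_LEN + ICV_LEN:
        raise ValueError("truncated AH header")
    _nh, payload_len, _rsvd, spi, seq = struct.unpack("!BBHII", packet[:FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    if ah_len != FIXED_LEN + ICV_LEN:
        raise ValueError("unexpected AH length for HMAC-SHA1-96")
    fixed, received, payload = packet[:FIXED_LEN], packet[FIXED_LEN:ah_len], packet[ah_len:]
    if not hmac.compare_digest(received, _icv(key, fixed, payload)):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    return spi, seq, payload

def demo():
    """Verify a good packet, then show that a one-bit change is rejected."""
    key = b"constructed-demo-key"  # constructed; normally set up by IKE
    pkt = ah_wrap(key, spi=0x1000, seq=1, next_header=6, payload=b"hello over AH")
    result = ah_verify(key, pkt)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    try:
        ah_verify(key, tampered)
        detected = False
    except ValueError:
        detected = True
    # AH authenticates but does not encrypt: the payload is still readable.
    return result, detected, b"hello over AH" in pkt

if __name__ == "__main__":
    print(demo())
```

ESP differs in that the payload is encrypted before the integrity value is computed, so the cleartext would not appear in the packet.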

OS Implementations

For GNU/Linux the popular implementation is openswan, which is the result of the disbandment of freeswan.

On FreeBSD, IPsec must be built into the kernel. This requires:

options         IPSEC
options         IPSEC_ESP

in /usr/src/sys/i386/conf/$YOUR_FIREWALL and a kernel recompile.

OpenBSD has a built-in IPsec stack. It has a daemon called isakmpd, which speaks ISAKMP/Oakley (a.k.a. IKE), the key management protocol used for establishing security associations (private encryption keys) between peers.

Microsoft WinXP Pro apparently has IPsec built in as well.