Title: IPSec
IPSec Protocol Mode
- IP AH and IP ESP operate in two modes: transport mode and tunnel mode
- Transport mode keeps the original IP header and protects only the payload; tunnel mode protects the whole original packet and prepends a new IP header (the approach taken in the following slides)
[Figure: original packet compared with its transport-mode and tunnel-mode encapsulation]
Key Assumptions
- Symmetric keys can be set manually instead of using IKE
- Key management is host-based or protocol-based, depending on the student's policy
What you need to do in the demo
Computer1 (192.168.10.1):
  add_key -d 192.168.10.2 -k 1234567890
  add_key -d 192.168.10.3 -k 2345678901
  add_key -p tcp -k 1234567890
  pr_key -d 192.168.10.2
  pr_key -a
Computer2 (192.168.10.2):
  add_key -d 192.168.10.1 -k 1234567890
  add_key -p tcp -k 1234567890
  del_key -d 192.168.10.1
Computer3 (192.168.10.3):
  add_key -d 192.168.10.1 -k 2345678901
Computer4 (192.168.10.4): no key commands shown
Implement Key Table
- Key idea: set the keys when the inet server boots up. Create a static struct array in the kernel that maintains each peer's IP address and its corresponding key when the host-based policy is applied.
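Added example (not the project's own code): one way to lay out the static key table described above, with the ipsec_add_entry / ipsec_get_entry / ipsec_del_entry interface that the "Modularize project" slide names. The struct layout, the table size, the two policy kinds (host-based by peer address and protocol-based by IP protocol number, mirroring the demo's add_key by peer (d) and by protocol (p)), the precedence of a host entry over a protocol entry, and the zero-padding of the short demo keys are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the project's code: the static in-kernel key table the slide
 * describes, filled at inet bootup by add_key and queried for every packet.
 * Entries are host-based (keyed by peer address) or protocol-based (keyed by IP
 * protocol number). Names, sizes and lookup order are assumptions of this example. */
#define IPSEC_KEY_LEN    16   /* one AES-128 key per entry (assumed) */
#define IPSEC_MAX_ENTRY  32   /* fixed table size, no dynamic allocation (assumed) */

enum sec_policy { SEC_UNUSED = 0, SEC_HOST, SEC_PROTO };

typedef struct sec_ent {
    enum sec_policy policy;
    uint32_t peer;                 /* peer IPv4 address, host byte order (SEC_HOST) */
    uint8_t  proto;                /* IP protocol number, 6 = TCP (SEC_PROTO)       */
    uint8_t  key[IPSEC_KEY_LEN];
} sec_ent_t;

static sec_ent_t ipsec_table[IPSEC_MAX_ENTRY];  /* zero-filled (all SEC_UNUSED) at bootup */

static int same_selector(const sec_ent_t *a, const sec_ent_t *b) {
    if (a->policy != b->policy) return 0;
    return a->policy == SEC_HOST ? a->peer == b->peer : a->proto == b->proto;
}

/* Add a key, or replace the key of the entry with the same selector.
 * Returns 0, or -1 when the table is full. */
int ipsec_add_entry(const sec_ent_t *ent) {
    sec_ent_t *slot = NULL;
    for (int i = 0; i < IPSEC_MAX_ENTRY; i++) {
        sec_ent_t *e = &ipsec_table[i];
        if (e->policy == SEC_UNUSED) { if (!slot) slot = e; continue; }
        if (same_selector(e, ent)) { memcpy(e->key, ent->key, IPSEC_KEY_LEN); return 0; }
    }
    if (!slot) return -1;
    *slot = *ent;
    return 0;
}

/* Remove the entry with this selector (del_key). Returns 0, or -1 if absent. */
int ipsec_del_entry(const sec_ent_t *ent) {
    for (int i = 0; i < IPSEC_MAX_ENTRY; i++) {
        sec_ent_t *e = &ipsec_table[i];
        if (e->policy != SEC_UNUSED && same_selector(e, ent)) {
            memset(e, 0, sizeof *e);          /* also wipes the key material */
            return 0;
        }
    }
    return -1;
}

/* Per-packet lookup from ip_write.c / ip_read.c. A host-based entry for the peer
 * takes precedence over a protocol-based one, so a per-host key overrides the
 * catch-all TCP key. Returns 1 and fills *out, or 0 if the packet goes in the clear. */
int ipsec_get_entry(uint32_t peer, uint8_t proto, sec_ent_t *out) {
    const sec_ent_t *by_proto = NULL;
    for (int i = 0; i < IPSEC_MAX_ENTRY; i++) {
        const sec_ent_t *e = &ipsec_table[i];
        if (e->policy == SEC_HOST && e->peer == peer) { *out = *e; return 1; }
        if (e->policy == SEC_PROTO && e->proto == proto && !by_proto) by_proto = e;
    }
    if (!by_proto) return 0;
    *out = *by_proto;
    return 1;
}

/* Which policy applies to a (peer, proto) pair; SEC_UNUSED means no IPSEC processing. */
int ipsec_lookup_policy(uint32_t peer, uint8_t proto) {
    sec_ent_t e;
    return ipsec_get_entry(peer, proto, &e) ? (int)e.policy : SEC_UNUSED;
}

uint32_t ip4(int a, int b, int c, int d) {
    return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d;
}

/* Demo keys are short ASCII strings; copy them into the 16-byte key, zero-padded. */
static void set_key(sec_ent_t *e, const char *k) {
    size_t n = strlen(k);
    memcpy(e->key, k, n < IPSEC_KEY_LEN ? n : IPSEC_KEY_LEN);
}
/* User-space equivalents of add_key by peer, add_key by protocol, and del_key by peer. */
int add_key_host(uint32_t peer, const char *k) {
    sec_ent_t e; memset(&e, 0, sizeof e);
    e.policy = SEC_HOST; e.peer = peer; set_key(&e, k);
    return ipsec_add_entry(&e);
}
int add_key_proto(uint8_t proto, const char *k) {
    sec_ent_t e; memset(&e, 0, sizeof e);
    e.policy = SEC_PROTO; e.proto = proto; set_key(&e, k);
    return ipsec_add_entry(&e);
}
int del_key_host(uint32_t peer) {
    sec_ent_t e; memset(&e, 0, sizeof e);
    e.policy = SEC_HOST; e.peer = peer;
    return ipsec_del_entry(&e);
}

int main(void) {   /* Computer1's part of the demo */
    add_key_host(ip4(192, 168, 10, 2), "1234567890");
    add_key_host(ip4(192, 168, 10, 3), "2345678901");
    add_key_proto(6, "1234567890");
    printf("policy for .3/tcp: %d, .4/tcp: %d, .4/udp: %d\n",
           ipsec_lookup_policy(ip4(192, 168, 10, 3), 6),
           ipsec_lookup_policy(ip4(192, 168, 10, 4), 6),
           ipsec_lookup_policy(ip4(192, 168, 10, 4), 17));
    return 0;
}
```

After Computer2's del_key of the .1 host entry, a TCP packet to .1 still matches the protocol-based TCP key, while UDP to a host without an entry is passed through untouched; that is the behaviour the precedence rule above gives the demo.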
How to deal with compatibility
- /usr/src/commands/simple/pr_routes.c
- /usr/src/commands/simple/add_routes.c
- /usr/src/inet/generic/ip_ioctl.c
- /usr/src/inet/generic/ip.c
How and where to put IPSec Functionalities
- IPSEC is implemented in the IP layer, before fragmentation
- Outgoing IP packets are processed in ip_write.c
- All incoming IP packets handed to the upper layer (TCP/UDP) are processed in ip_read.c
How to implement padding
- We use AES in IPSEC; AES processes data in 16-byte blocks, so the plaintext must be a multiple of 16 bytes
- If the data length is not a multiple of 16, append padding after the data and record how many bytes were padded; the receiver uses that count to restore the original data after decryption
How to encrypt/decrypt
[Figure: IP header, TCP header, DATA and padding spread across buffers Buf1..Buf4, before and after encryption/decryption]
For Outgoing Packets
- Check whether the IP packet needs IPSEC processing
- Construct the new IP header
- Construct the ESP header
- Calculate the size of the encryption block and pad the data
- Encrypt the padded data
- Do HMAC(ESP header || encrypted data, key) to calculate the hash value and save it in the ESP tail
- Add the new IP header, compute the checksum and send the new packet to the next layer
Implement
Example: IpSecOut(pack, key)
[Figure: resulting packet layout with new IP hdr, ESP hdr, ESP pad and ESP auth fields]
For Incoming Packets
- Check whether the IP packet needs IPSEC processing
- Do HMAC(IP_data, key) to calculate the hash value and authenticate the packet
- Decrypt the data block
- Remove the padding to get the original data
- The original data is now the original (old) IP header plus data: verify the IP header and send it to the upper layer
Modularize project
- Process outgoing packets in ip_write.c: IpSecOut(packet, key)
- Process incoming packets in ip_read.c: IpSecIn(packet, key)
- Maintain the key table in the kernel: ipsec_get_entry(sec_ent), ipsec_add_entry(sec_ent), ipsec_del_entry(sec_ent)
- Expected time: one week
How to handle large packets
- From the RFC, the maximum size of an IP packet is 64 KBytes
- In Minix, IP_MAX_PACKSIZE (40,000 bytes) is defined in /usr/include/net/gen/in.h
- IPSEC adds overhead: new IP header (20) + ESP header (8) + padding (<16) + ESP tail (16) < 60 bytes
- So an inner packet may be at most 40000 - 64 = 39936 bytes
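Added example, not code from the slides or from the Minix source: a user-space model of IpSecOut / IpSecIn that carries out the padding, outgoing-packet and incoming-packet steps described above together with the size check from the large-packet slide. The layout it assumes is ESP header (8 bytes: SPI + sequence number), then the encrypted inner packet plus padding (<16 bytes) plus one pad-length byte, then a 16-byte ESP tail holding the authentication tag; the outer IP header is left to ip_write.c. The cipher and the MAC are placeholder keyed transforms standing in for AES and HMAC so the framing can be exercised offline; they give no real security and must be replaced by AES and HMAC in the kernel build. Names other than IpSecOut, IpSecIn and IP_MAX_PACKSIZE are assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the project's code. Body layout after the new IP header:
 * [ESP hdr 8][ciphertext = inner pkt + pad (<16) + 1 pad-length byte][ESP tail 16 = tag].
 * xform() and tag() are placeholders for AES and HMAC: not secure, framing only. */
#define ESP_BLOCK        16
#define ESP_HDR_LEN      8       /* SPI (4) + sequence number (4)          */
#define ESP_TAIL_LEN     16      /* authentication tag                     */
#define IP_MAX_PACKSIZE  40000   /* Minix limit, /usr/include/net/gen/in.h */
#define IPSEC_MAX_INNER  (IP_MAX_PACKSIZE - 64)  /* 39936: overhead rounded up to 64 */

static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void put32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static uint32_t mix(uint32_t x) {
    x ^= x >> 16; x *= 0x7feb352dU; x ^= x >> 15; x *= 0x846ca68bU; return x ^ (x >> 16);
}

/* Placeholder for AES: XOR with a keystream derived from key, sequence number and
 * offset. Self-inverse, so one routine serves both directions. */
static void xform(const uint8_t key[16], uint32_t seq, uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= (uint8_t)mix(get32(key + 4 * (i % 4)) ^ seq ^ (uint32_t)i * 0x9e3779b9U);
}

/* Placeholder for HMAC: keyed four-lane hash over ESP header + ciphertext. */
static void tag(const uint8_t key[16], const uint8_t *d, size_t n, uint8_t out[16]) {
    uint32_t h[4];
    for (int j = 0; j < 4; j++) h[j] = mix(get32(key + 4 * j) ^ 0x811c9dc5U);
    for (size_t i = 0; i < n; i++) h[i & 3] = mix(h[i & 3] ^ d[i]);
    for (int j = 0; j < 4; j++) put32(out + 4 * j, mix(h[j] ^ (uint32_t)n ^ get32(key + 4 * j)));
}

/* Constant-time tag comparison: a forged body cannot be matched byte by byte by timing. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Padding so that len + pad + 1 (pad-length byte) is a multiple of 16; always < 16. */
size_t esp_pad_len(size_t len) { return (ESP_BLOCK - (len + 1) % ESP_BLOCK) % ESP_BLOCK; }
/* Length of the ESP body (everything after the new IP header) for a len-byte inner packet. */
size_t esp_out_len(size_t len) { return ESP_HDR_LEN + len + esp_pad_len(len) + 1 + ESP_TAIL_LEN; }

/* Outgoing: pad, encrypt, tag. Returns the body length, or 0 if the inner packet would
 * exceed IP_MAX_PACKSIZE once the IPSEC overhead is added, or out is too small. */
size_t IpSecOut(const uint8_t *pkt, size_t len, uint32_t spi, uint32_t seq,
                const uint8_t key[16], uint8_t *out, size_t outcap) {
    if (len > IPSEC_MAX_INNER) return 0;
    size_t pad = esp_pad_len(len), plen = len + pad + 1, total = ESP_HDR_LEN + plen + ESP_TAIL_LEN;
    if (total > outcap) return 0;
    put32(out, spi); put32(out + 4, seq);
    uint8_t *p = out + ESP_HDR_LEN;
    memcpy(p, pkt, len);
    memset(p + len, 0, pad);
    p[plen - 1] = (uint8_t)pad;                    /* remember how much was padded */
    xform(key, seq, p, plen);
    tag(key, out, ESP_HDR_LEN + plen, p + plen);   /* tag covers ESP hdr + ciphertext */
    return total;
}

/* Incoming: verify the tag before touching the ciphertext, decrypt, strip the padding.
 * Returns the inner packet length, or -1 for a malformed or unauthenticated body. */
long IpSecIn(const uint8_t *body, size_t blen, const uint8_t key[16], uint8_t *out, size_t outcap) {
    if (blen < ESP_HDR_LEN + ESP_BLOCK + ESP_TAIL_LEN) return -1;
    size_t plen = blen - ESP_HDR_LEN - ESP_TAIL_LEN;
    if (plen % ESP_BLOCK != 0 || plen > outcap) return -1;
    uint8_t t[ESP_TAIL_LEN];
    tag(key, body, ESP_HDR_LEN + plen, t);
    if (!ct_equal(t, body + ESP_HDR_LEN + plen, ESP_TAIL_LEN)) return -1;
    memcpy(out, body + ESP_HDR_LEN, plen);
    xform(key, get32(body + 4), out, plen);
    uint8_t pad = out[plen - 1];
    if (pad >= ESP_BLOCK) return -1;               /* pad-length byte must be < 16 */
    return (long)(plen - pad - 1);
}

/* Wrap a constructed len-byte inner packet, optionally flip one bit of the body
 * (tamper_at = -1 for none), unwrap, and return 1 if the original came back intact. */
int esp_roundtrip(size_t len, long tamper_at) {
    static const uint8_t key[16] = "1234567890";   /* constructed: demo key, zero-padded */
    uint8_t inner[64], body[128], back[128];
    if (len > sizeof inner) return 0;
    for (size_t i = 0; i < len; i++) inner[i] = (uint8_t)(0x45 + i);  /* constructed payload */
    size_t blen = IpSecOut(inner, len, 0x100, 7, key, body, sizeof body);
    if (blen == 0) return 0;
    if (tamper_at >= 0 && (size_t)tamper_at < blen) body[tamper_at] ^= 0x01;
    long n = IpSecIn(body, blen, key, back, sizeof back);
    return n == (long)len && memcmp(inner, back, len) == 0;
}

int main(void) {
    printf("pad for 45-byte packet: %zu, ESP body: %zu bytes, max inner: %d\n",
           esp_pad_len(45), esp_out_len(45), IPSEC_MAX_INNER);
    printf("round trip: %d, tampered: %d\n", esp_roundtrip(45, -1), esp_roundtrip(45, 20));
    return 0;
}
```

The receiver checks the tag before decrypting and compares it in constant time, and the pad-length byte is validated against the block size before it is trusted, so a corrupted or forged body is rejected with -1 rather than yielding a short or oversized inner packet for the IP header verification step.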
How to avoid frequent crash
- Shell script /usr/src/inet/compile: mv /usr/bin/inet /usr/bin/inetest; make install
- Press ESC during bootup and enter the boot monitor: d0p0s0> servers=inetest (default: inet), then d0p0s0> boot