IPSec

1
IPSec

• 11/10/2005

2
IPSec Protocol Mode

• IP AH and IP ESP operate in two mode

Transport Mode
Original Packet
Tunnel Mode
3
Key Assumptions

• Symmetric keys can be manually set instead of
  using IKE
• Key management is host-based or protocol-based
  depending on students policy

4
What you need to do in demo
Computer3 192.168.10.3
Computer4 192.168.10.4
add_key d 192.168.10.1 k 2345678901
Computer2 192.168.10.2
Computer1 192.168.10.1
add_key d 192.168.10.2 k 1234567890 add_key d
192.168.10.3 k 2345678901 add_key p tcp k
1234567890 pr_key d 192.168.10.2 pr_key -a
add_key d 192.168.10.1 k 1234567890 add_key p
tcp k 1234567890 del_key d 192.168.10.1
5
Implement Key Table

• The key idea to implement set key when inet
  server bootup, create a static struct array in
  kernel, which maintain the peer IP address and
  corresponding key if host-based policy is
  applied.

6
How to deal with compatibility

• /usr/src/commands/simple/pr_routes.c
• /usr/src/commands/simple/add_routes.c
• /usr/src/inet/generic/ip_ioctl.c
• /usr/src/inet/generic/ip.c

7
How and where to put IPSec Functionalities

• IPSEC is implemented in IP layer before
  fragmentation.
• Outgoing IP packets are processed in ip_write.c
• All incoming IP packets sent to up layer
  (TCP/UDP) are processed in ip_read.c

8
How to implement padding

• We use AES encryption in IPSEC, in which data
  must be encrypted as data chunk with 16 bytes
  unit.
• If data is not multiple of 16, we need to padding
  data after it, and saving how many bytes we have
  padded, which will be used to restore original
  data in decryption.

9
How to encrypt/decrypt
TCP header
DATA
IP header
padding
Buf1
Buf2
Buf3
Buf4
Buf1
Buf2
Buf3
Buf4
10
For Outgoing Packets

• Check whether IP packets need to be processed
• Construct new IP header
• Construct ESP header
• Calculate the size of encryption block and pad it
• Encrypt (padded data)
• Do HMAC (ESP headerencrypted data, key) to
  calculate hash value and save it in ESP tail
• Add new IP header, do checksum and send new
  packet to next layer

11
Implement
Example IpSecOut(pack, key)
ESP auth
new IP hdr
ESP hdr
ESP pad

• Expecting time two weeks

12
For Incoming Packets

• Check whether the IP packet need IPSEC processing
• Do HMAC(IP_data, key) to calculate hash value, do
  authentication
• Decrypt data block
• Delete padding to get original data
• Now original data is the original old IP header
  data, do IP header verification and send it to
  upper layer

13
Modularize project

• Process outgoing packets in ip_write.cIpSecOut(p
  acket, key)
• Process incoming packets in ip_read.cIpSecIn(pac
  ket, key)
• Maintain key table in kernelipsec_get_entry(sec_
  ent)ipsec_add_entry(sec_ent)ipsec_del_entry(sec_
  ent)
• Expecting time one weeks

14
How to handle large packets

• From RFC, the max size of IP packet is 64K Bytes
• In Minix, IP_MAX_PACKSIZE (40,000) Bytes defined
  in /usr/include/net/gen/in.h
• IPSEC brings more overload, the size of new
  overloadNew IP header(20) ESP header(8)
  padding(lt16) ESP tail (16) lt 60 Bytes
• 40000-6439936

15
How to avoid frequent crash

• Shell script /usr/src/inet/compilemv
  /usr/bin/inet /usr/bin/inetestmake install
• Press ESC during bootup, enter boot
  monitord0p0s0gtserversinetest (default
  inet)d0p0s0gtboot