IPSec - PowerPoint PPT Presentation

Slides: 16
Provided by: tes80
Learn more at: https://web.ecs.syr.edu
Transcript and Presenter's Notes

1
IPSec
  • 11/10/2005

2
IPSec Protocol Mode
  • IP AH and IP ESP operate in two modes

Diagram: the original packet and its layout in Transport Mode and in Tunnel Mode.
3
Key Assumptions
  • Symmetric keys can be set manually instead of
    being negotiated with IKE
  • Key management is host-based or protocol-based,
    depending on the student's policy

4
What you need to do in demo
Hosts: Computer1 192.168.10.1, Computer2 192.168.10.2,
Computer3 192.168.10.3, Computer4 192.168.10.4
Diagram of the four hosts with the key commands run on them
(the pairing of commands to hosts is not preserved in the text):
  add_key -d 192.168.10.1 -k 2345678901
  add_key -d 192.168.10.2 -k 1234567890
  add_key -d 192.168.10.3 -k 2345678901
  add_key -p tcp -k 1234567890
  pr_key -d 192.168.10.2
  pr_key -a
  add_key -d 192.168.10.1 -k 1234567890
  add_key -p tcp -k 1234567890
  del_key -d 192.168.10.1
5
Implement Key Table
  • The key idea: when the inet server boots up,
    create a static struct array in the kernel that
    maintains each peer IP address and its
    corresponding key (if the host-based policy is
    applied).

6
How to deal with compatibility
  • /usr/src/commands/simple/pr_routes.c
  • /usr/src/commands/simple/add_routes.c
  • /usr/src/inet/generic/ip_ioctl.c
  • /usr/src/inet/generic/ip.c

7
How and where to put IPSec Functionalities
  • IPSEC is implemented in the IP layer, before
    fragmentation.
  • Outgoing IP packets are processed in ip_write.c
  • All incoming IP packets that are passed to the
    upper layer (TCP/UDP) are processed in ip_read.c

8
How to implement padding
  • We use AES encryption in IPSEC, so data must be
    encrypted in chunks of 16 bytes.
  • If the data length is not a multiple of 16, we
    pad after the data and record how many bytes
    were padded; that count is used to restore the
    original data on decryption.

9
How to encrypt/decrypt
Diagram: IP header | TCP header | DATA | padding, laid out across four buffers (Buf1 to Buf4); the buffer layout is shown twice, once for encryption and once for decryption.
10
For Outgoing Packets
  • Check whether the IP packet needs to be processed
  • Construct the new IP header
  • Construct the ESP header
  • Calculate the size of the encryption block and pad it
  • Encrypt the padded data
  • Do HMAC(ESP header || encrypted data, key) to
    calculate the hash value and save it in the ESP tail
  • Add the new IP header, compute the checksum and send
    the new packet to the next layer

11
Implement
Example: IpSecOut(pack, key)
Diagram: the packet IpSecOut produces, with the new IP hdr and ESP hdr in front of the original packet and the ESP pad and ESP auth behind it.
  • Expected time: two weeks

12
For Incoming Packets
  • Check whether the IP packet needs IPSEC processing
  • Do HMAC(IP_data, key) to calculate the hash value
    and authenticate the packet
  • Decrypt the data block
  • Remove the padding to get the original data
  • The original data is now the original (old) IP
    header plus data; verify the IP header and send it
    to the upper layer
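The outgoing and incoming pipelines of slides 10 and 12, with the padding scheme of slide 8, as an added example; this is not the course's Minix code. It assumes an 8-byte ESP header (SPI plus sequence number) and a 16-byte ESP tail as listed on slide 14, derives separate encryption and authentication keys from the single key the slides pass around, and stands in for AES with an HMAC-SHA256 keystream because the Python standard library has no AES; the names ipsec_out/ipsec_in, the subkey labels and the sample packet are constructed.

```python
"""Tunnel-mode ESP processing after slides 8, 10 and 12. Added example, not
the course's Minix code. AES is stood in for by an HMAC-SHA256 keystream."""
import hashlib
import hmac
import struct

BLOCK = 16               # AES block size (slide 8)
ESP_HDR_LEN = 8          # SPI (4) + sequence number (4), as on slide 14
ESP_AUTH_LEN = 16        # ESP tail: truncated HMAC, as on slide 14
IP_HDR_LEN = 20
IPPROTO_ESP = 50
IP_MAX_PACKSIZE = 40000  # Minix limit quoted on slide 14

def ip_checksum(hdr: bytes) -> int:
    """IPv4 header checksum; yields 0 when run over a header whose checksum is valid."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ip_header(src: str, dst: str, payload_len: int, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    a2b = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len,
                      0, 0, 64, proto, 0, a2b(src), a2b(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def esp_pad(data: bytes) -> bytes:
    """Slide 8: pad to a BLOCK multiple; the final byte records how many bytes
    were added (counting itself), so at least one byte is always appended."""
    n = BLOCK - len(data) % BLOCK        # 1..16
    return data + bytes(n - 1) + bytes([n])

def esp_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= min(BLOCK, len(data)) or any(data[-n:-1]):
        raise ValueError("bad padding")
    return data[:-n]

def _subkeys(key: bytes):
    """The slides carry one key; derive distinct encryption and auth keys from it."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"auth", hashlib.sha256).digest())

def _keystream_xor(enc_key: bytes, esp_hdr: bytes, data: bytes) -> bytes:
    """AES stand-in: XOR with a keystream bound to this packet's (SPI, seq).
    The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(enc_key, esp_hdr + struct.pack("!I", i // BLOCK),
                      hashlib.sha256).digest()[:BLOCK]
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)

def ipsec_out(pack: bytes, key: bytes, src: str, dst: str, spi: int, seq: int) -> bytes:
    """Slide 10: ESP header, pad, encrypt, HMAC(ESP hdr || ciphertext) into the
    ESP tail, then prepend the new IP header with its checksum."""
    enc_key, auth_key = _subkeys(key)
    esp_hdr = struct.pack("!II", spi, seq)
    ct = _keystream_xor(enc_key, esp_hdr, esp_pad(pack))
    tail = hmac.new(auth_key, esp_hdr + ct, hashlib.sha256).digest()[:ESP_AUTH_LEN]
    body = esp_hdr + ct + tail
    if IP_HDR_LEN + len(body) > IP_MAX_PACKSIZE:   # slide 14: overhead must still fit
        raise ValueError("packet exceeds IP_MAX_PACKSIZE")
    return build_ip_header(src, dst, len(body), IPPROTO_ESP) + body

def ipsec_in(pack: bytes, key: bytes) -> bytes:
    """Slide 12: verify the ESP tail before decrypting, strip padding, then
    check the recovered inner IP header. Raises ValueError on any failure."""
    enc_key, auth_key = _subkeys(key)
    outer, body = pack[:IP_HDR_LEN], pack[IP_HDR_LEN:]
    if len(outer) < IP_HDR_LEN or ip_checksum(outer) != 0 or outer[9] != IPPROTO_ESP:
        raise ValueError("outer IP header invalid or not ESP")
    esp_hdr, ct, tail = body[:ESP_HDR_LEN], body[ESP_HDR_LEN:-ESP_AUTH_LEN], body[-ESP_AUTH_LEN:]
    expect = hmac.new(auth_key, esp_hdr + ct, hashlib.sha256).digest()[:ESP_AUTH_LEN]
    if not hmac.compare_digest(expect, tail):
        raise ValueError("ESP authentication failed")
    inner = esp_unpad(_keystream_xor(enc_key, esp_hdr, ct))
    if len(inner) < IP_HDR_LEN or ip_checksum(inner[:IP_HDR_LEN]) != 0 \
            or struct.unpack("!H", inner[2:4])[0] != len(inner):
        raise ValueError("inner IP header verification failed")
    return inner

# Constructed sample: a TCP packet between Computer1 and Computer2 of slide 4.
KEY = b"1234567890"
TCP_SEGMENT = b"\x04\xd2\x00\x50" + bytes(16) + b"hello ipsec"   # fake TCP header + data
ORIG = build_ip_header("192.168.10.1", "192.168.10.2", len(TCP_SEGMENT), 6) + TCP_SEGMENT

def demo():
    """Returns (round trip intact, tampered tail rejected)."""
    wire = ipsec_out(ORIG, KEY, "192.168.10.1", "192.168.10.2", spi=0x100, seq=1)
    tampered = wire[:-1] + bytes([wire[-1] ^ 1])
    try:
        ipsec_in(tampered, KEY)
        rejected = False
    except ValueError:
        rejected = True
    return ipsec_in(wire, KEY) == ORIG, rejected
```

The receive side checks the ESP tail with a constant-time comparison before touching the ciphertext, which is the order slide 12 prescribes; the outer checksum and protocol check answer slide 12's "does this packet need IPSEC processing" question, and the inner length/checksum check is the "IP header verification" step.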

13
Modularize project
  • Process outgoing packets in ip_write.c:
    IpSecOut(packet, key)
  • Process incoming packets in ip_read.c:
    IpSecIn(packet, key)
  • Maintain the key table in the kernel:
    ipsec_get_entry(sec_ent), ipsec_add_entry(sec_ent),
    ipsec_del_entry(sec_ent)
  • Expected time: one week
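The key table of slide 5 with the entry functions named on slide 13 and the add_key/pr_key/del_key commands of slide 4, as an added example; this is not the course's Minix code. The table capacity, the dashed option syntax of the commands (the slide shows only pr_key -a with its dash), the ipsec_reset helper and the lookup precedence (host-based entry before protocol-based entry) are assumptions.

```python
"""Fixed-size in-kernel key table after slides 4, 5 and 13. Added example, not
the course's Minix code. Capacity, the add_key/pr_key/del_key option syntax
and the lookup precedence (host entry before protocol entry) are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

MAX_SEC_ENTRIES = 8                  # assumed size of the static struct array
PROTO_NUM = {"tcp": 6, "udp": 17}    # IP protocol numbers for add_key -p

@dataclass
class SecEnt:
    peer: Optional[str]     # host-based entry: peer IP address, else None
    proto: Optional[int]    # protocol-based entry: IP protocol number, else None
    key: bytes

# The "static struct array" of slide 5: fixed slots, None when free.
_table: List[Optional[SecEnt]] = [None] * MAX_SEC_ENTRIES

def ipsec_reset() -> None:
    _table[:] = [None] * MAX_SEC_ENTRIES

def _find(peer, proto) -> int:
    for i, e in enumerate(_table):
        if e is not None and e.peer == peer and e.proto == proto:
            return i
    return -1

def ipsec_add_entry(ent: SecEnt) -> bool:
    """Add or replace an entry; False when every slot is taken, since a kernel
    table of fixed size cannot grow."""
    if (ent.peer is None) == (ent.proto is None):
        raise ValueError("entry must be host-based or protocol-based")
    i = _find(ent.peer, ent.proto)
    if i < 0:
        if None not in _table:
            return False
        i = _table.index(None)
    _table[i] = ent
    return True

def ipsec_del_entry(peer: Optional[str] = None, proto: Optional[int] = None) -> bool:
    i = _find(peer, proto)
    if i < 0:
        return False
    _table[i] = None
    return True

def ipsec_get_entry(dst: str, proto: int) -> Optional[SecEnt]:
    """Key for an outgoing packet: host-based entry first, then protocol-based
    (assumed precedence); None means no IPSEC processing for this packet."""
    i = _find(dst, None)
    if i < 0:
        i = _find(None, proto)
    return _table[i] if i >= 0 else None

def _opts(args: List[str]) -> dict:
    return dict(zip(args[::2], args[1::2]))

def add_key(args: List[str]) -> bool:
    """add_key -d <peer ip> -k <key>  |  add_key -p tcp -k <key>"""
    o = _opts(args)
    proto = PROTO_NUM[o["-p"]] if "-p" in o else None
    return ipsec_add_entry(SecEnt(o.get("-d"), proto, o["-k"].encode()))

def del_key(args: List[str]) -> bool:
    """del_key -d <peer ip>  |  del_key -p tcp"""
    o = _opts(args)
    return ipsec_del_entry(o.get("-d"), PROTO_NUM[o["-p"]] if "-p" in o else None)

def pr_key(args: List[str]) -> List[str]:
    """pr_key -a lists every entry; pr_key -d <ip> only that host's entry."""
    o = _opts(args)   # "-a" takes no value, so it is checked on args directly
    rows = [e for e in _table if e is not None]
    if "-a" not in args:
        rows = [e for e in rows if e.peer == o.get("-d")]
    return [f"{e.peer or 'proto ' + str(e.proto)} {e.key.decode()}" for e in rows]

def demo_computer1() -> List[str]:
    """Replays the Computer1 command sequence shown on slide 4."""
    ipsec_reset()
    add_key(["-d", "192.168.10.2", "-k", "1234567890"])
    add_key(["-d", "192.168.10.3", "-k", "2345678901"])
    add_key(["-p", "tcp", "-k", "1234567890"])
    return pr_key(["-d", "192.168.10.2"]) + pr_key(["-a"])
```

Because the array is static, ipsec_add_entry refuses rather than grows when the slots run out; a caller in ip_write.c would treat a None from ipsec_get_entry as "send in the clear" under the policy of slide 3, so whether that is acceptable is a policy decision to make explicitly, not a default to fall into.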

14
How to handle large packets
  • Per the RFC, the maximum size of an IP packet is 64K bytes
  • In Minix, IP_MAX_PACKSIZE (40,000 bytes) is defined
    in /usr/include/net/gen/in.h
  • IPSEC adds overhead; the size of the new overhead is
    new IP header (20) + ESP header (8) + padding (< 16)
    + ESP tail (16) < 60 bytes
  • 40000 - 64 = 39936

15
How to avoid frequent crash
  • Shell script /usr/src/inet/compile:
      mv /usr/bin/inet /usr/bin/inetest
      make install
  • Press ESC during bootup, then enter in the boot
    monitor:
      d0p0s0> servers=inetest (default: inet)
      d0p0s0> boot