Internet Protocol Security (IPsec)
Internet Protocol Security (IPsec) is a set of services and protocols for securing Internet Protocol (IP) communications. IP packets constituting the data stream are encrypted and authenticated and the cryptographic keys used by IP endpoints are also negotiated for use during the session, thereby keeping sensitive information hidden from unauthorized parties while also checking the received data for integrity. Data passed between users, servers, routers, firewalls, and the like is protected using IPsec.
IPsec is not a requirement of IPv4 implementations although it is widespread within the current landscape as a means of providing secure IP connections. IPsec is required for IPv6 implementations. IPsec provides access control, connectionless integrity, data origin authentication, detection and rejection of replays, confidentiality and limited traffic flow confidentiality.
IPsec operates only in the IP layer and can be implemented either as a host (ie. Security Gateway) or as an independent device (ie. router with IPsec enabled). The form of these implementations can be Native, Bump-In-The-Stack (BITS) or Bump-In-The-Wire (BITW).
- Native – Integrated into the native IP stack, requires access to IP source code
- Bump-In-The-Stack (BITS) – Implemented underneath an existing IP stack implementation between the native and local network drivers, source code access not needed.
- Bump-In-The-Wire (BITW) – Implemented in an in line security protocol processor. This is commonly used for military implementations and occasionally in commercial devices. The processor is usually IP addressable.
Two main protocols are key to the implementation of IPsec:
- Internet Key Exchange (IKEv2) Protocol – This provides the mechanism for setting up and maintaining Security Associations (SA).
- Encapsulating Security Payload (ESP) Protocol – This protocol provides access control, connectionless integrity, data origin authentication, detection and rejection of replays, confidentiality and limied traffic flow confidentiality.
The Authentication Header (AH) Protocol is an optional protocol that provides integrity and data origin authentication, with optional anti-replay features which are the same services that ESP can provide.
There are multiple encryption and authentication options that can be employed in an IPsec connection.
AES, DES, and TDES are the commonly used encrytpion algorithms. Authentication algorithms commonly used with IPsec are HMAC, CBC- AC and GMAC. There are also algorithms that can be used to do both encryption and Authentication like CCM and GCM. VOCAL provides support for those as well as other cryptographic algorithms.
IPSec can be used in either Transport or Tunnel modes. Transport mode encrypts only the data portion of the packet. Tunnel mode encrypts the header as well and is, therefore, a more secure connection and is often used to create a Virtual Private Network (VPN).
NAT-T (NAT Traversal) is a method of enabling IPsec data to pass through a Network Address Translator ( NAT). It is often used by IPsec VPN clients. NAT-T protects IPsec data by encapsulating it with another layer of UDP and IP headers. NAT-T allows systems behind NATs to establish secure, encrypted connections on demand. It also allows multiple machines behind the same NAT device to build a tunnel to the outside world.
VOCAL engineers have implemented IPsec on uClinux running in an Analog Devices Blackfin DSP hardware environment.
For more information regarding IPsec for Blackfin uClinux or other IPsec implementations, please contact us.