
IPsec: the complete guide

IPsec (IP security) is a suite of protocols for securing communications carried over the Internet Protocol (IP). It authenticates and/or encrypts each IP packet of a communication session. IPsec also includes the protocols that provide the encryption and authentication themselves.

Contents
1. Overview
2. Security architecture
3. Standardisation
4. Design and usage requirements
5. Modes
5.1. Transport mode
5.2. Tunnel mode
6. Technical details
6.1. Authentication Header (AH)
6.2. Encapsulating Security Payload (ESP)
7. Implementations

1. Overview

IPsec operates at the network layer, layer 3 of the OSI model. Other Internet security protocols such as SSL, TLS and SSH operate from the transport layer upwards (layers 4 to 7 of the OSI model). This gives IPsec its flexibility: it can protect layer-4 protocols such as TCP and UDP, and most other protocols that run at that layer. IPsec therefore has an advantage over SSL and the other methods that work at the higher OSI layers: an application that uses IPsec needs no change to its code, whereas an application that is required to use SSL or another security protocol at a higher layer must have its code changed substantially.

2. Security architecture

IPsec is deployed with (1) cryptographic protocols that protect packets in transit, (2) an authentication method, and (3) a mechanism for establishing the cryptographic parameters.

IPsec is built on the concept of a security association on top of IP. A security association is simply the combination of the algorithms and parameters (such as keys) used to encrypt and authenticate traffic in one direction. For two-way communication, therefore, the security protocols work with a pair of associations, one for each direction. Which encryption and authentication algorithms are used is decided by the IPsec administrator, because IPsec is a group of security protocols that provide encryption and authentication for each IP packet. To decide what protection to apply to an outgoing packet, IPsec uses the Security Parameter Index (SPI), an index (much like a telephone directory) into the Security Association Database (SADB), together with the destination address in the packet header; together these uniquely identify the security association for that packet. A similar procedure is applied to incoming packets, where IPsec retrieves the decryption and verification keys from the SADB. For multicast packets, a security association is provided for the group and replicated to all receivers in that group. There may be more than one security association for a group, using different SPIs, which allows multiple levels of security within a group. Each sender can have several security associations, allowing authentication, while a receiver only knows the keys that were sent to it in the data. Note that the standards do not describe how these associations are chosen and replicated from the group to the individual members.

3. Current status

IPsec is a mandatory part of IPv6 and optional for IPv4. Although the standards were designed to apply to both IP versions alike, it is currently most commonly deployed on IPv4. The IPsec protocols were defined in RFCs 1825 to 1829, published in 1995. In 1998 they were updated as RFC 2401 to 2412, which are not compatible with RFC 1825 to 1829. In December 2005 the third generation of the IPsec standards, RFC 4301 to 4309, was published. It does not differ much from RFC 2401 to 2412, but the new generation provides the second version of IKE. In this new generation the abbreviation of IP security was also changed to IPsec.
Where the abbreviations differ, the generation standardised by RFC 1825 to 1829 uses ESP while the new version uses ESPbis.

4. Design requirements

IPsec provides Transport mode (end-to-end), which secures communication between hosts that talk to each other directly, and Tunnel mode (portal-to-portal) for communication between two networks, used mainly for VPN connections.

IPsec can be used for VPN communication, and is used very widely there. Deployment, however, differs between the two modes. Secure end-to-end communication on the Internet has developed slowly and has been a long time coming, partly because the Public Key Infrastructure (PKI) used in this method is not widespread, or not practical.

IPsec is introduced as providing the following security services:
1. Encryption of the transmitted data
2. Data integrity
3. Authentication between the communicating parties
4. Protection against replay within a secure session

5. Modes

There are two modes of IPsec operation: Transport mode and Tunnel mode.

Transport mode

In Transport mode only the payload of the IP packet is encrypted and/or authenticated. The IP header is neither modified nor encrypted during routing; however, when the Authentication Header is used the IP addresses cannot be altered, because they are covered by the hash. The transport and application layers are always protected by the hash, so they cannot be modified either (for example the port numbers). Transport mode is used for host-to-host communication. A means of encapsulating IPsec messages for NAT traversal is defined in the RFC documents describing NAT-T.

Tunnel mode

In Tunnel mode the entire IP packet (data and header) is encrypted and authenticated. It must then be encapsulated in a new IP packet so that routers can route it. Tunnel mode is used for network-to-network communication (between routers), or for host-to-network and host-to-host communication over the Internet.

6. Technical details

Two protocols have been developed to provide security for packets of both IPv4 and IPv6:
IP Authentication Header, which provides integrity and authentication.

IP Encapsulating Security Payload, which provides confidentiality and, as an option you can choose, authentication and integrity protection of the data.

The algorithms used in IPsec include HMAC-SHA1 for integrity protection, and TripleDES-CBC and AES-CBC for encryption and confidentiality of the packet. All of these algorithms are listed in RFC 4305.

a. Authentication Header (AH)

AH is used to guarantee connectionless integrity of the data. It can also optionally protect against replay attacks by using a sliding window and discarding older packets. AH protects the data transmitted over IP. In IPv4, the IP header fields that change in transit, and are therefore not covered, include TOS, Flags, Fragment Offset, TTL and Header Checksum. AH is inserted directly at the front of the IP packet's payload. The layout of the AH header is shown below.

AH header layout:

Bits 0-7         Bits 8-15        Bits 16-31
Next header      Payload length   RESERVED
Security parameters index (SPI)
Sequence number
Authentication data (variable)

Meaning of each field:
Next header: identifies the protocol of the data that follows.
Payload length: the size of the AH packet.
RESERVED: reserved for future use (currently all zeros).
Security parameters index (SPI): identifies the security parameters which, combined with the IP address, identify the security association associated with the packet.
Sequence number: a number incremented for every packet, used to protect against replay attacks.
Authentication data: contains the Integrity Check Value (ICV) needed to authenticate the packet.

b. Encapsulating Security Payload (ESP)

The ESP protocol provides authentication, integrity and confidentiality for the packet. ESP also supports configurations that use only encryption or only authentication, but using encryption without authentication does not provide real security. Unlike AH, ESP does not protect the IP packet header, including its options. ESP runs directly on top of IP, using IP protocol number 50, while AH uses protocol number 51.

ESP header layout:

Bits 0-7   Bits 8-15   Bits 16-23   Bits 24-31
Security parameters index (SPI)
Sequence number
Payload data (variable)
Padding (0-255 bytes)
                         Pad length   Next header
Authentication data (variable)

Meaning of the fields:
Security parameters index (SPI): identifies the security parameters, combined with the IP address.
Sequence number: automatically incremented, protects against replay attacks.
Payload data: the data being transmitted.
Padding: used with block ciphers.
Pad length: the size of the padding.
Next header: identifies the protocol of the transmitted data.
Authentication data: contains the authentication data for the packet.

7. Implementations

IPsec is implemented in the kernel, with key management and the ISAKMP/IKE security negotiation handled from user space. There is, however, a standard interface for key management through which the kernel's IPsec code can be driven. Because it is provided to end users, IPsec can be deployed in the Linux kernel. The FreeS/WAN project was the first complete open-source implementation of IPsec, specifically for Linux. It consists of a kernel IPsec stack (KLIPS), a key-management daemon and many shell scripts. The FreeS/WAN project began in March 2004. Openswan and strongSwan continue the FreeS/WAN project. The KAME project also completed an IPsec implementation for NetBSD and FreeBSD; its key manager is called racoon. OpenBSD created its own ISAKMP/IKE, simply named isakmpd (which has also been ported to many other systems, including Linux).

Translation by VNE Research Department
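As an added example (not code from the original article or from any of the IPsec implementations named above), the following Python parses the AH and ESP headers laid out in section 6 from constructed sample packets, dispatches on the protocol numbers 50 and 51, and applies a per-SPI anti-replay sliding window of the kind the AH section describes. The packet bytes, SPIs and window size are constructed for this example.

```python
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51          # IP protocol numbers given in the text

def parse_ah(data: bytes) -> dict:
    # Next header, payload length (32-bit words minus 2), reserved, SPI, sequence number
    nxt, plen, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    icv_len = (plen + 2) * 4 - 12         # total AH length minus the 12 fixed bytes
    return {"next_header": nxt, "spi": spi, "seq": seq, "icv": data[12:12 + icv_len]}

def parse_esp_header(data: bytes) -> dict:
    # Only SPI and sequence number are in the clear; payload, padding, pad length and
    # next header sit inside the encrypted region and stay opaque here.
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "encrypted": data[8:]}

class ReplayWindow:
    # Anti-replay sliding window: remember the highest sequence number seen plus a
    # bitmask of the `size` most recent numbers; reject duplicates and too-old packets.
    def __init__(self, size: int = 64):
        self.size, self.highest, self.mask = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                                  # sequence numbers start at 1
        if seq > self.highest:                            # newest so far: slide window
            shift = seq - self.highest
            self.mask = ((self.mask << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                                  # older than the window: drop
        if self.mask & (1 << offset):
            return False                                  # already seen: replay
        self.mask |= 1 << offset
        return True

def check_inbound(proto: int, data: bytes, windows: dict) -> tuple:
    # Receive-side check: parse by protocol number, then apply the replay window kept
    # per SPI. Returns (spi, seq, accepted).
    hdr = parse_ah(data) if proto == IPPROTO_AH else parse_esp_header(data)
    win = windows.setdefault(hdr["spi"], ReplayWindow())
    return hdr["spi"], hdr["seq"], win.accept(hdr["seq"])

# Constructed samples: five ESP packets on SPI 0x1000 (the repeated seq 2 and the late
# seq 1 are replays) and one AH packet with payload length 4, i.e. a 12-byte ICV.
SAMPLE_ESP = [struct.pack("!II", 0x1000, s) + b"\xaa" * 16 for s in (1, 2, 2, 3, 1)]
SAMPLE_AH = struct.pack("!BBHII", 6, 4, 0, 0x2000, 7) + b"\x11" * 12
```

Feeding SAMPLE_ESP through one set of windows accepts sequence numbers 1, 2 and 3 and rejects the two replays; a real receiver would also verify the ICV before updating the window.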

IPsec part 2 - Public Key Infrastructure


In this article I will give you an overview of how Public Key Infrastructure (PKI) works. If you use Active Directory on Windows NT technology, every user that is created also gets a key pair: a public key and a private key. There are also many other applications that generate such key pairs.

The key pair is generated randomly with many digits. Because the keys are generated from many random digits, the private key cannot be worked out from the public key. Some algorithms, however, can generate the public key from the private key. Only the public key is published to everyone. Most key pairs are generated from large numbers by some cryptographic algorithm.

Information encrypted with the public key can only be decrypted with the private key. With only the public key you cannot decrypt the message. This means that when someone sends encrypted information to another person, only the recipient can read it. Anyone else who captures the whole message still cannot decrypt it with only the public key.

Information encrypted with the private key can be decrypted with the public key. Since the public key is published to everyone, anyone who has the public key can read that information.

To make the transmission more secure: Alice combines her private key with Bob's public key to create a shared secret. Likewise, Bob combines his private key with Alice's public key to create the same shared secret. The two of them then communicate. When Alice sends information to Bob protected with the shared secret, Bob, on receiving the message encrypted with the shared secret, uses Alice's public key combined with his own private key to read it. The same applies when Bob sends information and Alice decrypts it to retrieve the information.

Source: Wikipedia.org. Translation by VNE Research Department
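The Alice and Bob exchange described above, as an added example that is not part of the original article: each side combines its own private key with the other side's public key (Diffie-Hellman style modular exponentiation), both arrive at the same shared secret, and Bob can verify a message tag that Alice computed with the derived key, while someone holding only the two public values cannot. The group (the prime 2^127 - 1 with generator 5), the key derivation and the sample message are constructed for illustration and are far smaller than anything used in practice.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only: the Mersenne prime 2^127 - 1 with generator 5. Real
# deployments use standardised groups of at least 2048 bits; the arithmetic is the same.
P = (1 << 127) - 1
G = 5

def keypair() -> tuple:
    """Generate a private exponent and the matching public value G^priv mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_secret(my_priv: int, their_pub: int) -> int:
    """Combine my private key with the other side's public key: their_pub^my_priv mod P.
    Alice computes (G^b)^a and Bob computes (G^a)^b; both equal G^(ab) mod P."""
    return pow(their_pub, my_priv, P)

def derive_key(secret: int) -> bytes:
    """Hash the raw group element into a fixed-size symmetric key (a minimal KDF)."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def auth_tag(key: bytes, message: bytes) -> bytes:
    """Tag a message with the derived key; the peer recomputes it with its own copy."""
    return hmac.new(key, message, hashlib.sha256).digest()

def exchange(a_priv: int, b_priv: int, message: bytes) -> dict:
    """Run the Alice/Bob exchange from the text with given private keys and report
    whether both sides derived the same key and who can verify Alice's tag."""
    a_pub, b_pub = pow(G, a_priv, P), pow(G, b_priv, P)      # the published values
    key_alice = derive_key(shared_secret(a_priv, b_pub))      # Alice: her priv + Bob's pub
    key_bob = derive_key(shared_secret(b_priv, a_pub))        # Bob: his priv + Alice's pub
    tag = auth_tag(key_alice, message)                        # Alice sends message + tag
    # An eavesdropper holds only a_pub and b_pub; combining those does not give the key.
    eavesdropper_key = derive_key(a_pub * b_pub % P)
    return {
        "same_key": key_alice == key_bob,
        "bob_verifies": hmac.compare_digest(tag, auth_tag(key_bob, message)),
        "eavesdropper_verifies": hmac.compare_digest(tag, auth_tag(eavesdropper_key, message)),
    }

if __name__ == "__main__":
    a, _ = keypair()
    b, _ = keypair()
    print(exchange(a, b, b"constructed sample message"))
```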
