IPSec stands for IP Security. IPSec is not a single protocol but a collection of protocols and services that together provide complete security for IP networks.
IPSec works at the IP network layer.
As a tunneling protocol, it is used to implement VPN communication.
As a layer 3 tunneling protocol, it can create a secure tunnel at the IP layer to connect two remote private networks, or to allow computers on the public network to access a remote corporate private network.
2. IPSec function
1. Ensure reliable data sources
Before IPSec communication begins, both parties must use IKE to authenticate each other's identity and negotiate a key. They can communicate only after IKE negotiation succeeds. Because a third party does not know the authentication and encryption algorithms or the related keys, it cannot impersonate the sender; any attempt at impersonation is detected by the receiver.
2. Ensure data integrity
IPSec uses an authentication algorithm so that any tampering with or loss of data in transit from the sender to the receiver can be detected.
3. Ensure data confidentiality
IPSec uses encryption algorithms so that only the intended receiver can obtain the actual content of the transmission; others cannot read the data.
3. Authentication method
3.1, pre-shared key
With pre-shared key authentication, both IPSec parties manually configure the same key; the key never needs to be sent to the other party over the network.
3.2, digital certificate
The responder sends its digital certificate to the client.
After the sender receives the message from the responder, it takes out the attached digital certificate, reads the issuing authority (Issuer) in the certificate, and looks up that authority's public key in the operating system's list of trusted certificate authorities. If it cannot be found, the certificate authority is untrusted and the information sent by the responder is not secure.
Using the certificate authority's public key obtained in the previous step, the sender opens the digital certificate and obtains the responder's user information and the digital signature.
The sender uses the hash algorithm specified in the certificate to hash the responder's user information.
The hash result is compared with the value decoded from the digital signature in the certificate. If they are the same, the user information really belongs to the responder, which means the public key contained in the user information really is the responder's.
From then on, data that the responder encrypts with its private key is decrypted by the sender with the public key.
Data that the sender encrypts with the public key is decrypted by the responder with the private key.
4. ESP encryption algorithm
4.1, ESP integrity detection
The ESP message ends with an authentication data field that contains an integrity check value (ICV), also called a message authentication code, which is used to verify the identity and integrity of the message. The receiver calculates the ICV and compares it with the value calculated by the sender to verify integrity. The ICV is calculated over the ESP header, the payload data and the ESP trailer.
4.2, ESP anti-replay
As an optional feature, ESP can also perform anti-replay protection. Anti-replay protection verifies that each message is unique and has not been duplicated. This protection ensures that hackers cannot intercept messages and insert changed messages into the data stream.
How anti-replay works:
The source tracks the message sequence number and the destination uses a sliding window. When a connection is established between the source and destination, the counters at both ends are initialized to 0.
Every time a message is sent, the source adds a sequence number to the message, and the destination uses the sliding window to determine the expected sequence numbers. The destination verifies that the sequence number of each packet has not been duplicated and that packets are received in the correct order.
Example:
1. The client sends an ESP-encapsulated message to the server with sequence number 81.
2. The server's response message is encrypted by ESP, and the sequence number of the response message is 81.
3. After the client receives the ESP message sent by the server, it checks the ESP sequence number. If the sequence number is correct, there is no replay; if the sequence number is wrong, there is a replay.
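The sliding-window check described above, as an added example (not code from the original article): a receiver-side window for one SA. The 64-entry window size, the class and function names and the arrival sequence are assumptions made for illustration.

```python
class ReplayWindow:
    """Receiver-side ESP anti-replay state for one SA."""

    def __init__(self, size=64):
        self.size = size   # assumed window size
        self.top = 0       # highest sequence number accepted (counter starts at 0)
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        """Return (accepted, reason) for one received sequence number.

        A real receiver updates the window only for packets whose ICV verified.
        """
        if seq == 0:
            return False, "invalid: the first packet on an SA carries 1"
        if seq > self.top:
            # Newer than anything seen: slide the window right and mark it.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True, "new: window advanced"
        offset = self.top - seq
        if offset >= self.size:
            return False, "too old: left of the window"
        if self.bitmap & (1 << offset):
            return False, "replay: sequence number already seen"
        self.bitmap |= 1 << offset
        return True, "late: inside the window, first time seen"


# Constructed arrival order: 81 arrives twice, 17 and 18 straddle the window edge.
CONSTRUCTED_ARRIVALS = [1, 2, 81, 80, 81, 17, 18, 0]


def classify(arrivals, size=64):
    """Run a fresh window over the arrivals; returns (seq, accepted, reason) tuples."""
    window = ReplayWindow(size)
    return [(seq,) + window.check_and_update(seq) for seq in arrivals]


if __name__ == "__main__":
    for seq, accepted, reason in classify(CONSTRUCTED_ARRIVALS):
        print(f"seq={seq:<3} {'ACCEPT' if accepted else 'DROP  '} {reason}")
```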
4.3, ESP anti-eavesdropping
ESP encrypts data with the 3DES, DES or AES encryption algorithms to protect against eavesdropping.
5. IPSec working principle
ESP has two modes: tunnel mode and transport mode.
Tunnel mode treats the entire original message as a single unit of data, adds a new IP header in front of it for transmission, and does not modify the original message.
Transport mode takes the message apart: the data part of the original message is processed, the ESP header is added, and the IP header of the original message is then put back in front.
5.1, transport mode
ESP processing flow:
1. Separate the IP header from the data part of the original IP message, and add an ESP trailer to the end of the data part. The ESP trailer contains the padding that the selected encryption algorithm needs to fill out the plaintext (Padding), the pad length, and the Next Header field, which indicates the type of the encrypted data, such as the TCP protocol.
2. Encrypt the whole of what was obtained in step 1 (the original data and the ESP trailer). The specific encryption algorithm and key are given by the SA.
3. Add the ESP header (SPI and sequence number) to the encrypted data obtained in step 2 to assemble the "enchilada".
4. Compute a digest over the enchilada obtained in step 3 to obtain the integrity check value (ICV), which is appended to the end of the enchilada.
5. Put the original IP header in front of the data obtained in step 4, and change the Protocol value in the original IP header to 50, which represents ESP.
5.2, tunnel mode
ESP processing flow:
1. Add the trailer (ESP trailer) to the end of the original IP message. As shown in the figure above, the trailer contains three parts. The selected encryption algorithm may be a block cipher, in which case padding is required when the last block is too short, and the pad length is attached so that the padding can be found and removed when unpacking. The Next Header field indicates the type of the encrypted data, such as the TCP protocol.
2. Encrypt the original IP message together with the ESP trailer from step 1 as a whole. The specific encryption algorithm and key are given by the SA.
3. Add an ESP header to the encrypted data obtained in step 2. As shown in the figure above, the ESP header is composed of two parts, the SPI and the sequence number. The encrypted data and the ESP header together are called the "enchilada".
4. Append the integrity check value (ICV). Compute a digest over the "enchilada" obtained in step 3 to obtain the integrity check value and attach it to the end of the ESP message.
5. Add a new IP header. The newly constructed IP header is attached to the front of the ESP message to form a new IP message. Note that the destination and source addresses of this new IP header can differ from those of the original. The protocol type is 50, which means the packet contains an IPsec message.
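The processing steps of sections 5.1 and 5.2, together with the ICV check of section 4.1, as an added example that is not part of the original article. The SA values, the 16-byte padding block, the 12-byte truncated HMAC-SHA-256 ICV and the SHAKE-256 keystream that stands in for the SA's real cipher are all assumptions; next header 6 (TCP) corresponds to a transport-mode payload and 4 (IPv4) to a tunnel-mode inner packet.

```python
import hashlib
import hmac
import struct

BLOCK = 16     # assumed block size that the trailer pads to
ICV_LEN = 12   # assumed ICV length (truncated HMAC-SHA-256); the SA decides in practice
# Constructed SA: the SPI and keys are sample values, not taken from the capture.
SA = {"spi": 0x00001000, "enc_key": b"k" * 16, "auth_key": b"a" * 32}


def stand_in_cipher(sa, seq, data):
    # Stand-in for the SA's cipher (SHAKE-256 keystream XOR, keyed per packet).
    # It is NOT an ESP algorithm; it only keeps the example dependency-free.
    seed = sa["enc_key"] + struct.pack("!II", sa["spi"], seq)
    stream = hashlib.shake_256(seed).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def icv_of(sa, enchilada):
    return hmac.new(sa["auth_key"], enchilada, hashlib.sha256).digest()[:ICV_LEN]


def esp_encapsulate(sa, seq, inner, next_header):
    # Step 1: ESP trailer = padding | pad length | next header
    pad_len = -(len(inner) + 2) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    # Step 2: encrypt the data and the trailer as one unit
    ciphertext = stand_in_cipher(sa, seq, inner + trailer)
    # Step 3: ESP header (SPI, sequence number) + ciphertext = "enchilada"
    enchilada = struct.pack("!II", sa["spi"], seq) + ciphertext
    # Step 4: append the ICV. Step 5 (IP header, protocol 50) is left to the caller.
    return enchilada + icv_of(sa, enchilada)


def esp_decapsulate(sa, packet):
    if len(packet) < 8 + BLOCK + ICV_LEN:
        raise ValueError("packet too short for ESP")
    enchilada, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # Verify the ICV before decrypting anything; compare in constant time.
    if not hmac.compare_digest(icv, icv_of(sa, enchilada)):
        raise ValueError("ICV mismatch: packet modified or wrong SA")
    spi, seq = struct.unpack("!II", enchilada[:8])
    if spi != sa["spi"]:
        raise ValueError("SPI does not belong to this SA")
    plain = stand_in_cipher(sa, seq, enchilada[8:])
    pad_len, next_header = plain[-2], plain[-1]
    if pad_len > len(plain) - 2:
        raise ValueError("pad length larger than payload")
    return seq, next_header, plain[: len(plain) - 2 - pad_len]


if __name__ == "__main__":
    segment = b"\x00" * 20                       # constructed 20-byte TCP header
    packet = esp_encapsulate(SA, 81, segment, 6)
    print(len(packet), esp_decapsulate(SA, packet)[:2])
```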
6. IPSec negotiation mode
IPSec establishment is divided into two stages: the first stage is IKE negotiation, and the second stage is IPSec negotiation.
6.1, main mode
6.1.1, IKEv1 negotiation
Packet 1: The initiator negotiates the SA over UDP port 500; the upper-layer protocol is ISAKMP. ISAKMP provides a framework in which the next payloads work like modules that can be combined freely. The capture shows that the initiator provides its own cookie value and its SA cipher suite. The cipher suite mainly consists of the encryption algorithm, hash algorithm, authentication method, lifetime, and so on.
Initiator SPI: b0b5887b632a532b
The initiator's SPI value tells the responding host which IPSec key to use to encrypt the packet.
Responder SPI:
The responder's SPI value. The first packet carries only the initiator's value, so the responder SPI is empty.
Version: 1.0
IKE version number; 1.0 means IKEv1 is used to establish the connection.
Exchange type:Identity Protection (Main Mode) (2)
The IKE negotiation mode is main mode.
IKE Attribute (t=12,l=4): Life-Duration: 86400
The key lifetime is 86400; once the lifetime exceeds 86400, IKE is renegotiated.
IKE Attribute (t=1,l=2): Encryption-Algorithm: DES-CBC
IKE uses the DES-CBC encryption algorithm to encrypt data.
IKE Attribute (t=2,l=2): Hash-Algorithm: MD5
IKE uses the MD5 algorithm to verify data integrity.
IKE Attribute (t=3,l=2): Authentication-Method: Pre-shared key
Pre-shared key authentication is used.
IKE Attribute (t=4,l=2): Group-Description: Alternate 1024-bit MODP group
The Diffie-Hellman (DH) group used in the key exchange process, with 1024-bit key strength.
Packet 2: After the responder receives the cipher suites sent by the sender, it checks whether it has a matching cipher suite. If so, it uses the same cipher suite as the sender to encrypt the data, and sends its own cookie value and the selected cipher suite to the sender; if there is no matching cipher suite, it responds that IKE establishment failed.
Initiator SPI: b0b5887b632a532b
The sender's SPI value tells the responding host which IPSec key to use to encrypt the packet.
Responder SPI: e5dd838c8d5138b9
The responder's SPI value tells the sender which key to use to encrypt the packet.
Version: 1.0
IKE version number; 1.0 means IKEv1 is used to establish the connection.
Exchange type:Identity Protection (Main Mode) (2)
The IKE negotiation mode is main mode.
IKE Attribute (t=12,l=4): Life-Duration: 86400
The key lifetime is 86400; once the lifetime exceeds 86400, IKE is renegotiated.
IKE Attribute (t=1,l=2): Encryption-Algorithm: DES-CBC
IKE uses the DES-CBC encryption algorithm to encrypt data.
IKE Attribute (t=2,l=2): Hash-Algorithm: MD5
IKE uses the MD5 algorithm to verify data integrity.
IKE Attribute (t=3,l=2): Authentication-Method: Pre-shared key
Pre-shared key authentication is used.
IKE Attribute (t=4,l=2): Group-Description: Alternate 1024-bit MODP group
The Diffie-Hellman (DH) group used in the key exchange process, with 1024-bit key strength.
Packet 3: The sender generates a random number and a DH public value. The main purpose of packet 3 is to send the sender's own DH public value and nonce to the responder; they are used to generate the KEY value required for encryption.
Version: 1.0
IKE version number; 1.0 means IKEv1 is used to establish the connection.
Exchange type:Identity Protection (Main Mode) (2)
The IKE negotiation mode is main mode.
Key Exchange Data: aba538345be9d5bfa1dff1e169b2db2a72d3771038f4cc8e...
The DH public value, calculated by the Diffie-Hellman algorithm. The algorithms negotiated in packets 1 and 2 require both peers to hold the same KEY (that is, the password set in the shared key), but this KEY cannot be passed over the link. The purpose of this exchange is therefore for each peer to generate a DH public value independently and send it to the other end in the message, so that the other end can calculate the same KEY value through the formula.
Packet 4: After receiving packet 3, the responder generates its own random number, calculates its DH public value with the Diffie-Hellman algorithm, and sends the random number and the DH public value to the sender.
Version: 1.0
IKE version number; 1.0 means IKEv1 is used to establish the connection.
Exchange type:Identity Protection (Main Mode) (2)
The IKE negotiation mode is main mode.
Key Exchange Data: 74d204991cd082a20289989380d3b953e1505fc21af6bafc...
The DH public value, used to generate the KEY value needed for encryption.
Packet 5: The initiator starts identity verification; the message contains the authentication data (pre-shared key or digital signature). Because packets 1 and 2 negotiated the encryption algorithm and packets 3 and 4 negotiated the encryption KEY value, the message in packet 5 is encrypted.
Version: 1.0
IKE version number; 1.0 means IKEv1 is used to establish the connection.
Exchange type:Identity Protection (Main Mode) (2)
The IKE negotiation mode is main mode.
Packet 6: The responder replies and also sends its authentication data (pre-shared key or digital signature) for identity verification. Packet 6 likewise uses the algorithm negotiated in packets 1 and 2 and the key value negotiated in packets 3 and 4 to encrypt data, so the authentication data in packet 6 is encrypted. After both parties have passed authentication, the IKE negotiation ends.
Version: 1.0
IKE version number; 1.0 means IKEv1 is used to establish the connection.
Exchange type:Identity Protection (Main Mode) (2)
The IKE negotiation mode is main mode.
6.1.2, IPSec encryption negotiation
Packet 7: The initiator negotiates the IPSec SA and establishes a security association. The message mainly carries the proposed encapsulation method, the encryption algorithm to be used afterwards, the lifetime, the interesting traffic, and so on. The data cannot be viewed because it is encrypted.
Initiator SPI: b0b5887b632a532b
The initiator's SPI value was determined during the previous IKE negotiation, so the IPSec negotiation still uses the previous SPI.
Responder SPI: e5dd838c8d5138b9
The responder's SPI value was determined during the previous IKE negotiation, so the IPSec negotiation still uses the previous SPI.
Version: 1.0
IKE version number; 1.0 means IKEv1 is used to establish the connection.
Exchange type: Quick Mode (32)
The exchange type is quick mode; only quick mode is available for IPSec negotiation.
Packet 8: The responder replies, agreeing to the encapsulation method, encryption algorithm, lifetime, interesting traffic, etc. sent in packet 7. It also serves to confirm receipt of the peer's message. The data cannot be viewed because it is encrypted.
Version: 1.0
IKE version number; 1.0 means IKEv1 is used to establish the connection.
Exchange type: Quick Mode (32)
The exchange type is quick mode; only quick mode is available for IPSec negotiation.
Packet 9: A confirmation message is sent. It contains a HASH, which is used to acknowledge the recipient's message and prove that the sender is alive (indicating that the sender's first message was not forged). The data cannot be viewed because it is encrypted.
Version: 1.0
IKE version number; 1.0 means IKEv1 is used to establish the connection.
Exchange type: Quick Mode (32)
The exchange type is quick mode; only quick mode is available for IPSec negotiation.
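The header fields annotated for packets 1 to 9 above, read programmatically, as an added example that is not part of the original article. It parses the 28-byte ISAKMP fixed header and reports the phase and whether the payloads are encrypted; it also accepts the 4-byte Non-ESP Marker that precedes ISAKMP on UDP port 4500. The function names are assumptions, and the sample packets are constructed (header only, payloads omitted) around the two SPIs shown in the capture.

```python
import struct

# ISAKMP fixed header (28 bytes): initiator SPI, responder SPI, next payload,
# version, exchange type, flags, message ID, total length.
HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGES = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 32: "Quick Mode"}
FLAG_ENCRYPTED = 0x01
NON_ESP_MARKER = b"\x00" * 4   # precedes ISAKMP on UDP 4500 (NAT-T)


def parse_ike_datagram(udp_payload, udp_port=500):
    """Return the ISAKMP header fields of one UDP payload as a dict."""
    if udp_port == 4500:
        if udp_payload[:4] != NON_ESP_MARKER:
            raise ValueError("no Non-ESP Marker: this datagram is ESP, not IKE")
        udp_payload = udp_payload[4:]
    if len(udp_payload) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    i_spi, r_spi, _next, ver, xchg, flags, msg_id, length = HEADER.unpack_from(udp_payload)
    if length < HEADER.size or length > len(udp_payload):
        raise ValueError("length field inconsistent with datagram size")
    return {
        "initiator_spi": i_spi.hex(),
        # An all-zero responder SPI is the "empty" value seen in packet 1.
        "responder_spi": r_spi.hex() if any(r_spi) else "",
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": EXCHANGES.get(xchg, f"unknown ({xchg})"),
        "phase": 2 if xchg == 32 else (1 if xchg in (2, 4) else None),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "message_id": msg_id,
    }


def constructed_packet(r_spi_hex, xchg, flags, msg_id=0, natt=False):
    """Build a header-only sample; the message ID for Quick Mode is made up."""
    hdr = HEADER.pack(bytes.fromhex("b0b5887b632a532b"), bytes.fromhex(r_spi_hex),
                      0, 0x10, xchg, flags, msg_id, HEADER.size)
    return (NON_ESP_MARKER if natt else b"") + hdr


if __name__ == "__main__":
    print(parse_ike_datagram(constructed_packet("00" * 8, 2, 0)))                  # packet 1
    print(parse_ike_datagram(constructed_packet("e5dd838c8d5138b9", 2, 1)))        # packet 5
    print(parse_ike_datagram(constructed_packet("e5dd838c8d5138b9", 32, 1, 0x1234)))  # packet 7
```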
6.2, aggressive mode
Aggressive mode uses 3 messages to exchange information such as the encryption method.
The initiator negotiates the SA, providing its own cookie value and SA transform set.
After the responder receives it, it attaches its signature authentication information to its own SA negotiation message and sends it back to the SA initiator.
The initiator sends its own digital signature authentication and other information.
Aggressive mode supports NAT traversal with either pre-shared key authentication or certificate authentication.
7. IPSec NAT traversal
7.1. Problems encountered by IPSec traversing NAT
1. Identity confirmation problem after traversing NAT
The standard identity in an IPSec VPN is the IP address, and the IP address is changed during NAT processing. The IPSec identity confirmation mechanism must therefore be able to adapt to a changed IP address.
There are two main ways to solve this problem: the first is to use a digital certificate instead of the IP address as the identity, and the second is to use a string instead of the IP address as the identity.
2. IP address multiplexing
IPSec consists of two protocols, AH and ESP.
Because AH checks the integrity of the data, it hashes the entire IP packet, including the IP addresses. NAT changes the IP address and thereby breaks AH's hash value. AH packets therefore cannot pass through a NAT gateway.
ESP's integrity check does not cover the outer IP header, so IP address translation does not break ESP's hash value. However, the TCP port inside the ESP message is encrypted and cannot be modified, so ESP cannot work with NAT that also translates ports.
7.2. IKE identity confirmation and negotiation
IPSec identity confirmation is most commonly done through the IKE protocol. IKE supports two identity authentication mechanisms:
1. The digital certificate method confirms identity through the CA digital certificate system and is the safest and most reliable way.
2. Identity + pre-shared key mode. The initiator and responder are pre-configured with the same key, such as bigtree, to authenticate each other's identity. This is the most common method. With pre-shared key authentication, the identity can be specified in several ways:
a> Specify the IP address and use the IP address as the identity, which is IKE's default method. The responder only allows the specified IP address to initiate negotiation, which is more secure.
b> Specify an IP address range. This method still uses the IP address as the identity, because the initiator must specify an IP address, otherwise the negotiation cannot be initiated. Specifying an IP address range is a responder-side feature. For example, the responder can allow any address within 2.0.0.0/8 to initiate negotiation, instead of only allowing 2.1.1.2. This reduces configuration, but security is slightly reduced.
c> Specify nothing. The IP address is still used as the identity, but any IP address is allowed to initiate negotiation; as long as the pre-shared key is the same, both parties pass identity confirmation. This method is not very secure, but it simplifies configuration. Security drops further.
d> Specify the name of the peer. Both the initiator and the responder are pre-configured with a local name, and this name is used as the identity, similar to specifying the IP address. When the peer name is specified, even if both parties' pre-shared keys are the same, the negotiation is aborted immediately if the peer's name is not valid. Because the name is not bound to the IP address and is transmitted in plain text on the network, this is not as secure as specifying the IP address, but this identification method can traverse NAT.
7.3. NAT traversal principle explained through packet capture
1. When NAT traversal is enabled, the first two messages of IKEv1 phase 1 negotiation (in both main mode and aggressive mode) carry a Vendor ID payload that identifies NAT traversal (NAT-T) capability. It is used to check whether both communicating parties support NAT-T.
When both parties include the payload in their respective messages, NAT-T negotiation proceeds.
2. The NAT-D (NAT Discovery) payload is sent in main mode messages 3 and 4 (aggressive mode messages 2 and 3). The NAT-D payload is used to detect whether there is a NAT gateway between the two gateways that are establishing an IPSec tunnel, and where that NAT gateway is located.
By exchanging hash values of the source and destination IP addresses and ports in both directions, the parties can detect whether the addresses and ports changed in transit. If the hash value a party calculates is the same as the hash value it receives, there is no NAT between them. Otherwise, NAT translation was performed on the IP address or port in transit.
The first NAT-D payload is the hash value of the peer IP and port, and the second NAT-D payload is the hash value of the local IP and port.
3. After a NAT gateway is found, the port number of subsequent ISAKMP messages (from message 5 in main mode, from message 3 in aggressive mode) is changed to 4500. The ISAKMP message is marked with the "Non-ESP Marker".
4. NAT traversal is negotiated in the second phase. Two IPSec encapsulation modes have been added to IKE: UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport. They encapsulate ESP packets in a UDP header; when the encapsulated message passes through a NAT device, the NAT device translates the address and port number in the outer IP header and the added UDP header. The UDP port number is changed to 4500.
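The NAT-D comparison from step 2, as an added example that is not part of the original article. It assumes the hash input defined in RFC 3947 (initiator cookie, responder cookie, IP address, port) and the MD5 hash negotiated in the capture above; the two cookies are the SPIs from that capture, while the IP addresses, ports and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

CKY_I = bytes.fromhex("b0b5887b632a532b")   # initiator SPI from the capture
CKY_R = bytes.fromhex("e5dd838c8d5138b9")   # responder SPI from the capture


def natd_hash(ip, port, hash_name="md5"):
    """HASH(CKY-I | CKY-R | IP | Port), using the hash negotiated for the IKE SA."""
    data = CKY_I + CKY_R + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_natd(local, peer):
    """Payloads in the order they are sent: peer (destination) first, local (source) second."""
    return [natd_hash(*peer), natd_hash(*local)]


def detect_nat(payloads, observed_src, observed_dst):
    """Receiver side: compare the received hashes with the addresses actually seen.

    observed_src is the source IP/port of the arriving datagram; observed_dst is
    the receiver's own local IP/port.
    """
    dst_hash, src_hash = payloads
    return {
        # Destination as the sender addressed it differs from my own address.
        "receiver_behind_nat": dst_hash != natd_hash(*observed_dst),
        # Source as the sender saw itself differs from what arrived on the wire.
        "sender_behind_nat": src_hash != natd_hash(*observed_src),
    }


def ike_port_after_discovery(result):
    """Subsequent ISAKMP messages move to UDP 4500 once any NAT is detected."""
    return 4500 if any(result.values()) else 500


if __name__ == "__main__":
    # Constructed scenario: initiator 192.168.1.10:500 is translated to 203.0.113.5:1024.
    sent = build_natd(local=("192.168.1.10", 500), peer=("198.51.100.20", 500))
    seen = detect_nat(sent, observed_src=("203.0.113.5", 1024),
                      observed_dst=("198.51.100.20", 500))
    print(seen, ike_port_after_discovery(seen))
```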