An IP Packet with tunnel mode ESP

5.4.3.4.1.3Security Associations

RFC2401 defines a Security Association (SA) as a simplex or one-way connection that affords security services to the traffic it carries. Separate SAs must exist for each direction. IPSec stores the SAs in the Security Association Database (SAD), which resides in the Linux kernel.

5.4.3.4.1.4Security Policy

A Security Policy is a general plan that guides the actions taken on an IP datagram. Upon processing an incoming or outgoing IP datagram, the security policy is consulted to determine what to do with the IP datagram. One of three actions will occur: the datagram is to be discarded, the datagram is to bypass IPSec processing, or IPSec processing is to be applied.

If IPSec processing is to be done, the policy will indicate which SA to access in the SAD. This SA will indicate the keys and service and other information related to the securing of the IP datagram. Security policies are stored in the Security Policy Database (SPD), which resides in the Linux kernel.

5.4.3.4.1.5SA, SP, and Key Management

There are services for both manual and automated SA creation and maintenance. Manual management refers to an administrative user interface that allows for the creation and deletion of policy, SAs, and keys. Automated SA and key management is done through the IKE protocol.

5.4.3.4.1.6Internet Key Exchange Protocol (IKE)

The Internet Key Exchange (IKE) protocol is designed so it can be used to negotiate SAs on behalf of any service, such as IPSec, RIPv2, or OSPF. Each service has a Domain of Interpretation (DOI) document describing the attributes required to establish an SA. IPSec’s DOI is RFC 2407.

IKE has two basic phases, which it takes from Internet Security Association and Key Management Protocol (ISAKMP). The first phase establishes an authenticated and secure channel between two remote peers. During this phase the two peers exchange necessary information and keying material with each other. The result is an ISAKMP SA for each peer. This ISAKMP SA is then used to set up a secure and authenticated traffic stream when the two peers wish to negotiate an IPSec SA or an SA for any other service.

5.4.3.4.1.7Socket API

The PF_KEY API, defined in RFC 2367, is a socket protocol family that allows userspace manual and automated key management tools to communicate with the kernel.

Linux also has xfrm_user, which makes use of the Netlink API, to communicate with the kernel.

The PF_KEY API defines interfaces for adding, deleting, updating, and retrieving SAs as well as maintaining the state and lifetime. The API has been extended in the Linux kernel to include SPD management too.

77

Page 88 Page 90
Page 89
Image 89
IBM 10 SP1 EAL4 manual An IP Packet with tunnel mode ESP
Page 88 Page 90
Top Page Image Contents