
IPSEC

IPSEC (A Simple IP Security Layer)

SPECIFICATION
IPSEC is a simple version of the emerging Internet IP security protocol. It uses a one-byte SAID, which is an algorithm identifier. The algorithm-SAID correspondence is determined by the protocol graph, as described below. In conjunction with a full suite of supporting cryptographic protocols and key management, it can provide host-host security services such as privacy, authentication, and message integrity.

REALM
IPSEC is in the ASYNC realm.

PARTICIPANTS
IPSEC passes participants to the lower protocols without manipulating them.

CONTROL OPERATIONS
CONFIGURATION
IPSEC must be configured over a datagram protocol that preserves packet boundaries. However, the complete environment for constructing a sensible security service based on IPSEC is considerably more complicated. The cryptographic services for the system should be configured over IPSEC, and they should use active key management.

IPSEC can manage several cryptographic handling stacks, as long as they adhere to a special naming convention. The numeric characters of the security service instance name are used as an algorithm identifier. Machines using IPSEC for communication must have the same naming conventions to assure proper decryption or message validation. The graph.comp shown below uses "1" to mean the DES algorithm and "2" to mean the md5 algorithm. Also, the scheme shown below negotiates only one key for each host pair. A later version of IPSEC will support an arbitrary number.

Example of a graph.comp file:


---------------------------------
@;
name=simeth;
name=eth protocols=simeth;
name=arp protocols=eth;
name=vnet protocols=eth,arp;
name=ip protocols=vnet dir=ip files=ip,ip_frag,ip_input,ip_gc,
     ip_util,ip_rom,ip_control,ip_hdr,iproute;
name=ipsec       protocols=ip dir=ipsec files=ipsec_simple;
name=km/sig     dir=km files=km;
name=km/dh;
name=dhkx       dir=dhkx files=dhkx protocols=dss,km/dh;
name=sha        dir=sha  files=sha;
name=dss        dir=dss  files=dss,dssaux protocols=ip,sha,km/sig
     trace=TR_FULL_TRACE;
name=km/said;
#
name=km/md5 protocols=dhkx,km/dh trace=TR_FULL_TRACE;
name=md5/m2 protocols=ipsec,km/md5 dir=md5 files=md5 trace=TR_FULL_TRACE;
name=crypt/c1 protocols=ipsec,km/cr dir=crypt files=crypt trace=TR_FULL_TRACE;
name=udp protocols=md5/m2 trace=TR_DETAILED;
#
name=udptest protocols=udp;
name=confounder dir=confounder trace=TR_DETAILED;
@;
prottbl=/cs/xkernel.v3.2/etc/prottbl.std;
romopt crypt/c1 numparts 2;
romopt md5/m2 numparts 2;
romopt dhkx numparts 2;
romopt dhkx delay 30;
romopt confounder zerofill 4;
@;
prottbl = ../../../etc/prottbl.nonstd;
---------------------------------
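The naming convention described under CONFIGURATION can be checked before two hosts are deployed. The following is an added example, not part of the x-kernel distribution: it derives the SAID table from a graph.comp and compares it with a peer's. It assumes the instance name is the part after "/" and that entries follow the syntax shown above; the function names and the peer graph are hypothetical.

```python
import re

# Constructed sample: the IPSEC-related entries of the graph.comp above.
GRAPH_A = """
name=ipsec       protocols=ip dir=ipsec files=ipsec_simple;
#
name=km/md5 protocols=dhkx,km/dh trace=TR_FULL_TRACE;
name=md5/m2 protocols=ipsec,km/md5 dir=md5 files=md5 trace=TR_FULL_TRACE;
name=crypt/c1 protocols=ipsec,km/cr dir=crypt files=crypt trace=TR_FULL_TRACE;
name=udp protocols=md5/m2 trace=TR_DETAILED;
"""
# Constructed peer graph whose instance names carry swapped digits.
GRAPH_B = GRAPH_A.replace("md5/m2", "md5/m1").replace("crypt/c1", "crypt/c2")

def parse_entries(text):
    """Yield (name, lower-protocol list) for each ';'-terminated entry."""
    text = re.sub(r"#.*", "", text)  # drop '#' comment lines
    for entry in text.split(";"):
        fields = dict(f.split("=", 1) for f in entry.split() if "=" in f)
        if "name" in fields:
            lowers = fields.get("protocols", "")
            yield fields["name"], [p for p in lowers.split(",") if p]

def said_table(text, layer="ipsec"):
    """Map SAID -> protocol for instances configured directly over `layer`."""
    table = {}
    for name, lowers in parse_entries(text):
        if layer not in lowers or "/" not in name:
            continue
        proto, instance = name.split("/", 1)
        digits = "".join(re.findall(r"[0-9]", instance))
        if not digits:
            raise ValueError(f"{name}: instance name has no numeric characters")
        said = int(digits)
        if said > 255:  # the SAID is a single byte on the wire
            raise ValueError(f"{name}: SAID {said} does not fit in one byte")
        if said in table:
            raise ValueError(f"SAID {said} used by both {table[said]} and {proto}")
        table[said] = proto
    return table

def mismatches(local, peer):
    """SAIDs that the two hosts do not resolve to the same algorithm."""
    return {s: (local.get(s), peer.get(s))
            for s in sorted(set(local) | set(peer)) if local.get(s) != peer.get(s)}

if __name__ == "__main__":
    print(said_table(GRAPH_A))
    print(mismatches(said_table(GRAPH_A), said_table(GRAPH_B)))
```

A non-empty result from `mismatches` means the peer would hand a received packet to the wrong handling stack, so decryption or message validation would fail.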

AUTHOR
Hilarie Orman





Tue Nov 29 16:28:56 MST 1994