# IPsec

IP-in-IP tunnelling type (in tunnel mode). A suite of protocols for securing network communication at layer 3.

It uses two orthogonal concepts: the protocol (AH or ESP) and the mode (transport or tunnel).

## Protocols

The main L3 protocols. The IP packet's protocol field points to either AH (51) or ESP (50).

### AH
Authentication only; it does not provide encryption. The authentication value (a keyed hash, e.g. HMAC-SHA1-96) is computed over the payload, the AH header and the immutable IP header fields. Fields that routers legitimately change in transit (TTL, DSCP/ECN, flags, fragment offset, header checksum) are zeroed before the hash is computed, so they are not protected.

Notable header fields:

- Next Header: the protocol of what follows AH (e.g. TCP, or IP in tunnel mode)
- Security Parameter Index (SPI): a 32-bit identifier used by the recipient to fetch the security association (context) associated with the packet
- Authentication Data (ICV): the calculated hash value; a mismatch means the packet is discarded

Incompatible with NAT: the source and destination addresses are covered by the hash, and an intermediate party doing NAT does not know the secret key needed to recompute it after rewriting an address. The receiving side therefore drops the rewritten packets. (ESP can cross a NAT with UDP encapsulation, NAT-T; AH cannot.)
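Worked example of the AH integrity check described above. This is an added illustration, not code from this page or from any IPsec implementation: it builds an IPv4 packet carrying AH in transport mode, computes the ICV as HMAC-SHA1-96 over the packet with the mutable IPv4 fields zeroed (as RFC 4302 specifies), and then shows that a router hop (TTL decrement plus checksum fix-up) leaves the ICV valid while a NAT rewriting the source address breaks it. The key, SPI, addresses and TCP payload are constructed values.

```python
import hmac
import hashlib
import struct
from socket import inet_aton

AH_PROTO = 51
ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte SHA-1 HMAC to 96 bits
# Constructed values: in a real deployment the SA key and SPI come from IKE.
KEY = b"example-ah-key-not-for-real-use"
SPI = 0x0000A5A5


def ip_checksum(hdr):
    """Ones'-complement checksum over an IPv4 header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _fix_checksum(hdr):
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options, with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                                ttl, proto, 0, inet_aton(src), inet_aton(dst)))
    return _fix_checksum(hdr)


def zero_mutable(ip_hdr):
    """Copy of the IPv4 header with the mutable fields zeroed, as RFC 4302 requires
    before the ICV is computed: TOS/DSCP, flags+fragment offset, TTL, header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV over (immutable IP header | AH header with ICV zeroed | payload)."""
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_transport(key, src, dst, next_header, payload, seq=1):
    """IP | AH | payload; AH's Next Header names the payload's protocol (TCP = 6)."""
    ah_len = 12 + ICV_LEN
    # Payload Len field = AH length in 32-bit words minus 2.
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, SPI, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah(key, pkt):
    """Receiver side: recompute the ICV and compare it in constant time."""
    ip_hdr = pkt[:20]
    if ip_hdr[9] != AH_PROTO:
        return False
    ah_len = (pkt[21] + 2) * 4
    ah_fixed, icv, payload = pkt[20:32], pkt[32:20 + ah_len], pkt[20 + ah_len:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def router_hop(pkt):
    """What every router does: decrement TTL and fix the checksum. Both are mutable fields."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    return _fix_checksum(hdr) + pkt[20:]


def nat_rewrite_src(pkt, new_src):
    """What a NAT does: replace the source address. It is covered by the ICV."""
    hdr = bytearray(pkt[:20])
    hdr[12:16] = inet_aton(new_src)
    return _fix_checksum(hdr) + pkt[20:]


if __name__ == "__main__":
    pkt = build_ah_transport(KEY, "192.0.2.10", "198.51.100.20", 6, b"constructed TCP segment")
    print("original    :", verify_ah(KEY, pkt))                                  # True
    print("after router:", verify_ah(KEY, router_hop(pkt)))                      # True
    print("after NAT   :", verify_ah(KEY, nat_rewrite_src(pkt, "203.0.113.7")))  # False
```

Running it prints True, True, False: the hop survives because TTL and checksum are zeroed in the ICV computation, the NAT does not because the address is part of the authenticated data.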
### ESP

Provides encryption, authentication, or both. The IP header is not encrypted (only the ESP payload and trailer are), and the IP header together with the SPI selects the security association and thus the policy applied to the packet.

## Modes

The modes differ in what the policy is applied to and how the packet is encapsulated. On the wire they are distinguished only by the Next Header field of the AH or ESP header (for ESP, in the trailer):

next header of AH/ESP (symbolic name) | mode
---|---
IP (4 for IPv4, 41 for IPv6) | tunnel mode
a transport protocol, e.g. TCP (6) or UDP (17) | transport mode

### Transport mode
The original IP header is kept and only the payload is protected. Example with AH: | IP header | AH header | TCP |

Typically used to secure communication between hosts.

### Tunnel mode
The entire IP packet is encapsulated in a new IP packet. The implication is that the encapsulated (inner) source/destination addresses may differ from those in the outer IP header. Example with AH: | IP header | AH header | IP header | TCP |

Typically used to secure communication between networks (gateway to gateway).

An arriving packet is stripped of the outer IP header and the AH/ESP header, and the inner packet is injected into the routing process.
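Added example (not from this page or any IPsec implementation) of how a receiver tells the two modes apart and what "stripped of extra headers and injected into routing" means in practice. It constructs one AH packet per mode and walks IP then AH: the AH Next Header field decides whether the bytes after AH are an inner IP packet to hand back to routing (tunnel mode) or a transport segment to deliver locally (transport mode). The ICV is left as zeros because only header walking is shown; addresses, SPIs and the payload are made-up values.

```python
import struct
from socket import inet_aton, inet_ntoa

AH_PROTO = 51      # IP protocol number of AH
IPV4_IN_IP = 4     # AH Next Header value for an encapsulated IPv4 packet (tunnel mode)
TCP = 6
ICV_LEN = 12       # HMAC-SHA1-96
AH_LEN = 12 + ICV_LEN


def ipv4_header(src, dst, proto, payload_len):
    # Constructed header; checksum left 0 because only header walking is demonstrated.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       inet_aton(src), inet_aton(dst))


def ah_header(next_header, spi, seq):
    # Fixed 12 bytes + ICV. Payload Len = AH length in 32-bit words minus 2.
    return struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)


def example_packets():
    """Constructed samples: AH transport (host to host) and AH tunnel (gateway to gateway)."""
    segment = b"constructed TCP segment"
    transport = (ipv4_header("192.0.2.10", "198.51.100.20", AH_PROTO, AH_LEN + len(segment))
                 + ah_header(TCP, spi=0x100, seq=1) + segment)
    inner = ipv4_header("10.0.0.5", "10.1.0.9", TCP, len(segment)) + segment
    tunnel = (ipv4_header("192.0.2.1", "198.51.100.1", AH_PROTO, AH_LEN + len(inner))
              + ah_header(IPV4_IN_IP, spi=0x200, seq=7) + inner)
    return {"transport": transport, "tunnel": tunnel}


def receive_ah(pkt):
    """Walk IP -> AH, decide the mode from AH's Next Header, return what the stack does next."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != AH_PROTO:
        raise ValueError("outer protocol is not AH (51)")
    outer = (inet_ntoa(pkt[12:16]), inet_ntoa(pkt[16:20]))
    ah = pkt[ihl:]
    next_header = ah[0]
    ah_len = (ah[1] + 2) * 4
    spi, seq = struct.unpack("!II", ah[4:12])
    rest = ah[ah_len:]  # everything after AH (ICV verification is omitted in this example)
    if next_header == IPV4_IN_IP:
        # Tunnel mode: outer IP and AH are stripped; the inner packet goes back into routing,
        # and its addresses need not match the outer ones.
        inner = (inet_ntoa(rest[12:16]), inet_ntoa(rest[16:20]))
        return {"mode": "tunnel", "spi": spi, "seq": seq, "outer": outer, "inner": inner,
                "next_proto": rest[9], "packet": rest}
    # Transport mode: the original IP header stays; AH is stripped and the payload is
    # delivered locally to the protocol named by Next Header.
    return {"mode": "transport", "spi": spi, "seq": seq, "outer": outer, "inner": None,
            "next_proto": next_header, "packet": rest}


if __name__ == "__main__":
    for name, pkt in example_packets().items():
        r = receive_ah(pkt)
        print(name, "->", r["mode"], "outer", r["outer"], "inner", r["inner"],
              "hand %d bytes to proto %d" % (len(r["packet"]), r["next_proto"]))
```

For the tunnel packet the inner addresses (10.0.0.5 to 10.1.0.9) are private and differ from the outer gateway addresses, which is exactly why the inner packet has to go back through routing after decapsulation.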