Applications of IPSec
Download
Report
Transcript Applications of IPSec
IPSec
IPSec.1
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Applications of IPSec
•
•
•
IPSec.2
IPSec provides the capability to secure
communications across a LAN, across private
and public WANs, and across the Internet.
Examples of its use include:
Secure branch office connectivity over the
Internet
Secure remote access over the Internet
CEENet ‘2000 - Understanding and using Remote Access and VPN services
IPSec Explained
With thanks to William Stallings and,
IPSec.3
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Applications of IPSec
•
•
•
IPSec.4
Establishment of extranet and intranet
connectivity with partners
Enhancement of electronic commerce security
encrypt or authenticate all traffic at the IP level
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Applications of IPSec
•
Using IPSec all distributed applications can be
secured,
– Remote logon,
– client/server,
– e-mail,
– file transfer,
– Web access
– etc.
IPSec.5
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Applications of IPSec
IPSec.6
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Where can IPSec be used
•
These protocols can operate in
– networking devices,
• such as a router or firewall
– or they may operate directly on the workstation or
server.
IPSec.7
CEENet ‘2000 - Understanding and using Remote Access and VPN services
How can IPSec be used
•
Secure Communications between devices
– Workstation to Workstation
– Protection against data changes
• Accidental or Intentional
– Contents can be hidden
•
IPSec.8
Secure communicatoins through IPSec tunnels
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Benefits of IPSec
•
The benefits of IPSec include:
– Strong security that can be applied to all traffic
crossing the perimeter.
– Transparent to applications.
– No need to change software on a user or server
system
• When IPSec is implemented in a router or firewall
IPSec.9
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Benefits of IPSec
•
The benefits of IPSec include:
– IPSec can be transparent to end users.
– There is no need to train users on security
mechanisms
– PSec can provide security for individual
IPSec.10
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Is IPSec the Right Choice?
•
•
•
IPSec.11
For transport level (personal) services IPSec
must be a part of the network code deployed on
all participating platforms.
Individual protocols may implement their own
security:
– E-Mail: PGP
– Web: SSL
– E-Commerce: SET
– Etc.
As a tunnel protocol it is available to all services
on the network.
CEENet ‘2000 - Understanding and using Remote Access and VPN services
The Scope of IPSec
•
IPSec provides three main facilities
– An authentication-only function,
• Referred to as Authentication Header (AH)
– Acombined authentication/ encryption function
• Called Encapsulating Security Payload (ESP)
– A key exchange function.
• IKE (ISAKMP / Oakley)
IPSec.12
CEENet ‘2000 - Understanding and using Remote Access and VPN services
The Scope of IPSec
•
Both authentication and encryption are generally
desired,
– (1) assure that unauthorized users do not penetrate the
virtual private network
– (2) assure that eavesdroppers on the Internet cannot read
messages sent over the virtual private network.
•
IPSec.13
Because both features are generally desirable,
most implementations are likely to use ESP
rather than AH.
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Security Associations (SA)
•
•
Used for both the authentication (AH) and
confidentiality (ESP)
A one-way relationship between a sender and a
receiver that affords security services to the
traffic carried on it.
– If a peer relationship is needed, for two-way
secure exchange, then two security associations
are required.
•
IPSec.14
Security services are afforded to an SA for the
use of AH or ESP, but not both.
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Security Associations (SA)
•
Each SA is uniquely identified by three
parameters:
– Security Parameters Index (SPI)
– IP destination address
– Security protocol identifier
IPSec.15
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Security Associations (SA)
•
Security Parameters Index (SPI)
– The SPI is a bit string assigned to the SA that has
local significance only.
– The SPI is carried in AH and ESP headers to
enable the receiving system to select the SA
under which a received packet will be processed.
IPSec.16
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Security Associations (SA)
•
IP destination address
– The IP address of the destination endpoint of the
SA
• May be an end-user system
• Or, a network system such as a firewall or router.
– Currently, only unicast addresses are allowed
IPSec.17
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Security Associations (SA)
•
Security Protocol Identifier
– Indicates which IPSec protocol is in use on the SA
• AH (Authentication only)
• ESP (complete encryption and possibly
Authentication)
IPSec.18
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Security Associations (SA)
•
•
•
IPSec.19
For any IP packet, the security association is
uniquely identified by
the destination address
SPI in the enclosed extension header
(AH or ESP).
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Security Associations (SA)
•
•
IPSec.20
IPSec includes a security association database
The database defines the parameters associated
with each SA
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Security Associations (SA)
•
IPSec.21
Each SA is defined by (contains):
– Sequence number counter
– Sequence counter overflow
– Anti-replay window
– AH information
– ESP information
– Lifetime of this security association
– IPSec protocol mode
– Path MTU
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Security Associations (SA)
•
Sequence number counter
– A 32-bit value used to generate the sequence
number field in AH or ESP headers
•
Sequence counter overflow
– A flag indicating whether overflow of the sequence
number counter should generate an auditable
event and prevent further transmission of packets
on this SA
•
Anti-replay window
– Used to determine whether an inbound AH or ESP
packet is a replay, by defining a sliding window
within which the sequence number must fall
IPSec.22
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Security Associations (SA)
•
AH information
– Authentication algorithm, keys, key lifetimes, and
related parameters being used with AH
•
ESP information
– Encryption and authentication algorithm, keys,
initialization values, key lifetimes, and related
parameters being used with ESP
•
IPSec protocol mode
– Tunnel, transport, or wildcard (required for all
implementations)
IPSec.23
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Security Associations (SA)
•
Lifetime of this security association
– A time interval or byte count after which an SA
must be replaced with a new SA (and new SPI) or
terminated, plus an indication of which of these
actions should occur
•
Path MTU
– Any observed path maximum transmission unit
(maximum size of a packet that can be transmitted
without fragmentation) and aging variables
(required for all implementations)
IPSec.24
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Security Associations (SA)
•
•
IPSec.25
The key management mechanism that is used to
distribute keys is coupled to the authentication
and privacy mechanisms only by way of the
Security Parameters Index.
Therefore, authentication and privacy are
specified independent of any specific key
management mechanism.
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Authentication Header (AH)
•
•
•
•
•
IPSec.26
Provides support for data integrity and
authentication of IP packets
Ensures that content changes of a packet in
transit can be detected
Enables an end system or network device to
authenticate the user or application and filter
traffic accordingly
Prevents the address spoofing attacks
Guards against the replay attack
CEENet ‘2000 - Understanding and using Remote Access and VPN services
IPSec Authentication Header
IPSec.27
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Authentication Header (AH)
•
•
•
Authentication is based on the use of a Message
Authentication Code (MAC)
The two parties must share a secret key.
Uses the following elements to guarantee data
integrity
– Payload length
– SPI
– Sequence number
– Integrity Check Value (ICV) or Message
Authentication Code (MAC)
IPSec.28
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Anti-Replay Service
•
•
•
IPSec.29
A replay attack is one in which an attacker
obtains a copy of an authenticated packet and
later transmits it to the intended destination.
The receipt of duplicate, authenticated IP packets
may disrupt service in some way or may have
some other undesired consequence.
The Sequence Number field is designed to thwart
such attacks.
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Anti-Replay Service
•
•
When a new SA is established, the sender initializes a sequence
number counter to 0
Each time that a packet is sent on this SA, the sender increments
the counter and places the value in the Sequence Number field
– Thus, the first value to be used is 1
•
If anti-replay is enabled (the default), the sender must not allow
the sequence number to cycle past 232 – 1 back to zero
– Otherwise, there would be multiple valid packets with the same
sequence number
•
IPSec.30
If the limit of 232 – 1 is reached, the sender should terminate this
SA, and negotiate a new SA with a new key
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Anti-Replay Service
•
•
•
IPSec.31
Because IP is a connectionless, unreliable
service, the protocol does not guarantee that
packets will be delivered in order and does not
guarantee that all packets will be delivered
Therefore, the IPSec authentication document
dictates that the receiver should implement a
window of size W, with a default of W = 64
The protocol describes means to determine that a
sequence number is correct in respect to it's
position in or above the window
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Message Authentication Code
•
•
•
•
•
Uses an algorithm known as HMAC
HMAC takes as input a portion of the message and a secret
key and produces a MAC as output
This MAC value is stored in the Authentication Data field of
the AH header
The calculation takes place over the entire enclosed TCP
segment plus the authentication header
When this IP packet is received at the destination, the same
calculation is performed using the same key
– If the calculated MAC equals the value of the received MAC,
then the packet is assumed to be authentic
IPSec.32
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Message Authentication Code
•
The authentication data field is calculated over:
– IP header fields that either do not change in transit
(immutable) or that are predictable in value upon
arrival at the endpoint for the AH SA
– The AH header other than the Authentication Data
field
– The entire upper-level protocol data, which is
assumed to be immutable in transit (for instance, a
TCP segment or an inner IP packet in tunnel
mode)
IPSec.33
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Message Authentication Code
•
For IPv4, examples of immutable fields are
– Internet Header Length
– Source Address.
•
IPSec.34
An example of a mutable but predictable field is
the Destination Address
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Encapsulating Security
Payload (ESP)
•
Provides confidentiality service, including
– message contents and limited traffic flow
confidentiality
– As an optional feature, ESP can also provide a
authentication services like AH
IPSec.35
CEENet ‘2000 - Understanding and using Remote Access and VPN services
IPSec ESP Format
IPSec.36
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Encapsulating Security
Payload (ESP)
•
•
•
•
•
•
•
IPSec.37
Security Prameters Index (32bits)
Sequence Number (32 bits)
Payload Data (variable)
Padding (0–255 bytes)
Pad Length (8 bits)
Next Header (8 bits)
Authentication Data (variable
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Encapsulating Security
Payload (ESP)
•
Security Prameters Index (32bits)
– Identifies a security association
•
Sequence Number (32 bits)
– A monotonically increasing counter value.
•
Payload Data (variable)
– A transport-level segment (transport mode) or IP
packet (tunnel mode) that is protected by
encryption.
IPSec.38
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Encapsulating Security
Payload (ESP)
•
Padding (0–255 bytes)
– Extra bytes that may be required if the encryption
algorithm requires the plaintext to be a multiple of
some number of octets
•
Pad Length (8 bits)
– Indicates the number of pad bytes immediately
preceding this field
IPSec.39
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Encapsulating Security
Payload (ESP)
•
Next Header (8 bits)
– Identifies the type of data contained in the payload
data field by identifying the first header in that
payload (for example, an upper-layer protocol
such as TCP)
•
Authentication Data (variable)
– A variable-length field (must be an integral
number of 32-bit words) that contains the integrity
check value computed over the ESP packet minus
the Authentication Data field
IPSec.40
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Encryption and Authentication
Algorithms
•
•
IPSec.41
The Payload Data, Padding, Pad Length, and Next
Header fields are encrypted by the ESP service.
The current IPSec specification dictates that a
compliant implementation must support the Data
Encryption Standard (DES).
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Encryption and Authentication
Algorithms
•
•
IPSec.42
A number of other algorithms have been
assigned identifiers and could, therefore, be used
for encryption;
These include
– Three-key Triple DES
– RC5
– International Data Encryption Algorithm (IDEA)
– Three-key Triple IDEA
– CAST
– Blowfish
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Transport and Tunnel Modes
•
AH and ESP each support two modes of use
–Transport mode
–Tunnel mode
IPSec.43
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Transport and Tunnel Modes
IPv4
Orig IP
Header
TCP
Data
Original IP Packet
Authenticated
Encrypted
IPv4
Orig IP
Header
ESP
Hdr
ESP ESP
Trlr Auth
Data
TCP
Transport Mode
Authenticated
Encrypted
IPv4
New IP
Header
ESP
Hdr
Orig IP
Header
TCP
Data
ESP ESP
Trlr Auth
Tunnel Mode
IPSec.44
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Transport Mode
•
Provides protection primarily for upper-layer
protocols.
– Extends to the payload of an IP packet.
• TCP
• UDP
• (ICMP), etc.
Authenticated
Encrypted
IPv4
Orig IP
Header
ESP
Hdr
TCP
Data
ESP ESP
Trlr Auth
Transport Mode
IPSec.45
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Transport Mode
•
Typically used for end-to-end communication
between two hosts
– for example, between a workstation and a server,
or between two servers
•
When a host runs AH or ESP over IPv4, the
payload is the data that normally follows the IP
header
Authenticated
Encrypted
IPv4
Orig IP
Header
ESP
Hdr
TCP
Data
ESP ESP
Trlr Auth
Transport Mode
IPSec.46
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Transport Mode
•
•
ESP in transport mode encrypts and optionally
authenticates the IP payload but not the IP header
AH in transport mode authenticates the IP
payload and selected portions of the IP header
Authenticated
Encrypted
IPv4
Orig IP
Header
ESP
Hdr
TCP
Data
ESP ESP
Trlr Auth
Transport Mode
IPSec.47
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Transport Mode
•
As an example, consider a Telnet session within
an ESP packet in transport mode
– The IP header would contain 51 in the Next
Header field
– In the ESP header, the Next Header field would be
6 for TCP
– Within the TCP header, Telnet would be identified
as port 23
IPSec.48
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Transport Mode
•
Transport mode operation may be summarized
for ESP as follows:
– At the source, the block of data consisting of the
ESP trailer plus the entire transport-layer segment
is encrypted
– The plaintext of this block is replaced with its
ciphertext to form the IP packet for transmission
– Authentication is added if this option is selected
IPSec.49
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Transport Mode
– The packet is then routed to the destination
– Each intermediate router needs to examine and
process the IP header plus any plaintext IP
extension headers but will not need to examine
the ciphertext
– The destination node examines and processes the
IP header plus any plaintext IP extension headers
IPSec.50
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Transport Mode
– Then, on the basis of the SPI in the ESP header,
the destination node decrypts the remainder of the
packet to recover the plaintext transport-layer
segment
– This process is similar for AH, however the
payload (upper layer protocol) is not encrypted
IPSec.51
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Tunnel Mode
•
•
Tunnel mode encapsulates an entire IP packet
within an IP packet to ensure that no part of the
original packet is changed as it is moved through
a network
The entire original, or inner, packet travels
through a tunnel from one point of an IP network
to another
– No routers along the way need to examine the
inner IP header
Authenticated
Encrypted
IPv4
New IP
Header
ESP
Hdr
Orig IP
Header
TCP
Data
ESP ESP
Trlr Auth
Tunnel Mode
IPSec.52
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Tunnel Mode
•
Tunnel mode is used when one or both ends of
an SA is a security gateway, such as a firewall or
router that implements IPSec, etc.
Authenticated
Encrypted
IPv4
New IP
Header
ESP
Hdr
Orig IP
Header
TCP
Data
ESP ESP
Trlr Auth
Tunnel Mode
IPSec.53
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Tunnel Mode
•
•
•
With tunnel mode, a number of hosts on networks
behind firewalls may engage in secure
communications without implementing IPSec.
The unprotected packets generated by such
hosts are tunneled through external networks
These paths use SAs set up by the IPSec process
in the firewall or secure router at the boundary of
the local network
Authenticated
Encrypted
IPv4
New IP
Header
ESP
Hdr
Orig IP
Header
TCP
Data
ESP ESP
Trlr Auth
Tunnel Mode
IPSec.54
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Tunnel Mode
•
Transport mode is suitable for protecting
connections between hosts that support the ESP
feature
Authenticated
Encrypted
IPv4
New IP
Header
ESP
Hdr
Orig IP
Header
TCP
Data
ESP ESP
Trlr Auth
Tunnel Mode
IPSec.55
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Tunnel Mode
•
Tunnel mode is useful in a configuration that
includes a firewall or other sort of security
gateway that protects a trusted network from
external networks
– Encryption occurs only between an external host
and the security gateway or between two security
gateways
– This setup relieves hosts on the internal network
of the processing burden of encryption and
simplifies the key distribution task by reducing the
number of needed keys
IPSec.56
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Transport and Tunnel Modes
IPSec.57
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Tunnel Mode
•
The user system prepares an inner IP packet with
a destination address of the target host on the
internal LAN.
– For a Telnet session, this packet would be a TCP
packet with the original SYN flag set with a
destination port set to 23.
•
IPSec.58
This entire IP packet is prefixed by an ESP
header; then the packet and ESP trailer are
encrypted and Authentication Data may be added.
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Tunnel Mode
•
•
The Next Header field of the ESP header would be
decimal 4 for IP-in-IP, indicating that the entire
original IP packet is contained as the ìpayload
The resulting block is encapsulated with a new IP
header whose destination address is the firewall
– This forms the outer IP packet
– The Next Header field for this IP packet is 50 for
ESP
IPSec.59
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Tunnel Mode
•
The outer packet is routed to the destination
firewall.
– Each intermediate router needs to examine and
process the outer IP header plus any outer IP
extension headers but does not need to examine
the ciphertext.
IPSec.60
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Tunnel Mode
•
The destination firewall examines and processes
the outer IP header plus any outer IP extension
headers
– On the basis of the SPI in the ESP header, the
gateway decrypts the remainder of the packet to
recover the plaintext inner IP packet
•
IPSec.61
This inner packet (tunnel contents) is then
transmitted on the internal network
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Tunnel Mode
•
The inner packet is routed through zero or more
routers in the internal network to the destination
host
– The receiver would have no indication that the
packet had been encapsulated and protected by
the tunnel between the user system and the
gateway.
– It would see the packet as a request to start a
Telnet session and would respond back with a
TCP SYN / ACK
IPSec.62
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Tunnel Mode
•
•
IPSec.63
The return packet would go back to the gateway.
The gateway would encapsulate that packet into
an IPSec packet and transport it back to the user
system through this tunnel, etc
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Key Management
•
IPSec.64
Manual: Configures each system with its own
keys and with the keys of other communicating
systems.
– This is practical for small, relatively static
environments.
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Key Management
•
IPSec.65
Automated: Enables on-demand creation of keys
for SAs and facilitates the use of keys in a large
distributed system with an evolving
configuration.
– An automated system is the most flexible…
– But requires more effort to configure and requires
more software, so smaller installations are likely to
opt for manual key management.
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Key Management
•
•
IPSec.66
Default automated key management protocol for
IPSec is referred to as Internet Key Exchange
(IKE)
IKE provides a standardized method for
dynamically authenticating IPSec peers,
negotiating security services, and generating
shared keys
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Key Management
•
IKE has evolved from many different protocols
and can be thought of as having two distinct
capabilities
– ISAKMP (Key Management)
– Oakley (Key Distribution)
IPSec.67
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Key Management
•
ISAKMP (Pronounced Ice-Uh-Kamp)
– provides a framework for Internet key
management
– provides the specific protocol support, including
formats, for negotiation of security attributes
– Does not dictate a specific key exchange
algorithm
• Consists of a set of message types that enable the
use of a variety of key exchange algorithms.
IPSec.68
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Key Management
•
•
•
The actual key exchange mechanism in IKE is
derived from Oakley
Plus several other key exchange protocols that
had been proposed for IPSec
Key exchange is based on the use of the Diffie
Hellman algorithm
– But provides added security
– In particular, Diffie-Hellman alone does not authenticate the
two users that are exchanging keys, making the protocol
vulnerable to impersonation
– IKE includes mechanisms to authenticate the users
IPSec.69
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Public Key Certificates
•
•
•
IPSec.70
An important element of IPSec key management
is the use of public key certificates
A public key certificate is provided by a trusted
Certificate Authority (CA) to authenticate a user's
public key
The essential steps include…
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Public Key Certificates
•
Step 1
– Client software creates a pair of keys, one public
and one private
– The client prepares an unsigned certificate that
includes a user ID and the user's public key
– The client then sends the unsigned certificate to a
CA in a secure manner
IPSec.71
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Public Key Certificates
•
Step 2
– A CA creates a signature by calculating the hash
code of the unsigned certificate and encrypting the
hash code with the CA's private key
• The encrypted hash code is the signature
– The CA attaches the signature to the unsigned
certificate and returns the now signed certificate to
the client
IPSec.72
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Public Key Certificates
•
Step 3
– The client may send its signed certificate to any
other user
– That user may verify that the certificate is valid by
• Calculating the hash code of the certificate (not
including the signature)
• Decrypting the signature using the CA's public key
• Comparing the hash code to the decrypted
signature.
IPSec.73
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Public Key Certificates
•
•
•
If all users subscribe to the same CA, then there
is a common trust of that CA
User certificates can be placed in the directory
for access by all users.
Or a user can transmit his or her certificate
directly to other users.
– In either case, once B is in possession of A's
certificate, B has confidence that messages it
encrypts with A's public key will be secure from
eavesdropping and that messages signed with A's
private key are unforgeable
IPSec.74
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Public Key Certificates
•
•
•
IPSec.75
If there is a large community of users, it may not
be practical for all users to subscribe to the same
CA
Because it is the CA that signs certificates, each
participating user must have a copy of the CA's
own public key to verify signatures
This public key must be provided to each user in
an absolutely secure
CEENet ‘2000 - Understanding and using Remote Access and VPN services
Recommended Web Sites
•
The IPSec Working Group of the IETF. Charter for
the group and latest RFCs and Internet Drafts for
IPSec:
– http://ietf.org/html.charters/ipsec-charter.html
•
IPSec Resources: List of companies
implementing IPSec, implementa-tion survey, and
other useful material:
– http://web.mit.edu/tytso/www/ipsec/index.html
IPSec.76
CEENet ‘2000 - Understanding and using Remote Access and VPN services