This article studies and analyzes the IPsec support mechanism in the Linux 2.6 kernel in depth and presents a complete design for building a VPN gateway, covering the user gateway console, the kernel-module communication component and the IKE module; on this basis an IPsec VPN security gateway prototype is designed and implemented.
Security is an important prerequisite for the development of the Internet. In February 1998 the IETF released the IP security protocol suite, commonly known as IPsec: a set of network-layer protocols that provide data origin authentication, data integrity and data confidentiality for both IPv4 and IPv6. As an extensible network security suite, IPsec is widely supported and increasingly adopted. The IPsec security architecture consists of four parts:
(1) Security protocols. The Authentication Header (AH) provides connectionless integrity and data origin authentication for IP datagrams. The Encapsulating Security Payload (ESP) provides confidentiality at the network layer, data origin authentication, connectionless integrity and limited traffic-flow confidentiality. Both AH and ESP support two modes of use: transport mode and tunnel mode. In transport mode the protocol mainly protects upper-layer protocols; in tunnel mode it is applied to tunneled IP packets.
(2) Security associations and security policies. A security association (SA) is a one-way (simplex) “connection” that uses AH or ESP to provide security services in a single direction. If both AH and ESP protection are applied to a traffic flow, two (or more) SAs must be created. Typical bidirectional communication between two hosts, or between two security gateways, therefore requires two security associations, one in each direction. A security policy targets a set of communication parameters (such as IP addresses, port numbers and protocols) to define which network security services are applied to a specific class of network traffic.
(3) Key exchange protocol. Internet Key Exchange (IKE) is an important IPsec protocol; its purpose is to negotiate security associations and supply authenticated keying material for them in a protected manner. The current version of the protocol is IKEv2, which defines more efficient key exchange and key types, more secure authentication and encryption mechanisms, and new methods for creating them.
(4) Security algorithms. The algorithms specified for IPsec include HMAC-MD5-96, HMAC-SHA-1-96 and DES-CBC, among many others.
1 Linux IPSec support
The Linux 2.6 kernel provides a new IPSec support mechanism. It mainly comprises: IPSec processing seamlessly integrated into the kernel network protocol stack; processing for the AH and ESP protocols; the data structures of the key IPSec components, the security association (SA) and the security policy (SP), together with their access algorithms; construction of and access to the security association database (SAD) and the security policy database (SPD); the kernel library of IPSec encryption algorithms; communication between kernel mode and user mode over Netlink sockets; and management of kernel IPSec.
2 VPN gateway overall design and implementation
The VPN security gateway is divided into user console module and kernel space module. As shown in Figure 1.
The security gateway management console provides administrators with a management configuration interface. VPN administrators can turn on or off the security gateway function through the console. When the security gateway is turned on, they can manually establish a secure channel through the management console and configure security policies, security associations and other secure communication parameters.
The security gateway and kernel interaction module is a communication hub that is responsible for connecting the user space process and the kernel space IPSec part. It mainly performs two tasks:
(1) It receives messages actively initiated by user-space processes, including requests from the management console and the IKE daemon, encapsulates each request in the message format accepted by the kernel IPSec management code, sends it to the kernel, and then monitors the result of the kernel's processing;
(2) It monitors messages actively initiated by the kernel, including requests to establish an SA, SA lifetime expiration notifications, and security policy lifetime expiration notifications.
The kernel IPSec management part also includes the communication interface provided by the kernel for the interaction between kernel IPSec and user space. This part receives user space messages, calls the corresponding functions provided in the kernel, and completes specific operations.
The security association database SAD contains all security associations used to protect communications, and the security policy database SPD contains all policy entries in use. All inbound and outbound packets pass through the IP layer; when IPSec processing is applied, the SAD and SPD must be queried to determine the corresponding processing action.
IPSec processing provides encryption and integrity protection for outgoing data and decryption and integrity checking for received data; it is what actually realizes the security guarantee of the gateway and is the functional core of this part. The kernel encryption algorithm library provides IPSec with the functions required for the various cryptographic operations.
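The following is an added illustration, not code from the article or from the Linux kernel: a small Python model of the per-packet SPD and SAD lookups described above, together with the three kernel-initiated events (request to establish an SA, SA lifetime expiry, policy lifetime expiry) that the interaction module must monitor. Selectors, SPIs, addresses and the clock values are constructed sample data; the `Gateway`, `Policy`, `SA` and `Selector` names are this example's own, not kernel identifiers. It also shows why a bidirectional flow needs two SAs and how a policy that applies both AH and ESP yields an SA bundle.

```python
"""Constructed model of IPsec SPD/SAD processing at the IP layer (added example)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Selector:
    """Traffic selector: CIDR source/destination, optional protocol and dest port."""
    src: str
    dst: str
    proto: Optional[int] = None   # None means any protocol
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


@dataclass
class SA:
    spi: int
    dst: str             # tunnel endpoint the SA is addressed to
    proto: str           # "ah" or "esp"
    direction: str       # "out" or "in": an SA is simplex
    hard_expiry: int     # absolute time on a constructed clock (seconds)

    def key(self):
        return (self.spi, self.dst, self.proto)   # SAD lookup key for inbound packets


@dataclass
class Policy:
    selector: Selector
    direction: str
    action: str                     # "protect", "bypass" or "discard"
    protocols: tuple = ()           # protocols applied in order, e.g. ("ah", "esp")
    peer: str = ""                  # remote gateway for tunnel mode
    hard_expiry: Optional[int] = None


class Gateway:
    def __init__(self):
        self.spd = []       # ordered list; first matching policy wins
        self.sad = {}       # (spi, dst, proto) -> SA
        self.events = []    # messages the kernel would push to user space

    def add_policy(self, policy):
        self.spd.append(policy)

    def add_sa(self, sa):
        self.sad[sa.key()] = sa

    def _expire(self, now):
        """Drop expired entries and emit the expiry notifications user space monitors."""
        for key, sa in list(self.sad.items()):
            if now >= sa.hard_expiry:
                self.events.append(("sa_expire", key))
                del self.sad[key]
        for p in list(self.spd):
            if p.hard_expiry is not None and now >= p.hard_expiry:
                self.events.append(("policy_expire", p.selector))
                self.spd.remove(p)

    def _lookup_policy(self, pkt, direction):
        for p in self.spd:
            if p.direction == direction and p.selector.matches(pkt):
                return p
        return None

    def outbound(self, pkt, now):
        """SPD lookup, then one outbound SA per protocol in the policy's bundle."""
        self._expire(now)
        policy = self._lookup_policy(pkt, "out")
        if policy is None or policy.action == "discard":
            return ("discard", [])     # no policy: default deny
        if policy.action == "bypass":
            return ("bypass", [])
        bundle = []
        for proto in policy.protocols:
            sa = next((s for s in self.sad.values()
                       if s.direction == "out" and s.proto == proto and s.dst == policy.peer), None)
            if sa is None:
                # No usable SA: ask user space (IKE daemon) to negotiate one.
                self.events.append(("acquire", proto, policy.peer))
                return ("hold", bundle)
            bundle.append(sa.key())
        return ("protect", bundle)

    def inbound(self, pkt, now):
        """SAD lookup by (SPI, destination, protocol), then verify the inner packet's policy."""
        self._expire(now)
        sa = self.sad.get((pkt["spi"], pkt["dst"], pkt["ipsec_proto"]))
        if sa is None or sa.direction != "in":
            return ("discard", None)
        inner = pkt["inner"]
        policy = self._lookup_policy(inner, "in")
        if policy is None or policy.action != "protect":
            return ("discard", None)   # decapsulated traffic must match a protect policy
        return ("accept", inner)


def demo():
    gw = Gateway()
    gw.add_policy(Policy(Selector("10.1.0.0/16", "10.2.0.0/16"), "out", "protect", ("esp",), peer="203.0.113.2"))
    gw.add_policy(Policy(Selector("10.2.0.0/16", "10.1.0.0/16"), "in", "protect", ("esp",), peer="203.0.113.1"))
    gw.add_policy(Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), "out", "bypass"))
    pkt = {"src": "10.1.0.5", "dst": "10.2.0.9", "proto": 6, "dport": 22}
    first = gw.outbound(pkt, now=100)          # no SA yet: held, acquire event raised
    gw.add_sa(SA(0x1001, "203.0.113.2", "esp", "out", hard_expiry=200))
    gw.add_sa(SA(0x2002, "203.0.113.1", "esp", "in", hard_expiry=200))   # second SA for the reverse direction
    second = gw.outbound(pkt, now=101)         # protected with the outbound SA
    reply = {"spi": 0x2002, "dst": "203.0.113.1", "ipsec_proto": "esp",
             "inner": {"src": "10.2.0.9", "dst": "10.1.0.5", "proto": 6, "dport": 40000}}
    accepted = gw.inbound(reply, now=102)
    late = gw.outbound(pkt, now=250)           # both SAs expired: expiry events, then acquire again
    return first, second, accepted, late, gw.events
```

Running `demo()` shows the order of events user space would see: an acquire for the first packet, two SA expiry notifications once the hard lifetime passes, and a fresh acquire for the packet that follows. The bypass policy is deliberately last in the SPD so that it cannot shadow the protect rule.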