IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, Second Edition

Book Description

The insider's guide to IPSec for every network professional—updated for the newest standards, techniques, and applications.

Using IPSec, companies can build VPNs and other Internet-centered applications with confidence that their data will remain secure. IPSec, Second Edition is the most authoritative, comprehensive, accessible, and up-to-date guide to IPSec technology. Two leading authorities in IPSec standardization and implementation cover every facet of IPSec architecture and deployment, review important technical advances since IPSec was first standardized, and present new case studies that show how IPSec can provide end-to-end security in real business environments. Coverage includes:

  • New, in-depth deployment guidance: policy definition, representation, distribution, and management

  • New IPSec enhancements: compression, multicast, key recovery, L2TP support, PKI integration, and more

  • IPSec architecture and components: payloads, headers, Internet Key Exchange, security associations, and more

  • Implementation architecture and techniques, including overlapping and shared security associations, nested and chained tunnels, and more

  • IPSec security in host-to-host, host-to-gateway, and gateway-to-gateway scenarios

  • Establishing secure VPN tunneling

  • A detailed look inside the IPSec kernel

IPSec, Second Edition delivers the techniques and insight you need to protect all your digital assets, wherever they are—on the Internet, your intranet, your extranet, or your VPN. Whether you're a networking or Web professional, software developer, or security specialist, you'll find it indispensable.

Table of Contents

  1. Copyright
    1. Dedication
  2. Preface
    1. Organization
    2. Acknowledgments
    3. Network Diagram Key
  3. 1. Cryptographic History and Techniques
    1. Secrets in History
    2. Rise of the Internet
    3. Internet Security
    4. Cryptographic Building Blocks
      1. One-Way Functions and Trap Doors
      2. One-Way Hash Functions
      3. Ciphers
        1. Symmetric Ciphers
        2. Asymmetric Ciphers
          1. RSA
          2. El-Gamal
      4. Authentication and Integrity
        1. Authentication
          1. RSA
          2. DSA
        2. Message Integrity
      5. Key Exchanges
        1. Diffie-Hellman
        2. RSA Key Exchange
    5. Crypto Concepts
      1. Perfect Forward Secrecy
      2. Denial of Service
    6. More Information
  4. 2. TCP/IP Overview
    1. Introduction to TCP/IP
      1. Protocol Stack
      2. Data Flow
      3. Network Layer
        1. IPv4
    2. Addressing
      1. IPv4 Header
      2. IPv6
        1. Addressing
        2. IPv6 Header
        3. Extension Headers
      3. Fragmentation
      4. ICMP
      5. Multicast
      6. Transport Layer
    3. Domain Name System
    4. Security—at What Level?
      1. Application Layer
      2. Transport Layer
      3. Network Layer
      4. Data Link Layer
  5. 3. IP Security Overview
    1. The Architecture
      1. Security Association
      2. Policy
      3. Anti-Replay
    2. Encapsulating Security Payload (ESP)
    3. Authentication Header (AH)
    4. Internet Key Exchange
  6. 4. IPSec Architecture
    1. The IPSec Roadmap
    2. IPSec Implementation
      1. Host Implementation
      2. OS Integrated
        1. Bump in the Stack
      3. Router Implementation
    3. IPSec Modes
      1. Transport Mode
      2. Tunnel Mode
    4. Security Associations
      1. Security Parameter Index (SPI)
      2. SA Management
        1. Creation
        2. Deletion
      3. Parameters
        1. Sequence Number
        2. Sequence Number Overflow
        3. Antireplay Window
        4. Lifetime
        5. Mode
        6. Tunnel Destination
        7. PMTU parameters
      4. Security Policy
        1. Selectors
          1. Source Address
          2. Destination Address
          3. Name
          4. Protocol
          5. Upper Layer Ports
    5. IPSec Processing
      1. Outbound
      2. Inbound
    6. Fragmentation
    7. ICMP
  7. 5. The Encapsulating Security Payload (ESP)
    1. The ESP Header
    2. ESP Modes
    3. ESP Processing
      1. Outbound Processing
      2. Input Processing
  8. 6. The Authentication Header (AH)
    1. The AH Header
    2. AH Modes
      1. Transport Mode
      2. Tunnel Mode
    3. AH Processing
      1. Output Processing
      2. Input Processing
  9. 7. The Internet Key Exchange
    1. ISAKMP
      1. Messages and Payloads
      2. Messages
      3. Exchanges and Phases
      4. Cookies
      5. Policy Negotiation
    2. IKE
      1. IKE Exchanges
      2. Main Mode Exchange
      3. Aggressive Mode Exchange
      4. Quick Mode Exchange
      5. Other IKE Exchanges
    3. The IPSec DOI
    4. Summary
  10. 8. Policy
    1. Policy Definition Requirement
    2. Policy Representation and Distribution
    3. Policy Management System
      1. Kernel Support
      2. IKE Support
    4. Deployment
    5. Setting Up the Policy
  11. 9. IPSec Implementation
    1. Implementation Architecture
      1. IPSec Base Protocols
      2. SPD and SADB
      3. IKE
      4. Policy Management System
    2. IPSec Protocol Processing
      1. Outbound Processing
        1. SPD Processing
      2. IKE Processing
      3. SA Processing
        1. Transport Mode Header Processing
        2. ESP Processing
        3. AH Processing
        4. Tunnel Mode Processing
          1. IPv4 Tunnel Header
          2. IPv6 Tunnel Header
        5. Multiple Header Processing
      4. Inbound Processing
    3. Fragmentation and PMTU
      1. Host Implementation
      2. Router Implementation
    4. ICMP Processing
  12. 10. IP Security in Action
    1. End-to-End Security
      1. Virtual Private Networks
      2. Road Warriors
      3. Nested Tunnels
      4. Chained Tunnels
  13. 11. Deployment Scenarios (Using IPsec to Secure the Network)
    1. Site-to-Site Policies
    2. Remote Access Policies
      1. Firewall and VPN Gateway Interaction
      2. A Few Words About Addressing
    3. Four Office Company Example
      1. Fully-Meshed Configuration
      2. Hub-And-Spoke Configuration
    4. Multiple Company Extranet Example
      1. Single Site Hosts Extranet
      2. Each Site Hosts Extranet
    5. Outsourcing Networks
      1. PE-based versus CE-based Solutions
      2. Deployment Scenarios
        1. Intranets
        2. Extranets
        3. Third Party Extranet
      3. Issues in Outsourced Networks
        1. Policy
        2. Security In ISP Network
        3. Multiple-ISP Issues
    6. Summary
  14. 12. IPSec Futures
    1. Compression
      1. Output Processing
      2. Input Processing
    2. Multicast
      1. Source Authentication
      2. Key Management
        1. Key Management for Multicast
        2. Secure Multicast Key Distribution
        3. MKMP
    3. Key Recovery
      1. IPSec and Key Recovery
    4. L2TP
    5. Public Key Infrastructure
  15. Bibliography
    1. Books
    2. Journals and Technical Reports
    3. IETF Documents: RFCs
    4. IETF Documents: Internet Drafts