IPSec Implementation in Linux
IPSEC Basic
| Security Scheme | Difference |
|---|---|
| IPSEC | Security scheme operating in the Internet Layer of the Internet Protocol Suite, so it protects every protocol carried over IP without application changes |
| TLS/SSH | Security scheme operating in the upper layers of the TCP/IP model (e.g. the transport layer), so each application has to use it explicitly |
| IPSEC Protocol | Note |
|---|---|
| AH (Authentication Header) | provides source authentication and data integrity for IP datagrams, but it is not designed to provide confidentiality |
| ESP (Encapsulating Security Payload) | provides source authentication, data integrity, and confidentiality |
| IPSEC Mode | Protocol | Note |
|---|---|---|
| Transport | AH | only the payload of the IP packet is usually authenticated |
| Transport | ESP | only the payload of the IP packet is usually encrypted and/or authenticated |
| Tunnel | AH | the entire IP packet is authenticated |
| Tunnel | ESP | the entire IP packet is encrypted and/or authenticated |
Terms
| Term | Definition |
|---|---|
| SP (Security Policy) | a rule which decides whether a given flow needs to go for IPsec processing or not |
| SA (Security Association) | a bundle of algorithms and parameters (such as keys) used to encrypt and authenticate a particular flow in one direction. IPsec uses the Security Parameter Index (SPI: an index into the security association database, the SADB) together with the destination address in the packet header; these two values uniquely identify the security association for that packet. |
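As an added example (not part of this wiki page, and not the kernel's own implementation), the two lookups described above in Python: an SPD match that decides whether a flow is protected, bypassed or discarded, and an inbound SADB lookup keyed by (SPI, destination, protocol) after reading the SPI from the ESP header. The networks, the SPI value and the cipher name are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

ESP_PROTO = 50  # IP protocol number for ESP (AH is 51)

@dataclass(frozen=True)
class SecurityPolicy:
    # SP: traffic selector plus action ("ipsec", "bypass" or "discard")
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str

@dataclass(frozen=True)
class SecurityAssociation:
    # SA: one-direction parameters, identified by (SPI, destination, protocol)
    spi: int
    dst: ipaddress.IPv4Address
    proto: int
    cipher: str

# Constructed SPD: first matching policy wins, no match means discard.
SPD = [
    SecurityPolicy(ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24"), "ipsec"),
    SecurityPolicy(ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("0.0.0.0/0"), "bypass"),
]

# Constructed SADB with one inbound ESP SA; SPI and cipher name are hypothetical.
GW = ipaddress.ip_address("10.0.2.1")
SADB = {(0x1000ABCD, GW, ESP_PROTO): SecurityAssociation(0x1000ABCD, GW, ESP_PROTO, "aes-gcm-128")}

def spd_lookup(src: str, dst: str) -> str:
    """Return the SPD action for a flow; an unmatched flow is discarded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sp in SPD:
        if s in sp.src and d in sp.dst:
            return sp.action
    return "discard"

def parse_esp_header(payload: bytes) -> tuple:
    """ESP begins with a 4-byte SPI and a 4-byte sequence number, both big-endian."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", payload[:8])

def inbound_sa(dst: str, proto: int, payload: bytes):
    """Select the SA by (SPI, dst, proto); None means no SA exists and the packet is dropped."""
    spi, _seq = parse_esp_header(payload)
    return SADB.get((spi, ipaddress.ip_address(dst), proto))

# Constructed ESP packet body: SPI 0x1000ABCD, sequence number 1, then opaque ciphertext.
SAMPLE_ESP = struct.pack("!II", 0x1000ABCD, 1) + b"\xde\xad\xbe\xef"
```

A packet whose SPI, destination or protocol does not match an SADB entry yields no SA, which is why a mismatched SPI on the peer is a silent drop rather than a decryption error.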
