A Discussion of IPSec Mechanisms

Ching-Nung Yang (楊慶隆), Assistant Professor, Department of Computer Science and Information Engineering, National Dong Hwa University

E-mail : cnyang@mail.ndhu.edu.tw

 


1. Introduction

The rise of Internet technology and the growth of interconnection technology have made everyone rely more and more on the Internet, a public network with a very wide range of uses. It therefore becomes quite important to let users communicate across the Internet without having to worry that the packets they send are intercepted or forged, because the contents of those packets may carry important personal data such as your ID and credit card number.

In fact, quite a few security standards have appeared on the Internet in recent years. For example, the GSSAPI (Generic Security Service Application Program Interface) specified in RFC 1508 and RFC 1509 can be used by Telnet, FTP and HTTP; the PEM standard drawn up by the PSRG group of the Internet Engineering Task Force (IETF) provides E-mail security, while the best-known E-mail security software on the network is P. Zimmermann's PGP (Pretty Good Privacy); others such as EIT's S-HTTP (Secure HTTP), Netscape's SSL (Secure Sockets Layer), Microsoft's PCT and the GSSAPI mentioned above can all establish security mechanisms for HTTP, and Visa's SET (Secure Electronic Transfer) enables secure electronic commerce. Whether these are security mechanisms at the session layer or at the application layer, the user must use a dedicated communication protocol or a particular vendor's product.

So why do such problems arise? One can say they are all caused by TCP/IP: the IP header carries the source and destination addresses and the payload, while TCP is only responsible for cutting a message into packets and retransmitting any that are lost. TCP/IP therefore offers no security at all; with an ordinary sniffing tool, all of this information can be seen at a glance.

To ensure secure, private communication over any IP network, and also to integrate different standards and different vendors' products, the IETF set out to define an open-standard network security protocol, IPSec (IP Security). It applies cryptographic techniques at the network layer to give the sending and receiving ends security services for their data, namely authentication, integrity, access control and confidentiality. Higher-layer application protocols can also use these security services directly or indirectly.

IPSec is a layer-3 protocol designed to achieve end-to-end secure communication at the network layer. Its main building blocks are the IP Authentication Header (AH) and the IP Encapsulating Security Payload (ESP). IP AH provides data integrity and authentication but not confidentiality; IP ESP in principle provides only confidentiality, but a suitable algorithm and mode can also be specified in the ESP header to ensure data integrity and authentication. IP AH and IP ESP may be used separately or together. A complete IPSec must also include the exchange and management of the keys used by IP AH and ESP, that is, the Security Association (SA) and key management with IKE (Internet Key Exchange). Figure 1 is the IPSec architecture diagram; in it, DOI (Domain of Interpretation) is a framework defined so that other protocols can use ISAKMP. Figure 1 makes the roles played by IPSec and IKE very clear.

Part 2 of this article introduces IP AH, part 3 covers IP ESP, part 4 describes the concept of the Security Association (SA), part 5 uses a practical example to explain how IP AH and IP ESP actually operate, and part 6 introduces SKIP and ISAKMP/Oakley, the two key management protocols that the IETF has considered. ISAKMP/Oakley is more flexible and supports more protocols, and has been chosen as the IPSec key management protocol for IPv6. The last part looks at the applications of IPSec in VPNs and lists the commercial VPN products that currently comply with the IPSec standard.

There are also other IP tunneling techniques aimed at IP-layer security. PPTP (Point-to-Point Tunneling Protocol), which builds on PPP, was proposed jointly by Microsoft and Ascend, supports IP/IPX/NetBEUI, and is supported by vendors such as Nortel and 3COM. L2TP (Layer 2 Tunneling Protocol) merges PPTP with Cisco's L2F (Layer 2 Forwarding); its main vendors are Nortel and IBM.

This article, however, mainly introduces the open standard IPSec defined by the IETF, because it can integrate different VPN systems to achieve secure network interconnection.

 

2. IP AH Format

IP AH provides authentication and integrity of the payload data but no confidentiality. Because it provides no confidentiality, it is not subject to the official export restrictions on cryptographic components and can therefore be used on the Internet across different countries.

IP AH computes a hash value over the whole datagram using MD5 (Message Digest 5) with a 128-bit key (note: SHA-1 (Secure Hash Algorithm 1) may also be used as the one-way hash), so that the receiving end (which knows the key) can verify it: it recomputes the value with the same key to check whether the data is correct and intact, and discards the packet if the check fails. According to the IPSec specification, every IPv6 host must be able to provide MD5 with a 128-bit key, and all IPv4 hosts should also declare that they support this AH function.

The format of IP AH is shown in figure 2.a; the meaning of each field is as follows. Next Header is 8 bits long and defines the type of the data that follows the AH. The payload length field is also 8 bits and determines the length of the authentication data field; a further 16 bits are reserved for future use. The Security Parameter Index (SPI) is a 32-bit pseudo-random number that determines the content of the Security Association (SA); for example, "0" means there is no SA, and 1~255 are reserved values. After the SPI comes the Sequence Number Field; adding this number prevents replay attacks. The last field, the authentication data, is of variable length (a multiple of 32 bits). Figure 2.b shows the use of the message digest function MD5, which produces a 128-bit hash value. The figure also shows that, for both IPv4 and IPv6, the IP AH sits between the IP header and TCP (or UDP).

In IPSec, both IP AH and IP ESP have two different modes of operation: tunnel mode and transport mode. Before introducing the two IP AH modes, we first use figure 3 to explain the concept of the most commonly used technique, "tunnel mode", in which the whole IP datagram is wrapped inside a new datagram. Figures 4.a~c show the original IP datagram, AH transport mode and AH tunnel mode respectively; as far as AH tunnel mode is concerned, the result is simply a new IP datagram.
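As an added example (not code from the article), the following Python builds the AH layout just described, computes the keyed-MD5 authentication data, and shows the two receiver-side checks: ICV verification and the sequence-number anti-replay window. The HMAC-MD5 construction, the 64-packet window size, the use of RFC 1826-style payload length (authentication data length in 32-bit words) and the sample key and payload are assumptions; the SPI reservation and field widths are those described above.

```python
import hashlib
import hmac
import struct

# Fixed part of the AH described above: Next Header (8 bits), Payload Length (8 bits),
# Reserved (16 bits), SPI (32 bits), Sequence Number (32 bits). The variable-length
# authentication data (a multiple of 32 bits) follows these fields.
AH_FIXED = struct.Struct("!BBHII")
ICV_LEN = 16        # full 128-bit MD5 output, as in figure 2.b
WINDOW = 64         # anti-replay window in packets (assumption: the RFC 2401 default)
IPPROTO_TCP = 6     # value of Next Header when TCP follows the AH


def ah_icv(key, fixed, payload):
    """Keyed MD5 over the AH (authentication data zeroed) and the protected payload.

    HMAC-MD5 with a 128-bit key is used here (an assumption; the article only says
    "MD5 with a 128-bit key"). A real AH also covers the immutable IP header fields;
    that is left out to keep the example short."""
    return hmac.new(key, fixed + b"\x00" * ICV_LEN + payload, hashlib.md5).digest()


def build_ah_datagram(key, spi, seq, next_header, payload):
    """Sender: fixed AH fields, then the authentication data, then the payload."""
    payload_len = ICV_LEN // 4   # authentication data length in 32-bit words (RFC 1826 style)
    fixed = AH_FIXED.pack(next_header, payload_len, 0, spi, seq)
    return fixed + ah_icv(key, fixed, payload) + payload


def parse_ah_datagram(datagram):
    fixed = datagram[:AH_FIXED.size]
    next_header, payload_len, _reserved, spi, seq = AH_FIXED.unpack(fixed)
    end = AH_FIXED.size + payload_len * 4
    return fixed, next_header, spi, seq, datagram[AH_FIXED.size:end], datagram[end:]


class AhReceiver:
    """Inbound half of one SA: checks the ICV and rejects replayed sequence numbers."""

    def __init__(self, key):
        self.key = key
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit k set => sequence number (highest - k) already accepted

    def is_replay(self, seq):
        if seq == 0:               # sequence numbers start at 1
            return True
        if seq > self.highest:     # beyond the top of the window: new
            return False
        diff = self.highest - seq
        return diff >= WINDOW or bool((self.bitmap >> diff) & 1)

    def _mark_accepted(self, seq):
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, datagram):
        """Returns (payload, "ok") or (None, reason). The window is updated only after the
        ICV verifies, so a forged packet cannot advance or poison the replay state."""
        fixed, _next_header, _spi, seq, icv, payload = parse_ah_datagram(datagram)
        if self.is_replay(seq):
            return None, "replay"
        if not hmac.compare_digest(icv, ah_icv(self.key, fixed, payload)):
            return None, "bad icv"
        self._mark_accepted(seq)
        return payload, "ok"
```

A packet that arrives late but still inside the window is accepted once; a second copy of it, or anything older than the window, is dropped before the hash is even computed, which keeps replay handling cheap.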

 

3. IP ESP Format

The IP ESP standard describes how to encrypt the IP payload; the scope of encryption can be the whole IP datagram or only the upper-layer TCP, UDP or ICMP data (depending entirely on whether tunnel mode or transport mode is used). The confidentiality technique used by IP ESP is the Data Encryption Standard (DES) or Triple-DES, in Cipher Block Chaining (CBC) mode. Besides encryption, IP ESP can also be applied to authentication, integrity, and the prevention of replay attacks.

ESP tunnel mode and transport mode each have their advantages. Tunnel mode can build a secure "tunnel" between two security gateways, as shown in figure 5; everything relayed through these two gateway proxies travels inside this tunnel. Transport mode, by contrast, encrypts less and has no extra IP header, so it is more efficient.

The operation of the two modes is described in detail below:

1. Transport mode:

Figure 6.a shows IP ESP transport mode: the ESP header is placed directly in front of the data to be sent. This mode saves bandwidth because the IP header need not be encrypted, so unlike tunnel mode a packet does not carry two IP headers.

First the IP payload is encapsulated with ESP (an ESP header and an ESP trailer). The sender uses the user ID and the destination address to obtain the SA environment (introduced in the next section), then encrypts the data to be sent with the encryption algorithm (DES or Triple-DES). When the receiver gets the ESP-encapsulated packet it processes the IP header directly (since it is not encrypted), then takes the SPI value from the ESP header to find the corresponding SA, and uses the decryption function specified by that SA's security environment to recover the encrypted data.

In transport mode the party that decrypts is the user at the destination address. For a firewall or gateway proxy, however, tunnel mode is more suitable, because they are not the original sender or receiver.

2. Tunnel mode

Figure 6.b shows the structure of tunnel mode, which can be summed up in one phrase: "IP-in-IP". First the IP packet (including its IP header) is encrypted using the information in the SA, then an ESP header is placed in front of it, and finally a new IP header is prepended. When the receiver gets the ESP packet it uses the SPI value in the ESP header to determine the SA, then decrypts the payload after the ESP header to recover the original IP header and packet, which can then continue on its way.

Figure 7 shows the contents of the ESP header and ESP trailer. The ESP header contains the SPI value, the initialization vector (IV) and the sequence number field, among others; the sequence number prevents replay attacks.

3. Combined use of IP AH and IP ESP

IP AH and IP ESP can be used on their own or in combination. Figure 8.a is encrypt-then-authenticate: the data is encrypted before it is authenticated. Figure 8.b is authenticate-then-encrypt; its advantage is that the authentication data is also encrypted, so nobody can alter the authentication data.

After the next section introduces the concept of the Security Association (SA), we will use a practical example to explain how the IP header, IP AH, IP ESP, SPI and so on operate in IPSec.

The first generation of IPSec was proposed in 1995 (RFC 1825, RFC 1826, RFC 1827); it did not define key exchange and management and concentrated on the packet transform formats. Network security specifications have changed frequently in recent years, and the latest IPSec version was issued in 1998 (RFC 2401, RFC 2402, RFC 2406); it adds automatic key exchange and updates the packet transform formats, making the IPSec architecture increasingly complete.
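The two ESP modes above, as an added example written for this article rather than taken from it: the padding and trailer that a block cipher in CBC mode needs, the ESP header with SPI, sequence number and IV, and the difference between transport mode (original IP header kept in the clear, next header = 6 for TCP) and tunnel mode (IP-in-IP, next header = 4, new outer header carrying the gateways' addresses). DES is not in the Python standard library, so a toy 64-bit Feistel cipher stands in for it; the addresses, key, IV and the 1, 2, 3... pad pattern are constructed assumptions.

```python
import hashlib
import socket
import struct

BLOCK = 8            # DES block size; ESP pads so [data | padding | pad length | next header] fills whole blocks
IPPROTO_ESP, IPPROTO_TCP, IPPROTO_IPIP = 50, 6, 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 64-bit Feistel block cipher with an MD5 round function, standing in for DES
# (assumption, not a real cipher). It is invertible, so CBC decryption works as for DES.
def _round_fn(key, rnd, half):
    return hashlib.md5(key + bytes([rnd]) + half).digest()[:4]

def toy_encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right

def toy_decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, block), prev))
        prev = block
    return b"".join(out)


def esp_encapsulate(key, spi, seq, iv, plaintext, next_header):
    """ESP header (SPI, sequence number, IV) + CBC-encrypted [data | padding | pad length | next header]."""
    pad_len = (-(len(plaintext) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))          # 1, 2, 3, ... pad pattern (assumption)
    trailer = padding + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + iv + cbc_encrypt(key, iv, plaintext + trailer)

def esp_decapsulate(key, esp):
    spi, seq = struct.unpack("!II", esp[:8])
    iv, body = esp[8:16], esp[16:]
    plain = cbc_decrypt(key, iv, body)
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, next_header, plain[:len(plain) - pad_len - 2]


def ipv4_header(src, dst, proto, payload_len):
    # Minimal constructed IPv4 header (no options, checksum left zero) for the demo.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def transport_mode(key, spi, seq, iv, src, dst, tcp_segment):
    """Original IP header stays in the clear; only the TCP segment is inside ESP."""
    esp = esp_encapsulate(key, spi, seq, iv, tcp_segment, IPPROTO_TCP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def tunnel_mode(key, spi, seq, iv, gw_src, gw_dst, inner_datagram):
    """IP-in-IP: the whole inner datagram, header included, is encrypted and a new
    outer header with the gateways' addresses is prepended."""
    esp = esp_encapsulate(key, spi, seq, iv, inner_datagram, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp

def receive(key, datagram):
    """Receiver: the outer header is readable; the SPI would select the SA (one key here)."""
    outer, proto = datagram[:20], datagram[9]
    if proto != IPPROTO_ESP:
        raise ValueError("not an ESP datagram")
    spi, seq, next_header, inner = esp_decapsulate(key, datagram[20:])
    src, dst = socket.inet_ntoa(outer[12:16]), socket.inet_ntoa(outer[16:20])
    return {"outer": (src, dst), "spi": spi, "seq": seq, "next_header": next_header, "inner": inner}
```

The next-header byte recovered from the trailer tells the receiver what it is looking at: a TCP segment to hand up the stack (transport mode) or a complete IP datagram to route onward (tunnel mode). The tunnel-mode datagram is longer by exactly one IP header, which is the bandwidth cost the article mentions.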

 

4. Security Association (SA)

The most important item in the IPSec standard is the SA. It defines a secure "environment" whose content covers the information related to encrypting, decrypting and authenticating IP packets, as follows:

- Cryptographic function: encryption, authentication, or both at once.

- Cryptographic algorithms: for example DES (or Triple-DES) for encryption/decryption and MD5 (or SHA-1) for authentication.

- The keys used by the cryptographic algorithms, the key lifetime, and so on.

- Whether there is an initialization vector.

- The lifetime of the SA.

An SA can be described by a 32-bit Security Parameter Index (SPI): one SPI value determines one particular SA, and the host's IP address together with the SPI defines a unique SA. For example, host A can tell host B that SPI value 1000 corresponds to the SA environment whose cryptographic function is encryption only, using DES, with key 0x1234567890abcdef (64 bits long, 8 of which are parity bits). Host A can then encrypt its data under SPI 1000 and send it to host B. When B receives the packet, it uses host A and the SPI value to determine the SA, decrypts, and recovers the original data.

From the above it can be seen that an SA is unidirectional (A→B), so two hosts A and B that want to set up secure communication need two SAs, one in each direction: (A→B) and (B→A).

In addition, SAs can be keyed in two ways: host-oriented keying and user-oriented keying. The former ignores the user: all packets sent from the same system use the same key. The latter takes the user into account and allows a user to have different keys; for example, the same user may have several keys for different services, such as one key for FTP and another for Telnet.

 

5. A Practical IPSec Example

Sections 2~4 have introduced the basic IPSec architecture: IP AH, IP ESP, SA, SPI and so on. We now put all of these together and explain them with a practical example.

EXAMPLE: suppose a host yang.chtti.com.tw wants to use the IPSec security mechanism to send encrypted and authenticated TCP packets to another host, yang.csie.ndhu.edu.tw. It wants its gateway gatekeeper.chtti.com.tw to do the encryption and authentication, and the other side's gateway gw.csie.ndhu.edu.tw to decrypt and authenticate these packets. The SPI parameter value used is assumed to be 0x1234, which points to the Security Association (SA) that both sides agreed on beforehand.

Figure 9 illustrates this IPSec example. When the packet sent by host yang.chtti.com.tw reaches its gateway, the gateway encrypts the packet and adds an ESP header, then adds an AH and a new IP header, using the gateway's own address gatekeeper.chtti.com.tw as the new source address and gw.csie.ndhu.edu.tw as the new destination address; finally it computes the hash value and places it in the AH.

Figure 10 is an example from CHECK POINT Firewall-1 (CHECK POINT holds about 44% of the firewall market). Firewall-1 has a good graphical user interface (GUI); the figure clearly shows that AH and ESP are used, that the one-way hash function for authentication is SHA-1 and the encryption algorithm is DES, and it also shows the encryption and authentication keys and the SPI value, 0x1234.

Since Security Associations can differ, we can also add the following two rules to the Security Policy of CHECK POINT Firewall-1, as shown in figure 11. Because the SPI values used are different (SPI 0x1000 in the direction from yang.chtti.com.tw to yang.csie.ndhu.edu.tw and SPI 0x2000 in the opposite direction), the algorithms and keys these two hosts use when doing FTP with each other can be different.
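Sections 4 and 5 together, as an added example that is not from the article or from any vendor's product: a small SA database in Python keyed by (destination host, SPI), with one unidirectional SA per direction as in the Firewall-1 rules above (SPI 0x1000 one way, 0x2000 the other), the reserved-SPI rule from section 2, SA lifetimes, and host-oriented versus user-oriented keying (a separate FTP key for one user). The SPI 0x3000 entry, the key bytes and the class layout are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# SPI values: "0" means no SA and 1~255 are reserved (from the AH description above).
RESERVED_SPI_MAX = 255


@dataclass(frozen=True)
class SecurityAssociation:
    """One direction of protection; the SA "environment" listed in section 4."""
    spi: int
    src: str                  # sending host
    dst: str                  # receiving host; (dst, spi) identifies the SA
    functions: tuple          # ("encrypt",), ("authenticate",) or both
    cipher: Optional[str]     # "DES", "Triple-DES" or None
    auth: Optional[str]       # "MD5", "SHA-1" or None
    enc_key: bytes
    auth_key: bytes
    uses_iv: bool
    expires_s: int            # SA lifetime, as an absolute expiry time in seconds
    user: Optional[str] = None     # None => host-oriented keying
    service: Optional[str] = None  # e.g. "ftp"; None => any service (user-oriented keying)


class SADatabase:
    def __init__(self):
        self._by_dst_spi = {}

    def add(self, sa):
        if sa.spi <= RESERVED_SPI_MAX:
            raise ValueError(f"SPI {sa.spi:#x} is reserved (0 = no SA, 1..255 reserved)")
        if (sa.dst, sa.spi) in self._by_dst_spi:
            raise ValueError(f"SPI {sa.spi:#x} already in use towards {sa.dst}")
        self._by_dst_spi[(sa.dst, sa.spi)] = sa
        return sa

    def inbound(self, dst, spi):
        """Receiver: the SPI from the AH/ESP header plus the destination selects the SA."""
        return self._by_dst_spi.get((dst, spi))

    def outbound(self, src, dst, user=None, service=None):
        """Sender: the most specific SA covering this packet (user+service > user > host)."""
        best, best_score = None, -1
        for sa in self._by_dst_spi.values():
            if sa.src != src or sa.dst != dst:
                continue
            if sa.user is not None and sa.user != user:
                continue
            if sa.service is not None and sa.service != service:
                continue
            score = 2 * (sa.user is not None) + (sa.service is not None)
            if score > best_score:
                best, best_score = sa, score
        return best

    def purge_expired(self, now_s):
        """Drop SAs whose lifetime has run out; returns how many were removed."""
        dead = [k for k, sa in self._by_dst_spi.items() if sa.expires_s <= now_s]
        for k in dead:
            del self._by_dst_spi[k]
        return len(dead)
```

Looking up the reverse direction with the forward SPI returns nothing, which is the unidirectional property of section 4 in code: traffic from B to A needs its own SA and its own key material.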

 

6. IPSec Key Management Methods

How are the authentication and encryption keys used in IP AH and IP ESP exchanged and managed? Is a single key used forever? These questions have not been addressed so far, and they are a very important topic for IPSec.

With only a few hosts, keys can be exchanged manually, for example by telephone or E-mail. But once the number of hosts grows, or host data changes often, a secure and formal protocol is needed to do this job.

The main reference specifications for key management protocols at present are: (1) SKIP (Simple Key-management for IP) and (2) ISAKMP/Oakley (Internet Security Association Key Management Protocol / Oakley). Both methods can be applied to IPv4 and IPv6; SKIP is simpler, while ISAKMP/Oakley can be applied to more protocols. In fact there are further IP-layer key exchange protocols, such as Photuris and SKEME.

1. SKIP:

SKIP was developed by Sun Microsystems and currently has three versions: Sun, TIK, and ELVIS+SKIP. SKIP's key management concept is hierarchical, as shown in figure 12. The secret actually shared by the two communicating parties is Kij (obtained through the Diffie-Hellman public key pair). For security reasons the public keys should be certified by a Certificate Authority (CA); the use of IPSec therefore also needs each country's Public Key Infrastructure (PKI) in support.

From Kij one derives Kijn = MD5(Kij/n), where n is the number of hours from midnight on 1 January 1995 to the present time. Kijn is a long-term key (changed once an hour). The short-term key Kp (changed every 2 minutes) is encrypted with Kijn, inserted into the SKIP header and sent to the other party, which recovers Kp with Kijn. Both sides then derive the encryption key E_Kp and the authentication key A_Kp as E_Kp = MD5(Kp/0) and A_Kp = MD5(Kp/2). Because the keys are derived layer by layer, SKIP calls this a hierarchical key management architecture.

We again use the example of section 5, "host yang.chtti.com.tw wants to start communicating with host yang.csie.ndhu.edu.tw", to discuss the SKIP protocol; figure 13 describes the contents of a SKIP packet.

SKIP was originally meant to be integrated with ISAKMP, but this failed, because IPv6 had already decided to use the combined ISAKMP and Oakley key exchange protocol, namely ISAKMP/Oakley (now called IKE, Internet Key Exchange). SKIP is therefore not a key management method mandated by IPSec.

2. ISAKMP/Oakley (IKE):

The Oakley key exchange protocol was proposed by the University of Arizona; it has a great deal in common with SKEME (note: SKEME is an extension of Photuris).

ISAKMP operates in two phases. In the first phase the relevant security attributes are negotiated, some keys are generated, and so on; these form the first SA, generally called the ISAKMP SA, which, unlike an IPSec SA, is bidirectional. In the second phase the security environment of the ISAKMP SA is used to set up the SAs for AH or ESP.

IKE combines ISAKMP with some of Oakley's modes and SKEME's concept of fast rekeying; it has four modes: (1) Main Mode, (2) Aggressive Mode, (3) Quick Mode and (4) New Group Mode.
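The SKIP derivation above, as an added example in Python (not from the article or from Sun's implementation): n counted in hours from 1 January 1995, Kijn = MD5(Kij/n), a Kp rotated every 2 minutes, and E_Kp and A_Kp derived from Kp. "/" is taken as concatenation with n as a 32-bit counter, Kp is wrapped with an MD5-derived XOR mask instead of the block cipher SKIP actually uses, and the shared Kij value, UTC time base and the 1-hour clock-skew bound on the receiver are assumptions.

```python
import hashlib
import os
import struct
from datetime import datetime, timezone

SKIP_EPOCH = datetime(1995, 1, 1, tzinfo=timezone.utc)


def utc(*ymdhms):
    return datetime(*ymdhms, tzinfo=timezone.utc)

def hours_since_epoch(now):
    """n in the article: hours elapsed since 1995-01-01 00:00 (UTC assumed)."""
    return int((now - SKIP_EPOCH).total_seconds() // 3600)

def kp_period(now):
    """Index of the current 2-minute period; a fresh Kp is chosen whenever it changes."""
    return int((now - SKIP_EPOCH).total_seconds() // 120)

def derive_kijn(kij, n):
    """Kijn = MD5(Kij/n); '/' read as concatenation, n as a 32-bit big-endian counter (assumption)."""
    return hashlib.md5(kij + struct.pack("!I", n)).digest()

def derive_packet_keys(kp):
    """E_Kp = MD5(Kp/0) for encryption, A_Kp = MD5(Kp/2) for authentication."""
    return hashlib.md5(kp + b"\x00").digest(), hashlib.md5(kp + b"\x02").digest()

def wrap_kp(kijn, kp):
    """Kp protected under Kijn. SKIP uses a block cipher here; this stand-in XORs Kp
    with an MD5-derived 128-bit mask so the example runs offline (assumption)."""
    mask = hashlib.md5(kijn + b"kp-wrap").digest()
    return bytes(a ^ b for a, b in zip(kp, mask))

unwrap_kp = wrap_kp   # XOR with the same mask restores Kp


class SkipSender:
    def __init__(self, kij):
        self.kij, self.period, self.kp = kij, None, None

    def header(self, now):
        """SKIP header: n in the clear, then Kp wrapped under Kijn. Kp rotates every
        2 minutes; Kijn changes by itself whenever the hour counter n advances."""
        if kp_period(now) != self.period:
            self.period, self.kp = kp_period(now), os.urandom(16)
        n = hours_since_epoch(now)
        return struct.pack("!I", n) + wrap_kp(derive_kijn(self.kij, n), self.kp)

    def packet_keys(self):
        return derive_packet_keys(self.kp)


def receiver_packet_keys(kij, header, now, max_skew_hours=1):
    """Receiver: read n from the header, recompute Kijn from the shared Kij, unwrap Kp
    and derive the same E_Kp/A_Kp. A header whose n is far from the receiver's own
    clock is rejected (skew bound is an assumption), which limits how long an old
    Kijn can be used against the receiver."""
    n, = struct.unpack("!I", header[:4])
    if abs(n - hours_since_epoch(now)) > max_skew_hours:
        return None
    kp = unwrap_kp(derive_kijn(kij, n), header[4:20])
    return derive_packet_keys(kp)
```

No key exchange message is needed for Kijn itself: both sides compute it from Kij and the clock, and only the short-lived Kp travels in the header, which is why SKIP can start protecting traffic without a prior handshake.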

 

7. IPSec Applications in VPNs (in lieu of a conclusion)

Having seen how the IPSec protocol works, we now look at its different deployment scenarios. It is worth noting that providing the security mechanism at the network layer is completely transparent to the application layer. IPSec can be installed on a gateway, on a host, or on both. Installed on a gateway, it provides a secure channel across the insecure Internet; installed on a host, it provides host-to-host end-to-end security. Figures 14.a~c show the three possible deployments: gateway to gateway, host to gateway, and host to host.

Table 1, which lists the commercial VPN products that comply with IPSec, concludes this article.

 

 

References:

1. V. Ahuja, "Secure Commerce on the Internet", AP Professional, 1998.

2. L.J. Hughes (original author), "Internet 安全技術實務" (Chinese translation by 連秀 [third character of the translator's name not recoverable]), 博碩, 1996.

3. 1998 "VPN Technology and Application Trends Seminar", 1998.

4. Internet Resources:

http://www.ietf.org/thml.charters/ipsec-charter.html

http://firewall.sysware.com.tw/faq/vpn/ipsec.html

http://firewall.sysware.com.tw/faq/vpn/SKIP.html

http://conway.cba.ufl.edu/ism6222/Ipsec.html

http://www.hsc.fr/veille/papier/papier.html.en

Table 1: IPSec-compliant VPN products

No.   Vendor                      Key management
1     Checkpoint                  SKIP
2     Cisco systems Inc.          ISAKMP/Oakley
3     Cycon technologies          Manual
4     IBM                         Manual
5     IRE Inc.                    ISAKMP/Oakley
6     NSC (Net. Sys. Corp.)       Proprietary dynamic
7     Radguard Ltd.               ISAKMP/Oakley
8     Raptor system Inc.          ISAKMP/Oakley
9     Secure Computing            Manual
10    Securicor 3Net Ltd.         Manual
11    Sun Microsystems I          SKIP
12    Timestep corp.              ISAKMP/Oakley
13    TIS (Trusted Info. Sys.)    ISAKMP/Oakley
14    VPNet                       SKIP