2013.10.24

[uclinux-h8/uClinux-dist.git] / freeswan / doc / ipsec.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE> Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
</HEAD>
<BODY>
<A HREF="toc.html">Contents</a>
<A HREF="politics.html">Previous</a>
<A HREF="mail.html">Next</a>
<HR>
<H1><A name="ipsec.detail">The IPSEC protocols</A></H1>
<P>This section provides details of the IPSEC protocols which FreeS/WAN 
 implements</P>
<P>The basic idea of IPSEC is to provide security functions, <A href="glossary.html#authentication">
authentication</A> and <A href="glossary.html#encryption">encryption</A>
, at the IP (Internet Protocol) level. This  requires a higher-level 
protocol (IKE) to set things up for the IP-level  services (ESP and AH).</P>
<P>Three protocols are used in an IPSEC implementation:</P>
<DL>
<DT>ESP, Encapsulating Security Payload</DT>
<DD>Encrypts and/or authenticates data</DD>
<DT>AH, Authentication Header</DT>
<DD>Provides a packet authentication service</DD>
<DT>IKE, Internet Key Exchange</DT>
<DD>Negotiates connection parameters, including keys, for the other  two</DD>
</DL>
<P> The term &quot;IPSEC&quot; is slightly ambiguous. In some contexts, it 
includes all  three of the above but in other contexts it refers only 
to AH and ESP. </P>
<H2><A name="others">Applying IPSEC</A></H2>
<P>Authentication and encryption functions for network data can, of 
course,  be provided at other levels. Many security protocols work at 
levels above  IP.</P>
<UL>
<LI><A href="glossary.html#PGP">PGP</A> encrypts and authenticates mail 
messages</LI>
<LI><A href="glossary.html#SSH">SSH</A> authenticates remote logins and 
then encrypts  the session</LI>
<LI><A href="glossary.html#SSL">SSL</A> or <A href="glossary.html#TLS">
TLS</A> provides security at  the sockets layer, e.g. for secure web 
browsing</LI>
</UL>
<P> and so on. Other techniques work at levels below IP. For example, 
data on a  communications circuit or an entire network can be encrypted 
by specialised  hardware. This is common practice in high-security 
applications. </P>
<H3><A name="advantages">Advantages of IPSEC</A></H3>
<P>There are, however, advantages to doing it at the IP level instead 
of, or  as well as, at other levels.</P>
<P>IPSEC is the <STRONG>most general way to provide these services for 
the  Internet</STRONG>.</P>
<UL>
<LI>Higher-level services protect a <EM>single protocol</EM>; for 
example  PGP protects mail.</LI>
<LI>Lower level services protect a <EM>single medium</EM>; for example 
a  pair of encryption boxes on the ends of a line make wiretaps on that 
 line useless unless the attacker is capable of breaking the 
 encryption.</LI>
</UL>
<P> IPSEC, however, can protect <EM>any protocol</EM> running above IP 
and <EM> any medium</EM> which IP runs over. More to the point, it can 
protect a  mixture of application protocols running over a complex 
combination of  media. This is the normal situation for Internet 
communication; IPSEC is the  only general solution. </P>
<P>IPSEC can also provide some security services &quot;in the background&quot;, 
with <STRONG> no visible impact on users</STRONG>. To use <A href="glossary.html#PGP">
PGP</A> encryption and signatures on mail, for example, the user must 
at least:</P>
<UL>
<LI>remember his or her passphrase,</LI>
<LI>keep it secure</LI>
<LI>follow procedures to validate correspondents' keys</LI>
</UL>
<P> These systems can be designed so that the burden on users is not 
 onerous, but any system will place some requirements on users. No such 
 system can hope to be secure if users are sloppy about meeting those 
 requirements. The author has seen username and password stuck on 
terminals  with post-it notes in an allegedly secure environment, for 
example. </P>
<H3><A name="limitations">Limitations of IPSEC</A></H3>
<P>IPSEC is designed to secure IP links between machines. It does that 
well,  but it is important to remember that there are many things it 
does not do.  Some of the important limitations are:</P>
<DL>
<DT><A name="depends">IPSEC cannot be secure if your system isn't</A></DT>
<DD>System security on IPSEC gateway machines is an essential 
 requirement if IPSEC is to function as designed. No system can be 
 trusted if the underlying machine has been subverted. See books on 
 Unix security such as <A href="biblio.html#practical">Garfinkel and 
Spafford</A> or our web references for <A href="web.html#linsec">Linux 
security</A> or more  general <A href="web.html#compsec">computer 
security</A>. </DD>
<P>Of course, there is another side to this. IPSEC can be a powerful 
 tool for improving system and network security. For example, requiring 
 packet authentication makes various spoofing attacks harder and IPSEC 
 tunnels can be extremely useful for secure remote administration of 
 various things.</P>
<DT><A name="not-end-to-end">IPSEC is not end-to-end</A></DT>
<DD>IPSEC cannot provide the same end-to-end security as systems 
working  at higher levels. IPSEC encrypts an IP connection between two 
 machines, which is quite a different thing than encrypting messages 
 between users or between applications. </DD>
<P>For example, if you need mail encrypted from the sender's desktop 
 to the recipient's desktop and decryptable only by the recipient, use <A
href="glossary.html#PGP"> PGP</A> or another such system. IPSEC can 
encrypt any  or all of the links involved -- between the two mail 
servers, or  between either server and its clients. It could even be 
used to secure  a direct IP link from the sender's desktop machine to 
the recipient's,  cutting out any sort of network snoop. What it cannot 
ensure is  end-to-end user-to-user security. If only IPSEC is used to 
secure  mail, then anyone with appropriate privileges on any machine 
where  that mail is stored (at either end or on any store-and-forward 
servers  in the path) can read it.</P>
<P>In another common setup, IPSEC encrypts packets at a security 
 gateway machine as they leave the sender's site and decrypts them on 
 arrival at the gateway to the recipient's site. This does not even 
 come close to providing an end-to-end service. In particular, anyone 
 with appropriate privileges on either site's LAN can intercept the 
 message in unencrypted form.</P>
<DT><A name="notpanacea">IPSEC cannot do everything</A></DT>
<DD>IPSEC also cannot provide all the functions of systems working at 
 higher levels of the protocol stack. If you need a document 
 electronically signed by a particular person, then you need his or her <A
href="glossary.html#signature"> digital signature</A> and a <A href="glossary.html#public">
public key cryptosystem</A> to verify it with. </DD>
<P>Note, however, that IPSEC authentication of the underlying 
 communication can make various attacks on higher-level protocols more 
 difficult. In particular, authentication prevents <A href="glossary.html#middle">
man-in-the-middle attacks</A>.</P>
<DT><A name="no_user">IPSEC authenticates machines, not users</A></DT>
<DD>IPSEC uses strong authentication mechanisms to control which 
 messages go to which machines, but it does not have the concept of 
 user ID, which is vital to many other security mechansims and 
 policies. This means some care must be taken in fitting the various 
 security mechansims on a network together. For example, if you need to 
 control which users access your database server, you need some 
 non-IPSEC mechansim for that. IPSEC can control which machines connect 
 to the server, and can ensure that data transfer to those machines is 
 done securely, but that is all. Either the machines themselves must 
 control user access or there must be some form of user authentication 
 to the database, independent of IPSEC.</DD>
<DT><A name="DoS">IPSEC does not stop denial of service attacks</A></DT>
<DD><A href="glossary.html#DOS">Denial of service</A> attacks aim at 
causing a system  to crash, overload, or become confused so that 
legitimate users cannot  get whatever services the system is supposed 
to provide. These are  quite different from attacks in which the 
attacker seeks either to use  the service himself or to subvert the 
service into delivering  incorrect results. </DD>
<P>IPSEC shifts the ground for DoS attacks; the attacks possible 
 against systems using IPSEC are different than those that might be 
 used against other systems. It does not, however, eliminate the 
 possibility of such attacks.</P>
<DT><A name="traffic">IPSEC does not stop traffic analysis</A></DT>
<DD><A href="glossary.html#traffic">Traffic analysis</A> is the attempt 
to derive  intelligence from messages without regard for their 
contents. In the  case of IPSEC, it would mean analysis based on things 
visible in the  unencrypted headers of encrypted packets -- source and 
destination  gateway addresses, packet size, et cetera. Given the 
resources to  acquire such data and some skill in analysing it (both of 
which any  national intelligence agency should have), this can be a 
very powerful  technique. </DD>
<P>IPSEC is not designed to defend against this. Partial defenses are 
 certainly possible, and some are <A href="#traffic.resist">described 
below</A>,  but it is not clear that any complete defense can be 
provided.</P>
</DL>
<H3><A name="uses">IPSEC is a general mechanism for securing IP</A></H3>
<P>While IPSEC does not provide all functions of a mail encryption 
package,  it can encrypt your mail. In particular, it can ensure that 
all mail passing  between a pair or a group of sites is encrypted. An 
attacker looking only at  external traffic, without access to anything 
on or behind the IPSEC gateway,  cannot read your mail. He or she is 
stymied by IPSEC just as he or she would  be by <A href="glossary.html#PGP">
PGP</A>.</P>
<P>The advantage is that IPSEC can provide the same protection for <STRONG>
 anything transmitted over IP</STRONG>. In a corporate network example, 
PGP  lets the branch offices exchange secure mail with head office. SSL 
and SSH  allow them to securely view web pages, connect as terminals to 
machines, and  so on. IPSEC can support all those applications, plus 
database queries, file  sharing (NFS or Windows), other protocols 
encapsulated in IP (Netware,  Appletalk, ...), phone-over-IP, 
video-over-IP, ... anything-over-IP. The  only limitation is that IP 
Multicast is not yet supported, though there are  Internet Draft 
documents for that.</P>
<P>IPSEC creates <STRONG>secure tunnels through untrusted networks</STRONG>
.  Sites connected by these tunnels form VPNs, <A href="glossary.html#VPN">
Virtual Private  Networks</A>.</P>
<P>IPSEC gateways can be installed wherever they are required.</P>
<UL>
<LI>One organisation might choose to install IPSEC only on firewalls 
 between their LANs and the Internet. This would allow them to create a 
 VPN linking several offices. It would provide protection against 
anyone  outside their sites.</LI>
<LI>Another might install IPSEC on departmental servers so everything 
on  the corporate backbone net was encrypted. This would protect 
messages on  that net from everyone except the sending and receiving 
department.</LI>
<LI>Another might be less concerned with information secrecy and more 
with  controlling access to certain resources. They might use IPSEC 
packet  authentication as part of an access control mechanism, with or 
without  also using the IPSEC encryption service.</LI>
<LI>It is even possible (assuming adequate processing power and an 
IPSEC  implementation in each node) to make every machine its own IPSEC 
gateway  so that everything on a LAN is encrypted. This protects 
information from  everyone outside the sending and receiving machine.</LI>
<LI>These techniques can be combined in various ways. One might, for 
 example, require authentication everywhere on a network while using 
 encryption only for a few links.</LI>
</UL>
<P> Which of these, or of the many other possible variants, to use is 
up to you. <STRONG> IPSEC provides mechanisms; you provide the policy</STRONG>
. </P>
<P><STRONG>No end user action is required</STRONG> for IPSEC security 
to be  used; they don't even have to know about it. The site 
administrators, of  course, do have to know about it and to put some 
effort into making it work.  Poor administration can compromise IPSEC 
as badly as the post-it notes  mentioned above. It seems reasonable, 
though, for organisations to hope  their system administrators are 
generally both more security-conscious than  end users and more able to 
follow computer security procedures. If not, at  least there are fewer 
of them to educate or replace.</P>
<P>IPSEC can be, and often should be, used with along with security 
 protocols at other levels. If two sites communicate with each other 
via the  Internet, then IPSEC is the obvious way to protect that 
communication. If  two others have a direct link between them, either 
link encryption or IPSEC  would make sense. Choose one or use both. 
Whatever you use at and below the  IP level, use other things as 
required above that level. Whatever you use  above the IP level, 
consider what can be done with IPSEC to make attacks on  the higher 
levels harder. For example, <A href="glossary.html#middle">
man-in-the-middle  attacks</A> on various protocols become difficult if 
authentication at  packet level is in use on the potential victims' 
communication channel.</P>
<H3><A name="authonly">Using authentication without encryption</A></H3>
<P> Where appropriate, IPSEC can provide authentication without 
encryption.  One might do this, for example:</P>
<UL>
<LI>where the data is public but one wants to be sure of getting the 
right  data, for example on some web sites</LI>
<LI>where encryption is judged unnecessary, for example on some company 
or  department LANs</LI>
<LI>where strong encryption is provided at link level, below IP</LI>
<LI>where strong encryption is provided in other protocols, above IP
<BR> Note that IPSEC authentication may make some attacks on those 
protocols  harder.</LI>
</UL>
<P> Authentication has lower overheads than encryption. </P>
<P> The protocols provide four ways to build such connections, using 
either an AH-only connection or ESP using null encryption, and in 
either manually or automatically keyed mode. FreeS/WAN supports only 
one of these, manually keyed AH-only connections, and <STRONG>we do not 
recommend using that</STRONG>. Our reasons are discussed under <A href="#traffic.resist">
Resisting traffic analysis</A> a few sections further along. </P>
<H3><A name="encnoauth">Encryption without authentication is dangerous</A>
</H3>
<P>Originally, the IPSEC encryption protocol <A href="glossary.html#ESP">
ESP</A> didn't  do integrity checking. It only did encryption. Steve 
Bellovin found many  ways to attack ESP used without authentication. 
See his paper <A href="http://www.research.att.com/~smb/papers/badesp.ps">
Problem areas for  the IP Security Protocols</A>. To make a secure 
connection, you had to add  an <A href="glossary.html#AH">AH</A>
 Authentication Header as well as ESP.  Rather than  incur the overhead 
of several layers (and rather than provide an ESP layer  that didn't 
actually protect the traffic), the IPSEC working group built  integrity 
and replay checking directly into ESP.</P>
<P>Today, typical usage is one of:</P>
<UL>
<LI>ESP for encryption and authentication</LI>
<LI>AH for authentication alone</LI>
</UL>
<P> Other variants are allowed by the standard, but not much used:</P>
<DL>
<DT>ESP encryption without authentication</DT>
<DD><STRONG>Bellovin has demonstrated fatal flaws in this. Do not  use.</STRONG>
</DD>
<DT>ESP encryption with AH authentication</DT>
<DD>This has higher overheads than using the authentication in ESP, and 
 no obvious benefit in most cases. The exception might be a network 
 where AH authentication was widely or universally used. If you're 
 going to do AH to conform with network policy, why authenticate again 
 in the ESP layer?</DD>
<DT>Authenticate twice, with AH and with ESP</DT>
<DD>Why? Of course, some folk consider &quot;belt and suspenders&quot; the 
 sensible approach to security. If you're among them, you might use 
 both protocols here. You might also use both to satisfy different 
 parts of a security policy. For example, an organisation might require 
 AH authentication everywhere but two users within the organisation 
 might use ESP as well.</DD>
<DT>ESP authentication without encryption</DT>
<DD>The standard allows this, calling it &quot;null encryption&quot;. FreeS/WAN 
 does not support it. We recommend that you use AH instead if 
 authentication is all you require. AH authenticates parts of the IP 
 header, which ESP-null does not do.</DD>
</DL>
 Some of these variants cannot be used with FreeS/WAN because we do not 
support ESP-null and do not support automatic keying of AH-only 
connections. 
<P> There are fairly frequent suggestions that AH be dropped entirely 
from  the IPSEC specifications since ESP and null encryption can handle 
that  situation. It is not clear whether this will occur. My guess is 
that it is  unlikely.</P>
<H3><A name="multilayer">Multiple layers of IPSEC processing are 
possible</A></H3>
<P>The above describes combinations possible on a single IPSEC 
connection.  In a complex network you may have several layers of IPSEC 
in play, with any  of the above combinations at each layer.</P>
<P>For example, a connection from a desktop machine to a database 
server  might require AH authentication. Working with other host, 
network and  database security measures, AH might be just the thing for 
access control.  You might decide not to use ESP encryption on such 
packets, since it uses  resources and might complicate network 
debugging. Within the site where the  server is, then, only AH would be 
used on those packets.</P>
<P>Users at another office, however, might have their whole connection 
(AH  headers and all) passing over an IPSEC tunnel connecting their 
office to the  one with the database server. Such a tunnel should use 
ESP encryption and  authentication. You need authentication in this 
layer because without  authentication the encryption is vulnerable and 
the gateway cannot verify  the AH authentication. The AH is between 
client and database server; the  gateways aren't party to it.</P>
<P>In this situation, some packets would get multiple layers of IPSEC 
 applied to them, AH on an end-to-end client-to-server basis and ESP 
from one  office's security gateway to the other.</P>
<H3><A name="traffic.resist">Resisting traffic analysis</A></H3>
<P><A href="glossary.html#traffic"> Traffic analysis</A> is the attempt 
to derive useful intelligence from encrypted traffic without breaking 
the encryption. </P>
<P> Is your CEO exchanging email with a venture capital firm? With 
bankruptcy trustees? With an executive recruiting agency? With the 
holder of some important patents? If an eavesdropper learns that, he 
has interesting intelligence on your company, whether or not he can 
read the messages themselves. </P>
<P> Except in the simplest cases, traffic analysis is hard to do well. 
It requires both considerable resources and considerable analytic 
skill. However, intelligence agencies of various nations have been 
doing it for centuries and many of them are likely quite good at it by 
now. Various commercial organisations, especially those working on 
&quot;targeted marketing&quot; may also be quite good at analysing certain types 
of traffic. </P>
<P> In general, defending against traffic analysis is also difficult. 
Inventing a really good defense could get you a PhD and some 
interesting job offers. </P>
<P> IPSEC is not designed to stop traffic analysis and we know of no 
plausible method of extending it to do so. That said, there are ways to 
make traffic analysis harder. This section describes them. </P>
<H4><A name="extra">Using &quot;unnecessary&quot; encryption</A></H4>
<P> One might choose to use encryption even where it appears 
unnecessary in order to make analysis more difficult. Consider two 
offices which pass a small volume of business data between them using 
IPSEC and also transfer large volumes of Usenet news. At first glance, 
it would seem silly to encrypt the newsfeed, except possibly for any 
newsgroups that are internal to the company. Why encrypt data that is 
all publicly available from many sites?</P>
<P> However, if we encrypt a lot of news and send it down the same 
connection as our business data, we make <A href="glossary.html#traffic">
traffic analysis</A> much harder. A snoop cannot now make inferences 
based on patterns in the volume, direction, sizes, sender, destination, 
or timing of our business messages. Those messages are hidden in a mass 
of news messages encapsulated in the same way.</P>
<P> If we're going to do this we need to ensure that keys change often 
enough to remain secure even with high volumes and with the adversary 
able to get plaintext of much of the data. We also need to look at 
other attacks this might open up. For example, can the adversary use a 
chosen plaintext attack, deliberately posting news articles which, when 
we receive and encrypt them, will help break our encryption? Or can he 
block our business data transmission by flooding us with silly news 
articles? Or ...</P>
<P> Also, note that this does not provide complete protection against 
traffic analysis. A clever adversary might still deduce useful 
intelligence from statistical analysis (perhaps comparing the input 
newsfeed to encrypted output, or comparing the streams we send to 
different branch offices), or by looking for small packets which might 
indicate establishment of TCP connections, or ...</P>
<P> As a general rule, though, one can improve resistance to traffic 
analysis by encrypting <EM>as much traffic as possible</EM> rather than 
only as much as seems necessary.</P>
<P> This also applies to using multiple layers of encryption. If you 
have an IPSEC tunnel between two branch offices, it might appear silly 
to send  PGP-encrypted email through that tunnel. However, if you 
suspect someone is snooping your traffic, then it does make sense: </P>
<UL>
<LI>it protects the mail headers; they cannot even see who is mailing 
who </LI>
<LI>it protects against user bungles or software malfunctions that 
accidentally send messages in the clear </LI>
<LI>it makes any attack on the mail encryption much harder; first they 
have to find the mail </LI>
</UL>
 Similar arguments apply for SSL-encrypted web traffic or SSH-encrypted 
remote login sessions, even for end-to-end IPSEC tunnels between 
systems in the two offices. 
<H4><A name="fewer">Using fewer tunnels</A></H4>
<P> It may also help to use fewer tunnels. For example, if all you 
actually need encrypted is connections between: </P>
<UL>
<LI>mail servers at branch and head offices </LI>
<LI>a few branch office users and the head office database server </LI>
</UL>
<P> You might build one tunnel per mail server and one per remote 
database user, restricting traffic to those applications. This gives 
the traffic analyst some information, however. He or she can 
distinguish the tunnels by looking at information in the ESP header 
and, given that distinction and the patterns of tunnel usage, might be 
able to figure out something useful. Perhaps not, but why take the 
risk? </P>
<P> We suggest instead that you build one tunnel per branch office, 
encrypting everything passing from head office to branches. This has a 
number of advantages: </P>
<UL>
<LI>it is easier to build and administer </LI>
<LI>it resists traffic analysis somewhat better </LI>
<LI>it provides security for whatever you forgot. For example, if some 
user at a remote office browses proprietary company data on some head 
office web page (that the security people may not even know about!), 
then that data is encrypted before it reaches the Internet. </LI>
</UL>
<P> Of course you might also want to add additional tunnels. For 
example, if some of the database data is confidential and should not be 
exposed even within the company, then you need protection from the 
user's desktop to the database server. We suggest you do that in 
whatever way seems appropriate -- IPSEC, SSH or SSL might fit -- but, 
whatever you choose, pass it between locations via a gateway-to-gateway 
IPSEC tunnel to provide some resistance to traffic analysis. </P>
<H2><A name="primitives">Cryptographic components</A></H2>
<P> IPSEC combines a number of cryptographic techniques, all of them 
well-known and well-analyzed. The overall design approach was 
conservative; no new or poorly-understood components were included.</P>
<P>This section gives a brief overview of each technique. It is 
intended only as an introduction. There is more information, and links 
to related topics, in our <A href="glossary.html">glossary</A>. See 
also our <A href="biblio.html">bibliography</A> and cryptography <A href="web.html#crypto.link">
web links</A>.</P>
<H3><A name="block.cipher">Block ciphers</A></H3>
<P> The <A href="glossary.html#encryption">encryption</A> in the <A href="glossary.html#ESP">
ESP</A> encapsulation protocol is done with a <A href="glossary.html#block">
block cipher</A>.</P>
<P> We do not implement <A href="glossary.html#DES">single DES</A>. It 
is <A href="politics.html#desnotsecure">insecure</A>. Our default, and 
currently only, block cipher is <A href="glossary.html#3DES"> triple DES</A>
.</P>
<P> The Rijndael block cipher has just won the <A href="glossary.html#AES">
AES</A> competition to choose a relacement for DES. It will almost 
certainly be added to FreeS/WAN and to other IPSEC implementations.</P>
<H3><A name="hash.ipsec">Hash functions</A></H3>
<H4><A name="hmac.ipsec">The HMAC construct</A></H4>
<P> IPSEC packet authentication is done with the HMAC construct. This 
is not just  a hash of the packet data, but a more complex operation 
which uses both a hashing algorithm (MD5 or SHA) and a key. It 
therefore does more than a simple hash would. A simple hash would only 
tell you that the packet data was not changed in transit, or that 
whoever changed it also regenerated the hash. An HMAC also tells you 
that the sender knew the HMAC key.</P>
<P> For IPSEC HMAC, the output of the hash algorithm is truncated to 96 
bits. This saves some space in the packets. More important, it prevents 
an attacker from seeing all the hash output bits and perhaps creating 
some sort of attack based on that knowledge.</P>
<H3><A name="DH.keying">Diffie-Hellman key agreement</A></H3>
<P> The <A href="glossary.html#DH">Diffie-Hellman</A> key agreement 
protocol allows two parties (A and B or <A href="glossary.html#alicebob">
Alice and Bob</A>) to agree on a key in such a way that an eavesdropper 
who intercepts the entire conversation cannot learn the key.</P>
<P> The protocol is based on the <A href="glossary.html#dlog">discrete 
logarithm</A> problem and is therefore thought to be secure. 
Mathematicians have been working on that problem for years and seem no 
closer to a solution, though there is no proof that an efficient 
solution is impossible.</P>
<H3><A name="RSA.auth">RSA authentication</A></H3>
<P> The <A href="glossary.html#RSA">RSA</A> algorithm (named for its 
inventors -- Rivest, Shamir and Adleman) is a very widely used <A href="glossary.html#">
public key</A> cryptographic technique. It is used in IPSEC as one 
method of authenticating gateways for Diffie-Hellman key negotiation.</P>
<H2><A name="structure">Structure of IPSEC</A></H2>
<P>There are three protocols used in an IPSEC implementation:</P>
<DL>
<DT>ESP, Encapsulating Security Payload</DT>
<DD>Encrypts and/or authenticates data</DD>
<DT>AH, Authentication Header</DT>
<DD>Provides a packet authentication service</DD>
<DT>IKE, Internet Key Exchange</DT>
<DD>Negotiates connection parameters, including keys, for the other  two</DD>
</DL>
<P> The term &quot;IPSEC&quot; is slightly ambiguous. In some contexts, it 
includes all three of the above but in other contexts it refers only to 
AH and ESP.</P>
<H3><A name="IKE.ipsec">IKE (Internet Key Exchange)</A></H3>
<P>The IKE protocol sets up IPSEC (ESP or AH) connections after 
negotiating  appropriate parameters (algorithms to be used, keys, 
connection lifetimes)  for them. This is done by exchanging packets on 
UDP port 500 between the two  gateways.</P>
<P>IKE (RFC 2409) was the outcome of a long, complex process in which 
quite  a number of protocols were proposed and debated. Oversimplifying 
mildly, IKE  combines:</P>
<DL>
<DT>ISAKMP (RFC 2408)</DT>
<DD>The <STRONG>I</STRONG>nternet <STRONG>S</STRONG>ecurity <STRONG> A</STRONG>
ssociation and <STRONG>K</STRONG>ey <STRONG> M</STRONG>anagement <STRONG>
P</STRONG>rotocol manages  negotiation of connections and defines <A href="glossary.html#SA">
SA</A>s (Security  Associations) as a means of describing connection 
properties.</DD>
<DT>IPSEC DOI for ISAKMP (RFC 2407)</DT>
<DD>A <STRONG>D</STRONG>omain <STRONG>O</STRONG>f <STRONG> I</STRONG>
nterpretation fills in the details necessary to turn  the rather 
abstract ISAKMP protocol into a more tightly specified protocol,  so it 
becomes applicable in a particular domain.</DD>
<DT>Oakley key determination protocol (RFC 2412)</DT>
<DD>Oakley creates keys using the <A href="glossary.html#DH">
Diffie-Hellman</A> key  agreement protocol.</DD>
</DL>
<P> For all the details, you would need to read the four <A href="rfc.html">
RFCs</A> just mentioned (over 200 pages) and a number of others.  We 
give a summary below, but it is far from complete.</P>
<H4><A name="phases">Phases of IKE</A></H4>
<P>IKE negotiations have two phases.</P>
<DL>
<DT>Phase one</DT>
<DD>The two gateways negotiate and set up a two-way ISAKMP SA which 
they  can then use to handle phase two negotiations. One such SA 
between a  pair of gateways can handle negotiations for multiple 
tunnels.</DD>
<DT>Phase two</DT>
<DD>Using the ISAKMP SA, the gateways negotiate IPSEC (ESP and/or AH) 
 SAs as required. IPSEC SAs are unidirectional (a different key is used 
 in each direction) and are always negotiated in pairs to handle 
 two-way traffic. There may be more than one pair defined between two 
 gateways.</DD>
</DL>
 Both of these phases use the UDP protocol and port 500 for their 
 negotiations. 
<P> After both IKE phases are complete, you have IPSEC SAs to carry 
your encrypted data. These use the ESP or AH protocols. These 
 protocols do not have ports; ports apply only to UDP or TCP. </P>
<P> The IKE protocol is designed to be extremely flexible. Among the 
things that can be negotiated (separately for each SA) are:</P>
<UL>
<LI>SA lifetime before rekeying</LI>
<LI>encryption algorithm used. We currently support only <A href="glossary.html#3DES">
 triple DES</A>. Single DES is <A href="politics.html#desnotsecure">
 insecure</A>. The RFCs say you MUST do DES, SHOULD  do 3DES and MAY do 
various others. We do not do any of the others.</LI>
<LI>authentication algorithms. We support <A href="glossary.html#MD5">
MD5</A> and <A href="glossary.html#SHA">SHA</A>. These are the two the 
RFCs require.</LI>
<LI>choice of group for <A href="glossary.html#DH">Diffie-Hellman</A>
 key agreement. We  currently support Groups 2 and 5 (which are defined 
modulo primes of  various lengths) and do not support Group 1 (defined 
modulo a shorter prime,  and therefore cryptographically weak)  or 
groups 3 and 4 (defined using  elliptic curves). The RFCs require only 
Group 1.</LI>
</UL>
<P> The protocol also allows implementations to add their own 
encryption algorithms, authentication algorithms or Diffie-Hellman 
groups. We do not support any such extensions.</P>
<P>There are a number of complications:</P>
<UL>
<LI>The gateways must be able to authenticate each other's identities 
 before they can create a secure connection. This host authentication 
is  part of phase one negotiations, and is a required prerequisite for 
 packet authentication used later. Host authentication can be  done in 
a variety of ways. Those supported by FreeS/WAN are discussed in  our <A href="config.html#choose">
configuration</A> document.</LI>
<LI>Phase one can be done in two ways. 
<UL>
<LI>Main Mode is required by the RFCs and supported in FreeS/WAN.</LI>
<LI>Aggressive Mode is somewhat faster but reveals more to an 
 eavesdropper. This is optional in the RFCs, not currently supported 
 by FreeS/WAN, and not likely to be.</LI>
</UL>
</LI>
<LI>Phase two always uses Quick Mode, but there are two variants of 
that: 
<UL>
<LI>One variant provides <A href="glossary.html#PFS">Perfect Forward 
Secrecy  (PFS)</A>. An attacker that obtains your long-term host 
 authentication key does not immediately get any of your short-term 
 packet encryption of packet authentication keys. He must conduct 
 another successful attack each time you rekey to get the short-term 
 keys. Having some short-term keys does not help him learn others. In 
 particular, breaking your system today does not let him read  messages 
he archived yestarday, assuming you've changed short-term  keys in the 
meanwhile. We enable PFS as the default.</LI>
<LI>The other variant disables PFS and is therefore slightly faster. 
 We do not recommend this since it is less secure, but FreeS/WAN does 
 support it. You can enable it with a <VAR>pfs=no</VAR> statement in <A href="manpage.d/ipsec.conf.5.html">
 ipsec.conf(5)</A>.</LI>
</UL>
</LI>
<LI>Several types of notification message may be sent by either side 
 during either phase, or later. FreeS/WAN does not currently support 
these, but  they are a likely addition in future releases.</LI>
<LI>A new group exchange may take place after phase one but before 
phase  two, defining up an additional group for use in the <A href="glossary.html#DH">
Diffie-Hellman</A> key agreement part of phase two.  FreeS/WAN does not 
currently support this.</LI>
<LI>There is a commit flag which may optionally be set on some 
messages.  The <A href="http://www.lounge.org/ike_doi_errata.html">
errata</A> page  for the RFCs includes two changes related to this, one 
to clarify the  description of its use and one to block a <A href="glossary.html#DOS">
denial of  service</A> attack which uses it. We currently do not 
implement this  feature.</LI>
</UL>
<P> These complications can of course lead to problems, particularly 
when two different implementations attempt to interoperate. For 
example, we have seen problems such as: </P>
<UL>
<LI>Some implememtations (often products crippled by <A href="politics.html#exlaw">
export laws</A>) have the insecure DES algorithm as their  only 
supported encryption method. See our <A href="politics.html#desnotsecure">
DES  insecurity</A> comments for the reasons we do not implement single 
DES,  and our <A href="FAQ.html#noDES">FAQ</A> for a discussion of how 
to cope  with crippled products.</LI>
<LI>Windows 2000 IPSEC tries to negotiate with FreeS/WAN using 
Aggressive  Mode, which we don't support. Later on, it uses the commit 
bit, which we  also don't support.</LI>
<LI>FreeS/WAN's interaction with PGPnet is complicated by their use of 
 notification messages we do not yet support.</LI>
</UL>
<P> Despite this, we do interoperate successfully with many 
implementations, including both Windows 2000 and PGPnet. Details are in 
our <A href="interop.html">interoperability</A> document. </P>
<H4><A name="struct.exchange">Structure of IKE messages</A></H4>
<P>Here is our Pluto developer explaining some of this on the mailing 
 list:</P>
<PRE>
When one IKE system (for example, Pluto) is negotiating with another
to create an SA, the Initiator proposes a bunch of choices and the
Responder replies with one that it has selected.

The structure of the choices is fairly complicated.  An SA payload
contains a list of lists of &quot;Proposals&quot;.  The outer list is a set of
choices: the selection must be from one element of this list.

Each of these elements is a list of Proposals.  A selection must be
made from each of the elements of the inner list.  In other words,
*all* of them apply (that is how, for example, both AH and ESP can
apply at once).

Within each of these Proposals is a list of Transforms.  For each
Proposal selected, one Transform must be selected (in other words,
each Proposal provides a choice of Transforms).

Each Transform is made up of a list of Attributes describing, well,
attributes.  Such as lifetime of the SA.  Such as algorithm to be
used.  All the Attributes apply to a Transform.

You will have noticed a pattern here: layers alternate between being
disjunctions (&quot;or&quot;) and conjunctions (&quot;and&quot;).

For Phase 1 / Main Mode (negotiating an ISAKMP SA), this structure is
cut back.  There must be exactly one Proposal.  So this degenerates to
a list of Transforms, one of which must be chosen.
</PRE>
<H3><A name="services">IPSEC Services, AH and ESP</A></H3>
<P> IPSEC offers two services, <A href="glossary.html#authentication">
authentication</A> and <A href="glossary.html#encryption">encryption</A>
. These can be used separately but are often used together.</P>
<DL>
<DT>Authentication</DT>
<DD>Packet-level authentication allows you to be confident that a 
packet  came from a particular machine and that its contents were not 
altered  en route to you. No attempt is made to conceal or protect the 
 contents, only to assure their integrity. </DD>
<P>Packet authentication can be provided separately using an <A href="glossary.html#AH">
Authentication Header</A>, described just below, or it can  be included 
as part of the <A href="glossary.html#ESP">ESP</A> (Encapsulated 
 Security Payload) service, described in the following section. That 
 service offers encryption as well as authentication.</P>
<DT>Encryption</DT>
<DD>Encryption allows you to conceal the contents of a message from 
 eavesdroppers. </DD>
<P>In IPSEC this is done using a <A href="glossary.html#block">block 
cipher</A> (normally <A href="glossary.html#3DES">Triple DES</A> for 
Linux). In the most used setup, keys are automatically  negotiated, and 
periodically re-negotiated, using the <A href="glossary.html#IKE">IKE</A>
 (Internet Key Exchange) protocol. In Linux FreeS/WAN this is handled 
by the Pluto  Daemon.</P>
<P>The IPSEC protocol offering encryption is <A href="glossary.html#ESP">
ESP</A>,  Encapsulated Security Payload. It can also include a packet 
 authentication service.</P>
</DL>
<P> Note that <STRONG>encryption should always be used with some packet 
 authentication service</STRONG>. Unauthenticated encryption is 
vulnerable to <A href="glossary.html#middle"> man-in-the-middle attacks</A>
. Also note that encryption  does not necessarily prevent <A href="glossary.html#traffic">
traffic analysis</A>.</P>
<H3><A name="AH.ipsec">The Authentication Header (AH)</A></H3>
<P>Packet authentication can be provided separately from encryption by 
 adding an authentication header (AH) after the IP header but before 
the  other headers on the packet. This is the subject of this section. 
Details  are in RFC 2402.</P>
<P>Each of the several headers on a packet header contains a &quot;next 
protocol&quot;  field telling the system what header to look for next. IP 
headers generally  have either TCP or UDP in this field. When IPSEC 
authentication is used, the  packet IP header has AH in this field, 
saying that an Authentication Header  comes next. The AH header then 
has the next header type -- usually TCP, UDP  or encapsulated IP.</P>
<P>IPSEC packet authentication can be added in transport mode, as a 
 modification of standard IP transport. This is shown in this diagram 
from  the RFC:</P>
<PRE>                  BEFORE APPLYING AH
            ----------------------------
      IPv4  |orig IP hdr  |     |      |
            |(any options)| TCP | Data |
            ----------------------------

                  AFTER APPLYING AH
            ---------------------------------
      IPv4  |orig IP hdr  |    |     |      |
            |(any options)| AH | TCP | Data |
            ---------------------------------
            ||
                 except for mutable fields</PRE>
<P>Athentication can also be used in tunnel mode, encapsulating the 
 underlying IP packet beneath AH and an additional IP header.</P>
<PRE>                         ||
IPv4  | new IP hdr* |    | orig IP hdr*  |    |      |
      |(any options)| AH | (any options) |TCP | Data |
      ------------------------------------------------
      ||
      |           in the new IP hdr                  |</PRE>
<P>This would normally be used in a gateway-to-gateway tunnel. The 
receiving  gateway then strips the outer IP header and the AH header 
and forwards the  inner IP packet.</P>
<P>The mutable fields referred to are things like the time-to-live 
field in  the IP header. These cannot be included in authentication 
calculations  because they change as the packet travels.</P>
<H4><A name="keyed">Keyed MD5 and Keyed SHA</A></H4>
<P> The actual authentication data in the header is typically 96 bits 
and depends both on a secret shared between sender and receiver and on 
every byte of the data being authenticated.</P>
<P> The algorithms involved are the <A href="glossary.html#MD5">MD5</A>
 Message Digest  Algorithm or <A href="glossary.html#SHA">SHA</A>, the 
Secure Hash Algorithm. For details  on their use in this application, 
see RFCs 2403 and 2404 respectively.</P>
<P>For descriptions of the algorithms themselves, see RFC 1321 for MD5 
and <A href="glossary.html#FIPS"> FIPS</A> (Federal Information 
Processing Standard) number  186 from <A href="glossary.html#NIST">NIST</A>
, the US National Institute of Standards  and Technology for SHA. <A href="biblio.html#schneier">
<CITE>Applied  Cryptography</CITE></A> covers both in some detail, MD5 
starting on page 436  and SHA on 442.</P>
<P>These algorithms are intended to make it nearly impossible for 
anyone to  alter the authenticated data in transit. The sender 
calculates a digest or  hash value from that data and includes the 
result in the authentication  header. The recipient does the same 
calculation and compares results. For  unchanged data, the results will 
be identical. The hash algorithms are  designed to make it extremely 
difficult to change the data in any way and  still get the correct hash.</P>
<P>Since the shared secret key is also used in both calculations, an 
 interceptor cannot simply alter the authenticated data and change the 
hash  value to match. Without the key, he or she (or even the dreaded 
They) cannot  produce a usable hash.</P>
<H4><A name="sequence">Sequence numbers</A></H4>
<P>The authentication header includes a sequence number field which the 
 sender is required to increment for each packet. The receiver can 
ignore it  or use it to check that packets are indeed arriving in the 
expected  sequence.</P>
<P>This provides partial protection against <A href="glossary.html#replay">
replay  attacks</A> in which an attacker resends intercepted packets in 
an effort to  confuse or subvert the receiver. Complete protection is 
not possible since  it is necessary to handle legitmate packets which 
are lost, duplicated, or  delivered out of order, but use of sequence 
numbers makes the attack much  more difficult.</P>
<P>The RFCs require that sequence numbers never cycle, that a new key 
always  be negotiated before the sequence number reaches 2^32-1. This 
protects both  against replays attacks using packets from a previous 
cyclce and against <A href="glossary.html#birthday">birthday attacks</A>
 on the the packet authentication  algorithm.</P>
<P>In Linux FreeS/WAN, the sequence number is ignored for manually 
keyed  connections and checked for automatically keyed ones. In 
automatic mode, we  do that. In manual mode, there is no way to 
negotiate a new key, or to  recover from a sequence number problem, so 
we don't use sequence  numbers.</P>
<H3><A name="ESP.ipsec">Encapsulated Security Payload (ESP)</A></H3>
<P>The ESP protocol is defined in RFC 2406. It provides one or both of 
 encryption and packet authentication. It may be used with or without 
AH  packet authentication.</P>
<P>Note that <STRONG>some form of packet authentication should <EM>
 always</EM> be used whenever data is encrypted</STRONG>. Without 
 authentication, the encryption is vulnerable to active attacks which 
may  allow an enemy to break the encryption. ESP should <STRONG>always</STRONG>
 either include its own authentication or be used with AH 
authentication.</P>
<P>The RFCs require support for only two mandatory encryption 
algorithms -- <A href="glossary.html#DES"> DES</A>, and null encryption 
-- and for two authentication  methods -- keyed MD5 and keyed SHA. 
Implementers may choose to support  additional algorithms in either 
category.</P>
<P>The authentication algorithms are the same ones used in the IPSEC <A href="glossary.html#AH">
authentication header</A>.</P>
<P> We do not implement single DES since <A href="politics.html#desnotsecure">
DES is insecure</A>. Instead we provide <A href="glossary.html#3DES">
triple DES or 3DES</A>. This is currently the only encryption algorithm 
supported.</P>
<P> We do not implement null encryption since it is obviously insecure.</P>
<H2><A name="modes">IPSEC modes</A></H2>
<P>IPSEC can connect in two modes. Transport mode is a host-to-host 
 connection involving only two machines. In tunnel mode, the IPSEC 
machines  act as gateways and trafiic for any number of client machines 
may be  carried.</P>
<H3><A name="tunnel.ipsec">Tunnel mode</A></H3>
<P>Security gateways are required to support tunnel mode connections. 
In  this mode the gateways provide tunnels for use by client machines 
behind the  gateways. The client machines need not do any IPSEC 
processing; all they  have to do is route things to gateways.</P>
<H3><A name="transport.ipsec">Transport mode</A></H3>
<P>Host machines (as opposed to security gateways) with IPSEC 
 implementations must also support transport mode. In this mode, the 
host  does its own IPSEC processing and routes some packets via IPSEC.</P>
<H2><A name="parts">FreeS/WAN parts</A></H2>
<H3><A name="KLIPS.ipsec">KLIPS: Kernel IPSEC Support</A></H3>
<P>KLIPS is <STRONG>K</STRONG>erne<STRONG>L</STRONG><STRONG> IP</STRONG>
SEC <STRONG> S</STRONG>upport, the modifications necessary to support 
IPSEC  within the Linux kernel. KILPS does all the actual IPSEC 
packet-handling,  including</P>
<UL>
<LI>encryption</LI>
<LI>packet authentication calculations</LI>
<LI>creation of ESP and AH headers for outgoing packets</LI>
<LI>interpretation of those headers on incoming packets</LI>
</UL>
<P>KLIPS also checks all non-IPSEC packets to ensure they are not 
bypassing  IPSEC security policies.</P>
<H3><A name="Pluto.ipsec">The Pluto daemon</A></H3>
<P><A href="manpage.d/ipsec_pluto.8.html">Pluto(8)</A> is a daemon 
which  implements the IKE protocol. It</P>
<UL>
<LI>handles all the Phase one ISAKMP SAs</LI>
<LI>performs host authentication and negotiates with other gateways</LI>
<LI>creates IPSEC SAs and passes the data required to run them to  KLIPS</LI>
<LI>adjust routing and firewall setup to meet IPSEC requirements. See 
our <A href="firewall.html"> IPSEC and firewalling</A> document for 
details.</LI>
</UL>
 Pluto is controlled mainly by the <A href="manpage.d/ipsec.conf.5.html">
ipsec.conf(5)</A> configuration file. 
<H3><A name="command">The ipsec(8) command</A></H3>
<P>The ipsec(8) command is a front end that allows control over IPSEC 
 activity.</P>
<H3><A name="ipsec.conf">Linux FreeS/WAN configuration file</A></H3>
<P>The configuration file for Linux FreeS/WAN is</P>
<PRE>
        /etc/ipsec.conf
</PRE>
 For details see the <A href="manpage.d/ipsec.conf.5.html">ipsec.conf(5)</A>
 manual page and our <A href="config.html">Configuration</A> section. 
<H2><A name="key">Key management</A></H2>
<P>There are several ways IPSEC can manage keys. Not all are 
implemented in  Linux FreeS/WAN.</P>
<H3><A name="current">Currently Implemented Methods</A></H3>
<H4><A name="manual">Manual keying</A></H4>
<P>IPSEC allows keys to be manually set. In Linux FreeS/WAN, such keys 
are  stored with the connection definitions in /etc/ipsec.conf.</P>
<P><A href="glossary.html#manual">Manual keying</A> is useful for 
debugging since it  allows you to test the <A href="glossary.html#KLIPS">
KLIPS</A> kernel IPSEC code without  the <A href="glossary.html#Pluto">
Pluto</A> daemon doing key negotiation.</P>
<P>In general, however, automatic keying is preferred because it is 
more  secure.</P>
<H4><A name="auto">Automatic keying</A></H4>
<P>In automatic keying, the <A href="glossary.html#Pluto">Pluto</A>
 daemon negotiates  keys using the <A href="glossary.html#IKE">IKE</A>
 Internet Key Exchange protocol.  Connections are automatically 
re-keyed periodically.</P>
<P>This is considerably more secure than manual keying. In either case 
an  attacker who acquires a key can read every message encrypted with 
that key,  but automatic keys can be changed every few hours or even 
every few minutes  without breaking the connection or requiring 
intervention by the system  administrators. Manual keys can only be 
changed manually; you need to shut  down the connection and have the 
two admins make changes. Moreover, they  have to communicate the new 
keys securely, perhaps with <A href="glossary.html#PGP">PGP</A> or <A href="glossary.html#SSH">
SSH</A>.  This may be possible in some  cases, but as a general 
solution it is expensive, bothersome and unreliable.  Far better to let <A
href="glossary.html#Pluto">Pluto</A> handle these chores; no doubt  the 
administrators have enough to do.</P>
<P>Also, automatic keying is inherently more secure against an attacker 
who  manages to subvert your gateway system. If manual keying is in use 
and an  adversary acquires root privilege on your gateway, he reads 
your keys from  /etc/ipsec.conf and then reads all messages encrypted 
with those keys.</P>
<P>If automatic keying is used, an adversary with the same privileges 
can  read /etc/ipsec.secrets, but this does not contain any keys, only 
the  secrets used to authenticate key exchanges. Having an adversary 
able to  authenticate your key exchanges need not worry you overmuch. 
Just having the  secrets does not give him any keys. You are still 
secure against <A href="glossary.html#passive">passive</A> attacks. 
This property of automatic keying is  called <A href="glossary.html#PFS">
perfect forward secrecy</A>, abbreviated PFS.</P>
<P>Unfortunately, having the secrets does allow an <A href="glossary.html#active">
active  attack</A>, specifically a <A href="glossary.html#middle">
man-in-the-middle</A> attack.  Losing these secrets to an attacker may 
not be quite as disastrous as losing  the actual keys, but it is <EM>
still a serious security breach</EM>. These  secrets should be guarded 
as carefully as keys.</P>
<H3><A name="notyet">Methods not yet implemented</A></H3>
<H4><A name="noauth">Unauthenticated key exchange</A></H4>
<P>It would be possible to exchange keys without authenticating the 
players.  This would support <A href="glossary.html#carpediem">
 opportunistic encryption</A> -- allowing any two  systems to encrypt 
their communications without requiring a shared PKI or a  previously 
negotiated secret -- and would be secure against <A href="glossary.html#passive">
passive attacks</A>. It would, however, be highly vulnerable  to active <A
href="glossary.html#middle">man-in-the-middle</A> attacks. RFC 2408 
 therefore specifies that all <A href="glossary.html#ISAKMP">ISAKMP</A>
 key management  interactions <EM>must</EM> be authenticated. </P>
<P>There is room for debate here. Should we provide immediate security 
 against <A href="glossary.html#passive">passive attacks</A> and 
encourage widespread use  of encryption, at the expense of risking the 
more difficult <A href="glossary.html#active">active attacks</A>? Or 
should we wait until we can implement  a solution that can both be 
widespread and offer security against active  attacks?</P>
<P>So far, we have chosen the second course, complying with the RFCs 
and  waiting for secure DNS (see <A href="glossary.html#DNS">below</A>) 
so that we can do <A href="glossary.html#carpediem">opportunistic 
encryption</A> right.</P>
<H4><A name="DNS">Key exchange using DNS</A></H4>
<P>The IPSEC RFCs allow key exchange based on authentication services 
 provided by <A href="glossary.html#SDNS">Secure DNS</A>. Once Secure 
DNS service becomes  widely available, we expect to make this the <EM>
primary key management  method for Linux FreeS/WAN</EM>. It is the best 
way we know of to support <A href="glossary.html#carpediem">
opportunistic encryption</A>, allowing two systems without  a common 
PKI or previous negotiation to secure their communication.</P>
<P>As of FreeS/WAN 1.4, we have experimental code to acquire RSA keys 
from  DNS but do not yet have code to validate Secure DNS signatures.</P>
<H4><A name="PKI">Key exchange using a PKI</A></H4>
<P>The IPSEC RFCs allow key exchange based on authentication services 
 provided by a <A href="glossary.html#PKI">PKI</A> or Public Key 
Infrastructure. With many  vendors selling such products and many large 
organisations building these  infrastructures, this will clearly be an 
important application of IPSEC and  one Linux FreeS/WAN will eventually 
support.</P>
<P>On the other hand, this is not as high a priority for Linux 
FreeS/WAN as  solutions based on <A href="glossary.html#SDNS">secure DNS</A>
. We do not expect any PKI  to become as universal as DNS.</P>
<P>Some <A href="web.html#patch">patches</A> to handle  authentication 
with X.509 certificates, which most PKIs use, are available.</P>
<H4><A name="photuris">Photuris</A></H4>
<P><A href="glossary.html#photuris"> Photuris</A> is another key 
management protocol, an  alternative to IKE and ISAKMP, described in 
RFCs 2522 and 2523 which are  labelled &quot;experimental&quot;. Adding Photuris 
support to Linux FreeS/WAN might be  a good project for a volunteer. 
The likely starting point would be the  OpenBSD photurisd code.</P>
<H4><A name="skip">SKIP</A></H4>
<P><A href="glossary.html#SKIP">SKIP</A> is yet another key management 
protocol,  developed by Sun. At one point it was fairly widely used, 
but our current  impression is that it is moribund, displaced by IKE. 
Sun now (as of Solaris  8.0) ship an IPSEC implementation using IKE. We 
have no plans to implement  SKIP.</P>
<HR>
<A HREF="toc.html">Contents</a>
<A HREF="politics.html">Previous</a>
<A HREF="mail.html">Next</a>
</BODY>
</HTML>