%     
% $RCSfile: ipsec.tex,v $
%
% x-kernel v3.2
%
% Copyright (c) 1993 Arizona Board of Regents
%
%

\protspec{IPSEC}{IPSEC (A Simple IP Security Layer)}
\index{ipsec}
\index{security, network}
\label{IPSEC}

\topic{SPECIFICATION}

\noindent IPSEC is a simple version of the emerging Internet IP security
protocol.  It uses a one-byte SAID which is an algorithm identifier.
The algorithm-SAID correspondence is determined by the protocol graph,
as described below.  In conjunction with a full suite of supprting
cryptographic protocols and key management, it can provides host-host
security services such as privacy, authentication, and message integrity.

\noindent

\topic{REALM}

\noindent IPSEC is in the ASYNC realm.

\topic{PARTICIPANTS}

\noindent
IPSEC passes participants to the lower protocols without manipulating them.

\topic{CONTROL OPERATIONS}


\topic{CONFIGURATION}

\noindent
IPSEC must be configured over a datagram protocol that preserves
packet boundaries.  However, the complete environment for constructing
a sensible security service based on IPSEC is considerably more complicated.
The cryptographic services for the system should be configured over
IPSEC, and they should use active key management.

IPSEC can manage several cryptographic handling stacks, as long as
they adhere to a special naming convention.  The numeric characters of
the security service instance name is used as an algorithm identifier.
Machines usig IPSEC for communication must have the same naming
conventions to assure proper decryption or message validation.  The
graph.comp shown belown uses "1" to mean the DES algorithm, "2" to
mean the md5 algorithm.  Also, the scheme should below negotiates only
one key for each host pair.  A later version of IPSEC will support an
arbitrary number.

Example of a graph.comp file:
\begin{bigverb}
---------------------------------
@;
name=simeth;
name=eth protocols=simeth;
name=arp protocols=eth;
name=vnet protocols=eth,arp;
name=ip protocols=vnet dir=ip files=ip,ip_frag,ip_input,ip_gc,
     ip_util,ip_rom,ip_control,ip_hdr,iproute;
name=ipsec       protocols=ip dir=ipsec files=ipsec_simple;
name=km/sig     dir=km files=km;
name=km/dh;
name=dhkx       dir=dhkx files=dhkx protocols=dss,km/dh;
name=sha        dir=sha  files=sha;
name=dss        dir=dss  files=dss,dssaux protocols=ip,sha,km/sig
     trace=TR_FULL_TRACE;
name=km/said;
#
name=km/md5 protocols=dhkx,km/dh trace=TR_FULL_TRACE;
name=md5/m2 protocols=ipsec,km/md5 dir=md5 files=md5 trace=TR_FULL_TRACE;
name=crypt/c1 protocols=ipsec,km/cr dir=crypt files=crypt trace=TR_FULL_TRACE;
name=udp protocols=md5/m2 trace=TR_DETAILED;
#
name=udptest protocols=udp;
name=confounder dir=confounder trace=TR_DETAILED;
@;
prottbl=/cs/xkernel.v3.2/etc/prottbl.std;
romopt crypt/c1 numparts 2;
romopt md5/m2 numparts 2;
romopt dhkx numparts 2;
romopt dhkx delay 30;
romopt confounder zerofill 4;
@;
prottbl = ../../../etc/prottbl.nonstd;
---------------------------------
\end{bigverb}

\topic{AUTHOR}

\noindent Hilarie Orman

