IPv6 IPsec on Linux (Ubuntu)?
Shadow Hawkins on Sunday, 24 July 2011 18:26:07
I know that one of the features of IPv6 is that you should be able to encrypt at the IP level. I would like to set this up on Ubuntu. I know that there are two kinds, ESP and AH. I think I need racoon and ipsec-tools.
The other half of the question is this: I have heard that IPsec is part of the IPv6 standard. Does that mean that once I set it up, I will be able to encrypt my connections to any of the IPv6 services I connect to? If that is the way it is, why do I need to set anything up to use it? (I'm a little confused...)
Also, I (think) I know that ESP encrypts the data along the way, and AH makes it so you know that the traffic is coming from who you think it is. Is it possible to use both, so that no one can read the connection AND you can be sure you are talking to the right server?
I have tried to set up racoon on two computers at home, 2001:db8:e89d::1 and 2001:db8:e89d:0:21a:73ff:fe62:8329. Here are the config files:
2001:db8:e89d::1:
/etc/racoon/racoon.conf:
#
# NOTE: This file will not be used if you use racoon-tool(8) to manage your
# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
# of this file.
#
# Simple racoon.conf
#
#
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
#
# Please read racoon.conf(5) for details, and also read setkey(8).
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
#remote 172.31.1.1 {
# exchange_mode main,aggressive;
# proposal {
# encryption_algorithm 3des;
# hash_algorithm sha1;
# authentication_method pre_shared_key;
# dh_group modp1024;
# }
# generate_policy off;
#}
#
#sainfo address 192.168.203.10[any] any address 192.168.22.0/24[any] any {
# pfs_group modp768;
# encryption_algorithm 3des;
# authentication_algorithm hmac_md5;
# compression_algorithm deflate;
#}
remote 2001:db8:e89d:0:21a:73ff:fe62:8329 {
exchange_mode main;
certificate_type x509 "host-cert.pem" "host-key.pem";
my_identifier fqdn "erikbandersen.com";
verify_identifier on;
peers_identifier fqdn "laptop.erikbandersen.com";
proposal {
encryption_algorithm aes;
hash_algorithm sha512;
authentication_method rsasig;
dh_group modp1024;
}
}
sainfo address 2001:db8:e89d::1 any address 2001:db8:e89d:0:21a:73ff:fe62:8329 any {
pfs_group modp1024;
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha512,hmac_sha1;
compression_algorithm deflate;
}
# Extra sainfo for port 500 needed, taken from
# <http://bugs.debian.org/341398#msg69>
sainfo address 2001:db8:e89d::1[500] any address 2001:db8:e89d:0:21a:73ff:fe62:8329[500] any {
pfs_group modp1024;
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha512,hmac_sha1;
compression_algorithm deflate;
}
# See also:
#<http://lists.freebsd.org/pipermail/freebsd-net/2004-March/003514.html>
##
And /etc/ipsec-tools.conf:
#!/usr/sbin/setkey -f
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
## Flush the SAD and SPD
#
# flush;
# spdflush;
## Some sample SPDs for use racoon
#
# spdadd 10.10.100.1 10.10.100.2 any -P out ipsec
# esp/transport//require;
#
# spdadd 10.10.100.2 10.10.100.1 any -P in ipsec
# esp/transport//require;
#
spdadd ::/0 ::/0 icmp6 135,0 -P out none;
spdadd ::/0 ::/0 icmp6 135,0 -P in none;
spdadd ::/0 ::/0 icmp6 136,0 -P out none;
spdadd ::/0 ::/0 icmp6 136,0 -P in none;
##
# laptop.erikbandersen.com
# This host is 2001:db8:e89d::1: it is the destination of "in" policies
# and the source of "out" policies.
spdadd 2001:db8:e89d:0:21a:73ff:fe62:8329 2001:db8:e89d::1 any -P in ipsec esp/transport//require;
spdadd 2001:db8:e89d::1 2001:db8:e89d:0:21a:73ff:fe62:8329 any -P out ipsec esp/transport//require;
##
And 'tree /etc/racoon/certs'
tree /etc/racoon/certs
/etc/racoon/certs
ca-cert.pem -> /home/bjorn/erikca/CA/erikca.crt
host-cert.pem -> /home/bjorn/erikca/erikbandersen.com_ipsec_16k/erikbandersen.com_ipsec_16k.crt
host-key.pem -> /home/bjorn/erikca/erikbandersen.com_ipsec_16k/erikbandersen.com_ipsec_16k.key
0 directories, 3 files
2001:db8:e89d:0:21a:73ff:fe62:8329:
/etc/racoon/racoon.conf:
#
# NOTE: This file will not be used if you use racoon-tool(8) to manage your
# IPsec connections. racoon-tool will process racoon-tool.conf(5) and
# generate a configuration (/var/lib/racoon/racoon.conf) and use it, instead
# of this file.
#
# Simple racoon.conf
#
#
# Please look in /usr/share/doc/racoon/examples for
# examples that come with the source.
#
# Please read racoon.conf(5) for details, and also read setkey(8).
#
#
# Also read the Linux IPSEC Howto up at
# http://www.ipsec-howto.org/t1.html
#
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
#remote 172.31.1.1 {
# exchange_mode main,aggressive;
# proposal {
# encryption_algorithm 3des;
# hash_algorithm sha1;
# authentication_method pre_shared_key;
# dh_group modp1024;
# }
# generate_policy off;
#}
#
#sainfo address 192.168.203.10[any] any address 192.168.22.0/24[any] any {
# pfs_group modp768;
# encryption_algorithm 3des;
# authentication_algorithm hmac_md5;
# compression_algorithm deflate;
#}
remote 2001:db8:e89d::1 {
exchange_mode main;
certificate_type x509 "laptop.erikbandersen.com_ipsec_16k.crt" "laptop.erikbandersen.com_ipsec_16k.key";
my_identifier fqdn "laptop.erikbandersen.com";
verify_identifier on;
# must equal the my_identifier configured on 2001:db8:e89d::1
peers_identifier fqdn "erikbandersen.com";
proposal {
encryption_algorithm aes;
hash_algorithm sha512;
authentication_method rsasig;
dh_group modp1024;
}
}
sainfo address 2001:db8:e89d:0:21a:73ff:fe62:8329 any address 2001:db8:e89d::1 any {
pfs_group modp1024;
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha512,hmac_sha1;
compression_algorithm deflate;
}
# Extra sainfo for port 500 needed, taken from
# <http://bugs.debian.org/341398#msg69>
sainfo address 2001:db8:e89d:0:21a:73ff:fe62:8329[500] any address 2001:db8:e89d::1[500] any {
pfs_group modp1024;
encryption_algorithm aes,3des;
authentication_algorithm hmac_sha512,hmac_sha1;
compression_algorithm deflate;
}
# See also:
#<http://lists.freebsd.org/pipermail/freebsd-net/2004-March/003514.html>
##
And /etc/ipsec-tools.conf:
#!/usr/sbin/setkey -f
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
## Flush the SAD and SPD
#
# flush;
# spdflush;
## Some sample SPDs for use racoon
#
# spdadd 10.10.100.1 10.10.100.2 any -P out ipsec
# esp/transport//require;
#
# spdadd 10.10.100.2 10.10.100.1 any -P in ipsec
# esp/transport//require;
#
spdadd ::/0 ::/0 icmp6 135,0 -P out none;
spdadd ::/0 ::/0 icmp6 135,0 -P in none;
spdadd ::/0 ::/0 icmp6 136,0 -P out none;
spdadd ::/0 ::/0 icmp6 136,0 -P in none;
##
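# erikbandersen.com
# This host is 2001:db8:e89d:0:21a:73ff:fe62:8329: it is the source of
# "out" policies and the destination of "in" policies.
spdadd 2001:db8:e89d:0:21a:73ff:fe62:8329 2001:db8:e89d::1 any -P out ipsec esp/transport//require;
spdadd 2001:db8:e89d::1 2001:db8:e89d:0:21a:73ff:fe62:8329 any -P in ipsec esp/transport//require;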
##
And 'tree /etc/racoon/certs'
/etc/racoon/certs
ca-cert.pem
laptop.erikbandersen.com_ipsec_16k.crt
laptop.erikbandersen.com_ipsec_16k.csr
laptop.erikbandersen.com_ipsec_16k.key
0 directories, 4 files
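Added example, not part of the original post: in host-to-host transport mode, a setkey "-P out" policy must have the local address in its source selector and a "-P in" policy must have it in its destination selector, so the same policy text can be right on one peer and wrong on the other. The checker below is a sketch that assumes one spdadd statement per line; check_spd and SAMPLE are names made up here, and SAMPLE is constructed from the thread's addresses.

```python
import ipaddress
import re

# setkey(8) policy statement: spdadd <src> <dst> <upperspec> -P <in|out> <policy> ...;
SPDADD = re.compile(r"^\s*spdadd\s+(\S+)\s+(\S+)\s+.*?-P\s+(in|out)\s+(\w+)")

def _net(selector):
    """Parse 'addr', 'addr/len' or 'addr[port]' into an ip_network."""
    return ipaddress.ip_network(selector.split("[")[0], strict=False)

def check_spd(text, local_addr):
    """Return (line number, message) for transport-mode ipsec policies whose
    direction does not match the host they are loaded on."""
    local = ipaddress.ip_address(local_addr)
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SPDADD.match(line)
        if not m:
            continue                      # comments, blank lines, other commands
        src, dst, direction, policy = m.groups()
        if policy != "ipsec" or "/transport/" not in line:
            continue                      # bypass rules and tunnel mode are out of scope
        # Outbound packets carry the local address as source, inbound as destination.
        selector, role = (src, "source") if direction == "out" else (dst, "destination")
        if local not in _net(selector):
            findings.append((lineno, f"-P {direction}: {local} is not in the {role} selector {selector}"))
    return findings

# Constructed sample: neighbour discovery bypass plus one ESP policy pair.
SAMPLE = """\
spdadd ::/0 ::/0 icmp6 135,0 -P out none;
spdadd ::/0 ::/0 icmp6 135,0 -P in none;
spdadd 2001:db8:e89d:0:21a:73ff:fe62:8329 2001:db8:e89d::1 any -P out ipsec esp/transport//require;
spdadd 2001:db8:e89d::1 2001:db8:e89d:0:21a:73ff:fe62:8329 any -P in ipsec esp/transport//require;
"""

if __name__ == "__main__":
    for host in ("2001:db8:e89d::1", "2001:db8:e89d:0:21a:73ff:fe62:8329"):
        print(host, check_spd(SAMPLE, host) or "directions consistent")
```

Once racoon has negotiated SAs, `setkey -DP` and `setkey -D` show the policies and associations the kernel actually holds.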
IPv6 IPsec on Linux (Ubuntu)?
Jeroen Massar on Monday, 14 February 2011 09:55:56
IPv6 was intended to require IPSEC support. Unfortunately most IPv6 stacks come without IPSEC support, and because of that the requirement for having IPv6 IPSEC actually was made optional later on. It is one of those "IPv6 myths". Note that IPv4 is in the same situation: you need a working IPSEC stack for it and those are not always available, let alone proper tools to set it up. The only 'advantage' for IPv6 over IPv4 here is that in a lot of scenarios IPv4 is NATted while IPv6 most likely is not; there are ways around that nowadays anyway, thus that is not a real advantage anymore.
Magically one of the operating systems with the best IPSEC support (both IPv4 and IPv6) is Windows and Microsoft actively uses it for their Direct Access feature which works like a charm with little to no configuration as all key management (which is the most difficult part of IPSEC) is done by Active Directory.
For simplicity, you can remember that ESP = Encrypt and AH = Authenticate.
You can use those in combination, as IPv{46}->ESP->AH->(TCP|UDP|SCTP|..) and as IPv{46}->AH->ESP->(TCP|UDP|SCTP|..), but note the difference: with the first you encrypt everything and then authenticate that you really send it; intermediate hosts can't say that you signed it as they can't read the crypto part. With the latter every intermediate node can see that you signed it, but can't read the contents. For Direct Access the latter is used, as the AH is used to allow packets through the firewall or not.
The other half of the question is this: I have heard that IPsec is part of the IPv6 standard.
It is part of the standard, but not a requirement anymore :(
Does that mean that once I set it up, I will be able to encrypt my connections to any of the IPv6 services I connect to? If that is the way it is, why do I need to set anything up to use it? (I'm a little confused...)
You would need Opportunistic Encryption (OE) for that which of course is not available on a lot of platforms.
In a lot of situations people have dropped even thinking of IPSEC and just deployed TLS for their applications. The advantage of IPSEC though is that you don't have to rely on per-app settings/certificates or support for crypto. Then again, most important protocols have TLS support.
If you really want to endeavor into this, you might want to peek at projects like OpenSWAN who have been working on IPSEC for years...
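Added example, not part of the original post: the two header orders described above differ in what an on-path node can parse. The sketch below builds both orders as constructed packets (zero-filled stand-ins for the ICV and the ciphertext, made-up SPI values) and walks the next-header chain the way a firewall would; all function names are chosen here.

```python
import ipaddress
import struct

AH, ESP = 51, 50                       # IANA protocol numbers
NAMES = {6: "TCP", 17: "UDP", ESP: "ESP", AH: "AH", 132: "SCTP"}
SRC = ipaddress.ip_address("2001:db8:e89d::1").packed
DST = ipaddress.ip_address("2001:db8:e89d:0:21a:73ff:fe62:8329").packed

def ipv6(next_header, payload):
    # version 6, payload length, next header, hop limit 64, addresses
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + SRC + DST + payload

def ah(next_header, payload):
    # next header, length (24 bytes / 4 - 2 = 4), reserved, SPI, sequence, 96-bit ICV
    return struct.pack("!BBHII", next_header, 4, 0, 0x1000, 1) + bytes(12) + payload

def esp(opaque):
    # SPI and sequence number are cleartext; the rest stands in for ciphertext
    return struct.pack("!II", 0x2000, 1) + opaque

def visible_headers(packet):
    """Header names an on-path node can identify before reaching ciphertext."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, seen = packet[6], 40, ["IPv6"]
    while nxt == AH and len(packet) >= off + 2:
        seen.append("AH")
        nxt, words = packet[off], packet[off + 1]
        off += (words + 2) * 4         # AH length field counts 32-bit words minus 2
    seen.append(NAMES.get(nxt, f"proto {nxt}"))
    # ESP keeps its next-header field in the encrypted trailer, so the walk ends here.
    return seen

OPAQUE = bytes(40)                     # constructed stand-in for an encrypted payload
AH_OUTSIDE = ipv6(AH, ah(ESP, esp(OPAQUE)))    # IPv6->AH->ESP->(TCP|UDP|SCTP|..)
ESP_OUTSIDE = ipv6(ESP, esp(OPAQUE))           # IPv6->ESP->AH->..: AH sits inside the ciphertext

if __name__ == "__main__":
    print(visible_headers(AH_OUTSIDE))
    print(visible_headers(ESP_OUTSIDE))
```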
IPv6 IPsec on Linux (Ubuntu)?
Shadow Hawkins on Tuesday, 15 February 2011 18:28:03
Do you know which operating systems have IPv6 stacks with IPSEC built in? At least from what I can tell anything based on the KAME stack has support, so that would mean MacOS X, FreeBSD and NetBSD for starters?
IPv6 IPsec on Linux (Ubuntu)?
Shadow Hawkins on Wednesday, 06 July 2011 04:55:46
You say 'the requirement for having IPv6 IPSEC actually was made optional later on.' This is not true - IPsec must be supported by any compliant implementation of IPv6. It is mandated by RFC4294, "IPv6 Node Requirements": http://tools.ietf.org/html/rfc4294#section-8
Of course not all implementations are compliant with all the relevant IPv6 standards, but that is a different matter.
Back to the original question, ipsec is well supported in Ubuntu - see the ipsec-tools and racoon packages.
But while ipsec must be supported, it doesn't have to be configured on a given host. From what I've seen, unfortunately, in many cases it remains pretty inconvenient to actually set up ipsec.
IPv6 IPsec on Linux (Ubuntu)?
Jeroen Massar on Sunday, 24 July 2011 18:35:54
You have to realize that RFCs are quite a mess, with not a single thing in one overview.
To demonstrate that, RFC 4301, page 9, 1st paragraph of Section 3.2 :
[...] IPsec implementations MUST support ESP and MAY
support AH. (Support for AH has been downgraded to MAY because
experience has shown that there are very few contexts in which ESP
cannot provide the requisite security services. Note that ESP can be
used to provide only integrity, without confidentiality, making it
comparable to AH in most contexts.)
and as such, one big chunk of IPSEC is already out of the door, this while AH is quite useful for a lot of cases ;)
You might be interrested to know about the Errata Search feature of tools.ietf.org, eg: RFC4294 Errata
and in the hallways, ESP is also becoming a 'MAY' quite soon..... it is a shame but oh well.
TLS/SSL is the stuff that people make money with, selling certificates and all, there is no money to be made with IPSEC, and thus it will go the way of the dodo.