I. Introduction
The rise of Internet technology and the growth of interconnection have made everyone rely more and more on the Internet, a public network with a vast range of applications. It therefore matters a great deal that users can communicate across the Internet without worrying that the packets they send are intercepted or forged, because those packets may carry sensitive personal data such as a user ID or a credit card number.
In fact, a good number of Internet security standards have appeared over the past few years. For example, the GSSAPI (Generic Security Service Application Program Interface) defined in RFC 1508 and RFC 1509 can be used by Telnet, FTP and HTTP; the PEM standard, produced by the PSRG (Privacy and Security Research Group) of the Internet Research Task Force (the research counterpart of the IETF), secures e-mail, while the best-known e-mail security software on the net is P. Zimmermann's PGP (Pretty Good Privacy). Others, such as EIT's S-HTTP (Secure HTTP), Netscape's SSL (Secure Sockets Layer), Microsoft's PCT and the GSSAPI mentioned above, can all secure HTTP, and Visa's SET (Secure Electronic Transaction) provides secure electronic commerce. All of these are session-layer or application-layer mechanisms: the user must adopt a dedicated protocol or a particular vendor's product.
The root of the problem is TCP/IP itself. An IP datagram carries a source address, a destination address and a payload; TCP is responsible only for cutting a message into segments and retransmitting any that are lost. TCP/IP therefore has no security to speak of, and anyone with an ordinary sniffing tool on the path can read this traffic in the clear.
To provide private, secure communication over any IP network, and to unify the differing standards and vendor products, the IETF set out to define an open-standard network security protocol, IPSec (IP Security). IPSec applies cryptography at the network layer to give sender and receiver authentication, integrity, access control and confidentiality. Higher-layer application protocols can use these services directly or indirectly.
IPSec is a layer-3 protocol designed to provide end-to-end secure communication at the network layer. Its two main building blocks are the IP Authentication Header (AH) and the IP Encapsulating Security Payload (ESP). AH provides integrity and authentication but no confidentiality; ESP in principle provides only confidentiality, but an appropriate authentication algorithm and mode can be specified for the ESP security association so that ESP also provides integrity and authentication. AH and ESP can be used separately or together. A complete IPSec also has to cover the exchange and management of the keys that AH and ESP use, that is the Security Association (SA) and the key management protocol IKE (Internet Key Exchange). Figure 1 is the IPSec architecture diagram; the DOI (Domain of Interpretation) in it is the framework that lets other protocols use ISAKMP. Figure 1 makes the roles played by IPSec and IKE clear.
Part II of this article introduces IP AH, Part III covers IP ESP, Part IV describes the concept of the security association (SA), and Part V walks through a concrete example of how IP AH and IP ESP operate. Part VI introduces SKIP and ISAKMP/Oakley, the two key management protocols considered by the IETF; ISAKMP/Oakley is more flexible and supports more protocols, and has been adopted as the IPSec key management protocol (including for IPv6). The final part looks at IPSec from the point of view of its application to VPNs and lists the commercial VPN products that currently conform to the IPSec standard.
There are other IP tunneling techniques aimed at securing the IP layer, for example PPTP (Point-to-Point Tunneling Protocol), which grew out of PPP, was proposed jointly by Microsoft and Ascend, carries IP/IPX/NetBEUI and is supported by vendors such as Nortel and 3Com; and L2TP (Layer 2 Tunneling Protocol), which merges PPTP with Cisco's L2F (Layer 2 Forwarding) and is backed mainly by Nortel and IBM. This article concentrates on the open IETF standard IPSec, because it can bring different VPN systems together to achieve secure network interconnection.
II. IP AH format
IP AH provides authentication and integrity of the payload, but not confidentiality. Because it contains no confidentiality mechanism, it is not subject to the official export restrictions placed on cryptographic components and can therefore be used across the Internet between different countries.
IP AH computes a hash over the whole datagram with MD5 (Message Digest 5) keyed with a 128-bit key (note: SHA-1, the Secure Hash Algorithm 1, can be used as the one-way hash instead), so that a receiver who knows the key can recompute the value and check whether the same key was used and the data is intact; if the check fails the packet is discarded. The IPSec specification requires every IPv6 host to support 128-bit keyed MD5, and all IPv4 implementations should also declare support for this AH function. (The original RFC 1826/1828 AH used keyed MD5 directly; the 1998 revision cited later in this article, RFC 2402 together with RFC 2403 and RFC 2404, mandates HMAC-MD5-96 and HMAC-SHA-1-96, which truncate the 128- or 160-bit MAC to 96 bits.)
The format of IP AH is shown in Figure 2.a; the fields are as follows. Next Header (8 bits) identifies the type of data that follows the AH. Payload Length (8 bits) gives the length of the AH itself, expressed in 32-bit words minus 2, and so determines the size of the authentication data field; a further 16 bits are reserved for future use. The Security Parameter Index (SPI) is a 32-bit pseudo-random value that selects the security association (SA): 0 means no SA, and values 1 to 255 are reserved. After the SPI comes the Sequence Number field; including this number defends against replay attacks. The last field is the authentication data, whose length is variable (a multiple of 32 bits). Figure 2.b shows the use of the message digest function MD5, which produces a 128-bit hash value. The figure also shows that, for IPv4 and IPv6 alike, in transport mode the AH is inserted between the IP header and the TCP (or UDP) header.
In IPSec both IP AH and IP ESP have two modes of operation, tunnel mode and transport mode. Before presenting the two AH modes, Figure 3 explains the concept behind the most widely used technique, tunnel mode: the whole IP datagram is wrapped inside a new datagram. Figures 4.a to 4.c show the original IP datagram, AH in transport mode and AH in tunnel mode respectively; in AH tunnel mode the result is simply a new IP datagram.
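As an added worked example (not code from the original article), the following Python builds and verifies an AH transport-mode packet over a minimal IPv4 header, using HMAC-MD5-96 as in RFC 2402/2403 rather than the plain keyed MD5 described above. The addresses, SPI, key and TCP segment are made up for the example. It shows which IPv4 fields the ICV excludes (the mutable ones are zeroed before hashing), that a router decrementing the TTL does not break verification, and that any change to the payload does.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51        # IP protocol number for the Authentication Header
AH_FIXED_LEN = 12    # Next Header(1) + Payload Len(1) + Reserved(2) + SPI(4) + Sequence Number(4)
ICV_LEN = 12         # HMAC-MD5-96 / HMAC-SHA-1-96 keep only the first 96 bits of the MAC


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, ident=0x1234):
    """Minimal 20-byte IPv4 header (no options). The checksum is left 0 here:
    it is a mutable field, so AH does not cover it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def _zero_mutable(ip_hdr):
    """Zero the IPv4 fields RFC 2402 classes as mutable (TOS, flags/fragment
    offset, TTL, header checksum) so routers changing them do not break the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def _compute_icv(key, ip_hdr, ah_without_icv, payload, hash_fn=hashlib.md5):
    """ICV = truncated HMAC over (IP header with mutable fields zeroed) + AH (with the
    ICV field zeroed) + payload. Pass hash_fn=hashlib.sha1 for HMAC-SHA-1-96."""
    data = _zero_mutable(ip_hdr) + ah_without_icv + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hash_fn).digest()[:ICV_LEN]


def build_ah_transport(key, src, dst, payload, spi, seq, next_header=6):
    """Return (ip_header, ah, payload) for an AH transport-mode packet; the AH sits
    between the IP header and the upper-layer payload (next_header=6 means TCP)."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, total_len)
    # Payload Len = length of the whole AH in 32-bit words, minus 2 (RFC 2402 section 2.2)
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    ah_without_icv = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    icv = _compute_icv(key, ip_hdr, ah_without_icv, payload)
    return ip_hdr, ah_without_icv + icv, payload


def parse_ah(ah):
    """Split a received AH into its fields; the ICV length follows from Payload Len."""
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", ah[:AH_FIXED_LEN])
    ah_total = (payload_len + 2) * 4
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": ah[AH_FIXED_LEN:ah_total], "length": ah_total}


def verify_ah(key, ip_hdr, ah, payload, hash_fn=hashlib.md5):
    """Receiver side: recompute the ICV with the key from the SA selected by
    (destination address, AH, SPI) and compare in constant time."""
    fields = parse_ah(ah)
    expected = _compute_icv(key, ip_hdr, ah[:AH_FIXED_LEN], payload, hash_fn)
    return hmac.compare_digest(expected, fields["icv"])


if __name__ == "__main__":
    key = bytes(range(16))                                       # made-up 128-bit key
    tcp_segment = b"\x00\x15\x04\xd2" + b"\x00" * 16 + b"hello"  # constructed TCP segment
    ip_hdr, ah, data = build_ah_transport(key, "192.168.1.10", "10.0.0.5",
                                          tcp_segment, spi=0x1234, seq=1)
    print("ICV ok:", verify_ah(key, ip_hdr, ah, data))
    routed = bytearray(ip_hdr)
    routed[8] -= 1                                               # a router decremented TTL
    print("still ok after TTL change:", verify_ah(key, bytes(routed), ah, data))
    print("tampered payload:", verify_ah(key, ip_hdr, ah, data[:-1] + b"!"))
```

The receiver must select the key from the SA before calling verify_ah; the SPI and the destination address are sent in the clear precisely so that this lookup can happen before any cryptographic check.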
III. IP ESP format
The IP ESP standard describes how the IP payload is encrypted. The scope of the encryption can be the whole IP datagram or only the upper-layer TCP, UDP or ICMP data, depending entirely on whether tunnel mode or transport mode is used. The cipher IP ESP uses is the Data Encryption Standard (DES) or Triple-DES, in Cipher Block Chaining (CBC) mode. Besides encryption, IP ESP can also provide authentication, integrity and protection against replay attacks.
The tunnel and transport modes of IP ESP each have their advantages. Tunnel mode can establish a secure "tunnel" between two security gateways, as shown in Figure 5, and all traffic forwarded through the two gateway proxies travels inside that tunnel. Transport mode, by contrast, encrypts less and adds no extra IP header, so it is more efficient.
The two modes operate in detail as follows:

1. Transport mode:

Figure 6.a shows IP ESP in transport mode. The ESP header is placed directly in front of the data to be sent, which saves bandwidth: the IP header is not encrypted, so unlike tunnel mode there are not two IP headers in one packet.

First the IP payload is wrapped in ESP (an ESP Header and an ESP Trailer). The sender uses the user ID and the destination address to find the SA (described in the next section), and then encrypts the data with the encryption algorithm (DES or Triple-DES). When the receiver gets an ESP-encapsulated packet it processes the IP header directly (it is not encrypted), takes the SPI value from the ESP Header to find the corresponding SA, and then uses the decryption function defined by that SA to recover the encrypted data.

In transport mode the party that decrypts is the user at the destination address. For a firewall or gateway proxy, however, tunnel mode is more appropriate, because those devices are neither the original sender nor the final receiver.
2. Tunnel mode:

Figure 6.b shows the structure of tunnel mode, which can be summed up in one phrase: "IP-in-IP". First the IP packet, including its IP header, is encrypted using the information in the SA; an ESP Header is placed in front of it, and then a new IP header is prepended. When the receiver gets the ESP packet it uses the SPI value in the ESP Header to select the SA, decrypts the payload following the ESP Header, recovers the original IP header and packet, and forwards it onward.
Figure 7 shows the contents of the ESP Header and ESP Trailer. The ESP Header contains the SPI value, the initialization vector (IV) and the sequence number field, among others; the sequence number protects against replay attacks.
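As an added example (not from the original article), the following Python lays out ESP packets in both transport mode and tunnel mode exactly as the two procedures above describe: SPI and sequence number in the clear, an IV, the payload padded to the cipher block size, and a trailer carrying the pad length and the Next Header value (6 for TCP in transport mode, 4 for IP-in-IP in tunnel mode). Because the Python standard library has no DES, the encryption step is a clearly labelled hash-based keystream stand-in, not DES-CBC; the framing, addresses, keys and the TCP segment are otherwise constructed for the example.

```python
import hashlib
import os
import socket
import struct

ESP_PROTO = 50   # IP protocol number for ESP
BLOCK = 8        # DES / Triple-DES block size: ESP pads so (payload + trailer) is a multiple of it
NH_IPV4 = 4      # Next Header value in the ESP trailer for tunnel mode (IP-in-IP)
NH_TCP = 6       # Next Header value for a TCP segment in transport mode


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header without options; the checksum is left 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(hdr):
    return socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]), hdr[9]


def _stand_in_cipher(key, iv, data):
    """STAND-IN for DES-CBC so the example runs with the standard library only: a hash-derived
    keystream XORed over the data. Symmetric (the same call decrypts) but NOT a real cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(key, spi, seq, plaintext, next_header):
    """ESP Header (SPI, sequence number) + IV, followed by the encrypted
    (plaintext + padding + pad length + next header), i.e. payload plus ESP Trailer."""
    pad_len = (-(len(plaintext) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))          # RFC 2406 default padding values 1, 2, 3, ...
    trailer = padding + bytes([pad_len, next_header])
    iv = os.urandom(BLOCK)                           # fresh IV per packet, sent in the clear
    encrypted = _stand_in_cipher(key, iv, plaintext + trailer)
    return struct.pack("!II", spi, seq) + iv + encrypted


def esp_decapsulate(key, esp):
    """Inverse: SPI and sequence number are read in the clear (they select the SA and feed the
    anti-replay check), then the body is decrypted and the trailer stripped."""
    spi, seq = struct.unpack("!II", esp[:8])
    iv = esp[8:8 + BLOCK]
    decrypted = _stand_in_cipher(key, iv, esp[8 + BLOCK:])
    pad_len, next_header = decrypted[-2], decrypted[-1]
    payload = decrypted[:len(decrypted) - 2 - pad_len]
    return spi, seq, next_header, payload


def esp_transport(key, spi, seq, src, dst, tcp_segment):
    """Transport mode: the original IP header stays (Protocol = 50); only the segment is inside ESP."""
    esp = esp_encapsulate(key, spi, seq, tcp_segment, NH_TCP)
    return ipv4_header(src, dst, ESP_PROTO, 20 + len(esp)) + esp


def esp_tunnel(key, spi, seq, gw_src, gw_dst, inner_packet):
    """Tunnel mode (IP-in-IP): the whole original datagram, header included, is encrypted and a
    new outer header with the two gateways' addresses is prepended."""
    esp = esp_encapsulate(key, spi, seq, inner_packet, NH_IPV4)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(esp)) + esp


def receive(key, packet):
    """Receiver: parse the outer header, then decapsulate. Returns
    (outer src, outer dst, next header from the trailer, recovered payload)."""
    src, dst, proto = parse_ipv4(packet[:20])
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    _spi, _seq, next_header, payload = esp_decapsulate(key, packet[20:])
    return src, dst, next_header, payload


if __name__ == "__main__":
    key = b"example-key-0123"                                    # made-up key
    segment = b"\x00\x15\x04\xd2" + b"\x00" * 16 + b"hello"     # constructed TCP segment
    inner = ipv4_header("192.168.1.10", "10.0.0.5", NH_TCP, 20 + len(segment)) + segment
    t = esp_transport(key, 0x1000, 1, "192.168.1.10", "10.0.0.5", segment)
    u = esp_tunnel(key, 0x1000, 1, "203.0.113.1", "198.51.100.1", inner)
    print("transport:", receive(key, t)[:3], "bytes:", len(t))
    print("tunnel:   ", receive(key, u)[:3], "bytes:", len(u))
```

Comparing the two outputs shows the trade-off the text describes: the tunnel-mode packet is longer by the extra inner IP header, but the original source and destination addresses appear nowhere in the clear, whereas the transport-mode packet exposes them in its only IP header.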
3. Combining IP AH and IP ESP

IP AH and IP ESP can be used separately or together. Figure 8.a shows encrypt-then-authenticate: the data is encrypted before it is authenticated. Figure 8.b shows authenticate-then-encrypt; its advantage is that the authentication data is itself encrypted, so an attacker on the path cannot inspect or directly tamper with it.
After the next section introduces the concept of the security association (SA), we will use a concrete example to show how the IP header, IP AH, IP ESP and SPI operate together in IPSec.
The first generation of IPSec was proposed in 1995 (RFC 1825, RFC 1826, RFC 1827); it did not define key exchange or management, and concentrated on the packet transform formats. Network security specifications have changed frequently in recent years, and the latest IPSec version was issued in 1998 (RFC 2401, RFC 2402, RFC 2406); it adds automatic key exchange and revises the packet transform formats, making the IPSec architecture considerably more complete.
IV. Security Associations (SA)
The most important element of the IPSec standard is the SA. It defines a secure "context" whose contents cover the information needed to encrypt, decrypt and authenticate IP packets, as follows:

- Cryptographic function: encryption, authentication, or both.
- Cryptographic algorithms: for example DES (or Triple-DES) for encryption and decryption, and MD5 (or SHA-1) for authentication.
- The keys used by those algorithms, and their lifetimes.
- Whether an initialization vector is present.
- The lifetime of the SA.
An SA is referenced by a 32-bit Security Parameter Index (SPI): one SPI value selects one particular SA, and the destination host's IP address together with the SPI (and the protocol, AH or ESP) identifies an SA uniquely. For example, host A can tell host B that SPI value 1000 corresponds to an SA context whose cryptographic function is encryption only, using DES with the key 0x1234567890abcdef (64 bits, of which 8 are parity bits). Host A can then encrypt its data under SPI 1000 and send it to host B; when B receives the packet, the SPI in it (looked up against B's own address as destination and the protocol, since SPI values are assigned by the receiving side) determines the SA, and B decrypts to recover the original data.

From the above it is clear that an SA is unidirectional (A to B); for two hosts A and B that want to communicate securely, two SAs are needed, one per direction, (A to B) and (B to A).

There are also two keying styles for an SA: host-oriented keying and user-oriented keying. The former ignores the user: all packets sent from the same system use the same key. The latter takes the user into account and allows different users to have different keys; the same user may even hold several keys for different services, for example one key for FTP and another for Telnet.
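As an added example (not from the original article), the following Python models a small Security Association Database in which each SA is keyed by (destination address, protocol, SPI) and is unidirectional, so a host pair needs one entry per direction with its own SPI, algorithms and keys, as described above. It also implements the sliding-window anti-replay check that the sequence number fields of AH and ESP exist for (the window scheme of RFC 2401 Appendix C), which is what a receiver runs after the SA lookup and before any decryption or ICV verification. All SA parameters are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class SecurityAssociation:
    """One direction of protection, identified by (destination address, protocol, SPI)."""
    spi: int
    dst: str
    proto: str                   # "AH" or "ESP"
    cipher: Optional[str]        # e.g. "DES-CBC"; None for an AH-only SA
    auth: Optional[str]          # e.g. "HMAC-MD5-96"
    enc_key: Optional[bytes]
    auth_key: Optional[bytes]
    lifetime_s: int              # SA lifetime; after expiry a new SA (new SPI and keys) is needed
    window: int = 64             # anti-replay window in packets (RFC 2401 requires at least 32)
    last_seq: int = 0            # highest sequence number accepted so far
    bitmap: int = 0              # bit i set => sequence number (last_seq - i) already received

    def check_and_update_seq(self, seq):
        """Sliding-window anti-replay check. Returns True and records `seq` if it is new and
        inside the window; False for replays, too-old packets and the invalid value 0."""
        if seq == 0:
            return False                         # the first packet on an SA carries 1
        if seq > self.last_seq:
            shift = seq - self.last_seq          # advance the window to the new right edge
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.window:
            return False                         # fell off the left of the window
        if self.bitmap & (1 << diff):
            return False                         # already seen: replay
        self.bitmap |= 1 << diff
        return True


class SADB:
    """Security Association Database: one entry per (destination address, protocol, SPI)."""

    def __init__(self):
        self._sas: Dict[Tuple[str, str, int], SecurityAssociation] = {}

    def add(self, sa):
        self._sas[(sa.dst, sa.proto, sa.spi)] = sa

    def lookup(self, dst, proto, spi):
        return self._sas.get((dst, proto, spi))


def inbound_check(sadb, dst, proto, spi, seq):
    """Receiver-side gate: find the SA from fields sent in the clear, then run the anti-replay
    check. Returns "accept", "no-sa" or "reject"."""
    sa = sadb.lookup(dst, proto, spi)
    if sa is None:
        return "no-sa"
    return "accept" if sa.check_and_update_seq(seq) else "reject"


def example_sadb():
    """Two SAs for one host pair, one per direction, each with its own SPI, algorithms and keys
    (all values constructed for the example)."""
    sadb = SADB()
    sadb.add(SecurityAssociation(0x1000, "10.0.0.5", "ESP", "DES-CBC", "HMAC-MD5-96",
                                 bytes.fromhex("1234567890abcdef"), b"\x0b" * 16, lifetime_s=3600))
    sadb.add(SecurityAssociation(0x2000, "192.168.1.10", "ESP", "3DES-CBC", "HMAC-SHA-1-96",
                                 bytes(24), b"\x0c" * 20, lifetime_s=3600))
    return sadb


if __name__ == "__main__":
    sadb = example_sadb()
    for seq in (1, 2, 3, 2, 100, 30, 50):   # 2 repeated = replay; 30 after 100 = outside window
        print(seq, inbound_check(sadb, "10.0.0.5", "ESP", 0x1000, seq))
    print("unknown SPI:", inbound_check(sadb, "10.0.0.5", "ESP", 0x9999, 1))
    print("other direction:", inbound_check(sadb, "192.168.1.10", "ESP", 0x2000, 1))
```

The sequence 1, 2, 3, 2, 100, 30, 50 exercises every branch: the repeated 2 is rejected as a replay, 100 slides the window forward, 30 is then more than 64 behind the right edge and is rejected even though it was never seen, and 50 is late but inside the window and is accepted once.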
V. A practical IPSec example
Sections II to IV have introduced the basic IPSec architecture: IP AH, IP ESP, SA, SPI and so on. We now put all of these together in a concrete example.
EXAMPLE: Suppose host yang.chtti.com.tw wants to use IPSec to send encrypted and authenticated TCP packets to another host, yang.csie.ndhu.edu.tw. It wants its gateway, gatekeeper.chtti.com.tw, to do the encryption and authentication, and the peer gateway, gw.csie.ndhu.edu.tw, to decrypt and authenticate those packets. Assume the SPI value used is 0x1234, pointing to a security association agreed in advance by both sides.
Figure 9 illustrates this IPSec example. When a packet from yang.chtti.com.tw reaches its gateway, the gateway encrypts the packet and adds an ESP Header, then adds an AH and a new IP header whose source address is the gateway's own address, gatekeeper.chtti.com.tw, and whose destination address is gw.csie.ndhu.edu.tw; finally it computes the hash value and places it in the AH.
Figure 10 shows this example configured in Check Point Firewall-1 (Check Point holds roughly 44% of the firewall market). Firewall-1 has a good graphical user interface, and the figure shows clearly that both AH and ESP are in use, that the one-way hash for authentication is SHA-1 and the encryption algorithm is DES; the encryption and authentication keys are also visible, and the SPI value is 0x1234.
Since security associations can differ, we can also add the following two rules to the Check Point Firewall-1 Security Policy, as shown in Figure 11. The SPI values differ by direction: from yang.chtti.com.tw to yang.csie.ndhu.edu.tw SPI 0x1000 is used, and in the opposite direction SPI 0x2000, so the algorithms and keys the two hosts use for FTP between them can be different in each direction.
VI. IPSec key management
How are the authentication and encryption keys used by IP AH and IP ESP exchanged and managed? Is a single key used forever? These questions have not been addressed so far, and they are a very important topic for IPSec.

With only a few hosts, keys can be exchanged manually, for example by telephone or e-mail. As soon as the number of hosts grows, or host data changes often, a secure and formal protocol is needed to do the job.
The main reference specifications for key management protocols at present are (1) SKIP (Simple Key-management for IP) and (2) ISAKMP/Oakley (Internet Security Association and Key Management Protocol / Oakley). Both can be applied to IPv4 and IPv6; SKIP is simpler, while ISAKMP/Oakley can serve a larger number of protocols. Other IP-layer key exchange protocols also exist, such as Photuris and SKEME.
1. SKIP:

SKIP was developed by Sun Microsystems, and three variants currently exist: Sun's, TIK, and ELVIS+SKIP. SKIP's approach to key management is hierarchical, as shown in Figure 12. The secret the two communicating parties really share is Kij, obtained from their Diffie-Hellman public key pairs. For security, the public keys should be certified by a Certificate Authority (CA), so deploying IPSec also depends on each country having a Public Key Infrastructure (PKI) in place.

From Kij the parties derive Kijn = MD5(Kij || n), where || denotes concatenation and n is the number of hours elapsed since midnight on 1 January 1995; Kijn is a long-term key (changed once an hour). Kijn is used to encrypt the short-term key Kp (changed every 2 minutes), which is inserted into the SKIP Header and sent to the peer; the receiver recovers Kp using Kijn. Both sides then derive the encryption key E_Kp = MD5(Kp || 0) and the authentication key A_Kp = MD5(Kp || 2). Because each key is derived from the one above it, SKIP calls this a hierarchical key management architecture.
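As an added example (not from the original article or from Sun's SKIP implementation), the following Python carries the derivation above through both sides of an exchange: the sender computes the hourly counter n and Kijn, wraps Kp under Kijn and places (n, wrapped Kp) in the SKIP header; the receiver recomputes Kijn from the n it received, unwraps Kp and derives the same E_Kp and A_Kp. Two details the article does not specify are assumed here and marked in the code: n is encoded as a 32-bit big-endian integer, and the receiver tolerates a clock skew of one counter step. The key-encryption of Kp under Kijn is a labelled XOR stand-in, not the DES key-wrap SKIP actually uses, so that the example runs with the standard library alone.

```python
import calendar
import hashlib

# n counts whole hours since 1995-01-01 00:00 UTC; computed rather than hard-coded
SKIP_EPOCH = calendar.timegm((1995, 1, 1, 0, 0, 0))


def skip_counter(unix_time):
    """The SKIP time counter n for a given Unix timestamp (seconds)."""
    return (int(unix_time) - SKIP_EPOCH) // 3600


def derive_kijn(kij, n):
    """Kijn = MD5(Kij || n): the hourly key derived from the long-term Diffie-Hellman secret Kij.
    Assumption (not stated in the article): n is encoded as a 32-bit big-endian integer."""
    return hashlib.md5(kij + n.to_bytes(4, "big")).digest()


def derive_packet_keys(kp):
    """E_Kp = MD5(Kp || 0) for encryption and A_Kp = MD5(Kp || 2) for authentication.
    Assumption: the trailing 0 and 2 are single bytes."""
    return hashlib.md5(kp + b"\x00").digest(), hashlib.md5(kp + b"\x02").digest()


def _wrap(kijn, kp):
    """STAND-IN for the DES encryption of the 16-byte Kp under Kijn: XOR with MD5(Kijn).
    Symmetric, so the same call unwraps. Not a real key-wrap."""
    return bytes(a ^ b for a, b in zip(kp, hashlib.md5(kijn).digest()))


def sender_header(kij, kp, now):
    """Sender: pick the current counter n, derive Kijn, and put (n, E_Kijn(Kp)) in the SKIP header."""
    n = skip_counter(now)
    return {"n": n, "wrapped_kp": _wrap(derive_kijn(kij, n), kp)}


def receiver_keys(kij, header, now, max_skew_steps=1):
    """Receiver: accept n only if it is within max_skew_steps of its own counter (an assumed
    tolerance), recompute Kijn, unwrap Kp and derive E_Kp and A_Kp. None if n is out of range."""
    if abs(header["n"] - skip_counter(now)) > max_skew_steps:
        return None
    kp = _wrap(derive_kijn(kij, header["n"]), header["wrapped_kp"])
    return derive_packet_keys(kp)


if __name__ == "__main__":
    kij = b"\x11" * 24                 # made-up long-term Diffie-Hellman secret
    kp = b"\x22" * 16                  # made-up short-term packet key
    t = 900_000_000                    # a Unix timestamp in 1998, chosen for the example
    header = sender_header(kij, kp, t)
    print("n =", header["n"])
    print("receiver 20 min later:", receiver_keys(kij, header, t + 20 * 60) == derive_packet_keys(kp))
    print("receiver 5 h later:   ", receiver_keys(kij, header, t + 5 * 3600))
    print("Kijn changes hourly:  ", derive_kijn(kij, header["n"]) != derive_kijn(kij, header["n"] + 1))
```

The hierarchy is what limits the damage of a compromise: a leaked Kp exposes at most two minutes of traffic, a leaked Kijn one hour, and only Kij itself exposes everything, which is why the public Diffie-Hellman values it is computed from should be certified.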
We again use the example from Section V, "host yang.chtti.com.tw wants to start communicating with host yang.csie.ndhu.edu.tw", to discuss the SKIP protocol; Figure 13 describes the contents of the SKIP packet.

SKIP was originally meant to be integrated with ISAKMP, but that effort failed, because IPv6 had already decided on the merged ISAKMP and Oakley key exchange protocol, ISAKMP/Oakley (now called IKE, Internet Key Exchange). SKIP is therefore not a mandatory key management method in IPSec.
2. ISAKMP/Oakley (IKE):

The Oakley key exchange protocol was proposed at the University of Arizona; it has a great deal in common with SKEME (note: SKEME in turn builds on Photuris).

ISAKMP operates in two phases. In phase one the relevant security attributes are negotiated and keys are generated, among other things; these make up the first SA, usually called the ISAKMP SA, which unlike an IPSec SA is bidirectional. In phase two, the AH or ESP SAs are established under the protection of the ISAKMP SA.

IKE combines ISAKMP with some of Oakley's modes and SKEME's idea of fast rekeying. It has four modes: (1) Main Mode, (2) Aggressive Mode, (3) Quick Mode and (4) New Group Mode.
VII. IPSec applied to VPNs (in place of a conclusion)
Having seen how the IPSec protocol works, we now look at the different settings in which it is used. Note that because the security mechanism is provided at the network layer, it is completely transparent to the application layer. IPSec can be installed on a gateway, on a host, or on both: installed on a gateway it provides a secure channel across the insecure Internet, and installed on a host it provides host-to-host, end-to-end security. Figures 14.a to 14.c show the three possible deployments: gateway to gateway, host to gateway, and host to host.

Table 1, which lists commercial VPN products that conform to IPSec, closes this article.
Table 1: VPN products conforming to IPSec

No. | Vendor                              | Key management
----+-------------------------------------+--------------------
 1  | Check Point                         | SKIP
 2  | Cisco Systems Inc.                  | ISAKMP/Oakley
 3  | Cycon Technologies                  | Manual
 4  | IBM                                 | Manual
 5  | IRE Inc.                            | ISAKMP/Oakley
 6  | NSC (Network Systems Corp.)         | Proprietary dynamic
 7  | Radguard Ltd.                       | ISAKMP/Oakley
 8  | Raptor Systems Inc.                 | ISAKMP/Oakley
 9  | Secure Computing                    | Manual
10  | Securicor 3Net Ltd.                 | Manual
11  | Sun Microsystems Inc.               | SKIP
12  | TimeStep Corp.                      | ISAKMP/Oakley
13  | TIS (Trusted Information Systems)   | ISAKMP/Oakley
14  | VPNet                               | SKIP