
[速搜 Q&A] What Is a Security Association?

Q&A | admin | 1 month ago (04-11) | 35 views | indexed | 0 comments


A security association (SA) is a set of policies and keys used to protect information. The concept of the security association is the foundation of IPSec. Both AH and ESP use security associations, and every implementation of AH and ESP must support them. There are two types of security association: transport mode and tunnel mode. A transport mode security association is a security association between two hosts. A tunnel mode security association is a security association applied to an IP tunnel.

Definition

A security association is a one-way logical connection established between two entities (hosts or routers) that use IPSec; it defines how the entities use security services (such as encryption) to communicate. It consists of three elements: the security parameter index (SPI), the IP destination address, and the security protocol.

An SA is a one-way logical connection. In other words, IPSec needs to establish two SAs for one communication: one for inbound traffic and one for outbound traffic. If a host, such as a file server or a remote access server, needs to communicate with multiple clients at the same time, the server must establish a separate SA with each client. Each SA is identified by a unique SPI, and when processing a received packet the server uses the SPI value to decide which SA to use.

Parameters

A security association is uniquely determined by the following three parameters:

1) Security parameter index (SPI): a bit string associated with the SA and carried by AH and ESP, so that the receiver can select the appropriate SA to process the packet.

2) IP destination address: only a single address is allowed; it is the destination address of the SA.

3) Security protocol identifier: identifies whether the SA is an AH security association or an ESP security association.

In addition to the parameters above, each SA entry has the following parameters:

1) Sequence number counter: a 32-bit value used to generate the sequence number field in the AH or ESP header during outbound processing of packets. When the SA has just been established, the value is 0; each time the SA is used to protect a packet, the sequence number is incremented by 1. The destination host can use this field to detect so-called "replay" attacks.

2) Sequence number overflow: used in outbound packet processing and set when the sequence number overflows; the security policy determines whether the SA can still be used to process the remaining packets.

3) Anti-replay window: used to determine whether an inbound AH or ESP packet is a replay.

4) AH information: the AH authentication algorithm, keys, key lifetime and other AH-related parameters.

5) ESP information: the ESP authentication and encryption algorithms, keys, initial values, key lifetime and other ESP-related parameters.

6) SA lifetime: the longest time an SA can exist. When the time is up, the SA must be replaced with a new SA or terminated. There are two types of lifetime: soft and hard. The soft lifetime is used to notify the kernel that the SA is about to expire, so that the kernel can negotiate a new SA in time before the hard lifetime arrives, avoiding the interruption of communication that SA expiry would cause.

7) IPSec protocol mode: tunnel, transport, or wildcard (either tunnel mode or transport mode).

8) Path MTU: when IPSec is used in tunnel mode, correct PMTU information must be maintained so that packets can be fragmented accordingly.
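The sequence number counter, overflow flag and anti-replay window from items 1 to 3 of this list, as an added example that is not part of the original page. The class names and the 64-packet window size are assumptions made for illustration.

```python
class OutboundCounter:
    """Sender side: sequence number counter plus overflow policy."""

    def __init__(self, allow_wrap=False):
        self.value = 0                 # 0 when the SA is first established
        self.allow_wrap = allow_wrap   # policy: may the SA be used after overflow?

    def next(self):
        if self.value == 0xFFFFFFFF:   # 32-bit counter exhausted
            if not self.allow_wrap:
                raise OverflowError("sequence space exhausted: replace the SA")
            self.value = 0
        self.value += 1
        return self.value


class ReplayWindow:
    """Receiver side: sliding bitmap over recently seen sequence numbers."""

    def __init__(self, size=64):       # window size is an assumed value
        self.size = size
        self.top = 0                   # highest sequence number accepted
        self.bitmap = 0                # bit i set => (top - i) was seen

    def accept(self, seq):
        """Return True and record seq if fresh; False for a replay or stale packet.
        Call only after the packet has passed authentication."""
        if seq == 0:
            return False               # first packet on an SA carries 1
        if seq > self.top:             # right of the window: slide forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False               # too old, or already seen
        self.bitmap |= 1 << offset     # late but fresh
        return True
```

Packets that arrive out of order but inside the window are accepted once; anything older than the window is rejected even if it was never seen.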

Use

A single SA cannot provide both AH and ESP protection for an IP datagram. Sometimes a particular security policy requires several kinds of protection for the traffic, which requires multiple SAs. A sequence of SAs applied to a traffic flow is called an SA bundle. The order of the SAs in a bundle is determined by the security policy, and the SAs in a bundle may terminate at different endpoints. For example, one SA may be used between a mobile host and a router, while another is used between the mobile host and a host behind the router.

An IPSec implementation needs to maintain two databases related to SAs:

(1) Security Policy Database (SPD). Provides the security policy configuration for the IPSec implementation, including source address, destination address, subnet mask, port, transport layer protocol, action (discard, bypass, apply), inbound/outbound flag, and so on. These entries specify that some traffic must bypass IPSec processing, some must be discarded, and the rest must be processed by the IPSec module. SPD entries are very similar to firewall rules or packet filter rules.

(2) Security Association Database (SADB). The SADB is the collection of SAs and contains the parameters of each SA, such as destination address, security protocol, SPI, sequence number counter, sequence number overflow flag, anti-replay window, AH or ESP algorithms and keys, IPSec protocol mode and SA lifetime. For outbound traffic, an SPD entry contains a pointer to an SADB entry; that is, the SPD determines which SA is used for a given packet. For inbound traffic, the SADB determines how a given packet is processed.
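How the two databases cooperate, as an added example that is not part of the original page: outbound traffic is matched against the SPD, whose "apply" entries point into the SADB, while inbound traffic is looked up in the SADB by the (SPI, destination address, protocol) triple. The class and function names, the address-only selectors, the default discard and the sample addresses and SPI values are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    spi: int      # security parameter index carried in the AH/ESP header
    dst: str      # single destination address
    proto: str    # "AH" or "ESP"
    mode: str     # "transport" or "tunnel"

    @property
    def key(self):
        return (self.spi, self.dst, self.proto)

@dataclass(frozen=True)
class Policy:
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    action: str           # "discard", "bypass" or "apply"
    sa_key: tuple = None  # pointer to an SADB entry when action == "apply"

def outbound(spd, sadb, src, dst):
    """First matching SPD entry decides; for "apply" it names the SA."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if s in ipaddress.ip_network(p.src) and d in ipaddress.ip_network(p.dst):
            return p.action, sadb.get(p.sa_key)
    return "discard", None   # assumed default when nothing matches

def inbound(sadb, spi, dst, proto):
    """The receiver selects the SA from the triple alone; None means drop."""
    return sadb.get((spi, dst, proto))

# Constructed sample: server 192.0.2.10 talking to two clients.
SERVER = "192.0.2.10"
SAS = [
    SA(0x1001, SERVER, "ESP", "transport"),          # client A -> server
    SA(0x1002, SERVER, "ESP", "transport"),          # client B -> server
    SA(0x2001, "198.51.100.1", "ESP", "transport"),  # server -> client A
    SA(0x2002, "198.51.100.2", "ESP", "transport"),  # server -> client B
]
SADB = {sa.key: sa for sa in SAS}
SPD = [
    Policy("192.0.2.10/32", "198.51.100.1/32", "apply", SAS[2].key),
    Policy("192.0.2.10/32", "198.51.100.2/32", "apply", SAS[3].key),
    Policy("192.0.2.10/32", "203.0.113.0/24", "bypass"),
]
```

Because each SA is one-way, the server holds four entries for two clients, and a packet carrying a known SPI but the wrong protocol or destination matches nothing.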

Basic combinations

The IPSec architecture document lists four examples of SA combinations that IPSec hosts (such as workstations and servers) and security gateways (such as firewalls and routers) must support, as shown in Figure 910. In that figure, the lower part of each case shows the physical connectivity of the elements and the upper part shows the logical connectivity through one or more nested SAs. Each SA can be either AH or ESP. A host-to-host SA can be either transport mode or tunnel mode; all others are tunnel mode.

Case 1: All security is provided by end systems that implement IPSec. Any two end systems that communicate through an SA must share keys. The following combinations are possible:

a. AH in transport mode;

b. ESP in transport mode;

c. ESP followed by AH in transport mode (an ESP SA nested inside an AH SA);

d. Any one of a, b or c nested inside an AH or ESP in tunnel mode.

How these various combinations can be used to support authentication, encryption, authentication before encryption, and encryption before authentication has already been discussed.

Case 2: Security is provided only between security gateways (such as routers and firewalls), and the hosts do not implement IPSec. This case illustrates simple virtual private network support. The security architecture document states that only a single tunnel mode SA is needed in this case. The tunnel can support AH, ESP, or ESP with the authentication option. Because the IPSec services are applied to the entire inner packet, nested tunnels are not required.

Case 3: End-to-end security is added on top of case 2. The combinations discussed for case 1 and case 2 are all allowed in case 3. The gateway-to-gateway tunnel provides authentication, confidentiality, or both for all traffic between the end systems. When the gateway-to-gateway tunnel is ESP, it also provides a limited degree of confidentiality for the traffic flow. Individual hosts can implement any additional IPSec services needed by particular applications or users by using end-to-end SAs.

Case 4: Provides support for a remote host that reaches the organization's firewall over the Internet and then gains access to particular workstations and servers behind the firewall. Only tunnel mode is required between the remote host and the firewall. As mentioned in case 1, one or more SAs may be used between the remote host and the local host.

