FORGOT YOUR DETAILS?

CREATE ACCOUNT

Unison Help

  1. Unison Kernel
    1. Pthreads
      1. pthread_create()
      2. pthread_exit()
      3. pthread_self()
      4. pthread_equal()
      5. pthread_join()
      6. pthread_detach()
      7. pthread_setschedparam()
      8. pthread_getschedparam()
      9. pthread_attr_init()
      10. pthread_attr_destroy()
      11. pthread_attr_setstackaddr()
      12. pthread_attr_getstackaddr()
      13. pthread_attr_setstacksize()
      14. pthread_attr_getstacksize()
      15. pthread_attr_setschedparam()
      16. pthread_attr_getschedparam()
      17. pthread_attr_setdetachstate()
      18. pthread_attr_getdetachstate()
      19. pthread_stackinfo()
      20. pthread_setprio()
      21. pthread_getprio()
      22. sched_get_priority_max()
      23. sched_get_priority_min()
      24. sched_yield()
    2. Pthread Cancellation
      1. pthread_cleanup_pop()
      2. pthread_cleanup_push()
      3. pthread_cancel()
      4. pthread_setcanceltype()
      5. pthread_setcancelstate()
      6. pthread_testcancel()
    3. Mutex
      1. pthread_mutex_init()
      2. pthread_mutex_destroy()
      3. pthread_mutex_lock()
      4. pthread_mutex_trylock()
      5. pthread_mutex_unlock()
    4. Semaphores
      1. sem_open()
      2. sem_close()
      3. sem_unlink()
      4. sem_init()
      5. sem_destroy()
      6. sem_wait()
      7. sem_trywait()
      8. sem_timedwait()
      9. sem_post()
      10. sem_getvalue()
    5. Message Queues
      1. mq_open()
      2. mq_close()
      3. mq_unlink()
      4. mq_send()
      5. mq_receive()
      6. mq_notify()
      7. mq_setattr()
      8. mq_getattr()
      9. mq_timedreceive()
      10. mq_timedsend()
    6. Conditional Variables
      1. pthread_cond_init()
      2. pthread_cond_destroy()
      3. pthread_cond_wait()
      4. pthread_cond_timedwait()
      5. pthread_cond_signal()
      6. pthread_cond_broadcast()
      7. pthread_condattr_init()
      8. pthread_condattr_destroy()
    7. Barriers
      1. pthread_barrier_init()
      2. pthread_barrier_destroy()
      3. pthread_barrier_wait()
    8. Timers
      1. timer_create()
      2. timer_delete()
      3. timer_settime()
      4. timer_gettime()
      5. timer_getoverrun()
      6. timer_tick()
      7. nanosleep()
    9. Clocks
      1. time()
      2. uptime()
      3. sleep()
      4. clock_settime()
      5. clock_gettime()
      6. clock_getres()
      7. clock_init()
    10. Memory Allocation
      1. POSIX.1
        1. malloc()
        2. free()
      2. Variable Length (Pools)
        1. pool_create()
        2. pool_destroy()
        3. pool_alloc()
        4. pool_free()
      3. Fixed Length (Partitions)
        1. pt_create()
        2. pt_destroy()
        3. pt_getblock()
        4. pt_freeblock()
    11. Rendezvous
      1. mr_init()
      2. mr_send()
      3. mr_receive()
      4. mr_reply()
      5. mr_sigrecv()
      6. mr_sigpost()
    12. Interrupts
      1. interrupts
      2. i_disable()
      3. i_restore()
    13. Directory Services
      1. dir_register()
      2. dir_deregister()
      3. dir_lookup()
      4. dir_lookup_string()
    14. Miscellaneous
      1. checkIstack()
      2. NanoStart() or DSPexec_Start()
      3. _isrStackFill
      4. Kernel Scaling
      5. kfatal()
      6. kalloc()
      7. kfree()
      8. mpu or mmu
      9. pthreadStackFill
      10. thread_numb()
      11. thread_utilization_start()
      12. thread_utilization_stop()
      13. xprintf()
      14. xputs()
      15. xputchar()
  2. Unison I/O Library
    1. accept()
    2. bind()
    3. chmod()
    4. close()
    5. connect()
    6. creat()
    7. fstat()
    8. getpeername()
    9. getsockname()
    10. getsockopt()
    11. ioctl()
    12. link()
    13. listen()
    14. lseek()
    15. mkdir()
    16. mkfs()
    17. mount()
    18. open()
    19. read()
    20. recv()
    21. recvfrom()
    22. rename()
    23. renameat()
    24. rmdir()
    25. select()
    26. send()
    27. sendto()
    28. setsockopt()
    29. shutdown()
    30. socket()
    31. stat()
    32. sync()
    33. umount()
    34. unlink()
    35. write()
  3. Unison STDIO Library
    1. STDIO Library Calls
      1. clearerr()
      2. dprintf()
      3. fclose()
      4. fdopen()
      5. feof()
      6. ferror()
      7. fileno()
      8. fflush()
      9. fgetc()
      10. fgetpos()
      11. fgets()
      12. fopen()
      13. fprintf()
      14. fputc()
      15. fputs()
      16. fread()
      17. freopen()
      18. fscanf()
      19. fseek()
      20. fseeko()
      21. fsetpos()
      22. ftell()
      23. ftello()
      24. fwrite()
      25. getc()
      26. getc_unlocked()
      27. getchar()
      28. getchar_unlocked()
      29. getdelim()
      30. getline()
      31. gets()
      32. get_stderr_ptr()
      33. get_stdin_ptr()
      34. get_stdout_ptr()
      35. noperprintf()
      36. perprintf()
      37. perror()
      38. posix_compat()
      39. printf()
      40. putc()
      41. putc_unlocked()
      42. putchar()
      43. putchar_unlocked()
      44. puts()
      45. remove()
      46. rewind()
      47. scanf()
      48. setbuf()
      49. setvbuf()
      50. snprintf()
      51. sprintf()
      52. sscanf()
      53. stderr_init()
      54. stderr_close()
      55. stdin_init()
      56. stdin_close()
      57. stdout_init()
      58. stdout_close()
      59. vdprintf()
      60. vscanf()
      61. vsscanf()
      62. vfscanf()
      63. vprintf()
      64. vsnprintf()
      65. vsprintf()
      66. vfprintf()
      67. ungetc()
    2. Do-nothing Stubs
      1. ctermid()
      2. flockfile()
      3. fmemopen()
      4. ftrylockfile()
      5. open_memstream()
      6. pclose()
      7. popen()
      8. tempnam()
      9. tmpfile()
      10. tmpnam()
  4. Unison LIBC Library
    1. LIBC Library Calls
      1. assert()
      2. realloc()
      3. strcasecmp()
      4. strdup()
      5. strncasecmp()
      6. strftime()
    2. Do-nothing Stubs
      1. abort()
      2. execve()
      3. exit()
      4. _Exit()
      5. fork()
      6. getpid()
      7. isatty()
      8. kill()
      9. sbrk()
      10. times()
      11. wait()
    3. Do-nothing Wide-character Stubs
      1. <wchar.h>
      2. <wctype.h>
  5. Unison I/O Servers
    1. File Servers
      1. Multimedia File Server - fsys
      2. FAT File System - fatfs
      3. NAND File Server - nandfsys
      4. NOR File Server - norfsys
      5. Network File Server - nfs
  6. Graphics, Camera, Video, Audio
    1. Vendor Graphics
    2. Prism++ Graphics
    3. ADPCM Services - adpcmd
    4. Camera
  7. Network Protocols
    1. TCP and UDP Server - tcpd
      1. IPv4 only server
      2. IPv4/IPv6 server
    2. DHCP Client Service - dhcp client
    3. DHCP Server - dhcpd
    4. Telnet Server - telnetd
    5. Tiny FTP Server - tftpd
    6. Point to Point - pppd
    7. Network Translation - NAT with PAT
    8. Firewall
      1. Packet filter: pf
      2. Packet filter control: pfctl
      3. Fitler rules: pf.filtering
      4. Translation rules: pf.nat
    9. Tiny HTTP Server - thttpd
    10. Tiny HTTP Server with TLS
    11. POP3 Server
    12. Simple Mail Transfer Protocol Services (SMTP)
    13. Bootp Protocol
    14. File Transfer Protocol Server (FTP)
    15. File Transfer Client Services
    16. RPC / XDR
    17. DNS Client
    18. HTTP/HTTPS Client
    19. REST Client
    20. AutoIP Service - autoip client
    21. mDNS server - mdnsd
    22. SNTP Client
    23. SNMP Agent - Snmpd server
    24. SSL/TLS library
    25. SSH server
    26. IP security
      1. IPsec description
      2. IPsec administration: ipsecadm
      3. Virtual Private Network: VPN
    27. Power Control
      1. Motor and Motion Control Servers
      2. PWM, Encoders
    28. Serial I/O
      1. Asynchronous Serial I/O Server - ttyserver
      2. CAN Server - cand
      3. I2C Server - i2cd
      4. I2S Server - i2sd
    29. System Services
      1. Power Management Servers
      2. Login Service - login_services
      3. XML
      4. POSIX Shell and Login Service - posh
    30. Universal Serial Bus (USB)
      1. USB Server
      2. USB Device Server
      3. USB Embedded Host Server
    31. Wireless
      1. Wireless Servers and Drivers
      2. 802.15.4 Radio Servers
      3. TCP/v6 with 6loWPAN
      4. ZigBee
      5. BlueTooth Server
      6. 802.11 Wi-Fi
      7. GPRS, UHF and GPS Radio Servers
    32. Remedy Tools for Unison
      1. Remedy Data Logging and Event Display Tools
      2. Remedy Diagnostics
      3. Remedy Flash Downloader/Bootloader
      4. Remedy Power On Self Test - POST
      5. Remedy OS Object Viewer
      6. Remedy Remote Control Tools

7.26.1.IPsec description #

NAME

IPsec – IP Security Protocol

NOTE

IPsec may be enabled or disabled using the following external variables:

extern int esp_enable;      – Enable the ESP IPsec protocol
extern int ah_enable;       – Enable the AH IPsec protocol

By default, both protocols are disabled.

DESCRIPTION

IPsec is a pair of protocols, ESP (for Encapsulating Security Payload) and AH (for Authentication Header), which provide security services for IP datagrams.

The internet protocol (IP) does not inherently provide any protection to your transferred data. It does not even guarantee that the sender is who he says he is. IPsec tries to remedy this. There are several kinds of properties you might want to add to your communication, the most common are:

  Confidentiality
Make sure it is hard for anyone but the receiver to understand what data has been communicated. You do not want anyone to see your passwords when logging into a remote machine over the Internet.

 

  Integrity
Guarantee that the data does not get changed on the way. If you are on a line carrying invoicing data you probably want to know that the amounts and account numbers are correct and not altered while in-transit.

 

  Authenticity
Sign your data so that others can see that it is really you that sent it. It is clearly nice to know that documents are not forged.

 

  Replay protection
We need ways to ensure a transaction can only be carried out once unless we are authorized to repeat it. I.e. it should not be possible for someone to record a transaction, and then replaying it verbatim, in order to get an effect of multiple transactions being received by the peer. Consider the attacker has got to know what the traffic is all about by other means than cracking the encryption, and that the traffic causes events favourable for him, like depositing money into his account. We need to make sure he cannot just replay that traffic later. WARNING: as per the standards specification, replay protection is not performed when using manual-keyed IPsec (e.g., when using ipsecadm).

IPsec Protocols

IPsec can provide all of these properties, in two new protocols, called Authentication header (AH) and Encapsulated security payload (ESP).

ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the IP header). Replay protection requires authentication and integrity (these two go always together). Confidentiality (encryption) can be used with or without authentication/integrity. Similarly, one could use authentication/integrity with or without confidentiality.

AH provides authentication, integrity, and replay protection (but not confidentiality). Its main difference with ESP is that AH also secures parts of the IP header of the packet (like the source/destination addresses).

Authentication Header (AH)

AH works by doing a computation of a value depending on all of the payload data, some of the IP header data and a certain secret value, the authentication key and sending this value along with the rest of each packet. The receiver will do the same computation, and if the value matches, he knows no one tampered with the data (integrity), the address information (authenticity) or a sequence number (replay protection). He knows this because the secret authentication key makes sure no man in the middle can recompute the correct value after altering the packet. The algorithms used for the computations are called hash algorithms and is a parameter in the SA, just like the authentication key.

Encapsulating Security Payload (ESP)

ESP optionally does almost everything that AH does except that it does not protect the outer IP header but furthermore it encrypts the payload data with an encryption algorithm using a secret encryption key. Only the ones knowing this key can decrypt the data, thus providing confidentiality. Both the algorithm and the encryption key are parameters of the SA.

Security Associations (SAs)

These protocols need some parameters for each connection, telling exactly how the wanted protection will be added. These parameters are collected in an entity called a security association, or SA for short. Typical parameters are: encryption algorithm, hash algorithm, encryption key, authentication key etc. When two peers have setup matching SAs at both ends, packets protected with one end’s SA, will be possible to verify and/or decrypt using the other end’s SA. The only problem left is to see that both ends have matching SAa, which can be done manually, or automatically with a key management daemon.

Unison supports only manual SA establishment which is described in ipsecadm.

Security Parameter Indexes (SPIs)

In order to identify a SA we need to have a unique name for it. This name is a triplet, consisting of the destination address, security parameter index (aka SPI) and the security protocol. Since the destination address is part of the name, a SA is a unidirectional construct. For a bidirectional communication channel, two SAs are needed, one outgoing and one incoming, where the destination address is our local IP address. The SPI is just a number that helps us making the name unique, it can be arbitrarily chosen in the range 0x100 – 0xffffffff. The security protocol number should be 50 for ESP and 51 for AH, as these are the protocol numbers assigned by IANA.

Modes of Operation

IPsec can operate in two modes, either tunnel or transport mode. In transport mode the ordinary IP header is used to deliver the packets to their endpoint, in tunnel mode the ordinary IP header just tells us the address of a security gateway, knowing how to verify/decrypt the payload and forward the packet to a destination given by another IP header contained in the protected payload. Tunnel mode can be used for establishing VPNs, virtual private networks, where parts of the networks can be spread out over an unsafe public network, but security gateways at each subnet are responsible for encrypting and decrypting the data passing over the public net. A SA will hold information telling if it is a tunnel or transport mode SA, and for tunnels, it will contain values to fill in into the outer IP header.

IPsec Examples

To better illustrate how IPsec works, consider a typical TCP packet:

[IP header] [TCP header] [data...]

If we apply ESP in transport mode to the above packet, we will get:

[IP header] [ESP header] [TCP header] [data...]

where everything after the ESP header is protected by whatever services of ESP we are using (authentication/integrity, replay protection, confidentiality). This means the IP header itself is not protected.

If we apply ESP in tunnel mode to the original packet, we would get:

[IP header] [ESP header] [IP header] [TCP header] [data...]

where, again, everything after the ESP header is cryptographically protected. Notice the insertion of an IP header between the ESP and TCP header. This mode of operation allows us to hide who the true source and destination addresses of a packet are (since the protected and the unprotected IP headers don’t have to be exactly the same). A typical application of this is in Virtual Private Networks (or VPNs), where two firewalls use IPsec to secure the traffic of all the hosts behind them. For example:

Net A <----> Firewall 1 <--- Internet ---> Firewall 2 <----> Net B

Firewall 1 and Firewall 2 can protect all communications between Net A and Net B by using IPsec in tunnel mode, as illustrated above.

Security Associations need be set up manually with the ipsecadm library.

API Details

The following IP-level setsockopt() and getsockopt() options are specific to IPsec. A socket can specify security levels for three different categories:

  IP_AUTH_LEVEL
Specifies the use of authentication for packets ent or received by the socket.

 

  IP_ESP_TRANS_LEVEL
Specifies the use of encryption in transport mode for packets sent or received by the socket.

 

  IP_ESP_NETWORK_LEVEL
Specifies the use of encryption in tunnel mode.

For each of the categories there are five possible levels which specify the security policy to use in that category:

  IPSEC_LEVEL_BYPASS
Bypass the default system security policy.

 

  IPSEC_LEVEL_AVAIL
If a Security Association is available it will be used for sending packets by that socket.

 

  IPSEC_LEVEL_USE
Use IP Security for sending packets but still accept packets which are not secured.

 

  IPSEC_LEVEL_REQUIRE
Use IP Security for sending packets and also require IP Security for received data.

 

  IPSEC_LEVEL_UNIQUE
The outbound Security Association will only be used by this socket.

When a new socket is created, it is assigned the default system security level in each category. These levels can be queried with getsockopt().

For example, a server process might want to accept only authenticated connections to prevent session hijacking. It would issue the following setsockopt() call:

         int level = IPSEC_LEVEL_REQUIRE;
         error = setsockopt(s, IPPROTO_IP, IP_AUTH_LEVEL, &level, sizeof(int));

The system does guarantee that it will succeed at establishing the required security associations.

NOTES

There is a demo available for the Unison and DSPnano IPsec which is found in installdir/demos.

SEE ALSO

ipsecadm, VPN

Suggest Edit

CONTACT US

TO GET YOUR PROJECT STARTED

TOP