IPSEC (IP Security Option) by the OSI network
model is transport layer encryption. See the IETF
network security group for details
(http://www.ietf.org).
***
The IP security protocols as defined by the IETF operate at the
NETWORK (IP) layer hence the term IP security.
There are two security protocols defined:
1. Authentication Header (AH) - providing authentication and integrity
services;
2. Encapsulating Security Protocol (ESP) - providing privacy and
optional authentication and integrity services.
For more details see www.ietf.org/ids.by.wg/ipsec.html
***
SKIP (Simple Key management for IP) is a superset
of IPSEC, with the addition of in-line keying of
IPSEC encryption and authentication keys. This is
still transport layer encryption. Details are
available at http://skip.incog.com
Superset?
SKIP was a key management protocol (IKMP) proposed for use
with the IPSec protocols. In its basic form it is quite simple,
although not very flexible. To achieve the flexibility required by
the IETF Working Group (WG) responsible for developing the IKMP, SKIP's
developers (Sun) defined a number of add-on protocols; this resulted
in a complex suite of protocols.
Consequently, the key management protocol mandated for use with IPv6
by the IETF IPSec WG is ISAKMP (Internet Security Association and Key
Management Protocol). This protocol, in its native form, provides
both the flexibility and forward migration path (to enable new key
exchanges to be integrated as and when they are developed) required
by the IPSec WG.
Note: both IPSec and ISAKMP can be used over IPv4-based networks; in
fact, the majority of implementations currently available are for
IPv4.
For more details see www.ietf.org/ids.by.wg/ipsec.html
***
SSL (Secure Socket Layer ???) by the OSI network
model is session/application based
authentication and encryption. Netscape originated
the protocol (http://www.netscape.com; search there
for their SSL white paper).
The most significant difference between network-
and session-based encryption/authentication is
that with the network layer, anything that goes over
IP is protected, but with session-based
encryption/authentication, you need security-
aware applications to complete the security
handshake (e.g. Netscape Navigator >= 3.0, IE
>= 3.0, and an SSL-aware Web server).
***
Depends on how IPSec services are applied?
***
Note:
IPSec can be used to protect applications IF the system is able to
provide the required level of granularity for Security Association
(SA) identification, i.e. if information is available which can be
used to identify application X, then an SA can be negotiated with the
peer entity and used to protect the communications.
***
The main advantage of SSL is that identification
and authentication (via X.509 certificates) are
well documented, while with SKIP/IPSEC the
standards are still in a state of flux (e.g.
ISAKMP key exchange).
***
ISAKMP is not in a state of flux; it HAS BEEN MANDATED for IPv6,
SKIP HAS NOT. The MAJORITY of vendors implementing IPSec-capable
products are implementing ISAKMP as their key management protocol.
Also, specifications for the use of ISAKMP to support the security
services defined for the OSPFv2 and RIPv2 Internet routing protocols
are currently being developed.
***
All of these can be used as part of a VPN
deployment. The question you must ask first is
'What kind of VPN do I want?' Depending on how
paranoid you are, you can have all of the above,
with the addition of application encryption (e.g.
S/MIME, PGP, SHTTP), smart tokens, WAN link
encryption, biometric ID scanners, multi-level
CMWs, etc.
****************************************************
"The views expressed above are entirely those of
the writer and do not represent the views, policy or
understanding of any other person or official body."
Elfed T. Weaver
DERA
Malvern
UK
weaver @
hydra .
dra .
hmg .
gb
****************************************************
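Added example, not part of the thread above and not code from any product or working group mentioned in it: a toy model of an IPsec Security Policy Database (SPD) lookup that illustrates two points the thread makes. With a host-level selector, "anything that goes over IP" between the two networks (here even ICMP) is sent through one SA; to protect only "application X" the selectors must be fine enough (protocol plus port) to identify that application's traffic, so that a separate SA can be negotiated for it. The ordered first-match lookup, the BYPASS/PROTECT/DISCARD actions, the discard-by-default rule, and every address, SA name and packet are simplifying assumptions and constructed sample data, not a real implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# IP protocol numbers used by the constructed sample traffic.
PROTO_ICMP = 1
PROTO_TCP = 6


@dataclass(frozen=True)
class Selector:
    """Traffic selector: which packets a policy entry applies to."""
    src: str                        # source network, CIDR form
    dst: str                        # destination network, CIDR form
    proto: Optional[int] = None     # None = any IP protocol
    dst_port: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str                     # "PROTECT", "BYPASS" or "DISCARD"
    sa_name: Optional[str] = None   # SA to use when action is "PROTECT"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dst_port: Optional[int] = None  # only meaningful for TCP/UDP


def matches(sel: Selector, pkt: Packet) -> bool:
    """True if every field of the selector covers the packet."""
    if ip_address(pkt.src) not in ip_network(sel.src):
        return False
    if ip_address(pkt.dst) not in ip_network(sel.dst):
        return False
    if sel.proto is not None and sel.proto != pkt.proto:
        return False
    if sel.dst_port is not None and sel.dst_port != pkt.dst_port:
        return False
    return True


def lookup(spd: List[Policy], pkt: Packet) -> Policy:
    """Ordered lookup: the first matching entry decides. Traffic that
    matches nothing is discarded, the conservative default (assumption)."""
    for policy in spd:
        if matches(policy.selector, pkt):
            return policy
    return Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), "DISCARD")


# Constructed addresses: a protected LAN and a peer site.
LAN = "10.0.0.0/24"
PEER_SITE = "192.0.2.0/24"
PEER_WEB = "192.0.2.10/32"

# Host-level policy: one SA covers everything that goes over IP between
# the two networks, whatever the protocol or port.
HOST_LEVEL_SPD = [
    Policy(Selector(LAN, PEER_SITE), "PROTECT", sa_name="sa-site-to-site"),
]

# Application-level policy: the selector is fine enough (TCP, port 443,
# one host) to identify the web application, which gets its own SA;
# everything else between the sites is passed in the clear.
APP_LEVEL_SPD = [
    Policy(Selector(LAN, PEER_WEB, PROTO_TCP, 443), "PROTECT", sa_name="sa-web"),
    Policy(Selector(LAN, PEER_SITE), "BYPASS"),
]

# Constructed sample traffic.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", PROTO_TCP, 443),  # HTTPS to the peer web host
    Packet("10.0.0.5", "192.0.2.10", PROTO_TCP, 25),   # SMTP to the same host
    Packet("10.0.0.5", "192.0.2.20", PROTO_ICMP),      # ping to another peer host
]


def classify(spd: List[Policy], traffic: List[Packet]) -> List[str]:
    """Per packet, the action chosen by the SPD, with the SA name when one applies."""
    result = []
    for pkt in traffic:
        pol = lookup(spd, pkt)
        result.append(pol.action if pol.sa_name is None else f"{pol.action}:{pol.sa_name}")
    return result


if __name__ == "__main__":
    print("host-level :", classify(HOST_LEVEL_SPD, SAMPLE_TRAFFIC))
    print("app-level  :", classify(APP_LEVEL_SPD, SAMPLE_TRAFFIC))
```

Run as a script, the host-level SPD sends all three packets (including the ICMP ping) through sa-site-to-site, while the application-level SPD protects only the HTTPS flow under sa-web and bypasses the rest; a packet from outside the LAN matches no entry in either SPD and is discarded. The model deliberately omits direction, SA negotiation and tunnel versus transport mode, which the thread does not go into.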