IPSec : Frequently Asked Questions

1:What is IPSec?
Originally defined as a means of securing IPv6 traffic across an insecure network, IPSec is also widely used to secure IPv4 traffic between endpoints. Unlike other protocols such as TLS/SSL or SSH, which encrypt the TCP payload, IPSec secures the IP payload and so provides an even more secure communications channel. Secure keys are either 'pre-shared' or negotiated at runtime using IKE.
2:What is IKE?
IKE stands for Internet Key Exchange and is used by both sides of an IPSec link to negotiate security keys when they have not been previously shared. When keys expire, the protocol is reinvoked and new ones are created. RFC4306 has this to say in its definition of IKE:
IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish SAs for Encapsulating Security Payload (ESP) [RFC4303] and/or Authentication Header (AH) [RFC4302] and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry.
3:What are Pre-Shared Keys and how are they managed?
Symmetric key cryptography relies on the use of shared encryption keys for encryption and decryption of secured data. These keys are either negotiated through protocols such as IKE or are derived from a previously shared secret. These Previously Shared Keys (PSK) must be known by both sides of the secure channel. Management of this information is 'application specific' and requires storage of the PSK for each system with which it will be securely communicating. In embedded systems, this usually is only a unique string or algorithm for generating the secret. The central server, on the other hand, may employ a database to hold this information.
4:How does IPSec differ from IKE?
IPSec and IKE work together, with IKE being optional. IKE negotiates the security keys if they have not been pre-shared. IPSec secures the connection and manages data encryption.
5:Do I need to use IKE?
No, but depending on the size of your network and its topology, key management may become an issue for you. If you elect to not use IKE, it can be omitted from your image at compile-time with a simple change to a single .h file.
6:Can IKEv2 negotiate keys with a peer running IKE?
Unfortunately, the short answer here is 'no', but InterNiche's IKEv2 also includes IKEv1, so by including both implementations in your build, your device will be able to negotiate keys through either scheme.
7:Will InterNiche's IPSec/IKEv2 operate over both IPv4 and IPv6?
Yes. The products can simultaneously negotiate and secure connections over both IPv4 and IPv6.
8:Do my applications have to be changed to run over IPSec?
No, but systems on both sides of the communication must have their application endpoints configured for IPSec to either secure, pass or block network traffic between the systems.
9:Can I build a VPN with InterNiche's IPSec?
Yes, absolutely.
10:Do InterNiche's IPSec or IKE require a pre-emptive RTOS?
No. IPSec and IKE can run in a No-OS (SuperLoop), cooperative tasking or a pre-emptive RTOS environment.
11:What are the licensing terms of InterNiche's IPSec and IKE?
Like all InterNiche protocol software, the source code license includes pre-paid royalties, the amount of which depends upon whether you sign a Product, Platform or Architecture license. Details can be explained by
12:Can InterNiche's IPSec take advantage of my hardware's encryption logic?
It certainly can. InterNiche's CryptoEngine™ is a thin layer between security-related requests (encryption/decryption, digest computation, key agreement, etc.) and their implementations. If your system has alternate support for any cipher, hash or encoding, then taking advantage of it may be as simple as writing a small driver and making a slight change to the CryptoEngine's configuration tables.
13:Where do I go if I have problems or integration questions?
Every source code license includes one year of technical support. Instead of forcing you to use forums or wikis, or to go through a first-line technician, InterNiche customers have direct access to its staff of development engineers to answer questions or provide technical solutions.
14:Cipher Suite? Key Lengths? Certificates? HELP!
While InterNiche is not able to train its customers in the purpose and tradeoffs of security specifics, its products come with extensive documentation on the use, integration and configuration of the products. And as every license includes a Support Agreement, InterNiche Support personnel are available to help you integrate them with your embedded applications.
15:Does InterNiche's IPSec support both 'transport' and 'tunnel' mode?
Yes. In transport mode, the IP layer's payload is encrypted using the previously negotiated ciphers. In tunnel mode, the entire IP datagram is also encrypted and the encrypted information becomes the payload of a new, routable IP packet. Tunnel mode is used to create virtual private networks, and both modes are supported by InterNiche's IPSec.
16:Can IPSec protected traffic cross my IPv4 NAT?
Yes, communication protected by using IPSec's "tunnel mode" can pass through a NAT Router. Transport mode, on the other hand, ensures the integrity of the data through use of a hash value which protects it from the type of modification employed by NAT. Additional means are required to pass this mode through a NAT Router.
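The interaction between NAT and the integrity hash described in answers 15 and 16 can be reproduced in a few lines. This is an added example, not InterNiche code: it assumes an AH-style integrity check value (ICV) over the IP header's immutable fields in transport mode and an ESP-style ICV over only the encapsulated datagram in tunnel mode, omits encryption and the real AH/ESP header layouts, and uses a constructed key and addresses.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-integrity-key"  # constructed sample key (assumption)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at zero for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def nat_rewrite_source(packet, new_src):
    """What a NAT router does to the outermost header: replace bytes 12..15."""
    return packet[:12] + socket.inet_aton(new_src) + packet[16:]

def icv(data):
    """Integrity check value: HMAC-SHA-256 truncated to 16 bytes (assumption)."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def immutable_view(header):
    """Zero the fields routers may legitimately change: TOS, flags/frag, TTL, checksum."""
    h = bytearray(header)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def transport_protect(src, dst, payload):
    # Simplified layout: IP header | ICV | payload. The ICV covers the addresses.
    hdr = ipv4_header(src, dst, 51, 16 + len(payload))
    return hdr + icv(immutable_view(hdr) + payload) + payload

def transport_verify(pkt):
    hdr, tag, payload = pkt[:20], pkt[20:36], pkt[36:]
    return hmac.compare_digest(tag, icv(immutable_view(hdr) + payload))

def tunnel_protect(gw_src, gw_dst, inner_packet):
    # Simplified layout: outer IP header | inner datagram | ICV (encryption omitted).
    return ipv4_header(gw_src, gw_dst, 50, len(inner_packet) + 16) + inner_packet + icv(inner_packet)

def tunnel_verify(pkt):
    return hmac.compare_digest(pkt[-16:], icv(pkt[20:-16]))

def demo():
    data = b"constructed application data"
    t = transport_protect("10.0.0.5", "198.51.100.7", data)
    inner = ipv4_header("10.0.0.5", "192.168.9.20", 6, len(data)) + data
    u = tunnel_protect("10.0.0.1", "198.51.100.7", inner)
    return {"transport_before_nat": transport_verify(t),
            "transport_after_nat": transport_verify(nat_rewrite_source(t, "203.0.113.9")),
            "tunnel_before_nat": tunnel_verify(u),
            "tunnel_after_nat": tunnel_verify(nat_rewrite_source(u, "203.0.113.9"))}
```
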
17:This sounds complex. What does the product do to help me debug, trace, monitor what's going on?
Between command-line commands, logging facilities and statistics, InterNiche's IPSec and IKE include numerous facilities to assist with debugging, monitoring and configuring the products.
18:Are InterNiche's products covered by GPL?
No. InterNiche products are 'closed-source' and do not subject your own development efforts to GPL's requirement that you release your proprietary software to the public.