moqingsong

Some material on the Windows 2000 IPSec implementation

Original poster #
Posted: 2002-05-02 17:17
Internet Protocol Security
Internet Protocol security (IPSec), which is integrated with the Windows 2000 TCP/IP stack, provides protection for IP data against snooping and manipulation and defends against IP-based attacks. Both goals are met through cryptography-based protection services, security protocols, and dynamic key management. IPSec-based communication includes these properties:


Authentication verifies the origin and integrity of an IP message.


Integrity protects IP data from being modified in transit without being detected.


Confidentiality uses encryption to ensure that only valid recipients of a message can decipher the contents of the message.


Antireplay ensures that each packet is unique and can't be reused. This property prevents a snooper from replying to captured messages to establish a session or gain unauthorized access to data.

IPSec on Windows 2000 relies on group policies that are stored in Active Directory for configuration, and it uses Active Directory's Kerberos version 5 authentication to authenticate computers that participate in IPSec message exchange. IPSec uses private/public key pairs based on the Windows 2000 CryptoAPI certificate services for encrypting and decrypting IPSec message data and passwords as part of its authentication process. (See the section "Encrypting File System Security" in Chapter 12 for more information on CryptoAPI.)

IPSec's implementation consists of an IPSec device driver (\Winnt\System32\Drivers\Ipsec.sys) that integrates with the TCP/IP protocol driver. In user space, a policy agent obtains IPSec configuration information from Active Directory and passes IPSec filtering information (IP address filters for which IPSec communications should be used) to the IPSec driver and security settings to an Internet Key Exchange (IKE) module. The IKE module waits for security association requests from the IPSec driver and negotiates the requests, passing the results back to the IPSec driver for use during authentication and encryption.

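The antireplay property listed in the post is normally enforced on the receiving side with a per-security-association sliding window over packet sequence numbers, as the AH/ESP standards describe (RFC 2402/2406, now RFC 4303). The C sketch below is an added example, not code from the post or from Windows 2000's Ipsec.sys; the struct, function names and the 64-packet window are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define REPLAY_WINDOW 64u   /* packets tracked; 64 is an assumed window size */

/* Per-security-association receive state (hypothetical, not a Windows type). */
typedef struct {
    uint32_t highest;   /* highest sequence number accepted so far */
    uint64_t bitmap;    /* bit i set => sequence (highest - i) already seen */
} replay_state;

/* Returns 1 and records seq if the packet is fresh; returns 0 if it is a
 * replay or older than the window. Call only after the packet's integrity
 * check has passed, so a forged packet cannot advance the window. */
int replay_check_and_update(replay_state *st, uint32_t seq)
{
    if (seq == 0)
        return 0;                           /* senders start counting at 1 */
    if (seq > st->highest) {                /* newer than anything seen */
        uint32_t shift = seq - st->highest;
        st->bitmap = (shift >= REPLAY_WINDOW) ? 0 : (st->bitmap << shift);
        st->bitmap |= 1ull;                 /* bit 0 marks seq itself */
        st->highest = seq;
        return 1;
    }
    uint32_t offset = st->highest - seq;
    if (offset >= REPLAY_WINDOW)
        return 0;                           /* fell out of the window */
    if (st->bitmap & (1ull << offset))
        return 0;                           /* already received: replay */
    st->bitmap |= 1ull << offset;           /* late but new: accept once */
    return 1;
}

/* Feeds a list of sequence numbers through one SA; returns how many pass. */
int count_accepted(const uint32_t *seqs, int n)
{
    replay_state st = {0, 0};
    int accepted = 0;
    for (int i = 0; i < n; i++)
        accepted += replay_check_and_update(&st, seqs[i]);
    return accepted;
}

int main(void)
{
    const uint32_t seqs[] = {1, 2, 3, 2, 5, 4, 4, 100, 36, 37}; /* constructed */
    printf("accepted %d of 10\n", count_accepted(seqs, 10));
    return 0;
}
```

Out-of-order delivery inside the window is tolerated (the late packet 4 is accepted once), while a captured packet sent again is dropped whether it arrives immediately or after the window has moved on.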