1:What is IPSec?
Originally defined as a means of securing IPv6 traffic across an insecure network, IPSec
is also widely used to secure IPv4 traffic between endpoints. Unlike other protocols, such as
TLS/SSL or SSH which encrypt the TCP payload, IPSec secures the IP payload and so provides an
even more secure communications channel. Secure keys are either 'pre-shared' or negotiated at
runtime using IKE.
2:What is IKE?
IKE stands for Internet Key Exchange and is used by both sides of an IPSec link
to negotiate security keys when they have not been previously shared. When keys expire
the protocol is reinvoked and new ones are created.
RFC4306 has this to say in definition of IKE:
IKE performs mutual authentication between two parties and
establishes an IKE security association (SA) that includes shared
secret information that can be used to efficiently establish SAs for
Encapsulating Security Payload (ESP) [RFC4303] and/or Authentication
Header (AH) [RFC4302] and a set of cryptographic algorithms to be
used by the SAs to protect the traffic that they carry.
3:What are Pre-Shared Keys and how are they managed?
Symmetric key cryptography relies on the use of shared
encryption keys for encryption and decryption of secured data. These
keys are either negotiated through protocols such as IKE or are
derived from a previously shared secret. These Previously Shared Keys
(PSK) must be known by both sides of the secure channel. Management
of this information is 'application specific' and require storage of
the PSK for each system with which it will be securely communicating.
In embedded systems, this usually is only a unique string or algorithm
for generating the secret. The central server, on the
other hand, may employ a database to hold this information.
4:How does IPSec differ from IKE?
IPSec and IKE work together, with IKE being optional.
IKE negotiates the security keys if they have not been pre-shared.
IPSec secures the connection and manages data encryption.
5:Do I need to use IKE?
No, but depending on the size of your network and its topology, key
management may become an issue for you. If you elect to not use IKE,
it can be omitted from your image at compile-time with a simple change
to a single
6:Can IKEv2 negotiate keys with a peer running IKE?
Unfortunately, the short answer here is 'no', but InterNiche's IKEv2
also includes IKEv1 so by including both implementations in your build,
your device will be able to negotiate keys through either scheme.
7:Will InterNiche's IPSec/IKEv2 operate over both IPv4 and IPv6?
Yes. The products can simultaneously negotiate and secure connections
over both IPv4 and IPv6.
8:Do my applications have to be changed to run over IPSec?
No, but systems on both sides of the communication must have their
application endpoints configured for IPSec to either secure, pass
or block network traffic between the systems.
9:Can I build a VPN with InterNiche's IPSec?
10:Do InterNiche's IPSec or IKE require a pre-emptive RTOS?
No. IPSec and IKE can run in a No-OS (SuperLoop), cooperative tasking
or a pre-emptive RTOS environment.
11:What are the licensing terms of InterNiche's IPSec and IKE?
Like all InterNiche protocol software, the source code license includes
pre-paid royalties, the amount of which depends upon whether you
sign a Product, Platform or Architecture license. Details can be
explained by Sales@iNiche.com
12:Can InterNiche's IPSec take advantage of my hardware's encryption logic?
It certainly can. InterNiche's CryptoEngine™ is a thin layer between
security related requests (encryption/decryption, digest computation, key agreement, etc)
and their implementations. If your system has an
alternate support for any cipher, hash or encoding, then taking
advantage of it may be as simple as writing a little driver and
slight change to the CryptoEngine's configuration tables.
13:Where do I go if I have problems or integration questions?
Every source code license includes one year of technical support.
Instead of forcing you to use forums, wikis, or going through a first-line
technican, InterNiche customers have direct access to its staff of development
engineers to answer questions or provide technical solutions.
14:Cipher Suite? Key Lengths? Certificates? HELP!
While InterNiche is not able to train its customers in the purpose
and tradeoffs of security specifics, its products come with extensive
documentation on the use, integration and configuration of the products.
And as every license includes a Support Agreement, InterNiche Support
personnel are available to help you integrate them with your embedded
15:Does InterNiche's IPSec support both 'transport' and 'tunnel' mode?
Yes. In transport mode, the IP layer's payload is encrypted using
the previously negotiated ciphers. In tunnel mode, the entire IP datagram
is also encrypted and the encrypted information becomes the
payload of a new, routable IP packet. Tunnel mode is used to create
virtual private networks, and both modes are supported by InterNiche's
16:Can IPSec protected traffic cross my IPv4 NAT?
Yes, communication protected by using IPSec's "tunnel mode" can
pass through a NAT Router. Transport mode, on the other hand, ensures
the integrity of the data through use of a hash value which protects
it from the type of modification employed by NAT. Additional means
are required to pass this mode through a NAT Router.
17:This sounds complex. What does the product do to help me debug, trace, monitor what's going on?
Between command-line commands, logging facilities and statistics,
InterNiche's IPSec and IKE include numerous facilities to assist with
debugging, monitoring and configuring the products.
18:Are InterNiche's products covered by GPL?
No. InterNiche products are 'closed-source' and do not subject your own
development efforts to GPL's requirement that you release your proprietary
software to the public.