Security Global Forum


Setting up AIX/LINUX as Router for IPsec with Traffic Control

By Vinayak Telkar posted Thu November 25, 2021 11:14 AM

  

With the constant threat of security breaches, companies are under pressure to lock down every aspect of their applications, infrastructure, and data. One way to secure network traffic is to protect it with the IPsec protocol suite, which encrypts and authenticates packets at the IP layer regardless of the application generating them.


The AIX operating system uses IP Security (IPsec), which is an open, standard security technology developed by the Internet Engineering Task Force (IETF).

IPsec provides cryptography-based protection of all data at the IP layer of the communications stack. No changes are needed for existing applications. IPsec is the industry-standard network-security framework chosen by the IETF for both the IP Version 4 and 6 environments.

IPsec protects your data traffic using the following cryptographic techniques:

Authentication
Process by which the identity of a host or end point is verified
Integrity Checking
Process of ensuring that no modifications were made to the data while in transit across the network
Encryption
Process of ensuring privacy by "hiding" data and private IP addresses while in transit across the network

An IPsec channel or tunnel is established between two or more machines. A secured connection therefore needs at least two machines, with the following in place and running on each of them:

1) IPsec device enabled for IPv4 and IPv6.

2) An XML tunnel definition containing the authentication method, the encryption and integrity algorithms, and the local and remote IP addresses, loaded into the IKE database with the command ikedb -p <filename.xml>.

3) IPsec daemons up and running.

4) A tunnel can be configured to authenticate with a pre-shared key (PSK) or with a certificate exchange. The command "ike cmd=activate" activates the tunnel. The machine on which the tunnel is activated is called the "initiator"; the other machine is the "responder".
(Figures in the original post: sample tunnel definitions for PSK and for certificate authentication.)


IPsec Tunnel Creation via ROUTER:

Once an IPsec tunnel is established, traffic travels from source to destination over one or more hops; in production those hops are real routers.
Here we look at turning an existing AIX or Linux box into the router. Such a setup simulates a real routed path, gives more freedom to test IPsec robustness (the encrypted packets are forwarded like any other IP traffic, so the router needs no knowledge of the tunnel), and allows traffic control to be applied in the middle of the path.

AIX/LINUX as Router: IPV4
The network interface of the initiator and one network interface of the router must be on the same VLAN ID.
The network interface of the responder and the other network interface of the router must be on the same VLAN ID.
A "route add" pointing at the router's near-side address is needed on both the initiator and the responder, and IP forwarding must be enabled on the router. Without the route the peers will try to reach each other directly; without forwarding the router silently discards the packets it receives for the far side.
The diagram below shows the router setup and the commands to be executed on each machine with user-defined IPv4 address sets.

AIX/LINUX as Router: IPV6
The same three requirements apply for IPv6: matching VLAN IDs, an IPv6 route on each peer via the router, and IPv6 forwarding enabled on the router. The diagram below shows the router setup and the commands to be executed on each machine with user-defined IPv6 address sets.
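The commands for the three roles above, as an added example that is not part of the original post. The addresses, VLAN assignment and interface names are assumptions chosen for illustration (initiator 10.0.1.10 / fd00:1::10 on VLAN 100, responder 10.0.2.10 / fd00:2::10 on VLAN 200, router legs 10.0.1.1 / fd00:1::1 and 10.0.2.1 / fd00:2::1). The Linux forms use ip(8) and sysctl(8); the AIX forms use no(1) and route(1). It defaults to a dry run that prints the commands, so it can be reviewed before being executed as root:

```shell
#!/bin/sh
# Added example (not from the original post): generate or apply the per-host
# commands for the routed IPsec test bed. Addresses, VLAN IDs and interface
# names are assumed for illustration; check the AIX route/no syntax against the
# local man pages before running with DRY_RUN=0.
# Usage: DRY_RUN=1 sh route_setup.sh <initiator|responder|router> <linux|aix>

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# Assumed topology: the router has one leg on each VLAN.
RTR_A_V4=10.0.1.1;  RTR_A_V6=fd00:1::1   # router leg on VLAN 100 (initiator side)
RTR_B_V4=10.0.2.1;  RTR_B_V6=fd00:2::1   # router leg on VLAN 200 (responder side)

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Static route toward the far-side network via the near router leg.
add_route_v4() {  # $1 os, $2 dest network, $3 netmask, $4 prefix length, $5 gateway
    case "$1" in
        linux) run ip route add "$2/$4" via "$5" ;;
        aix)   run route add -net "$2" -netmask "$3" "$5" ;;
        *)     echo "unknown os: $1" >&2; return 1 ;;
    esac
}

add_route_v6() {  # $1 os, $2 dest network, $3 prefix length, $4 gateway
    case "$1" in
        linux) run ip -6 route add "$2/$3" via "$4" ;;
        aix)   run route add -inet6 -net "$2" -prefixlen "$3" "$4" ;;
        *)     echo "unknown os: $1" >&2; return 1 ;;
    esac
}

# The router itself needs no route (both networks are directly attached); it
# only has to forward. These sysctl/no settings are not persistent by default.
enable_forwarding() {  # $1 os
    case "$1" in
        linux) run sysctl -w net.ipv4.ip_forward=1
               run sysctl -w net.ipv6.conf.all.forwarding=1 ;;
        aix)   run no -o ipforwarding=1
               run no -o ip6forwarding=1 ;;
        *)     echo "unknown os: $1" >&2; return 1 ;;
    esac
}

configure() {  # $1 role, $2 os
    case "$1" in
        initiator) add_route_v4 "$2" 10.0.2.0 255.255.255.0 24 "$RTR_A_V4" &&
                   add_route_v6 "$2" fd00:2:: 64 "$RTR_A_V6" ;;
        responder) add_route_v4 "$2" 10.0.1.0 255.255.255.0 24 "$RTR_B_V4" &&
                   add_route_v6 "$2" fd00:1:: 64 "$RTR_B_V6" ;;
        router)    enable_forwarding "$2" ;;
        *)         echo "unknown role: $1" >&2; return 1 ;;
    esac
}

[ "$#" -eq 2 ] && configure "$1" "$2"
```

Run it once per machine with its role and OS, for example `sh route_setup.sh initiator aix`, `sh route_setup.sh responder linux` and `sh route_setup.sh router linux`. After the tunnel is activated, a traceroute from the initiator to the responder should show the router leg as the single intermediate hop; if it does not, the route or the forwarding setting is missing.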


Traffic Control at LINUX as ROUTER:
Traffic control is the name given to the set of queuing systems and mechanisms by which packets are received and transmitted on a router. This includes deciding which packets (and whether) to accept at what rate on the input of an interface, and determining which packets to transmit in what order and at what rate on the output of an interface. The rules below are some of the traffic control mechanisms used on the Linux router to disturb IPsec traffic. A root qdisc acts on packets transmitted by the named interface, so eth7 should be the router interface facing the peer whose incoming traffic you want to affect; to impair both directions, add the same rule on the other router interface as well.

Packet Drop add rule at LINUX Router
sudo tc qdisc add dev eth7 root netem loss 50%

Packet Drop del rule at LINUX Router
sudo tc qdisc del dev eth7 root netem

Packet Delay add rule at Linux Router (limit 1 allows only one packet in the netem queue, so packets that arrive while a packet is being held for 30 s are dropped; raise the limit to delay traffic without dropping it)
sudo tc qdisc add dev eth7 root netem limit 1 delay 30s

Packet Delay del rule at Linux Router
sudo tc qdisc del dev eth7 root netem

Traffic control rule display.
sudo tc qdisc show dev eth7
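To turn the rules above into a repeatable robustness check, here is an added example that is not part of the original post: it applies a netem loss rule on the router over ssh, pings the responder across the tunnel from the initiator, parses the loss percentage from the ping summary and compares it with the configured loss before removing the rule. The router host name, interface name, peer address and passwordless ssh/sudo access are assumptions; the embedded ping outputs are constructed samples used when the script is run without arguments.

```shell
#!/bin/sh
# Added example (not from the original post): induce packet loss on the Linux
# router and measure what the IPsec peer observes. Router host, interface and
# peer address are assumptions; ssh and sudo access to the router are assumed.
# Usage: sh netem_test.sh <router-host> <router-if> <loss-percent> <peer-ip> [count]
#        sh netem_test.sh            (no args: parse the constructed samples only)

# Constructed sample outputs (not captured from a real run) for offline use.
SAMPLE_LINUX_PING='PING 10.0.2.10 (10.0.2.10) 56(84) bytes of data.
64 bytes from 10.0.2.10: icmp_seq=1 ttl=63 time=0.412 ms

--- 10.0.2.10 ping statistics ---
10 packets transmitted, 5 received, 50% packet loss, time 9012ms'
SAMPLE_AIX_PING='----10.0.2.10 PING Statistics----
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 0/0/1 ms'

# Print the loss percentage from a ping summary as an integer. Both iputils
# ("50% packet loss") and AIX ping ("0% packet loss") use a "<n>%" token.
parse_ping_loss() {
    printf '%s\n' "$1" | awk '/packet loss/ {
        for (i = 1; i <= NF; i++) if ($i ~ /%$/) {
            sub(/%.*/, "", $i); sub(/\..*/, "", $i); print $i; exit
        } }'
}

# Succeed when |observed - expected| <= tolerance (all integer percentages).
# netem loss is probabilistic, so a small ping count needs a wide tolerance.
loss_within_tolerance() {  # $1 observed, $2 expected, $3 tolerance
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$3" ]
}

# The netem rule acts on packets the router transmits on $2, so pick the
# interface facing the responder to lose initiator->responder traffic.
netem_loss_apply() { ssh "$1" sudo tc qdisc add dev "$2" root netem loss "$3%"; }
netem_clear()      { ssh "$1" sudo tc qdisc del dev "$2" root netem; }

run_loss_test() {  # $1 router host, $2 router if, $3 loss %, $4 peer ip, $5 count
    count="${5:-100}"
    netem_loss_apply "$1" "$2" "$3" || return 2
    # A failing ping is a measurement, not an error; always clear the rule.
    out=$(ping -c "$count" "$4" 2>&1) || true
    netem_clear "$1" "$2"
    observed=$(parse_ping_loss "$out")
    echo "configured loss ${3}%, observed ${observed:-?}%"
    [ -n "$observed" ] && loss_within_tolerance "$observed" "$3" 15
}

if [ "$#" -ge 4 ]; then
    run_loss_test "$@"
elif [ "$#" -eq 0 ]; then
    echo "linux sample loss: $(parse_ping_loss "$SAMPLE_LINUX_PING")%"
    echo "aix sample loss:   $(parse_ping_loss "$SAMPLE_AIX_PING")%"
fi
```

Run it from the initiator, for example `sh netem_test.sh router eth7 50 10.0.2.10 200`. A loss figure far above the configured value means packets are being lost for another reason (a missing route, forwarding disabled, or the tunnel dropping traffic), not because of netem. On an AIX initiator, `ike cmd=list` afterwards shows whether the phase 1 and phase 2 tunnels survived the impairment; the same pattern applies to the delay rule by swapping the netem arguments and comparing round-trip times instead of loss.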


