
TargetIPSec™

Internet Protocol Security

Blunk Microsystems' Internet Protocol Security (IPsec) is available for both TargetTCP-IPv6™ and TargetTCP-IPv4™. It was built from the ground up as an enterprise-grade security subsystem for VPNs and for devices such as those requiring USGv6 conformance. Security Policy (SP) configurations secure categories of network traffic with fine-grained precision: traffic can be selected by address and by port for UDP and TCP, and by ICMP message code in place of a port for ICMP, which has no ports. SPs can be configured at compile, boot or run time through the API or shell commands. All security is applied transparently to upper-layer protocols, including customer and legacy network applications. Internet Key Exchange version 2 (IKEv2) automatically negotiates Security Associations (SAs) for all network traffic covered by a security policy. SAs can also be configured manually, for testing or for integration with an alternate key exchange mechanism.

Features

  • RFC-compliant protocol suite adds high-performance Internet Protocol Security.

    • Internet Protocol Security (IPsec): RFC 4301
    • Authentication Header (AH): RFC 4302
    • Encapsulating Security Payload (ESP): RFC 4303
    • Internet Key Exchange version 2 (IKEv2): RFC 5996 (since obsoleted by RFC 7296, a clarifying revision of the same protocol)

  • IKEv2 - Internet Key Exchange version 2
    • Authenticates peers and negotiates new Security Association pairs between IPsec peers covered by a Security Policy.
    • Peers authenticate with RSA X.509 certificates (up to 8192-bit keys) or pre-shared keys (PSK). Supported ID types are IP address, FQDN, e-mail address or opaque identifier. Note that IKEv2 PSK authentication gives no protection against an offline dictionary attack on a low-entropy secret (RFC 7296 section 2.15), so PSKs should be long random values.
    • Full support for IKEv2 and IPsec NAT traversal allows either peer to sit behind one or more NAT gateways. Includes NAT detection, UDP encapsulation, and IPv4 and IPv6 checksum updating in transport mode.
    • Automatic port narrowing for the SA pairs it creates: IKEv2 narrows every SA to the most specific traffic selector it can, so that each traffic flow receives its own keys.
    • Compact implementation, clean-room designed from the ground up to be small and responsive on even the most resource-constrained embedded systems, using only the IETF RFCs and the IETF mailing list as references.
    • Includes a programmable API and shell interface for IDs and timeout values:
      • ike [‹ADD|DEL› ‹IPV4|IPV6|FQDN|EMAIL|KEY› ‹id› ‹PSK|CRT› ‹name› [‹pk›]]
        - add or remove IKE peer identities (IDs)
        [‹TMR› ‹RETRY|IKE|SA|IKE_HO|SA_HO› ‹seconds›]
        - change retry, lifetime and half-open times for IKE and SAs
      • ikesave - save modified timeout values and all IDs in IKE to NVRAM

  • IPsec - Security Architecture for the Internet Protocol
    • Includes a programmable API and shell interface for associations and policies:
      • spshow - display Security Policies
      • sashow - display Security Associations
      • spsave - save Security Policies to NVRAM
      • sasave - save Security Associations to NVRAM (a saved manual SA includes its keys, so the NVRAM holding it must be treated as key storage)
      • spadd ‹dir› ‹src› ‹dst› ‹tp› ‹pr› ‹rp› ‹lp› ‹m› ‹ty› [PFS] [START] [NAT] [spi]
        - add a Security Policy
      • saadd ‹6|4› ‹spi› ‹src› ‹dst› ‹AH|ESP› ‹algo1› ‹key1› ‹algo2› ‹key2›
        - add a Security Association
      • spdelete ‹dir› ‹src› ‹dst› ‹tp› ‹pr› ‹rp› ‹lp› - remove a Security Policy
      • sadelete ‹spi› - remove a Security Association
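The two mechanisms described above, policy selection over address/port/ICMP-code selectors and IKEv2 narrowing of each SA to the most specific selector possible, are shown together in the following added example. It is illustrative code written for this page, not TargetIPSec's implementation, and it does not mirror the spadd/saadd shell syntax: the Policy and Packet classes, the function names and the sample policy database are this example's own. It follows RFC 4301 in carrying ICMP type (high byte) and code (low byte) in the 16-bit port slot of a selector, and RFC 7296 section 2.9 for narrowing.

```python
"""Security Policy lookup and IKEv2 traffic-selector narrowing.

Added illustration in the style of RFC 4301 section 4.4.1 and RFC 7296
section 2.9. Not TargetIPSec code; names and sample data are this example's own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"   # RFC 4301 SPD actions
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
PortRange = Tuple[int, int]
ANY_PORT: PortRange = (0, 65535)


def icmp_sel(icmp_type: int, code: int) -> PortRange:
    """ICMP has no ports; RFC 4301 carries type (high byte) and code (low byte)
    in the selector's 16-bit port slot, so one type/code is a single-value range."""
    v = (icmp_type << 8) | code
    return (v, v)


@dataclass(frozen=True)
class Policy:
    direction: str            # "in" or "out"
    src: str                  # CIDR, IPv4 or IPv6
    dst: str
    proto: Optional[int]      # IP protocol number; None matches any protocol
    sport: PortRange          # source port range, or packed ICMP type/code
    dport: PortRange
    action: str


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: int
    sport: int                # for ICMP: packed (type << 8) | code
    dport: int


def _in_range(v: int, r: PortRange) -> bool:
    return r[0] <= v <= r[1]


def matches(p: Policy, pkt: Packet) -> bool:
    """Every selector must cover the packet; an IPv4/IPv6 version mismatch never matches."""
    return (p.direction == pkt.direction
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(p.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(p.dst)
            and (p.proto is None or p.proto == pkt.proto)
            and _in_range(pkt.sport, p.sport)
            and _in_range(pkt.dport, p.dport))


def spd_lookup(spd: List[Policy], pkt: Packet) -> Tuple[str, Optional[Policy]]:
    """Ordered SPD: the first matching entry decides. Traffic matching no entry
    is discarded rather than sent in the clear (RFC 4301 section 4.4.1)."""
    for p in spd:
        if matches(p, pkt):
            return p.action, p
    return DISCARD, None


def _intersect(a: PortRange, b: PortRange) -> Optional[PortRange]:
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def narrow_ts(proposed_sport: PortRange, proposed_dport: PortRange,
              policy: Policy, trigger: Optional[Packet] = None
              ) -> Optional[Tuple[PortRange, PortRange]]:
    """Responder-side narrowing (RFC 7296 section 2.9): the Child SA's selectors
    become the intersection of what the initiator proposed and the responder's
    policy. If the triggering packet is known and lies inside that intersection,
    narrow to that single flow (this example's reading of "as specific as
    possible": each flow then gets its own keys). None means no overlap, which a
    responder reports as TS_UNACCEPTABLE."""
    s = _intersect(proposed_sport, policy.sport)
    d = _intersect(proposed_dport, policy.dport)
    if s is None or d is None:
        return None
    if trigger is not None and _in_range(trigger.sport, s) and _in_range(trigger.dport, d):
        return (trigger.sport, trigger.sport), (trigger.dport, trigger.dport)
    return s, d


# Constructed sample SPD for the outbound direction of a host on 10.0.0.0/24.
SAMPLE_SPD: List[Policy] = [
    Policy("out", "10.0.0.0/24", "10.0.1.0/24", IPPROTO_TCP, ANY_PORT, (443, 443), PROTECT),
    Policy("out", "10.0.0.0/24", "10.0.1.0/24", IPPROTO_ICMP, icmp_sel(8, 0), icmp_sel(8, 0), PROTECT),
    Policy("out", "10.0.0.0/24", "10.0.1.0/24", None, ANY_PORT, ANY_PORT, BYPASS),
    Policy("out", "2001:db8::/64", "2001:db8:1::/64", IPPROTO_UDP, ANY_PORT, (500, 500), BYPASS),
]
```

With this SPD an HTTPS connection to 10.0.1.0/24 is protected, an ICMP echo request is protected while other ICMP types fall through to the BYPASS entry, IKE itself (UDP/500) is bypassed on the IPv6 link, and anything else is discarded. Narrowing a proposal of any/any against the HTTPS policy with the triggering packet in hand yields a selector for exactly that connection's source port and port 443.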

  • ESP - IP Encapsulating Security Payload
    • Authentication algorithms: NULL, MD5, MD5-96, SHA, SHA-96 (the 96-bit truncated forms are the HMAC-MD5-96 and HMAC-SHA-1-96 of RFC 2403 and RFC 2404)
    • Encryption algorithms: DES-CBC, 3DES-CBC, AES-CBC, AES-CTR
    • Caveats: RFC 4303 does not allow NULL authentication together with NULL encryption, AES-CTR (RFC 3686) provides no integrity of its own and must be paired with an authentication algorithm, and current guidance (RFC 8221) rates DES-CBC and HMAC-MD5-96 as MUST NOT and 3DES-CBC as SHOULD NOT, so new configurations should pair AES with a SHA-based integrity algorithm.

  • AH - IP Authentication Header
    • Authentication algorithms: NULL, MD5, MD5-96, SHA, SHA-96 (the same RFC 8221 guidance against MD5 applies)

  • Tested interoperable with Windows, Linux, OS X, iOS, Android and other TCP/IP stacks.
  • Daemon mode allocates one task for IPsec and four tasks for IKE. Whether using daemon or polled integration, IKE and IPsec each require one semaphore. IKE daemon mode is designed to minimize the impact of a denial-of-service attack: one IKE task processes inbound packets, a second negotiates new IKE SAs, a third negotiates IPsec SAs that require PFS, and the fourth handles IKE SA rekeying. Limiting the daemons' queue sizes and setting priorities to favor existing connections keeps denial-of-service attempts from affecting the rest of the system. For example, the default priorities place the IKE SA rekey task and the PFS SA task above the new-IKE-SA task, so a flurry of new IKE SA requests can delay only other new connections, not established ones.

  • Options available when IKE is under attack include requiring every new IKE SA initiator to present a responder-issued cookie (the stateless cookie mechanism of IKEv2). The responder answers each new IKE SA request with a cookie instead of allocating state, so the requester, or attacker, must retry the request carrying that cookie; a flood sent from spoofed source addresses never receives its cookies and therefore never creates state on the responder. Against more open or sophisticated attacks, for example a flood from real addresses that do complete the cookie exchange, hostile peers can additionally be blocked with the TargetTCP firewall.
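The cookie exchange described above, as an added example written for this page rather than TargetIPSec's own code: a responder under attack keeps no state for an unverified initiator, because the cookie is a keyed hash over values the initiator must echo back, and only a peer that really receives packets at its claimed source address can do so. The Responder and IkeSaInit names, the scenario function and the exact cookie construction are this example's own; RFC 7296 section 2.6 offers the formula Cookie = VersionIDofSecret | Hash(Ni | IPi | SPIi | secret) only as a suggestion, and this code follows it.

```python
"""IKEv2 responder cookie against IKE_SA_INIT floods (RFC 7296 section 2.6).

Added example, not TargetIPSec code. Names and the scenario are this example's own.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

COOKIE_LEN = 20           # RFC 7296 allows a COOKIE notify of 1..64 bytes


@dataclass(frozen=True)
class IkeSaInit:
    src_ip: str                       # IPi as seen on the wire (can be spoofed)
    spi_i: bytes                      # initiator's SPI from the IKE header
    nonce_i: bytes                    # Ni
    cookie: Optional[bytes] = None    # N(COOKIE) echoed back on retry


class Responder:
    def __init__(self, under_attack: bool = False) -> None:
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>), as suggested in
        # RFC 7296 s2.6. Keeping the previous secret lets a retry that crossed a secret
        # rotation still verify; anything older is rejected.
        self._secrets = [secrets.token_bytes(32), secrets.token_bytes(32)]  # [current, previous]
        self._version = 1
        self.under_attack = under_attack
        self.half_open: Dict[bytes, Dict[str, object]] = {}   # state exists only after the cookie check

    def _cookie(self, msg: IkeSaInit, version: int, secret: bytes) -> bytes:
        mac = hmac.new(secret, msg.nonce_i + msg.src_ip.encode() + msg.spi_i, hashlib.sha256).digest()
        return bytes([version]) + mac[: COOKIE_LEN - 1]

    def _cookie_ok(self, msg: IkeSaInit) -> bool:
        for age, secret in enumerate(self._secrets):
            expected = self._cookie(msg, (self._version - age) & 0xFF, secret)
            if hmac.compare_digest(msg.cookie, expected):
                return True
        return False

    def rotate_secret(self) -> None:
        """Called periodically; RFC 7296 says the secret should change often."""
        self._secrets = [secrets.token_bytes(32), self._secrets[0]]
        self._version = (self._version + 1) & 0xFF

    def handle_init(self, msg: IkeSaInit) -> Tuple[str, Optional[bytes]]:
        """Returns ("COOKIE", cookie) to demand a retry, ("REJECT", None) when the echoed
        cookie does not verify, or ("SA_INIT_RESPONSE", spi_r) once state has been kept."""
        if self.under_attack:
            if msg.cookie is None:
                return "COOKIE", self._cookie(msg, self._version, self._secrets[0])
            if not self._cookie_ok(msg):
                return "REJECT", None
        # Only now does the responder spend memory on this peer.
        self.half_open[msg.spi_i] = {"src": msg.src_ip, "ni": msg.nonce_i}
        return "SA_INIT_RESPONSE", os.urandom(8)


def flood_then_legit_peer(flood: int = 1000) -> Tuple[int, str, str]:
    """Constructed scenario: `flood` spoofed IKE_SA_INITs, then one honest peer that
    retries with its cookie. Returns (half-open SAs kept, first reply kind, retry reply kind)."""
    r = Responder(under_attack=True)
    for i in range(flood):   # the attacker never sees the COOKIE replies, so never retries
        r.handle_init(IkeSaInit(f"203.0.113.{i % 254 + 1}", os.urandom(8), os.urandom(32)))
    first = IkeSaInit("198.51.100.7", os.urandom(8), os.urandom(32))
    kind1, cookie = r.handle_init(first)
    retry = IkeSaInit(first.src_ip, first.spi_i, first.nonce_i, cookie)
    kind2, _ = r.handle_init(retry)
    return len(r.half_open), kind1, kind2
```

The scenario ends with exactly one half-open SA, the honest peer's, no matter how large the spoofed flood. The cookie is bound to the source address, SPI and nonce, so it cannot be replayed from another address or with a modified request, and a cookie survives one secret rotation but not two. What the cookie cannot do is stop an attacker who sends from addresses he really controls and completes the retry; that is the case the page hands to the firewall.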

  • Developed using TargetOS™, Blunk Microsystems' real-time operating system; the source code is 100% ANSI C and is easily ported both to other real-time kernels and to polling environments that do not use a kernel.

  • Integrated with TargetTools™, the IDE for embedded development from Blunk Microsystems with an integrated compiler and kernel-aware debugger, visual code editor, search and replace tool, BDM for board bring-up, and fast Ethernet download.

  • Royalty-free. Includes source code, sample applications, and one year of technical support.