IPSec & IKE
HCC’s IPv4 & IPv6 stack is supported by an extensive set of protocols and applications that provide unrivalled performance and security. All software components are created using a strong development process and are supplied with quality verification including a full MISRA-compliant static analysis report. IPsec can be used to create secure host-host, host-gateway and gateway-gateway paths and works seamlessly with HCC’s Embedded Encryption Module (EEM) to provide a complete security solution.
IPsec provides a robust approach to security in embedded applications such as cars, ‘point-of-sale’ terminals, medical devices, industrial equipment and many others. It ensures integrity, confidentiality and authentication between two devices in a network, providing strong defense against threats such as ‘man in the middle’ attacks and packet sniffers.
IPsec & IKEv2 Operation
IPsec operates at the network layer and is transparent to applications that still operate as normal using TCP/UDP. It is considered mandatory for fully compliant IPv6 implementation.
HCC’s IPSec module implements the Security Architecture for IP protocol suite, commonly abbreviated to IPsec. The IPsec module filters all incoming IPv4/IPv6 and upper layer messages and uses the Authentication Header (AH) to ensure the integrity of data. It implements a simple firewall that determines what to do with each incoming packet. It also provides an authenticating and encrypting protocol, Encapsulating Security Payload (ESP) to ensure data remains confidential.
The solution provides all database management functionality required to manage the storage of the authentication certificates and encryption keys.
IPsec’s ‘tunnel mode’ is used to create secure point-to-point Virtual Private Networks (VPNs) where the whole packet is encrypted. This means that any data can be transmitted securely across the network. Internet Key Exchange (IKEv2) is the protocol used by IPsec to set up a Security Association (SA), which stores a list of parameters such as encryption keys, algorithm source IP address, etc.
The IPsec and IKEv2 modules are part of the HCC MISRA-compliant TCP/IP stack, and are designed specifically using strong quality processes to ensure a high level of network security and performance.
- Security Architecture for IP (IPsec) implementation is compliant with RFC 4301 and RFC 3168.
- Internet Key Exchange (IKEv2) implementation is compliant with RFC 7427 (version 2bis).
- Extended Authorization Protocol (EAP) implementation is compliant with RFC 3748.
- Encapsulating Security Payload (ESP) implementation is compliant with RFC 4303.
- Authentication Header (AH) implementation is compliant with RFC 4302.
- The NAT traversal implementation is compliant with RFC 3948.
Implementation & Integration
- Conforms to the HCC Advanced Embedded Framework so can be dropped into any RTOS, processor or compiler environment without modification (all required abstractions supplied).
- Complies with the HCC MISRA coding standards.
- Can be used with or without a commercial RTOS.