Fusion IPsec (IP Security) allows for secure connections between different networking sites and is used for VPN applications. Fully integrated with the Fusion Net Stack, this removes the bump in the stack issue where data is copied thus reducing overall throughput. The Fusion IPsec implementation removes 1-2 extra memory copies from a standard bump in the stack implementation.



Fusion IPsec Protocol Features

Strong encryption
Encrypting your system’s Internet traffic means the content that is passed over the Internet cannot be easily read by intermediate nodes. The strength of the encryption refers to how easy it would be for the encrypted data to be ‘cracked’. Fusion IPsec offers varying levels of encryption, and different encryption algorithms, trading off between processor usage and level of security.

Data integrity
By calculating a checksum and placing the checksum within the encrypted data, it can be made very difficult for the data that is passed over the Internet to be modified. Fusion IPsec automatically checks whether a packet received using IPsec has been tampered with. A modified packet is discarded and will normally be re-sent by the originator.

Peer Authentication
Authentication is achieved with digital signatures*. This means that a recipient of data can be sure that any data received is from the real source and not an imposter.

Replay Protection
Duplicated packets (duplicated by an intermediate node on the Internet) can be prevented using an encrypted sequence number within the packet*. Duplicate packets are discarded.

Fusion Embedded IPsec Source Code Features

• Integral part of the Fusion TCP/IPv4/v6 stack. By integrating the IPsec Source Code into the Fusion TCP/IP stack, we avoid the unnecessary additional processing that a “Bump-In-The-Stack” (BITS) implementations suffer.
• ‘Drop-in’ solution saving engineering cost and time-to-market
• Not based on Open Source - designed and written for Embedded Systems
• Port available for MS Windows
• Manual Configuration of Security Associations (SA)
• Dynamic configuration of Security Associations through optional IKE interface (IKEv2 enhancements also available)
• Authentication Header (AH) and Encapsulating Security Payload (ESP)
• Authentication transforms using HMAC-MD5 and HMAC-SHA-1 (as per RFC 2402) and NULL (RFC 2406)
• Encryption using DES, 3DES, AES and Blowfish (RFC 2451) and NULL (RFC2406)
• Both Transport and Tunnel modes are supported (Gateway and Host)
• Security policies based on individual or ranges of IP address(es), Port number(s) and/or protocol number
• Security policies determine whether to “apply” IPsec, “bypass” or “discard”
• Open configuration API
• Uses extensible PKI library written and designed for embedded systems with hooks for alternative cryptography providers including hardware assistance
• Royalty-free license for OEMs
• Ansi C Embedded Source Code

RFC Compliance

• RFC 1321 The MD5 Message-Digest Algorithm
• RFC 1829 The ESP DES-CBC Transform
• RFC 1853 IP in IP Tunneling
• RFC 2401 Security Architecture for the Internet Protocol
• RFC 2402 IP Authentication Header
• RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
• RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
• RFC 2406 IP Encapsulating Security Payload (ESP)
• RFC 2410 The NULL Encryption Algorithm and Its Use With IPsec
• RFC 2451 The ESP CBC-Mode Cipher Algorithms
• RFC 3602 The AES-CBC Cipher Algorithm and its use with IPsec