IPSEC

IPSEC ALL FULL EXPLANATION

Uploaded by toyisi5546

Rakesh

IPSEC:

What is IPsec?


IPsec (Internet Protocol Security) is a suite of network security protocols developed to
protect IP traffic by establishing encrypted tunnels between two or more endpoints across a
public network.
IPsec provides confidentiality through encryption, data integrity through keyed hashing
(HMAC), and peer authentication using digital signatures or a pre-shared key (PSK).
IPsec Goals
The goals can be described as follows:
■ Confidentiality: provided through encryption, which turns clear text into cipher text.
■ Data integrity: provided through a Hashed Message Authentication Code (HMAC) that lets
the receiver verify the data has not been manipulated during its transit across the network.
A plain, unkeyed hash is not enough on its own, because an attacker who can modify the
packet can recompute it; the secret key inside the HMAC is what makes the check meaningful.
■ Authentication: provided by authenticating the VPN peers near the beginning of a VPN
session using pre-shared keys (PSK) or digital signatures (leveraging digital certificates).
Authentication also continues for every packet through the HMAC, which includes a secret
known only to the two ends of the VPN.
■ Anti-replay protection: once the VPN is established, the sender numbers packets
sequentially and the receiver tracks them in a sliding window. A packet that is replayed
(perhaps by an attacker) is rejected because the VPN device knows it has already processed
that sequence number.
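The anti-replay check above is worth seeing as code, because the order of operations matters. What follows is an added example, not part of Rakesh's notes: a 64-packet sliding window in the style of RFC 4303 Appendix A, with the receiver doing the window pre-check first, then the ICV, and only then updating the window. The key, SPI and arrival order are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

K_AUTH = b"\x22" * 32   # constructed demo integrity key; a real SA gets it from IKE

def packet_icv(spi, seq, payload):
    """Integrity check value over the ESP header fields and payload (HMAC-SHA-256-128)."""
    return hmac.new(K_AUTH, struct.pack("!II", spi, seq) + payload, hashlib.sha256).digest()[:16]

class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 Appendix A (32-bit sequence numbers)."""
    def __init__(self, size=64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means sequence number (top - i) has already been accepted

    def check(self, seq):
        """Pure pre-check, no state change: is seq new and not older than the window?"""
        if seq == 0:                       # RFC 4303: the first packet on an SA uses seq 1
            return False
        if seq > self.top:
            return True
        offset = self.top - seq
        return offset < self.size and not (self.bitmap >> offset) & 1

    def update(self, seq):
        """Record seq; call only after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & self.mask if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def receive(win, spi, seq, payload, tag):
    """Receiver order from RFC 4303 section 3.4.3: window pre-check, then ICV, then window update."""
    if not win.check(seq):
        return "drop: replay or too old"
    if not hmac.compare_digest(packet_icv(spi, seq, payload), tag):
        return "drop: bad ICV"      # window untouched, so a forger cannot push it past real traffic
    win.update(seq)
    return "accept"

def demo():
    """Constructed arrival order: out-of-order, a replay, a big jump, packets that fell off the
    window, a forged packet with a huge sequence number, then the next genuine packet."""
    spi, payload = 0x1000, b"data"
    genuine = lambda seq: (seq, packet_icv(spi, seq, payload))
    forged = (2000, bytes(16))     # attacker-chosen seq, no key, so the ICV is garbage
    win = ReplayWindow()
    arrivals = [genuine(1), genuine(3), genuine(2), genuine(3), genuine(70), genuine(5),
                genuine(6), genuine(7), forged, genuine(71)]
    return [(seq, receive(win, spi, seq, payload, tag)) for seq, tag in arrivals]
```

Running demo() shows why the window is updated only after the ICV passes: the forged packet with sequence number 2000 is dropped without moving the window, so the genuine packet 71 that follows is still accepted. Had the window been advanced on the unverified packet, 71 would have been discarded as "too old", which is exactly the denial of service RFC 4303 warns about.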
Internet Key Exchange (IKE) Protocol

IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secure site-
to-site or remote-access VPN tunnels.
IKE sets up the IPsec Security Associations (SAs) by agreeing security attributes such as the
encryption key, encryption algorithm and mode between the IPsec peers.
A Security Association (SA) is a one-way virtual tunnel between the two peers, identified by a
Security Parameter Index (SPI) and carrying its own keys. Thus, for full two-way communication
to occur, two SAs must be established, one for each direction.

The establishment of an IPsec connection takes place in two phases, called IKE phases:
■ IKE Phase 1: The two endpoints authenticate one another and negotiate keying
material. This results in an encrypted tunnel that Phase 2 uses to negotiate the
ESP (or AH) security associations.
■ IKE Phase 2: The two endpoints use the secure tunnel created in Phase 1
to establish the IPsec SAs, which protect the actual user data that is passed between
the two endpoints.
IKE relies on ISAKMP to establish an initial secure channel over which the IPsec
tunnel can be negotiated. An IKE policy determines the attributes of the ISAKMP
session (typically called the IKE SA), including the encryption type and hashing
methods.
The two-phase description above is IKEv1 (RFC 2409). IKEv2 (RFC 7296) keeps the same
idea but uses fewer messages: the IKE_SA_INIT and IKE_AUTH exchanges replace Phase 1 and
also create the first IPsec (Child) SA, and CREATE_CHILD_SA replaces further Phase 2
exchanges. IKEv2 has no Aggressive Mode.
In IKE Phase 1, five basic items must be agreed between the two VPN peers:
■ Encryption algorithm: AES. DES and 3DES still appear in older guides but are deprecated
and should not be offered.
■ Hash algorithm: SHA-2 (SHA-256 or stronger). MD5 and SHA-1 are deprecated.
■ Diffie-Hellman (DH) group: used to create and share the session keys. Group 14
(2048-bit MODP) or an elliptic-curve group such as 19 or 20 is the minimum today; groups 1,
2 and 5 (768, 1024 and 1536 bits) are no longer considered adequate.
■ Authentication method: pre-shared key (PSK) or RSA signatures (certificates).
■ SA lifetime: how long until this IKE Phase 1 tunnel is torn down and renegotiated.
IKE Phase 1 negotiation can happen in one of two modes. Main Mode takes six messages and
is slower but more secure, because the peer identities are exchanged only after the channel
is encrypted. Aggressive Mode takes three messages and is faster but less secure: the
identities travel in the clear, and with PSK authentication the responder's authentication
hash is exposed to an offline dictionary attack on the PSK. Prefer Main Mode, or IKEv2.
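Two points from this section and the one before it are easier to see in code: how a responder picks one of the initiator's Phase 1 proposals by matching the five attributes, and why the two one-way SAs of a Phase 2 exchange end up with different keys even though both peers derived them from the same secret. The block below is an added example, not code from Rakesh's notes or from any IKE implementation. The responder policy, the proposals, SKEYID_d, the nonces and the SPIs are all constructed; the key expansion follows the Quick Mode formula in RFC 2409 section 5.5 (without PFS), with SHA-256 as the PRF.

```python
import hashlib
import hmac
import struct

# Responder policy (constructed). DES, 3DES, MD5, SHA-1 and DH groups 1/2/5 are deliberately
# absent: they are the legacy options the notes list, but no current deployment should accept them.
ACCEPTABLE = {
    "enc": {"AES-256-CBC", "AES-128-CBC"},
    "hash": {"SHA-256", "SHA-384"},
    "dh": {14, 19, 20},            # 2048-bit MODP, P-256, P-384
    "auth": {"RSA-SIG", "PSK"},
}
MAX_LIFETIME = 86400               # longest IKE SA lifetime (seconds) this responder allows
PROTO_IPSEC_ESP = 3                # ISAKMP protocol ID for ESP (not the IP protocol number 50)

def select_proposal(initiator_proposals):
    """Responder side of Phase 1: the first proposal whose enc/hash/DH/auth we accept, or None
    (the initiator then gets NO-PROPOSAL-CHOSEN). A longer offered lifetime is clamped to ours."""
    for p in initiator_proposals:
        if all(p[k] in ACCEPTABLE[k] for k in ("enc", "hash", "dh", "auth")):
            return dict(p, lifetime=min(p["lifetime"], MAX_LIFETIME))
    return None

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def keymat(skeyid_d, protocol, spi, ni, nr, needed):
    """RFC 2409 section 5.5 (Quick Mode without PFS):
    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    Kn = prf(SKEYID_d, Kn-1 | protocol | SPI | Ni_b | Nr_b)."""
    out, k = b"", b""
    while len(out) < needed:
        k = prf(skeyid_d, k + bytes([protocol]) + struct.pack("!I", spi) + ni + nr)
        out += k
    return out[:needed]

def ipsec_sa_pair(skeyid_d, ni, nr, spi_in, spi_out, key_bytes=64):
    """One Quick Mode exchange yields two one-way SAs. Each side's inbound SA is identified by
    the SPI that side chose; the peer's outbound SA uses that same SPI and so derives the same
    KEYMAT. The two directions use different SPIs and therefore different keys."""
    return {
        "inbound": keymat(skeyid_d, PROTO_IPSEC_ESP, spi_in, ni, nr, key_bytes),
        "outbound": keymat(skeyid_d, PROTO_IPSEC_ESP, spi_out, ni, nr, key_bytes),
    }

def demo():
    offered = [   # constructed initiator proposals, weakest first
        {"enc": "3DES-CBC", "hash": "MD5", "dh": 2, "auth": "PSK", "lifetime": 28800},
        {"enc": "AES-256-CBC", "hash": "SHA-256", "dh": 14, "auth": "RSA-SIG", "lifetime": 172800},
    ]
    chosen = select_proposal(offered)
    # Constructed Phase 1 output and Quick Mode nonces; each SPI is picked by the receiver of that SA.
    skeyid_d, ni, nr = b"\x33" * 32, b"\x44" * 16, b"\x55" * 16
    spi_i, spi_r = 0xC0FFEE01, 0xBADC0DE2
    initiator = ipsec_sa_pair(skeyid_d, ni, nr, spi_in=spi_i, spi_out=spi_r)
    responder = ipsec_sa_pair(skeyid_d, ni, nr, spi_in=spi_r, spi_out=spi_i)
    return chosen, initiator, responder
```

demo() returns the accepted proposal (the AES/SHA-256/group 14 one, with the lifetime clamped to the responder's 86400 seconds) and the two key sets; the initiator's inbound keys equal the responder's outbound keys and vice versa, while each side's inbound and outbound keys differ. Offer only the weak first proposal and select_proposal() returns None.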
There are two protocols for encapsulating IPsec-protected traffic:
■ Authentication Header (AH), IP protocol 51
■ Encapsulating Security Payload (ESP), IP protocol 50
Authentication Header (AH)
– AH provides data integrity, authentication and anti-replay protection for the IPsec VPN.
AH DOES NOT provide any data encryption at all.
– AH computes its integrity check value (ICV) over the payload and the IP header, with only
the mutable fields (TTL, checksum, TOS, flags) zeroed out, so the source and destination
addresses are covered. This makes AH incompatible with NAT: when the translator rewrites an
address in the IP header, the receiving device concludes the packet was altered in transit
and rejects it.
Encapsulating Security Payload (ESP)
– ESP provides data integrity, encryption, authentication and anti-replay protection for
the IPsec VPN.
– ESP computes its ICV over the ESP header, payload and trailer only, not over the outer IP
header, so an address rewrite by NAT does not break the integrity check. In practice, NAT
traversal (NAT-T, RFC 3948) additionally wraps ESP in UDP on port 4500, because many NAT
devices cannot track a protocol that carries no port numbers.

ESP is more widely deployed than AH, because ESP on its own provides all the benefits of
IPsec: confidentiality, integrity, authentication and replay protection.

IPsec Modes

IPsec can protect traffic in two modes: tunnel mode and transport mode.
– In tunnel mode the whole original IP packet, header and payload, is encapsulated (and with
ESP, encrypted), and a new outer IP header is added. This is the mode used between VPN
gateways, so an observer on the path sees only the gateway addresses.
– In transport mode only the packet payload is protected and the original IP header is left
intact, so the addresses of the communicating hosts stay visible. This mode is used for
host-to-host protection.
First, let's look at how AH and ESP treat the original IP packet.

And now at how those two protocols fit into the two modes.
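The figures this section refers to are not reproduced here, so the following added example (not code from Rakesh's notes) builds the packets instead. It covers both the AH/ESP comparison and the two modes: ESP in transport and tunnel mode, AH in transport mode, what an on-path observer learns from the outer header in each case, and what a source NAT does to each protocol's integrity check. The IP header builder, the NAT function and the addresses and keys are constructed for the demonstration; the ICV is HMAC-SHA-256-128 as IPsec uses it, while the cipher is a SHA-256 counter-mode keystream standing in for AES, which is enough to show which bytes are covered by what.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP, AH, TCP, IPV4 = 50, 51, 6, 4   # IP protocol numbers (IPV4 = IP-in-IP, tunnel mode's next header)
K_AUTH = bytes.fromhex("00" * 32)    # constructed demo keys; a real SA gets its keys from IKE
K_ENC = bytes.fromhex("11" * 32)

def ip_checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl,
                      proto, 0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def icv(data):
    """HMAC-SHA-256 truncated to 128 bits (HMAC-SHA-256-128), the usual IPsec integrity algorithm."""
    return hmac.new(K_AUTH, data, hashlib.sha256).digest()[:16]

def keystream(iv, n):
    """Stand-in for the AES cipher a real SA would use: SHA-256 in counter mode. Illustrative only."""
    blocks = (hashlib.sha256(K_ENC + iv + struct.pack("!I", i)).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def esp_encapsulate(outer_src, outer_dst, inner, next_header, spi, seq, iv):
    """ESP: [outer IP][SPI|seq][IV][encrypted: inner + pad + pad_len + next_header][ICV]."""
    pad_len = (-(len(inner) + 2)) % 4                      # RFC 4303 default padding 1,2,3,...
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(iv, len(plain))))
    esp = struct.pack("!II", spi, seq) + iv + cipher
    esp += icv(esp)              # ICV covers ESP header, payload and trailer; the IP header is NOT included
    return ipv4_header(outer_src, outer_dst, ESP, len(esp)) + esp

def esp_decapsulate(pkt):
    """Return (next_header, inner) or None when the ICV does not verify."""
    body, tag = pkt[20:-16], pkt[-16:]
    if not hmac.compare_digest(icv(body), tag):
        return None
    cipher = body[16:]
    plain = bytes(a ^ b for a, b in zip(cipher, keystream(body[8:16], len(cipher))))
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - pad_len - 2]

def ah_immutable(hdr):
    """Zero the IPv4 fields RFC 4302 calls mutable (TOS, flags/fragment, TTL, checksum); addresses stay."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = h[10:12] = b"\0\0"
    h[8] = 0
    return bytes(h)

def ah_encapsulate(src, dst, payload, next_header, spi, seq):
    """AH: [IP][next_hdr|len|rsvd|SPI|seq|ICV][payload]; the ICV covers the (immutable) IP header too."""
    ah_fixed = struct.pack("!BBHII", next_header, 5, 0, spi, seq)  # 28-byte AH = 7 words, len field = 7-2
    hdr = ipv4_header(src, dst, AH, len(ah_fixed) + 16 + len(payload))
    return hdr + ah_fixed + icv(ah_immutable(hdr) + ah_fixed + bytes(16) + payload) + payload

def ah_verify(pkt):
    hdr, ah_fixed, tag, payload = pkt[:20], pkt[20:32], pkt[32:48], pkt[48:]
    return hmac.compare_digest(icv(ah_immutable(hdr) + ah_fixed + bytes(16) + payload), tag)

def nat_rewrite_src(pkt, new_src):
    """What a source NAT does on the way out: replace the source address and fix the IP checksum."""
    h = bytearray(pkt[:20])
    h[12:16] = ipaddress.ip_address(new_src).packed
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]

def observer_view(pkt):
    """(src, dst, protocol) as seen by anyone on the path: all the addressing the outer header reveals."""
    return str(ipaddress.ip_address(pkt[12:16])), str(ipaddress.ip_address(pkt[16:20])), pkt[9]

def demo():
    tcp = bytes.fromhex("04d20050") + b"hello"   # constructed stand-in for a TCP segment (ports 1234 -> 80)
    iv = bytes.fromhex("0102030405060708")
    # Transport mode: the hosts themselves are the IPsec endpoints; their addresses stay visible.
    transport = esp_encapsulate("10.0.0.2", "192.0.2.10", tcp, TCP, 0x1000, 1, iv)
    # Tunnel mode: the whole original packet (10.0.0.2 -> 172.16.0.5) rides inside ESP between gateways.
    original = ipv4_header("10.0.0.2", "172.16.0.5", TCP, len(tcp)) + tcp
    tunnel = esp_encapsulate("203.0.113.1", "198.51.100.1", original, IPV4, 0x2000, 1, iv)
    ah_pkt = ah_encapsulate("10.0.0.2", "192.0.2.10", tcp, TCP, 0x3000, 1)
    return {
        "transport_view": observer_view(transport),
        "tunnel_view": observer_view(tunnel),
        "tunnel_inner": esp_decapsulate(tunnel),          # (4, original packet) at the far gateway
        "esp_after_nat": esp_decapsulate(nat_rewrite_src(transport, "203.0.113.1")) is not None,
        "ah_before_nat": ah_verify(ah_pkt),
        "ah_after_nat": ah_verify(nat_rewrite_src(ah_pkt, "203.0.113.1")),
    }
```

demo() returns the observer's view of each packet (host addresses in transport mode, only the gateway addresses in tunnel mode, protocol 50 in both), the original packet recovered from the tunnel-mode ESP with next header 4, and the NAT result: the ESP packet still verifies after its source address is rewritten, the AH packet verifies before NAT and fails after it.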