- IPSec is an architecture or framework for security services for IP networks. It works at the Network Layer of the OSI Model.
- It is actually a standard for secure data transmission.
- It provides mechanisms for authentication and encryption.
- Defined by RFC 4301, it carries a set of functions and is mandatory in IPv6.
- IPSec allows the use of several different protocol options for each VPN feature.
IPSec Encryption: IPSec supports several encryption algorithms, such as AES.
1. The sending device feeds the original packet and the session key into the encryption formula, calculating the encrypted data.
2. The sending device encapsulates the encrypted data into a packet, which includes the new IP header and VPN header.
3. The sending device sends this new packet to the destination VPN device.
4. The receiving device runs the corresponding decryption formula with the same key value the sending device used, recovering the original data.
IPSec KEY Exchange: IPSec uses a dynamic key exchange called Internet Key Exchange (IKE), defined by RFC 4306. IKE uses a specific process called the Diffie-Hellman (DH) key exchange protocol.
DH allows the devices to generate and exchange keys securely.
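The exchange described above, as an added example that is not part of the original page: each device keeps a private exponent, sends only g^priv mod p to its peer, and both arrive at the same shared secret, from which a session key is derived. The group parameters here (p = 2^127 - 1, generator 2) are a constructed toy size chosen so the code stays readable; real IKE negotiates MODP groups from RFC 3526 or elliptic-curve groups, and the SHA-256 key-derivation step is a stand-in for IKE's negotiated PRF.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Toy DH group (constructed for illustration only): p = 2^127 - 1 with generator 2.
// Parameters this small give no security; IKE uses the groups of RFC 3526 or ECDH.
var (
	dhPrime     = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 127), big.NewInt(1))
	dhGenerator = big.NewInt(2)
)

// newPrivate draws a random private exponent in [2, p-2]; it never leaves the device.
func newPrivate() (*big.Int, error) {
	bound := new(big.Int).Sub(dhPrime, big.NewInt(3))
	x, err := rand.Int(rand.Reader, bound)
	if err != nil {
		return nil, err
	}
	return x.Add(x, big.NewInt(2)), nil
}

// dhPublic computes g^priv mod p, the only value a device sends across the network.
func dhPublic(priv *big.Int) *big.Int {
	return new(big.Int).Exp(dhGenerator, priv, dhPrime)
}

// dhShared computes peerPub^priv mod p. Because (g^a)^b == (g^b)^a mod p, both
// devices obtain the same secret without it ever being transmitted.
func dhShared(priv, peerPub *big.Int) *big.Int {
	return new(big.Int).Exp(peerPub, priv, dhPrime)
}

// sessionKey turns the shared secret into a 256-bit key. SHA-256 over the secret
// bytes is an assumed stand-in for the PRF that IKE negotiates for this step.
func sessionKey(shared *big.Int) [32]byte {
	return sha256.Sum256(shared.Bytes())
}

func main() {
	aPriv, _ := newPrivate()
	bPriv, _ := newPrivate()
	aPub, bPub := dhPublic(aPriv), dhPublic(bPriv) // these two values cross the wire
	kA := sessionKey(dhShared(aPriv, bPub))
	kB := sessionKey(dhShared(bPriv, aPub))
	fmt.Printf("both devices derived the same session key: %v\n", kA == kB)
}
```

An eavesdropper who records aPub and bPub still lacks either private exponent, which is why the page can say the devices "exchange keys securely" over an untrusted network; the private values are discarded after the session key is derived.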
Internet Key Exchange (IKE)
- IKE is the protocol that IPSec uses to negotiate and establish authenticated keying materials for security associations (SA’s).
- IKE is a hybrid of two protocols, namely the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley Key Management Protocol.
- A security association (SA) is an agreement between the communicating peers (devices) on factors such as IPSec protocols (AH & ESP), mode of operation of the protocols (transport or tunnel), cryptographic algorithms, cryptographic keys, and the lifetime of the keys, among others.
- SA parameters are stored in the Security Association Databases (SADs).
Security Associations (SAs)
- An SA defines the mechanisms that an endpoint will use to communicate with its partner.
- All SAs cover transmission in one direction only.
- A second SA must be defined for two-way communication.
- Defined SA mechanisms include encryption and authentication algorithms, and usage of protocols such as AH and ESP.
IPSec KEY Authentication and Message Integrity:
Authentication here generally refers to the process by which a receiving VPN device can confirm that a received packet was really sent by a trusted VPN peer.
Message Integrity, sometimes referred to as message authentication, allows the receiver to confirm that the message was not tampered with in transit.
Hash-based Message Authentication Code (HMAC) is used. The sending device computes a hash and stores the result in the VPN header. The receiving device re-computes the hash using the shared key and compares the value with the value listed in the VPN header. If the values match, the receiver knows the message did not change.
| Purpose | Method | Notes |
|---|---|---|
| Message integrity | HMAC-MD5 | Uses a 128-bit shared key, generating a 128-bit hash value |
| Message integrity | HMAC-SHA | SHA uses different key sizes – 160, 256, 512. Considered better than MD5 but has more overhead. |
| Authentication | Pre-shared Keys | Both VPN devices must be preconfigured with the same secret key |
| Authentication | Digital Signatures | RSA is used for encryption. |
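The HMAC procedure above, as an added example that is not part of the original page: the sender computes HMAC-SHA-256 over the ESP header and the data with the shared key and appends the result; the receiver re-computes it with the same key and compares in constant time. The 128-bit truncation follows RFC 4868's HMAC-SHA-256-128 for IPsec; the packet layout, the 32-byte key and the payload are constructed for the demonstration, and encryption is left out so the integrity check stands on its own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const icvLen = 16 // ESP carries HMAC-SHA-256 truncated to 128 bits (RFC 4868)

// computeICV is the hash step: HMAC over the VPN (ESP) header and the data, keyed
// with the shared secret, truncated to the integrity check value length.
func computeICV(key, espHeader, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(espHeader)
	mac.Write(payload)
	return mac.Sum(nil)[:icvLen]
}

// protectPacket builds [ESP header: SPI, sequence][payload][ICV]; the sender stores
// the computed hash at the end of the packet. (Constructed layout; no encryption.)
func protectPacket(key []byte, spi, seq uint32, payload []byte) []byte {
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:4], spi)
	binary.BigEndian.PutUint32(hdr[4:8], seq)
	pkt := append(hdr, payload...)
	return append(pkt, computeICV(key, hdr, payload)...)
}

// verifyPacket re-computes the hash with the shared key and compares it with the
// value carried in the packet using a constant-time comparison, so a forger learns
// nothing from timing. The payload is returned only when the two values match.
func verifyPacket(key, pkt []byte) ([]byte, bool) {
	if len(pkt) < 8+icvLen {
		return nil, false
	}
	hdr, payload, icv := pkt[:8], pkt[8:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	if !hmac.Equal(icv, computeICV(key, hdr, payload)) {
		return nil, false
	}
	return payload, true
}

func main() {
	key := []byte("constructed-32-byte-shared-key!!") // constructed pre-shared key
	pkt := protectPacket(key, 0x2001, 1, []byte("balance=100"))
	_, ok := verifyPacket(key, pkt)
	fmt.Println("untouched packet accepted:", ok)
	pkt[8+len("balance=")] = '9' // one payload byte changed in transit
	_, ok = verifyPacket(key, pkt)
	fmt.Println("modified packet accepted:", ok)
}
```

Because the header is covered by the hash as well, a change to the sequence number is rejected just like a change to the data; that is what lets the anti-replay check on the sequence number be trusted.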
The ESP and AH Security Protocols – IPSec defines these two security protocols with each defining a header.
Encapsulating Security Payload (ESP) – defines the rules for performing authentication, message integrity, encryption and anti-replay. ESP can be used with or without AH.
Authentication Header (AH) – supports authentication and message integrity. AH does not offer any encryption services.
Endpoints communicate with IPSec using either transport or tunnel mode.
- Transport Mode – encrypts only the IP payload. This mode is mostly used for end-to-end protection, for example, between a client and a server.
- Tunnel Mode – encrypts both the IP payload and headers. Tunnel mode is often used between networks, such as with firewall-to-firewall VPNs.
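The four-step encryption procedure and the two modes, as one added example that is not part of the original page: the sending side encrypts with the session key and encapsulates behind the headers the mode requires, and the receiving side decrypts with the same key. Transport mode leaves the original IP header readable and protects only the payload; tunnel mode hides the whole original packet, header included, behind a new outer header. The cipher is AES-256-GCM, which ESP permits as a combined mode (RFC 4106); the 20-byte header length, the omission of the ESP trailer, the session key and the packets are constructed assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Mode selects what ESP protects.
type Mode int

const (
	Transport Mode = iota // original IP header stays in clear; only the payload is encrypted
	Tunnel                // whole original packet is encrypted behind a new outer IP header
)

const ipHdrLen = 20 // minimal IPv4 header; the constructed packets below carry no options

// newGCM sets up AES-GCM for a 16-, 24- or 32-byte session key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// espProtect is the sending side: step 1 encrypts with the session key, steps 2-3
// encapsulate as [outer IP header][ESP header][nonce][ciphertext+tag]. The 8-byte ESP
// header (SPI, sequence) is authenticated as additional data. outerHdr (tunnel mode
// only) is assumed to be ipHdrLen bytes so the receiver can parse it.
func espProtect(key []byte, spi, seq uint32, mode Mode, outerHdr, packet []byte) ([]byte, error) {
	if len(packet) < ipHdrLen {
		return nil, errors.New("packet shorter than an IP header")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	esp := make([]byte, 8)
	binary.BigEndian.PutUint32(esp[0:4], spi)
	binary.BigEndian.PutUint32(esp[4:8], seq)
	outer, plain := packet[:ipHdrLen], packet[ipHdrLen:] // transport: header stays clear
	if mode == Tunnel {
		outer, plain = outerHdr, packet // tunnel: the original packet goes inside whole
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plain, esp)
	wire := make([]byte, 0, len(outer)+len(esp)+len(nonce)+len(ct))
	wire = append(wire, outer...)
	wire = append(wire, esp...)
	wire = append(wire, nonce...)
	return append(wire, ct...), nil
}

// espUnprotect is step 4: the receiver decrypts with the same session key. GCM returns
// an error instead of data if the key is wrong or any protected byte changed. Transport
// mode re-attaches the clear header; tunnel mode drops the outer header entirely.
func espUnprotect(key []byte, mode Mode, wire []byte) ([]byte, uint32, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, 0, err
	}
	hdrEnd := ipHdrLen + 8 + gcm.NonceSize()
	if len(wire) < hdrEnd {
		return nil, 0, errors.New("truncated packet")
	}
	outer, esp, nonce := wire[:ipHdrLen], wire[ipHdrLen:ipHdrLen+8], wire[ipHdrLen+8:hdrEnd]
	plain, err := gcm.Open(nil, nonce, wire[hdrEnd:], esp)
	if err != nil {
		return nil, 0, err
	}
	if mode == Transport {
		plain = append(append([]byte{}, outer...), plain...)
	}
	return plain, binary.BigEndian.Uint32(esp[4:8]), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)                              // constructed session key
	inner := append(make([]byte, ipHdrLen), []byte("GET /status")...) // constructed inner packet
	outer := bytes.Repeat([]byte{0xAA}, ipHdrLen)                     // constructed gateway header
	for _, m := range []Mode{Transport, Tunnel} {
		wire, _ := espProtect(key, 0x1001, 1, m, outer, inner)
		back, seq, err := espUnprotect(key, m, wire)
		fmt.Printf("mode %d: seq=%d payload readable on wire=%v restored=%v err=%v\n",
			m, seq, bytes.Contains(wire, []byte("GET /status")), bytes.Equal(back, inner), err)
	}
}
```

Comparing the two wire formats shows the practical difference: in transport mode the first 20 bytes on the wire are the original header, so an observer between the endpoints still sees the true source and destination; in tunnel mode those bytes are the gateway's outer header and the inner addresses are inside the ciphertext.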