● designed by the IETF
● RFCs 2401, 2402, 2406, 2408, 2409
● rather a framework than a single protocol
● high granularity
(different modes for each flow)
● different security services
● optional for IPv4, mandatory for IPv6
security services
● Access Control
● Integrity
● Authentication
● Anti-Replay service
● Confidentiality
main parts
● 1st part ("connection setup")
– peer authentication
– negotiation of cryptographic parameters
– agreement on shared secret keys
IKE (Internet Key Exchange), SA (Security Association)
● 2nd part
– encrypted messages (with key from Phase 1)
– second set of shared secret keys
– Phase 1 SA is used to set up the IPSec SAs
– usually (at least) two unidirectional IPSec SAs
ESP modes
● transport
● tunnel
AH vs. ESP
● originally:
AH only integrity, ESP only confidentiality
● AH not possible with NAT
● AH prevents spoofing
● ESP: HMAC after trailer -> faster
Management Control
● IPSec protection
– based on policy choices defined in the SPD
– established and maintained by a user
● Security Policy Database (SPD)
– defines a subset of IP traffic
(IP address (src, dst), ports, transport-layer protocol, etc.)
– points to an SA
inbound traffic
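The SPD lookup described above, written out as an added example (not code from the slides or from any IPsec implementation): an ordered list of policies, each with a traffic selector (source/destination address, transport protocol, port) and an action (PROTECT with a pointer to an SA, BYPASS, or DISCARD), plus the inbound check that a decapsulated packet must match a PROTECT policy naming the SA it actually arrived on. The policies, SA names and packets are constructed for illustration; "esp-tunnel-siteB" is an assumed SA name.

```python
"""Toy Security Policy Database (SPD) lookup in the spirit of RFC 2401.

Added example with constructed data: the selectors, SA names and packets
below are invented for illustration, not taken from any real system.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str                  # IP address as text
    dst: str
    proto: int                # IP protocol number (6 = TCP, 17 = UDP)
    dport: Optional[int]      # None for protocols without ports


@dataclass(frozen=True)
class Selector:
    """Traffic selector: address ranges, transport protocol and port."""
    src: str                          # CIDR; "0.0.0.0/0" = any IPv4
    dst: str
    proto: Optional[int] = None       # None = any transport protocol
    dport: Optional[int] = None       # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        # ip_network.__contains__ returns False for a different IP version
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str               # "PROTECT", "BYPASS" or "DISCARD"
    sa: Optional[str] = None  # SA the traffic must use when action is PROTECT


# Default entry: traffic that matches no policy is dropped (fail closed).
DEFAULT_DISCARD = Policy(Selector("0.0.0.0/0", "0.0.0.0/0"), "DISCARD")

# Constructed SPD for a gateway protecting 10.1.0.0/16 (site A) with a
# tunnel to 10.2.0.0/16 (site B). Order matters: first match wins.
SPD = [
    # IKE itself (UDP/500) must travel in the clear, or no SA could be set up
    Policy(Selector("0.0.0.0/0", "0.0.0.0/0", proto=17, dport=500), "BYPASS"),
    # site-to-site traffic, one entry per direction, both pointing at the SA
    Policy(Selector("10.1.0.0/16", "10.2.0.0/16"), "PROTECT", sa="esp-tunnel-siteB"),
    Policy(Selector("10.2.0.0/16", "10.1.0.0/16"), "PROTECT", sa="esp-tunnel-siteB"),
    # an explicit discard for a protocol the site does not want at all
    Policy(Selector("0.0.0.0/0", "0.0.0.0/0", proto=6, dport=23), "DISCARD"),
]


def lookup(spd: list, pkt: Packet) -> Policy:
    """Return the first policy whose selector matches, else the default discard."""
    for policy in spd:
        if policy.selector.matches(pkt):
            return policy
    return DEFAULT_DISCARD


def check_inbound(spd: list, pkt: Packet, via_sa: Optional[str]) -> bool:
    """Decide whether an inbound packet is accepted.

    via_sa is the SA the packet was decapsulated from, or None if it arrived
    as plaintext. Plaintext is accepted only under a BYPASS policy; protected
    traffic only if the policy is PROTECT and names the SA it came through.
    This is what stops a plaintext packet from impersonating tunnel traffic.
    """
    policy = lookup(spd, pkt)
    if via_sa is None:
        return policy.action == "BYPASS"
    return policy.action == "PROTECT" and policy.sa == via_sa


if __name__ == "__main__":
    outbound = Packet("10.1.5.5", "10.2.7.7", 6, 443)
    print(lookup(SPD, outbound).action, lookup(SPD, outbound).sa)
    inbound = Packet("10.2.7.7", "10.1.5.5", 6, 443)
    print(check_inbound(SPD, inbound, via_sa="esp-tunnel-siteB"))
    print(check_inbound(SPD, inbound, via_sa=None))
```

The inbound check is the part that matters for security: a packet from 10.2.0.0/16 that shows up unprotected, or over some other SA, is rejected even though its addresses match the tunnel policy.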