Wednesday, 17 May 2017

IPSec

Internet Protocol Security (IPSec) is a framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks.

IPSec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

IPSec implemented on all host devices provides flexibility and security. It enables end-to-end security between two peers on the network.


IPsec delivers data confidentiality services by applying a “transform” that turns plaintext data into a block of ciphertext. Common ciphers used in the IPsec transforms are DES, 3DES, and AES.

Encryption/Hashing Algorithms

AH and ESP are generic and do not specify the exact mechanism used for encryption, which provides the flexibility to work with a variety of encryption algorithms. The most common algorithms used with IPSec are Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1). These are called hashing algorithms.

Security Policies and Associations, and Management Methods

Because IPSec lets different peers decide how they want to implement security, security policies and security associations are used to provide standard ways to exchange security association information.

Key Exchange Framework and Mechanism

The two communicating peers exchange encrypted information and share keys for decrypting the encrypted information. They also need a way to exchange security association information. For this, IPSec uses a protocol called Internet Key Exchange (IKE).

How IPSec Works
Step 1: Define Interesting Traffic
For every packet protected by IPSec, the system administrator must specify the security services applied to the packet. The security policy database specifies the IPSec protocols, modes, and algorithms applied to the traffic.

Step 2: IKE Phase 1

 
  • First exchange—The algorithms and hashes used to secure the IKE communications are negotiated and agreed on between peers.
  • Second exchange—Uses a DH exchange to generate shared secret keys and to pass nonces, which are random numbers sent to the other party, signed, and returned to prove their identity. The shared secret key is used to generate all the other encryption and authentication keys.
  • Third exchange—Verifies the other side's identity. It is used to authenticate the remote peer. The main outcome of main mode is a secure communication path for subsequent exchanges between the peers. Without proper authentication, it is possible to establish a secure communication channel with a hacker who is now stealing all your sensitive material.

In a point-to-point application, each end might need only a single IKE policy set defined. However, in a hub-and-spoke environment, the central site might require multiple IKE policy sets to satisfy all the remote peers.
Step 3: IKE Phase 2
The purpose of IKE Phase 2 is to negotiate the IPSec security parameters that are applied to the interesting traffic traversing the tunnel negotiated during Phase 1.
 
 
Router A sends IPSec transform sets 30 and 40 to Router B. Router B compares its set, transform set 55, with those received from Router A. In this instance, a match occurs. Router A's transform set 30 matches Router B's transform set 55. These encryption and authentication algorithms form an SA.
When the peers agree on the security services, each VPN peer device enters the information in a security policy database (SPD). The information includes the encryption and authentication algorithm, destination IP address, transport mode, key lifetime, and so on.
This information is the SA—a one-way logical connection that provides security to all traffic traversing the connection. Because most traffic is bidirectional, two SAs are required: one for inbound traffic, and one for outbound traffic. The VPN device indexes the SA with a number, a Security Parameter Index (SPI). 
Rather than send the SA's individual parameters across the tunnel, the source gateway, or host, inserts the SPI into the ESP header. When the IPSec peer receives the packet, it looks up the destination IP address, IPSec protocol, and SPI in its SA database (SAD) and then processes the packet according to the algorithms listed under the SPD.

Step 4: Data Transfer
After IKE Phase 2 is complete and quick mode has established IPSec SAs, traffic is exchanged between Hosts A and B via a secure tunnel.

IPSec Tunnel Termination
IPSec SAs terminate through deletion or by timing out. An SA can time out when a specified number of seconds has elapsed or when a specified number of bytes has passed through the tunnel. When the SAs terminate, the keys are also discarded.
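
The SA lookup from Step 3 and the termination rule above, as an added example that is not part of the original post: a receiver reads the SPI from the ESP header, finds the SA by (destination IP, protocol, SPI), and drops the SA once its time or byte lifetime is reached. The class and field names, addresses, SPIs and lifetimes are all constructed for illustration.

```python
import struct
from dataclasses import dataclass

ESP = 50  # IP protocol number assigned to ESP

@dataclass
class SA:
    """One inbound SA; field names are illustrative, not from any product."""
    cipher: str
    auth: str
    created: float      # install time, seconds
    max_seconds: int    # time-based lifetime
    max_bytes: int      # volume-based lifetime
    bytes_seen: int = 0

    def expired(self, now):
        return (now - self.created >= self.max_seconds
                or self.bytes_seen >= self.max_bytes)

class SAD:
    """SA database indexed by (destination IP, IPSec protocol, SPI)."""
    def __init__(self):
        self._sas = {}

    def add(self, dst, proto, spi, sa):
        self._sas[(dst, proto, spi)] = sa

    def process(self, dst, proto, packet, now):
        """Return a verdict string for one inbound ESP packet."""
        if len(packet) < 8:
            return "drop: truncated ESP header"
        # ESP header starts with a 32-bit SPI and a 32-bit sequence number.
        spi, _seq = struct.unpack("!II", packet[:8])
        sa = self._sas.get((dst, proto, spi))
        if sa is None:
            return "drop: no SA for SPI"
        if sa.expired(now):
            del self._sas[(dst, proto, spi)]  # keys go away with the SA
            return "drop: SA expired"
        sa.bytes_seen += len(packet)
        return f"accept: {sa.cipher}/{sa.auth}"

def demo():
    """Constructed traffic: 64-byte packets against a 100-byte lifetime."""
    sad = SAD()
    sad.add("192.0.2.2", ESP, 0x1000, SA("aes", "sha1", 0.0, 3600, 100))
    good = struct.pack("!II", 0x1000, 1) + bytes(56)
    unknown = struct.pack("!II", 0x2000, 1) + bytes(56)
    return [sad.process("192.0.2.2", ESP, p, now=t)
            for t, p in enumerate([good, unknown, good, good, good])]
```

Once the SA has been removed, later packets carrying its SPI are treated the same as packets with an SPI that was never negotiated.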
 




 
