VPN and IPSec Terminology

One of the biggest challenges to learning about VPNs and IPSec is the tremendous number of terms, acronyms, and definitions. We discuss a great majority of them here and then use them throughout the chapter. Following is a list of VPN and IPSec terms:

  • Tunnel: A tunnel is a virtual point-to-point connection that carries traffic from one protocol encapsulated in another. Security is provided for the original IP packet, and the encrypted packet is placed inside another packet, which amounts to ciphertext inside a new IP packet. The IP address of the new packet is used to traverse the network. In tunnel mode, the hosts are not aware that encryption is taking place.

  • Transport: Security is provided at the transport layer and above. It protects the data of the packet but exposes the IP address. The original IP address is used to traverse the network. Transport mode is used for end-host-to-end-host communication. Tunnel mode is more common.

  • Encryption: Encryption is the process of taking cleartext and converting it into ciphertext to protect it from unauthorized viewing. The two types of encryption are symmetric, which uses a single shared secret key, and asymmetric, which uses a public and private key pair.

  • Decryption: Decryption is the process of taking ciphertext and converting it back into cleartext so that authorized users can view it.

  • DES: Single DES encryption uses a 56-bit key to encrypt and decrypt packet data.

  • 3DES: 3DES repeats the encryption three times, each time with a different 56-bit key. You will also see 3DES called 168-bit encryption.

  • CBC: Cipher block chaining is one of several modes of operating DES; CBC requires that the initialization vector (IV) is the same for both IPSec peers before encryption can take place.

  • Advanced Encryption Standard (AES): AES is a privacy transform for IPSec and IKE. It was developed to replace DES, and it uses a 128-, 192-, or 256-bit key.

  • Hashing: Hashing uses an algorithm or formula to convert data and a key into a hash. The hash ensures that the transmitted message has not been tampered with. The sender generates a hash of the message and key, encrypts it, and sends it with the message itself. The recipient then decrypts both the message and the hash, produces another hash from the received message, and compares the two hashes. A matching recalculated hash verifies that the message and the key are intact.

  • HMAC-MD5: This hashing algorithm uses a 128-bit shared secret key. IKE, AH, and ESP can use MD5 for authentication.

  • HMAC-SHA-1: This hashing algorithm uses a 160-bit shared secret key. SHA stands for Secure Hash Algorithm. IKE, AH, and ESP can use SHA-1 for authentication.

  • Key: Usually a string of random binary digits, a key is the information used to set up and possibly change the operations of a cryptosystem. You can think of it as the x in 71399 × x = hash; although that is not technically accurate, you get the point.

  • Preshared key: This type of key is a shared secret key or password that is usually entered manually on each peer for use in setting up an SA. It is used for authentication.

  • Key management: Key management is the control of how keys are generated, stored, revoked, transferred, and used.

  • CA: A certificate authority is a trusted third-party service that facilitates establishing secured communications by producing digital certificates. The digital certificates can be used as key material in establishing a VPN. CAs allow tremendous scalability in a VPN infrastructure.

  • Cryptosystem: The system that performs the encryption, decryption, hashing, authentication, and key management.

  • D-H: Diffie-Hellman is a public-key cryptography protocol that allows two parties to establish a shared secret key over an insecure communications channel. We look at two D-H groups: group 1, at 768 bits, and group 2, at 1024 bits.

  • RSA Digital Signatures: This public-key cryptographic system is used for authentication. A CA provides RSA digital certificates, which can be used to produce a digital signature and allow authentication without operator intervention. A D-H exchange can be authenticated with RSA signatures.

  • RSA encrypted nonces: A nonce is a pseudo-random number. With this form of authentication, peers do not exchange public keys.

  • AH: The Authentication Header provides data authentication, integrity, and optionally antireplay protection. The AH process is applied to the entire datagram except mutable fields. A mutable field is something like TTL (time to live), which is modified by every router in the transmission path. AH provides no encryption and does not work with network address translation (NAT).

  • ESP: Encapsulating Security Payload provides encryption, integrity, and optionally authentication and antireplay protection. With ESP, the entire IP packet is encapsulated. ESP does work with NAT.

  • IKE: Internet Key Exchange is a hybrid protocol combining the Oakley and SKEME key exchanges. IKE is synonymous with ISAKMP; you will see both terms used and referenced throughout Cisco materials.

  • ISAKMP: ISAKMP provides the authentication of IPSec peers, the negotiation of IKE and IPSec SAs, and the establishment of keys for IPSec encryption algorithms.

  • SA: A security association is built between two or more peers and describes the security services that have been set up or negotiated. SAs are unidirectional and protocol specific. If two peers are communicating securely with both AH and ESP, each host builds a separate SA for each protocol, inbound and outbound, so there are four SAs per peer. We discuss SAs further, but it is worth noting here that there is an SA for IKE and an SA for IPSec.

  • Transform sets: Transform sets define the combinations of IPSec algorithms for encryption and authentication. A transform set describes authentication (such as AH), encryption (such as ESP), and mode (tunnel versus transport).
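The sender/recipient hash check from the Hashing, HMAC-MD5, and HMAC-SHA-1 entries, worked through as an added example that is not from the book; the key and message are constructed sample values, and the 96-bit truncation comes from RFC 2403/2404, which the entries do not mention.

```python
# Added example (not from the book): the keyed hash check described in the
# Hashing, HMAC-MD5 and HMAC-SHA-1 entries. Key and message are constructed.
import hmac
import hashlib
from typing import Optional

# Full digest sizes the glossary quotes: HMAC-MD5 128 bits, HMAC-SHA-1 160 bits.
DIGEST_BITS = {"md5": 128, "sha1": 160}

def compute_icv(key: bytes, message: bytes, algo: str,
                truncate_bits: Optional[int] = 96) -> bytes:
    """Sender side: HMAC the message under the shared key.

    AH and ESP carry a truncated HMAC (RFC 2403 HMAC-MD5-96, RFC 2404
    HMAC-SHA-1-96): only the leftmost 96 bits of the digest are sent.
    Pass truncate_bits=None to keep the full digest.
    """
    mac = hmac.new(key, message, getattr(hashlib, algo)).digest()
    assert len(mac) * 8 == DIGEST_BITS[algo]
    return mac if truncate_bits is None else mac[: truncate_bits // 8]

def verify_icv(key: bytes, message: bytes, received_icv: bytes, algo: str) -> bool:
    """Recipient side: recompute the HMAC over what arrived and compare.
    compare_digest avoids leaking where the two values first differ."""
    expected = compute_icv(key, message, algo, truncate_bits=len(received_icv) * 8)
    return hmac.compare_digest(expected, received_icv)

def demo() -> dict:
    """Run both algorithms against an intact, a tampered, and a wrong-key case."""
    key = b"constructed-shared-secret"      # constructed sample key
    message = b"constructed IPSec payload"  # constructed sample data
    results = {}
    for algo in ("md5", "sha1"):
        icv = compute_icv(key, message, algo)
        results[algo] = {
            "icv_bits": len(icv) * 8,
            "intact": verify_icv(key, message, icv, algo),
            "tampered": verify_icv(key, message + b"!", icv, algo),
            "wrong_key": verify_icv(b"constructed-other-key", message, icv, algo),
        }
    return results
```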
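The Diffie-Hellman exchange from the D-H entry, as an added example that is not from the book: the two peers run it over the 1024-bit group 2 prime from RFC 2409, and the code sanity-checks that prime and the peer's public value before trusting them. The function names are my own.

```python
# Added example (not from the book): Diffie-Hellman key agreement as in the
# D-H glossary entry, run over the IKE group 2 (1024-bit MODP) parameters
# from RFC 2409. Group 1 is the 768-bit prime from the same RFC (not shown).
import secrets

# RFC 2409 "Second Oakley Group" prime (hex, 1024 bits); generator is 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test: sanity-check a group prime before trusting it."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_keypair(p: int = GROUP2_P, g: int = GROUP2_G):
    """Pick a random private exponent x and return (x, g^x mod p)."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)

def dh_shared_secret(peer_public: int, private: int, p: int = GROUP2_P) -> int:
    """Derive the shared secret; reject degenerate public values (0, 1, p-1)."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)

def demo() -> dict:
    """Both peers derive the same secret; only public values cross the wire."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    same = dh_shared_secret(b_pub, a_priv) == dh_shared_secret(a_pub, b_priv)
    return {"match": same, "prime_bits": GROUP2_P.bit_length()}
```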



CCNP BCRAN Remote Access Exam Cram 2 (Exam Cram 640 - XXX)
Year: 2003
Pages: 183
