Five Steps of IPSec: Tying it All Together

Now that we have discussed some of the fundamentals of IPSec, it is important to examine the mechanisms that take place when initiating and terminating an IPSec tunnel.


It is imperative to remember these five steps of IPSec. It is especially important to recognize the names and the number of steps involved in each phase of IKE negotiations.


  1. Interesting Traffic: In this initial step, traffic is deemed interesting according to IPSec's policy parameters. These parameters define the IPSec peers and the encryption and authentication methods enabled on the local device for those peers. This policy configuration determines which traffic is to be secured and which is sent in the clear.

  2. IKE Phase 1: In phase 1, IKE can operate in one of two modes: main mode or aggressive mode. Main mode comprises three two-way exchanges. The first exchange involves both sides requesting secure negotiations. In this process, both sides try to secure IKE communications by finding matching policy parameters, such as hash and encryption algorithms. When the policy is successfully negotiated, the result is known as a security association (SA). After this is accomplished, the Diffie-Hellman key exchange takes place, followed by peer authentication.

    In aggressive mode, the process is considerably shorter. In the initial exchange, the initiating device sends a large amount of information at once, including its Diffie-Hellman public key. The receiver completes the exchange, establishing a security association in less time and with fewer packets than main mode requires. The disadvantage of aggressive mode is that it is susceptible to eavesdropping, because this key material is advertised before a secure channel has been established.

  3. IKE Phase 2: Unlike IKE phase 1, phase 2 has only one mode, called quick mode. In quick mode, IPSec SAs are established by both devices negotiating a set of security parameters and rules called a transform set. Because IPSec SAs are unidirectional, one SA must be established for the inbound direction and one for the outbound direction of each IPSec session.

  4. IPSec Encrypted Traffic: After IKE has established the security parameters, traffic destined for the tunnel is secured according to the policies defined in the established SA. Security associations have a lifetime expressed as a number of seconds or a number of bytes. If the SAs are about to expire and the traffic still needs protection over that session, IKE phase 2 quick mode runs again, and a new key and SA are created before the existing SA expires, ensuring uninterrupted secure data transfer.

  5. IPSec Tunnel Termination: The tunnel terminates when the SA lifetime expires or the tunnel is manually deleted.
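The five steps above as a small simulation, added here as an illustration rather than taken from the book or any IPSec implementation. Every value is constructed: the subnets that make traffic interesting, the IKE proposals (tuples of encryption, hash, authentication method and DH group), the 3600-second and 4608000-kilobyte lifetimes, the SPIs and the rekey margins. It shows the policy match, phase 1 proposal matching, the inbound/outbound SA pair produced by quick mode, rekeying before either the time or the byte lifetime is exhausted, and teardown when an idle SA expires unrekeyed.

```python
import ipaddress

# Constructed policy: step 1 selectors, phase 1 proposals, phase 2 SA lifetimes.
POLICY = {
    "local": ipaddress.ip_network("10.1.1.0/24"), "remote": ipaddress.ip_network("10.2.2.0/24"),
    "ike_proposals": [("aes", "sha", "pre-share", 14), ("3des", "md5", "pre-share", 2)],
    "life_seconds": 3600, "life_kbytes": 4608000,
}

def is_interesting(src, dst, policy=POLICY):
    """Step 1: only traffic matching the policy selectors goes through the tunnel."""
    return ipaddress.ip_address(src) in policy["local"] and ipaddress.ip_address(dst) in policy["remote"]

def negotiate_phase1(local, peer):
    """Step 2: the first local proposal the peer also offers becomes the IKE SA."""
    return next((p for p in local if p in peer), None)

def rekey_due(sa, time_margin=120, byte_margin=1024 * 1024):
    """Step 4: a new quick mode is due before either lifetime (time or volume) runs out."""
    return sa["seconds_left"] <= time_margin or sa["bytes_left"] <= byte_margin

class Tunnel:
    def __init__(self, peer_proposals, policy=POLICY):
        self.policy, self.peer_proposals = policy, peer_proposals
        self.sas, self.next_spi, self.quick_modes = {}, 0x1000, 0
    def quick_mode(self):  # step 3: one unidirectional SA per direction, each with its own SPI
        self.quick_modes += 1
        for d in ("inbound", "outbound"):
            self.sas[d] = {"spi": self.next_spi, "seconds_left": self.policy["life_seconds"],
                           "bytes_left": self.policy["life_kbytes"] * 1024}
            self.next_spi += 1
    def send(self, src, dst, nbytes, elapsed=0):
        """Steps 4 and 5: protect interesting traffic, age the SAs, rekey or tear down."""
        if not is_interesting(src, dst, self.policy):
            return "clear"
        if not self.sas:  # no tunnel yet: IKE phase 1, then phase 2 quick mode
            if negotiate_phase1(self.policy["ike_proposals"], self.peer_proposals) is None:
                return "phase1-failed"
            self.quick_mode()
        for sa in self.sas.values():  # 'elapsed' is seconds since the previous packet
            sa["seconds_left"] -= elapsed
        sa = self.sas["outbound"]
        if sa["seconds_left"] <= 0 or sa["bytes_left"] <= 0:  # step 5: expired, no rekey
            self.sas.clear(); return "terminated"
        sa["bytes_left"] -= nbytes
        if rekey_due(sa):
            self.quick_mode()
            return "rekeyed"
        return "protected"
```

After a termination, the next interesting packet triggers a fresh phase 1 and phase 2, which is why the model rebuilds the SA pair on demand rather than keeping a dead SA around.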



CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185