Understanding IP Security (IPSec)


EXAM 70-293 OBJECTIVE 3.3.1, 5, 5.3, 5.6, 5.6.1, 5.6.2

Microsoft’s modern operating systems, which include Windows 2000 Server and Professional, Windows Server 2003, and the Windows XP Client operating system, give you the ability to enforce smart security policies without excessive overhead and expense, as well as to encrypt data traveling across the network, using IPSec.

The Internet Engineering Task Force (IETF) designed the IPSec specifications. The IP Security Working Group of the IETF developed IPSec as an industry standard for encrypting TCP/IP traffic within networking environments. The two main goals of IPSec are to protect IP packets and to give network administrators the ability to use packet filtering as a defense against network attacks. Microsoft’s Windows Server 2003 IPSec deployment includes the following features:

  • Enhanced IPSec security monitoring with the MMC

  • IPSec integration with Active Directory that allows for security policies to be centrally administered

  • Use of Kerberos 5 authentication as the default method by IPSec policies to verify the authenticity of connecting computers

  • Backward compatibility with the Windows 2000 Security Framework

  • Client and application transparency, because IPSec works at the Network layer of the OSI model

  • Automatic security negotiation

IPSec in transport mode is based on an end-to-end security model, meaning that security and trust are established from the source IP address and end with the destination IP address. Each computer handles security at its respective end with the assumption that the medium over which the communication takes place is not secure. IPSec is not required to be supported by any intermediary computer that routes data from the source to destination IP address, unless network address translation (NAT) or packet filtering has been implemented on the firewall. IPSec can be deployed with IPSec policy in Windows Server 2003 under any of these circumstances:

  • Client-to-client and peer-to-peer support

  • Gateway-to-gateway and router-to-router support

  • Remote-access client dial-up and Internet access from private networks

The IP Security Policy Management MMC allows network administrators to set security policy settings and options that will allow the systems to negotiate with other systems regarding the traffic that is sent and received from that system.

start sidebar
Head of the Class…
When Not to Use IPSec

IPSec is useful in a number of different scenarios, as we discuss in the text. However, Microsoft recommends that IPSec not be used in certain situations, because deployment can be difficult and cause access problems on your network. Specifically, you should not use IPSec to secure the messages that pass between a domain controller and members of the domain. Getting this to work requires setting up very complex policies, and according to Microsoft, it is best avoided.

In addition, you generally should not try to configure IPSec to secure all traffic between all clients and all servers on a network. Broadcast traffic and multicast traffic cannot be secured via IPSec, and there are many types of application traffic that won’t work with IPSec, including traffic that is generated by real-time communications programs, peer-to-peer applications, and applications that rely on Internet Control Message Protocol (ICMP).

There are other cases where using IPSec is generally not a good idea, including using IPSec to secure 802.11 wireless communications (the 802.1X security protocol is recommended instead).

end sidebar

Terminology and Concepts

Before you create a security plan to implement IPSec within your organization, it is important to understand the terminology and concepts relating to IPSec. This chapter deals entirely with IPSec and is not a generic security chapter; however, we will briefly touch on some basic security terms to clarify how these concepts are integrated with IPSec in Windows Server 2003.

IPSec uses two primary protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). These protocols can be used individually or together, and provide data security on wide area networks (WANs), local area networks (LANs), remote offices, corporate workgroups, domain servers, and client computers. Because IPSec works at the Network layer of the OSI model rather than at the Application layer as many other security applications (for example, the Secure Sockets Layer (SSL) protocol) do, it is easy to implement without making changes to client computers (other than setting client policy).

The main components of IPSec are shown in Table 10.1. In the following sections, we will discuss how each of these components is involved in securing data with IPSec.

Table 10.1: IPSec Terminology

Term

Definition

Authentication Header (AH)

One of the two primary IPSec protocols. AH is used to provide data authentication and integrity. It does not provide data confidentiality.

Encapsulating Security Payload (ESP)

One of the two primary IPSec protocols. ESP provides authentication and integrity services via a keyed hash that is computed for just the ESP header, trailer and payload. It provides data confidentiality.

Security association (SA)

Consists of an agreement of security settings associated with keying material.

Internet Key Exchange (IKE)

Used to manage and exchange cryptographic keys between client machines and negotiate a common set of security settings between client machines, eliminating the need for the two client machines to have exact policies configured.

Internet Security Association and Key Management Protocol (ISAKMP)

An add-on protocol for IPSec.

Triple Data Encryption

A strong encryption algorithm that is standard on all Windows Standard (3DES)Server 2003 computers and client machines running Windows. 3DES uses 56-bit keys.

Oakley key-determination protocol

A secondary protocol for IPSec by which two authenticated parties agree on secret key material. It uses the DiffieHellman algorithm.

Diffie-Hellman groups

A method used for key agreement, to establish a shared key over insecure media. Diffie-Hellman groups are based on the number of bits in the base prime numbers used in key exchange. Group 1 provides 768-bit key strength. Group 2 uses 1024 bits, and group 2048 uses 2048 bits. Windows Server 2003 supports group 2048, but it is not supported by Windows 2000, Windows XP, or other Microsoft operating systems.

Resultant Set of Policy (RSoP)

A Windows Server 2003 tool that is used to view advanced IPSec policy assignments for clients who belong to a particular Group Policy container in Windows Server 2003.

How IPSec Works

Before secure data can be exchanged, a security agreement between the two communicating computers must be established. This security agreement is called a security association (SA). Both IPSec-enabled computers agree on how to send and receive data, as well as how to protect the information contained in the data packets. Because IPSec SAs are unidirectional, at least two separate SAs are established to protect the data for every communication: one for inbound traffic and one for outbound traffic. There is a unique SA for each direction and for each protocol. Thus, if you are using both AH and ESP, there will be two SAs for AH and two for ESP.

Note

In addition to the SAs used by IPSec itself, there is another type of SA (called a main mode SA) that protects the IKE negotiation. The SAs used by IKE are bidirectional, so a single SA can handle both outgoing and incoming traffic.

Using the IP Security Policy Management console, you can configure the security policy to block, permit, or negotiate security within your networked environment. Because this security is transparent to users, it is easy to implement and administer. Figure 10.1 shows how this process takes place.

click to expand
Figure 10.1: How the SA Process Functions

Securing Data in Transit

An SA is a combination of three things:

  • Security protocols

  • A negotiated key

  • A security parameters index (SPI)

These items together define the security settings that are used to protect the communication from the source IP to the destination IP. The SPI is a unique entry in the IPSec header of each packet and is used to identify which SA is being used to secure data. As mentioned earlier, there will always be separate SAs for inbound and outbound traffic. If a computer is communicating with multiple machines (for example, a database server with multiple clients sending queries), many SAs will exist. The receiving computer uses the SPI to determine which SA should be used to process incoming IP packets.

Purposes of Encryption

IPSec functions by using cryptographic techniques. The term cryptography refers to methods of making data unreadable or undecipherable by anyone except the authorized recipient in the event that the message is intercepted by someone else. IPSec uses cryptography to provide three basic services:

  • Authentication

  • Data integrity

  • Data confidentiality

There are times when only one or two of these services is needed, and other times when all of these services are needed. We will take a look at each of these services individually.

start sidebar
Head of the Class…
IPSec Encryption Algorithms

IPSec provides computer-level authentication, as well as data encryption, for virtual private network (VPN) connections that use the Layer Two Tunneling Protocol (L2TP). One important purpose of IPSec encryption is to provide for data confidentiality so that the messages that travel through the VPN tunnel cannot be read by unauthorized persons. This is the “private” part of virtual private networking.

Before an L2TP connection is established, IPSec is negotiated between the client computer and the VPN server that uses L2TP. When the negotiation is completed, the data and the password are secure. One point of negotiation is the encryption algorithm that will be used. Windows Server 2003 supports the following encryption algorithms:

  • Data Encryption Standard (DES) This method uses a single 56-bit key encryption level.

  • Triple Data Encryption Standard (3DES) This method uses three 56-bit keys for encryption.

    In today’s security-conscious environments, most servers are set to allow encryption and allow the client machines to select their encryption methods (algorithms). You can also set the server settings to deny encryption, select the specific encryption strength, or allow the client computer to select the encryption strength. Data encryption is very important if you want to ensure that your data is not readable in the event that it is captured by a “sniffer” or otherwise intercepted as it travels across the network.

end sidebar

Authentication

Authentication is the process of verifying the identity of a data sender or recipient. This allows the message recipient to know that the message was actually sent from the sender and not from someone posing as the sender. IPSec can use different methods to authenticate identities, including pre-shared keys, digital certificates, and Kerberos authentication. Authentication is needed when it is important to verify that a message came from the person who claims to have sent it.

A concept closely related to authentication is nonrepudiation, which refers to a way of ensuring that the sender cannot later deny sending the message.

IPSec can also provide anti-replay. This refers to ensuring that an unauthorized person cannot capture the authentication credentials as they’re sent across the network and “replay” them to establish a communications session with the server.

Note

The use of pre-shared keys is not recommended, because it is the least secure of the authentication methods supported by Windows Server 2003 IPSec. The biggest problem with any shared secret such as a pre-shared key is the difficulty of sharing the key with both parties without compromising it.

Data Integrity

Data integrity refers to the ability to ensure that the data that is received at the endpoint of the communication is exactly the same data that was sent from the originating computer, and it has not been modified in any way in transit. IPSec uses the hash functions to ensure that the contents of the data packet have not changed between the time it was sent and the time it was received.

start sidebar
Head of the Class…
Hashing and Hash Algorithms

A hash algorithm used for encryption is a mathematical calculation that has been proven to be one-way so that it cannot be reverse-engineered (discovery of the original message using the hash result). (Two-way hashes are sometimes used for purposes other than encryption.) The result of the application of the algorithm is called the hash result.

Hashing uses a secret key to create a message digest, which is a combination of the message itself and the hash result. The message digest is sent to the recipient, and the same key is applied to it. The recipient applies the same key to the message, and the result will be identical if there has been no alteration.

The Message Digest 5 (MD-5) and Secure Hash Algorithm (SHA) algorithms are two popular hashing algorithms.

end sidebar

Data Confidentiality

Data confidentiality refers to the ability to “scramble” the data using encryption algorithms so that it cannot be understood by an unauthorized person who intercepts it. IPSec provides data confidentiality only through the ESP protocol. AH does not provide for encryption of the data. ESP uses the 3DES and DES algorithms to ensure data confidentiality.

IPSec Modes

IPSec in Windows Server 2003 has two different modes: tunnel mode and transport mode. Your choice of which IPSec mode to use depends on your organizational needs. We will take a look at how each of these works and when each is appropriately used.

Tunnel Mode

Tunneling refers to a method of encapsulating a data packet inside another packet and routing the new packet across a network. Tunnels are used to create VPNs that allow data to go across the Internet (or another public or nonsecure network) without compromising security, because the inner packet and its header information are not visible on the public network.

In tunnel mode, IPSec encrypts the IP header and the payload, thereby securing the entire IP packet. It is used primarily when end systems or gateways do not support the L2TP/IPSec or the Point-to-Point Tunneling protocol (PPTP). In other words, tunnel mode allows you to use IPSec to create a tunnel, in addition to encrypting the data within the tunnel, with servers that cannot use the traditional VPN tunneling protocols (L2TP and PPTP). However, Windows Server 2003 does not support using IPSec as the tunneling protocol for remote access VPNs; it is only supported between gateways, routers, and servers. Remote access clients must use PPTP or L2TP for VPN connections.

The entire packet is encrypted by either AH or ESP. These two protocols will be discussed in more detail in the “IPSec Protocols” section. The outer IP header contains the addresses of the tunnel endpoints, and the encapsulated IP header contains the ultimate source and destination addresses, as illustrated in Figure 10.2.

click to expand
Figure 10.2: The IPSec Tunnel Mode

Tunnel mode is used to protect data traveling between different networks that must pass through an untrusted network (such as the Internet). Tunnel mode works in the following configurations:

  • Gateway to gateway

  • Server to gateway

  • Server to server

Transport Mode

Transport mode, the default mode for IPSec, provides for end-to-end security. It can secure communications between a client and a server. When using the transport mode, only the IP payload is encrypted. AH or ESP provides protection for the IP payload. Typical IP payloads are TCP segments containing a TCP header and TCP segment data, User Datagram Protocol (UDP) messages containing a UDP header and UDP message data, and ICMP messages containing an ICMP header and ICMP message data.

Exam Day Warning

Know and understand the differences between tunnel and transport modes in IPSec. Be aware of how each is used to make secure communications possible.

IPSec Protocols

As we mentioned earlier, IPSec itself is merely a framework within which a number of components work together. Those components include services, drivers, and protocols. IPSec uses many different protocols to provide various types of security for traffic that is passed through the network. The protocols that are used in a given IPSec communication session depend on several factors, such as whether you need data confidentiality or only authentication and integrity.

The primary IPSec protocols are ESP and AH. You can configure IPSec to use both of these protocols together to secure the data if you need both data encryption and integrity/authentication for the entire packet. Other IPSec protocols include ISAKMP, IKE, and Oakley, which uses the Diffie-Hellman algorithm.

Primary IPSec Protocols

ESP and AH can be used with both tunnel and transport mode. Which you choose depends on whether you wish to have data confidentiality. In the following subsections, we discuss each of these protocols in more depth.

Exercise 10.01: Using Network Monitor to Determine IPSec Protocol

start example

In this exercise, you will learn how to determine which IPSec protocol is in use by using the Network Monitor. This exercise assumes that the Network Monitor has been installed via Control Panel | Add/Remove Programs.

  1. Select Start | Programs | Administrative Tools | Network Monitor.

  2. When the Network Monitor opens, begin the capture by either clicking the Capture button and selecting Start or by pressing the F10 key.

  3. Allow the capture to run for a few minutes. To stop it, either click the Capture button and then the Stop and View button, or press the F11 key.

  4. To view the IPSec protocol traffic on the captured packets, choose the Display and then select the Captured Data option.

  5. Choose Display | Filter Data. Then choose Edit Expression option and select the Protocol tab.

  6. All protocols are enabled by default. You can chose to Disable All and then reenable the AH and ESP traffic. Enabled traffic will appear in the left pane, and disabled traffic will appear in the right pane.

  7. Click OK after the IPSec protocols have been enabled.

  8. Select the OK option again, and the frames should be displayed in the Network Monitor window. Notice that when you open a packet that is IPSec-secured, you are unable to read the data inside.

end example

ESP

ESP provides confidentiality (in addition to authentication, integrity, and anti-replay protection) for the IP payload. ESP in transport mode does not sign the entire packet. Only the IP payload (not the IP header) is protected. ESP can be used alone or in combination with AH (in order to provide for signing of the entire packet).

Note

IPSec is based on machine certificates, thus authentication pertains to only the computer from which the message was sent. IPSec cannot verify that data was sent from a particular user (although there are other mechanisms for doing so).

The ESP header is placed before the IP payload, and an ESP trailer and ESP authentication trailer are placed after the IP payload. The ESP header contains the following fields:

  • Security Parameters Index (SPI) Used to identify which SA is used in conjunction with the security protocol and destination address. This value is used by the receiver to determine the packet identification.

  • Sequence Number Provides anti-replay protection for the packet. The sequence number starts at 1 and increases in 32-bit increments. It is used to indicate the packet number sent over the quick mode SA for the communication. This number cannot be repeated. If a recipient gets a number that has been repeated, it will not accept the packet.

The ESP trailer contains the following fields:

  • Padding Validates that byte boundaries are present on encrypted payloads. This process is required by the encryption algorithm.

  • Padding Length Used to show the length, in bytes, of the Padding field.

  • Next Header Used to identify whether the payload data is TCP or UDP.

The ESP authentication trailer contains the Authentication Data field, which holds the message authentication code, also known as the integrity check value (ICV). The ICV is used for message verification and authenticity. The ICV is calculated by the packet receiver and checked against the sender’s value for integrity verification.

Figure 10.3 illustrates how ESP affects the data. You can see that the IPSec AH header has been placed after the IP header and before the TCP header.

click to expand
Figure 10.3: The Effects of the ESP Header in Tunnel Mode

AH

AH does not provide confidentiality, which means that the data is not encrypted. Without data encryption, unauthorized people could use a sniffer-type program on your network to capture and read the packets, but they could not modify the data. AH works by using keyed hash algorithms, which are used to sign the packet for integrity verification.

Here is the process by which AH works:

  1. Computer A sends data to Computer B.

  2. The IP header, the AH header, and the data are signed to provide integrity.

  3. The recipient at Computer B can be assured that the data was sent from Computer A and that the data arrived at the destination unmodified.

The AH header is placed between the IP header and IP payload to ensure integrity and authentication. AH can be used alone or combined with ESP. The AH header contains the following fields:

  • Next Header Used to identify the IP payload via the IP protocol ID. The value here indicates the protocol (for example, TCP is represented by a value of 6).

  • Length Used to indicate the length of the AH header.

  • SPI A combination field that contains the destination address and the security protocol. This field is used to identify the correct SA for communication.

  • Sequence Number Used to provide the packet with anti-replay protection. The sequence number starts at 1 and then increases in increments. The value in this field is a 32-bit number. For the life of the quick mode SA, the sequence number cannot repeat itself. If the receiver does a check on this field and finds that an SA with this number has been received in the past, the packet is denied.

  • Authentication Data Used to verify message integrity and authentication using the ICV. The ICV value is checked and calculated by the receiver over the IP header, the AH header, and the IP payload.

  • Packet Signature with the AH Header Used by AH to sign the entire packet. The packet is checked for integrity. The AH header will be inserted before any additional IPSec headers if other IPSec headers are present.

  • Packet Signature and Encryption Used to protect IP payloads, as shown in Figure 10.4. The signed portion of the packet indicates the packet has been signed for integrity and authentication, and the encrypted portion of the packet indicates that the information itself is confidential.

The AH packet signature is shown in Figure 10.4.

click to expand
Figure 10.4: AH Using Transport Mode

If you need both data integrity and authentication for the IP header, use ESP and AH in combination, as illustrated in Figure 10.5.

click to expand
Figure 10.5: ESP Used with AH Transport Mode

Exam Day Warning

Be able to differentiate between the AH and ESP IPSec protocols, and know how each of these protocols operate to make the data secure.

Additional Protocols

In addition to AH and ESP, the ISAKMP, IKE, and Oakley protocols and the Diffie-Hellman algorithm are used with IPSec. In the following subsections, we will discuss each of these in more detail.

ISAKMP and IKE

ISAKMP is used by IPSec as a key management system by combining the ISAKMP protocol and another protocol named IKE. IKE is used to centralize SA management and to generate and manage the secret shared keys that are used to secure data in transport.

There are two parts, or phases, involved in IKE SA establishment. The first phase is referred to as the main mode SA. In this first phase, the communicating IPSec-enabled systems create a secure channel. Based on the policies set on each system, they negotiate to determine which encryption algorithm, integrity algorithm, Diffie-Hellman group, and authentication method to use. The encryption algorithm can be DES or the more secure 3DES. The integrity algorithm will be one of two hashing algorithms: Message Digest 5 (MD5), which uses a 128-bit key, or the Secure Hash Algorithm 1 (SHA1), which uses a 160-bit key. Diffie-Hellman group 1, 2, or 2048 can be used, and the authentication method can be a pre-shared key, Kerberos, or digital certificates.

The systems will negotiate to use the most secure parameters that are supported by both. Thus, the final negotiation can range from a less secure channel that uses DES, Diffie-Hellman group 1 that provides only 768 bits of keying material, and a pre-shared key for authentication, to a more secure channel that uses 3DES, Diffie-Hellman group 2048, and certificate-based authentication in a Public Key Infrastructure (PKI) environment.

The main mode SA lifetime can be set to as short as 5 minutes up to a maximum of 48 hours. As more traffic is sent, a new quick mode is negotiated to create two new IPSec SAs for application traffic protection. When the main mode SA expires, by default, it is renegotiated as needed.

Often, firewalls, proxy servers, and security gateways must be configured to allow IPSec and IKE traffic to be forwarded. If the packets are not encrypted, the firewall, proxy server, or security gateway can inspect the packet contents or the TCP and UDP ports. If any type of modification has been made to the contents of these packets, the receiving IPSec computer will detect the modification and discard the packets.

In Windows 2000, a major drawback of IPSec was that it could not be used when one of the communicating computers was behind a NAT system. That is because NAT changes the IP headers when it translates multiple internal private IP addresses to a single public external address (which it does so that many computers can access the Internet via one public address). NAT has been an important mechanism for addressing the growing shortage of available public IP addresses, which is a limitation of the IPv4 protocol currently used for most Internet communications. Thus, many networks use NAT to reduce their need for additional public IP addresses.

However, Windows Server 2003’s implementation of IPSec provides support for a new Internet specification that allows IPSec packets to be modified by a network address translator (NAT). This is called NAT traversal. IPSec’s ESP packets can pass through NATs that allow UDP traffic. The IKE protocol automatically detects the presence of a NAT and uses UDP-ESP encapsulation to allow IPSec traffic to pass through the NAT.

Test Day Tip

The Windows Server 2003 family’s implementation of IPSec finally provides support for NAT traversal, an Internet standard that allows IPSec packets to be modified by NAT. IPSec ESP packets can pass though NATs, which are configured to allow UDP traffic.

Oakley

Oakley is a key-determination protocol. It is used to define how to acquire keying material after it has been authenticated. The Diffie-Hellman algorithm is the basic mechanism for the Oakley protocol.

Diffie-Hellman

The Diffie-Hellman key-exchange algorithm is a secure algorithm that offers high performance, allowing two computers to publicly exchange a shared value without using data encryption. This exchanged information is protected with a hash function. The key itself is never exchanged by the two communicating machines, but each machine can generate the identical shared key.

The exchanged keying material that is shared by the two computers can be based on 768, 1024, or 2048 bits of keying material, known as Diffie-Hellman groups 1, 2, and 2048, respectively. The Diffie-Hellman key that is computed from the exchange is proportional to the strength of the Diffie-Hellman group. Longer key lengths that are created in conjunction with strong Diffie-Hellman groups make it more mathematically difficult to “crack” a secret key by brute force or other methods. Note that Diffie-Hellman does not provide authentication. For protection against man-in-the-middle attacks, identities are authenticated after the Diffie-Hellman exchange occurs. Diffie-Hellman algorithms can be embedded within a protocol that does provide for authentication.

IPSec Components

In addition to the protocols that operate within the IPSec framework, there are a number of operating system components involved in Microsoft’s implementation of IPSec. The major IPSec components that are installed with Windows XP and Windows Server 2003 family are the IPSec Policy Agent service and the IPSec driver.

IPSec Policy Agent

The IPSec Policy Agent is a service that resides on each computer running the Windows Server 2003 operating system. It is shown in the Service console as IPSec services. The IPSec Policy Agent begins when the system is started. This service has the following main functions:

  • For Active Directory clients, the IPSec Policy Agent captures the appropriate IPSec policy. Domain member computers will have central IPSec policy information stored in Active Directory. It will then be cached in the local Registry of the computer to which the policy applies.

  • For nondomain member computers, the IPSec Policy Agent retrieves the IPSec policy from the local Registry. The local Registry is used to store IPSec policy information for all nondomain member machines.

  • The IPSec Policy Agent surveys the IPSec policy configuration for any changes. For computers not connected to the domain, the cached IPSec policies will be replaced with newer IPSec policies when the computer reconnects to the domain controller.

  • The IPSec Policy Agent routes information to the IPSec driver.

For all domain member computers, the IPSec policy will be retrieved by the IPSec Policy Agent when the machine boots up or at the default Winlogon polling interval, unless an IPSec policy is in place that has the interval already set. Active Directory can be manually polled by typing the command gpupdate /target:computer at the command prompt.

If the IPSec Policy Agent is unable to find or connect to the Active Directory domain, it will wait for the policy to be activated or assigned. This is also true if there are no IPSec policies in Active Directory or the Registry.

IPSec Driver

The IPSec driver is used to match all packets against filters in the filter list. Once it finds a packet that matches the filter, it applies the appropriate filter action. If a packet does not match any filter, the packet is not changed and is sent back to the TCP/IP driver. The packet will then be either received or transmitted. After the transmission has been allowed by the filter action, the packet will be sent or received and not modified. If the packet is blocked by the filter action, it will be discarded. If the action requires security negotiation, main mode and quick mode SAs will be negotiated. The IPSec driver uses a database to store all current quick mode SAs. Any outbound packet that matches an IP filter list that is in need of security negotiation will be queued. After the packet has been queued, IKE is notified and will begin the security negotiation. After the negotiation has been successfully completed, the sending computer’s IPSec driver will receive the session key from IKE. It will look in its database and locate the outbound SA, and then insert the SPI into the AH or ESP header. The packet will be signed, and if confidentiality is required, it will be encrypted and sent to the IP layer so it can be forwarded to the destination machine.

For inbound packets that match IP filters, the IPSec driver will receive the SA, session key, and SPI, and find the inbound SA in its database. The signature is then checked. If the packet was encrypted, it will be decrypted. The packet will search for the filter, and when it is found, it will send the packet to the TCP/IP driver so it can be forwarded to the receiver.

In summary, the IPSec driver plays a role in the following negotiation process:

  • The sending computer’s IPSec driver receives the SA containing the session key from IKE. Then it will locate the outbound SA in its database.

  • The SPI is then inserted from the SA into the AH or ESP header.

  • If confidentiality is required, the packets are encrypted; if not, the packets are signed.

  • If a negotiation failed for some reason, the packets are not used and are discarded.

The IPSec driver will perform the following when the IPSec-secured inbound packet matches a filter in the IP filter list:

  • The SPI and SA are received from IKE, and then the inbound SA is located in the database by destination address and SPI.

  • The signature is checked and the packet is decrypted if needed.

  • The IP packet then searches for a filter that matches the filter to make certain that no traffic that has not been agreed upon during the negotiation has been received.

  • The packet is then sent to the TCP/IP driver for delivery to the receiving application.

When an unsecured IP packet is received, the IPSec driver looks for a matching filter in the filter list. If one is found, and the filter action for that filter either requires IPSec or blocks the packet, the packet will be discarded.

IPSec and IPv6

IPSec is an important part of the specifications for IPv6, which is supported by Windows Server 2003. As noted earlier, IPv6 is the “next generation” of IP, and its primary design goals were to create a larger address space to alleviate the shortage of IP addresses available under IPv4 and to provide for security of IP communications. IPSec is the means by which IPv6 provides the following:

  • Authentication via the mechanism of digitally signing IPSec traffic with the shared encryption key so that the recipient of the data packet can verify that it was sent by the IPSec client transmitter

  • Integrity via signing of the packet to ensure that any modifications made in transit will be detected by the recipient

IPSec and IPv6 work together to provide these services by using cryptographic security services. The Windows Server 2003 implementation of IPv6 does not support making data confidential by using data encryption. Keep this in mind when considering deploying IPSec and IPv6 within your network.




MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure. Exam 70-293 Study Guide and DVD Training System
MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System
ISBN: 1931836930
EAN: 2147483647
Year: 2003
Pages: 173

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net