duplicated. IPsec detects replayed packets by comparing the sequence number of each received packet against a sliding window that the destination host or security gateway keeps for that security association. A packet whose sequence number falls to the left of (before) the window is too old and is dropped; a packet inside the window that has already been received is a duplicate and is also dropped; a packet inside the window that has not yet been seen is accepted even though it arrived out of order, and a packet to the right of the window advances it. The window is updated only after the packet's integrity check succeeds, so anti-replay protection is only available when AH or ESP integrity protection is in use, and the 32-bit sequence number must never be allowed to wrap: the SA is rekeyed before it has carried 2^32 packets.
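The sliding-window check described above, as an added example in Python (not code from the page or from any IPsec implementation). It follows the RFC 4303 shape: a preliminary window check, then the integrity (ICV) verification, and only then the window update, so that forged packets cannot move the window. The window size, the arrival order and the ICV results are constructed for the demo.

```python
"""Per-SA anti-replay sliding window of the kind IPsec receivers keep.

Added illustration, not the page's own code.  Bit 0 of the bitmap stands for
the highest sequence number accepted so far ('top'); bit k stands for top - k.
"""


class ReplayWindow:
    def __init__(self, size: int = 64):
        assert size >= 32, "RFC 4303 requires a window of at least 32"
        self.size = size
        self.top = 0                 # highest sequence number accepted so far
        self.bitmap = 0              # bit k set <=> packet top-k already received
        self._mask = (1 << size) - 1

    def check(self, seq: int) -> str:
        """Preliminary check, done before the (costly) ICV verification."""
        if seq == 0:
            return "invalid"         # sequence number 0 is never sent on an SA
        if seq > self.top:
            return "accept"          # right of the window: a new highest value
        diff = self.top - seq
        if diff >= self.size:
            return "too-old"         # left of the window
        if self.bitmap & (1 << diff):
            return "duplicate"       # inside the window but already received
        return "accept"              # inside the window, first time seen (late)

    def update(self, seq: int) -> None:
        """Advance the window.  Only call after the packet's ICV verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & self._mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool) -> str:
        """Full receive path: window check, then ICV, then window update."""
        verdict = self.check(seq)
        if verdict != "accept":
            return verdict
        if not icv_ok:
            return "bad-icv"         # a forged or corrupt packet must not move the window
        self.update(seq)
        return "accept"


def demo() -> list:
    """Feed a constructed arrival order through a 64-packet window."""
    w = ReplayWindow(64)
    arrivals = [
        (1, True), (2, True), (3, True),   # in order
        (2, True),                         # replay of 2 -> duplicate
        (100, True),                       # jumps ahead; window now covers 37..100
        (36, True),                        # 100-36 = 64 -> left of window, too old
        (37, True),                        # 100-37 = 63 -> late but inside the window
        (37, True),                        # second copy -> duplicate
        (200, False),                      # ICV fails: rejected, window not moved
        (150, True),                       # still new, because 200 never counted
    ]
    return [w.receive(seq, ok) for seq, ok in arrivals]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The `(200, False)` then `(150, True)` pair is the case to watch: if the window were advanced on the unverified packet, an attacker could inject one packet with a huge sequence number and cause every genuine packet behind it to be dropped as too old.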

3.2 Understanding IPsec Components and IPsec VPN Features

3.2.2 IPsec Protocols and Headers

The IPsec standard provides a method to manage authentication and data protection between multiple peers engaging in secure data transfer. IPsec includes a protocol for exchanging keys, Internet Key Exchange (IKE), and two IP-layer protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH). In simple terms, IPsec provides secure tunnels between two peers, such as two routers. The sender defines which packets need protection and will be sent through these secure tunnels, and then defines the parameters needed to protect those sensitive packets by specifying the characteristics of the tunnels. When the IPsec peer sees such a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer. More accurately, these tunnels are sets of security associations (SAs) established between two remote IPsec peers. The SAs define which protocols and algorithms are applied to sensitive packets and specify the keying material used by the two peers. SAs are unidirectional, so protecting traffic in both directions takes at least one SA in each direction; each SA is established for one security protocol (AH or ESP) and is identified by its Security Parameter Index (SPI) together with the destination address and protocol. IPsec uses three main protocols to create a security framework:

Internet Key Exchange (IKE)
Encapsulating Security Payload (ESP)
Authentication Header (AH)

Note
RFC 2401 defines the architecture for IPsec, including the framework and the services that are provided, how the services work together, and how and where to use them. (RFC 2401 has since been obsoleted by RFC 4301, which keeps the same overall architecture.) Other RFCs define the individual protocols. Beyond these protocols, the framework consists of the implementation specifics, such as the exact encryption algorithm and key length that are used for ESP.

IPsec Headers
IPsec provides authentication, integrity, and encryption by inserting one or both of two specific headers, AH or ESP, into the IP datagram. AH provides authentication and integrity checks on the IP datagram. Successful authentication means that the packet was indeed sent by the apparent sender, that is, by the peer holding the SA's key; integrity means the packet was not changed in transit. The AH integrity check also covers the fields of the outer IP header that do not change in transit, which is why AH cannot pass through a NAT device. The ESP header indicates that the datagram payload that follows it is encrypted; everything after the ESP header is opaque to anyone who does not hold the SA's keys. ESP can also provide authentication and integrity checks, but only over the ESP header and payload, not the outer IP header. An SA can be negotiated with ESP encryption and no integrity protection; that combination is open to active attacks on the ciphertext and should not be used.
AH and ESP are used between two hosts. These hosts may be end stations or gateways.

Note

AH and ESP provide services to transport layer protocols such as TCP and User Datagram Protocol (UDP). AH and ESP are IP protocols in their own right and are assigned protocol numbers 51 (AH) and 50 (ESP) by the Internet Assigned Numbers Authority (IANA); a firewall or access list between IPsec peers must therefore permit IP protocols 50 and 51 (and UDP port 500 for IKE), not TCP or UDP ports. AH and ESP require a standards-based way to protect data from modification and from being read by a third party. IPsec offers a choice of encryption algorithms (Data Encryption Standard [DES], Triple DES [3DES], and Advanced Encryption Standard [AES]) so that users can choose the strength of their data protection, and a choice of integrity algorithms, each a Hash-based Message Authentication Code (HMAC) built on a hash function such as Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1), each giving a different level of protection. Of these, only AES, together with an HMAC over a SHA-2 hash, meets current recommendations: DES and MD5 are considered broken, and 3DES and SHA-1 are deprecated for new deployments (RFC 8221).
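The two header layouts and the IANA protocol numbers above, as an added example in Python (not code from the page or from any vendor): a parser that takes a raw IPv4 packet, recognises protocol 51 (AH) or 50 (ESP), and extracts the SPI and sequence number that identify the SA. The sample packets are constructed inline; their IP checksums and ICV bytes are placeholders, and the parser deliberately stops at the ESP sequence number because everything after it is unreadable without the SA's keys.

```python
"""Parse the IPsec headers of a raw IPv4 packet: protocol 51 (AH) or 50 (ESP).

Added example, not code from the page.  Sample packets are constructed below.
"""
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51


def parse_ipv4(pkt: bytes) -> dict:
    """Return the outer IPv4 header fields and the bytes that follow the header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad IPv4 length fields")
    return {
        "proto": pkt[9],
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "payload": pkt[ihl:total_len],
    }


def parse_ah(data: bytes) -> dict:
    """AH: next header (1), payload length (1), reserved (2), SPI (4), seq (4), ICV.

    Payload Length counts 32-bit words minus 2, so the whole AH occupies
    (payload_len + 2) * 4 bytes; the ICV is whatever follows the 12 fixed bytes.
    """
    if len(data) < 12:
        raise ValueError("truncated AH header")
    next_hdr, payload_len, reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    ah_len = (payload_len + 2) * 4
    if reserved != 0 or len(data) < ah_len:
        raise ValueError("bad AH header")
    return {"proto": "AH", "spi": spi, "seq": seq, "next_header": next_hdr,
            "icv_len": ah_len - 12, "inner": data[ah_len:]}


def parse_esp(data: bytes) -> dict:
    """ESP: SPI (4), seq (4), then ciphertext, encrypted trailer and ICV.

    The next-header field lives inside the encrypted trailer, so without the
    SA's algorithm and keys the parser can only report how much is opaque.
    """
    if len(data) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", data[:8])
    return {"proto": "ESP", "spi": spi, "seq": seq, "opaque_len": len(data) - 8}


def classify(pkt: bytes):
    """Return the IPsec header fields of pkt, or None if it carries neither AH nor ESP."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == IPPROTO_AH:
        hdr = parse_ah(ip["payload"])
    elif ip["proto"] == IPPROTO_ESP:
        hdr = parse_esp(ip["payload"])
    else:
        return None
    hdr["src"], hdr["dst"] = ip["src"], ip["dst"]
    return hdr


def ipv4_header(proto: int, payload_len: int, src="192.0.2.1", dst="198.51.100.1") -> bytes:
    """Constructed outer header for the samples; checksum is left as 0 (placeholder)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0x1234, 0x4000, 64, proto, 0, src_b, dst_b)


# Constructed sample: transport-mode AH in front of TCP (next header 6) with a
# 96-bit ICV, so the AH is 24 bytes = 6 words and Payload Length = 6 - 2 = 4.
AH_BODY = struct.pack("!BBHII", 6, 4, 0, 0x0000ABCD, 17) + b"\x11" * 12 + b"TCP-segment-placeholder"
AH_PACKET = ipv4_header(IPPROTO_AH, len(AH_BODY)) + AH_BODY

# Constructed sample: ESP with SPI 0x1234, sequence 42, then 40 opaque bytes.
ESP_BODY = struct.pack("!II", 0x00001234, 42) + b"\xAA" * 40
ESP_PACKET = ipv4_header(IPPROTO_ESP, len(ESP_BODY)) + ESP_BODY

# Constructed sample: plain TCP (protocol 6), which is not IPsec at all.
TCP_PACKET = ipv4_header(6, 20) + b"\x00" * 20

if __name__ == "__main__":
    for name, pkt in (("AH", AH_PACKET), ("ESP", ESP_PACKET), ("TCP", TCP_PACKET)):
        print(name, classify(pkt))
```

A capture filter or firewall rule that matches on "port 50" would never see these packets; the AH and ESP headers sit where a TCP or UDP header would, and the SPI, not a port number, is what the receiver uses to select the SA.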
3.2.3 Internet Key Exchange

To implement a VPN solution with encryption, it is necessary to change the encryption keys periodically. Keys that never change leave the network susceptible to brute-force and key-recovery attacks: the longer a key stays in use, the more ciphertext an attacker can collect under it, and the more traffic a single recovered key exposes. IPsec solves this with the Internet Key Exchange (IKE) protocol, which builds on two other protocols, the Internet Security Association and Key Management Protocol (ISAKMP) framework and the Oakley key-determination protocol, to authenticate a peer and generate keys. IKE uses the Diffie-Hellman (DH) key exchange to agree on a shared secret from which the symmetric keys used by the two IPsec peers are derived. IKE also manages the negotiation of other security parameters, such as the data to be protected, the strength of the keys, the hash methods used, and whether packets are protected from replay. IKE uses UDP port 500 (and UDP port 4500 when NAT traversal is in use). IKE negotiates a security association (SA), which is an agreement between two peers engaging in an IPsec exchange and consists of all the parameters required to establish successful communication. IPsec uses the IKE protocol to provide these functions:

A security association (SA) requires the following:

IKE automatically negotiates IPsec SAs and enables IPsec secure communications without costly manual preconfiguration. IKE includes these features:
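The DH step of IKE described above, as an added example in Python (not code from the page, from IKE itself, or from any vendor). Two peers each pick a private exponent, exchange public values and nonces, and derive the same symmetric key; a second run with fresh exponents yields an unrelated key, which is what periodic rekeying buys. It uses the 1024-bit MODP group 2 prime and generator 2 from RFC 2409 so that the constant fits on the page (a real deployment should use group 14 or larger, or an elliptic-curve group), and the key derivation is modelled on IKEv1's SKEYID = prf(Ni | Nr, g^xy) with HMAC-SHA256 standing in as the prf; IKE's further expansion of that value into several keys is omitted. The group and public-value checks are the assumption-free part a practitioner should insist on: they reject a wrong prime and the trivial or small-subgroup values an attacker could send.

```python
"""Diffie-Hellman agreement of the kind IKE performs, with parameter validation.

Added example, not the page's or any vendor's code.  Group: RFC 2409 MODP
group 2 (1024-bit safe prime, generator 2).  Key derivation: HMAC-SHA256 over
(Ni | Nr) as key and g^xy as message, modelled on IKEv1's SKEYID.
"""
import hashlib
import hmac
import secrets

P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2
Q = (P - 1) // 2          # P is a safe prime, so G generates a subgroup of prime order Q


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; a true prime always passes."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_group() -> bool:
    """Check the configured group before trusting it: P and (P-1)/2 prime, G of order Q."""
    return is_probable_prime(P) and is_probable_prime(Q) and pow(G, Q, P) == 1


def validate_public_value(y: int) -> bool:
    """Reject trivial and small-subgroup public values (RFC 2785 style check)."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


class Peer:
    def __init__(self):
        self.x = secrets.randbelow(Q - 2) + 2       # private exponent, never sent
        self.public = pow(G, self.x, P)              # g^x, sent to the other side
        self.nonce = secrets.token_bytes(32)         # Ni or Nr, sent in the clear

    def derive(self, peer_public: int, ni: bytes, nr: bytes) -> bytes:
        if not validate_public_value(peer_public):
            raise ValueError("peer sent an invalid DH public value")
        gxy = pow(peer_public, self.x, P).to_bytes(128, "big")
        return hmac.new(ni + nr, gxy, hashlib.sha256).digest()


def exchange() -> tuple:
    """One full exchange; returns the key each side derived (they must match)."""
    initiator, responder = Peer(), Peer()
    k_i = initiator.derive(responder.public, initiator.nonce, responder.nonce)
    k_r = responder.derive(initiator.public, initiator.nonce, responder.nonce)
    return k_i, k_r


if __name__ == "__main__":
    assert validate_group(), "refusing to use an unverified DH group"
    first = exchange()
    second = exchange()
    print("keys agree:", first[0] == first[1])
    print("rekey gives a fresh key:", first[0] != second[0])
```

Only the public values and nonces cross the wire, so an observer who records them still lacks the private exponents needed to reach g^xy; and because each rekey uses new exponents, recovering one period's key does not help with the next.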

3.2.4 IKE Phases and Modes

IKE is executed in two phases to establish a secure communication channel between two peers: