IPsec Flashcards
IPsec
IP Security:
Provides authentication & encryption of packets to create a secure encrypted communication path between two computers
Confidentiality - Using encryption
Integrity - Ensuring data is not modified in transit
Authentication - Verifying parties are who they claim to be
Anti-Replay:
Checking sequence numbers on all packets prior to transmission
Key exchange request, IKE Phase 1, IKE Phase 2, Data Transfer, Tunnel termination
(Prevents duplicate transmissions, prevents attackers from capturing/resending packets)
IPsec: Main Mode
Conducts three two-way exchanges between peers, from the initiator to receiver
1st Exchange: Agrees upon which algorithms/hashes will be used to secure the IKE
2nd Exchange: Uses a Diffie-Hellman exchange to generate shared secret keying material so that both parties can prove their identities
3rd Exchange: Verifies the identity of the other side by looking at an encrypted form of the other peer’s IP address
IPsec: Aggressive Mode
Uses fewer exchanges, resulting in fewer packets & faster initial connection than main mode
Sender sends to receiver & receiver agrees on:
Diffie-Hellman public key
Signed random number
Identity packet
IPsec: Quick Mode
Only occurs after IKE already established the secure tunnel in Phase 1 using either main/aggressive mode
Negotiate IPsec SA parameters protected by existing IKE SA
Establish IPsec SA
Periodically renegotiate IPsec SAs to maintain security
Perform additional Diffie-Hellman exchanges if needed
You can negotiate a replacement SA once SA expires
Diffie-Hellman Key Exchange
Allows two systems that don’t know each other to be able to exchange keys & trust each other
IPsec: Transport Mode
Uses packet’s original IP header & used for client-to-site VPNs
By default, MTU size in most networks is 1500 bytes
IPsec: Tunneling Mode
Encapsulates the entire packet & puts another header on top of it
For site-to-site VPNs, you may need to allow jumbo frames
Transport = Client-to-site Tunneling = Site-to-site
IPsec: Authentication Header
Provides connectionless data integrity & data origin authentication for IP datagrams & provides protection against replay attacks
Integrity for each packet sent (no confidentiality)
IPsec: ESP
Encapsulating Security Payload:
Provides authentication, integrity, replay protection, & data confidentiality
In transport mode, use AH to provide integrity for the TCP header & ESP to encrypt
In tunneling mode, use AH & ESP to provide integrity/encryption of the end payload
Does not encrypt the end-to-end header
IPsec: 5 Main Steps
PC1 sends traffic to PC2 & then RTR1 initiates creation of IPsec tunnel
RTR1 & 2 negotiate SA (Security Association) to form IKE Phase 1 tunnel (ISAKMP tunnel)
IKE Phase 2 tunnel (IPsec tunnel) is negotiated & set up
Tunnel is established & info is securely sent between PC1/2
IPsec tunnel is torn down & IPsec SA is deleted
IKE SA Contents
Authentication Method Encryption & hash algorithms used Diffie-Hellman groups used Expiration of IKE SA Shared secret key values for the encryption algorithms