Monday 9 March 2015

IPSec Theory

Before going further, I would first like to describe the process of establishing an IPSec VPN.

Network Terminology:
- Remote Gateway: Specifies IP address to bind to.
- Interface: Specifies interface to bind to.

Authentication:
- Authentication Method:
  - Pre-shared key: Symmetrical - both sides use the same key.
  - Certificate: Uses RSA (Public Key Infrastructure) - ideal for large enterprises since you don't need to add matching keys on all devices.

IKE (Internet Key Exchange):
A standard for establishing a secure communication channel between two nodes.

IKEv1 Phase 1:
The first stage of IKE is to establish a secure communication channel between the two nodes. IKE negotiates with the other host to find a common Phase 1 Proposal, which consists of Encryption and Authentication types:

Encryption: AES, DES, 3DES etc.
Authentication: MD5, SHA1, SHA256 etc.

Initially the Diffie-Hellman key exchange algorithm (PKI) is used to generate a shared secret. The shared secret (used with symmetric encryption) saves bandwidth and CPU time compared with continuing to use the Diffie-Hellman algorithm, which uses PKI and hence more CPU cycles. The reason PKI is performed initially is to validate the authenticity of the identity of the hosts; during this phase the pre-shared key is sent over. The end result is a bi-directional security association (SA) between the two nodes.

There are two IKE modes:

Main Mode or Aggressive Mode - Aggressive Mode protects the identities of the peers while Main Mode does not, and it is also quicker as it uses fewer packets to perform the negotiation.

A secure channel can then be set up to negotiate the IKE Phase 2 parameters.
The purpose of IKE Phase 2 is to negotiate IPSec SAs (Security Associations) to set up an IPSec tunnel. There are several available parameters for Phase 2:
- Encryption Type (same as Phase 1)
- Authentication Type
- SA Lifetime (time before the SA needs to be re-established)
- Selectors for all IP protocols, all ports, between the two networks, using IPv4 subnets.

As mentioned above, in order to negotiate the IPSec SAs we utilize an existing IKE Phase 1 SA. These IPSec SAs are periodically re-negotiated in order to ensure security.

Quick Mode is the only mode available during IKE Phase 2 and occurs after a secure tunnel has been established during Phase 1 of IKE. It negotiates a shared IPSec policy and in turn establishes the IPSec SAs.

Once Quick Mode has completed, data can be sent and received via the secure IPSec tunnel, and encryption and decryption are performed as defined in the IPSec SAs.
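The Phase 1 and Phase 2 key derivation described above, as an added Python example that is not part of the original post: both peers run Diffie-Hellman in the clear, and with pre-shared key authentication the PSK is never put on the wire; it only keys the PRF that produces SKEYID and HASH_I, so a peer holding the wrong PSK fails authentication and also ends up with different Phase 2 (Quick Mode) keying material. The identity, nonces and SPI are constructed values, and cookies and SA payloads are left out of the PRF inputs to keep the block short.

```python
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409, section 6.2): 1024-bit MODP prime, generator 2.
_GROUP2 = """FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D
6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5
AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF"""
P = int(_GROUP2.replace(" ", "").replace("\n", ""), 16)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_keys(psk, my_priv, peer_pub, ni, nr):
    """SKEYID and its children as one peer derives them after DH (RFC 2409 5.4,
    cookies and SA payload omitted from the prf inputs for brevity)."""
    g_xy = pow(peer_pub, my_priv, P).to_bytes(128, "big")
    skeyid = prf(psk, ni + nr)                          # PSK only keys the prf
    skeyid_d = prf(skeyid, g_xy + b"\x00")              # feeds Phase 2 KEYMAT
    skeyid_a = prf(skeyid, skeyid_d + g_xy + b"\x01")   # authenticates IKE msgs
    skeyid_e = prf(skeyid, skeyid_a + g_xy + b"\x02")   # encrypts IKE msgs
    return skeyid, skeyid_d, skeyid_a, skeyid_e


def phase2_keymat(skeyid_d, spi, ni2, nr2, protocol=b"\x03"):
    """Quick Mode without PFS: KEYMAT = prf(SKEYID_d, proto | SPI | Ni | Nr); 0x03 = ESP."""
    return prf(skeyid_d, protocol + spi + ni2 + nr2)


def run_exchange(psk_initiator, psk_responder):
    """Simulate both peers; returns (responder accepts HASH_I, both sides share ESP KEYMAT)."""
    xi, xr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gxi, gxr = pow(G, xi, P), pow(G, xr, P)             # public values, sent in the clear
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    gxi_b, gxr_b = gxi.to_bytes(128, "big"), gxr.to_bytes(128, "big")
    id_i = b"203.0.113.1"                                # constructed initiator identity
    # Each side derives keys from its own private exponent and the peer's public value.
    skeyid_i, skeyid_d_i, _, _ = phase1_keys(psk_initiator, xi, gxr, ni, nr)
    skeyid_r, skeyid_d_r, _, _ = phase1_keys(psk_responder, xr, gxi, ni, nr)
    # HASH_I proves the initiator holds the PSK without ever transmitting it.
    hash_i = prf(skeyid_i, gxi_b + gxr_b + id_i)
    accepted = hmac.compare_digest(hash_i, prf(skeyid_r, gxi_b + gxr_b + id_i))
    spi, ni2, nr2 = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    keymat_i = phase2_keymat(skeyid_d_i, spi, ni2, nr2)
    keymat_r = phase2_keymat(skeyid_d_r, spi, ni2, nr2)
    return accepted, keymat_i == keymat_r
```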
