NBB-800
User Manual for NRSW version 4.5.0.100
5.6.2. IPsec
IPsec is a protocol suite for securing IP communications by authenticating and encrypting each packet
of a communication session and thus establishing a secure virtual private network.
IPsec includes various cryptographic protocols and ciphers for key exchange and data encryption and
can be seen as one of the strongest VPN technologies in terms of security. It uses the following
mechanisms:
Mechanism
Description
AH
Authentication Headers (AH) provide connectionless integrity and data origin authentica-
tion for IP datagrams and ensure protection against replay attacks.
ESP
Encapsulating Security Payloads (ESP) provide confidentiality, data-origin authentication,
connectionless integrity, an anti-replay service and limited traffic-flow confidentiality.
SA
Security Associations (SA) provide a secure channel and a bundle of algorithms that pro-
vide the parameters necessary to operate the AH and/or ESP operations. The Internet
Security Association Key Management Protocol (ISAKMP) provides a framework for au-
thenticated key exchange.
Negotating keys for encryption and authentication is generally done by the Internet Key Exchange
protocol (IKE) which consists of two phases:
Phase
Description
IKE
phase 1
IKE authenticates the peer during this phase for setting up an ISAKMP secure associa-
tion. This can be carried out by either using
main
or
aggressive
mode. The
main
mode
approach utilizes the Diffie-Hellman key exchange and authentication is always encrypted
with the negotiated key.The
aggressive
mode just uses hashes of the pre-shared key and
therefore represents a less-secure mechanism which should generally be avoided as it is
prone to dictionary attacks.
IKE
phase 2
IKE finally negotiates IPSec SA parameters and keys and sets up matching IPSec SAs in
the peers which is required for AH/ESP later on.
100