IPSec offers two basic protocols for data transmission. Name both and briefly describe their properties.
AH provides data origin authentication, integrity protection, and replay protection.
Inserted between the IP header and the data to be protected.
ESP provides confidentiality, data origin authentication and replay protection. A header and a trailer encapsulate the data to be protected.
What are the 2 kinds of IPSec endpoints?
What are cryptographic endpoints?
Entities that process IPSec headers
What are communication endpoints?
Source and destination of an IP packet
How many Security Associations are required for bidirectional communication?
2 security associations
How many SAs are required for bidirectional IPSec secure channel with both AH and ESP protection?
Bidirectional communication requires 2 SAs for each transform, resulting in 4 SAs for two transforms in duplex mode.
Is it a good idea to manually configure SAs? Why?
It is possible but generally a bad idea.
- The chosen keys might be insecure and not provide PFS
- Manual configuration is error prone
- Manual configuration does not scale
Use a key management negotiation daemon such as IKE instead.
What are the 2 exchanges from IKEv2 protocol?
IKE_SA_INIT: IKE SA parameters, nonces, DH values
IKE_AUTH: Initiator & Responder identities, authentication of the previous messages, proof of knowledge of secrets, first CHILD_SA parameters
After the IKEv2 exchanges are done, which data has been negotiated?
After the two exchanges, an IKE security association, as well as an IPSec child security association have been established.
All messages and the identities of Initiator&Responder have been authenticated.
What is the difference between an IPSec Security Policy and a Security Association?
Security Policy: Description of how security services should be provided to categories of packets
Security Association: Explicit packet transformations for a simplex channel between two communication parties.
What does Diffie-Hellman key exchange do?
Establish a shared secret session key over an insecure network, without pre-shared keys.
Requirements for PFS