Cryptography Reference
In-Depth Information
can provide end users with security when necessary, say, for those employees of
a corporation working on highly classified material.
IPSec Services
IPSec security, provided at the IP level, enables a system by using AH and
ESP in concert to provide the following services:
1. Access Control : using AH and ESP.
2. Confidentiality : via enciphering of data or limited traffic-flow security,
using ESP for both encryption and authentication.
3. Connectionless Integrity : via an in-built IP detection mechanism.
4. Data Origin Authentication : using AH.
5. Rejection of Replay Data Packets : using AH and ESP.
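As an added illustration (not from the book), the following Python models the receiver side of one inbound SA for services 3 to 5 above: an HMAC integrity check value (ICV) gives connectionless integrity and data-origin authentication, and the sliding window that AH and ESP use (RFC 2401, Appendix C) rejects replayed packets. The key, the 64-packet window and the packet layout are assumptions made for the example.

```python
import hmac
import hashlib


class InboundSA:
    """Receiver-side state for one inbound Security Association (simplified)."""

    def __init__(self, auth_key: bytes, window_size: int = 64):
        self.auth_key = auth_key          # assumed shared authentication key
        self.window_size = window_size    # assumed window size (RFC minimum is 32)
        self.highest_seq = 0              # highest sequence number accepted so far
        self.bitmap = 0                   # bit i set => (highest_seq - i) already seen

    def icv(self, seq: int, payload: bytes) -> bytes:
        # ICV covers sequence number and payload, truncated as real ESP/AH ICVs are
        mac = hmac.new(self.auth_key, seq.to_bytes(4, "big") + payload, hashlib.sha256)
        return mac.digest()[:12]

    def receive(self, seq: int, payload: bytes, icv: bytes) -> str:
        """Return 'accept', 'bad-icv', 'invalid', 'stale' or 'replay' for one packet."""
        # Integrity/origin check first: a forged packet must never move the window
        if not hmac.compare_digest(self.icv(seq, payload), icv):
            return "bad-icv"
        if seq == 0:
            return "invalid"              # sequence number 0 is never transmitted
        mask = (1 << self.window_size) - 1
        if seq > self.highest_seq:
            # Slide the window forward; bits shifted past the left edge are discarded
            shift = seq - self.highest_seq
            self.bitmap = 1 if shift >= self.window_size else ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            return "accept"
        offset = self.highest_seq - seq
        if offset >= self.window_size:
            return "stale"                # older than the window: drop it
        if self.bitmap & (1 << offset):
            return "replay"               # already accepted once: drop it
        self.bitmap |= 1 << offset        # late but unseen packet inside the window
        return "accept"
```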
Now we are ready to look at the various components that make up the IPSec
structure. At the time of this writing the RFC 2401 overview of IPSec security
architecture has been rendered obsolete by a document currently being updated;
see http://www.ietf.org/internet-drafts/draft-ietf-ipsec-rfc2401bis-01.txt .
First, we examine how keys are used to set up the IPSec mechanism.
IPSec Key Management
IPSec provides another essential feature of any security protocol, namely,
the management of keys for use in data exchange and encryption and, to that end,
the negotiation of keys with other entities. IPSec further mandates that a record of
such key negotiations be kept. There exist two kinds of IPSec support for this
key service.
Key Management Techniques
The following provides minimal requirements of IPSec key (and SA) management
(see page 302).
Manual : The manual key and SA management is the simplest type. In
this case an entity, typically a systems administrator, manually configures each
network with keying material and SA management information pertinent to
communications with other systems. This is really only practical for small,
relatively static communications environments. For instance, in a VPN with a
small number of sites in a single administrative domain, this would be feasible.
Manual techniques might also work in larger environments where only a small
number of gateways need to be secured. However, in larger networks, in general,
this method is not practical.
Automated : With an automated system, on-demand keys may be created
for SAs, and the scheme scales to ever-changing and growing larger networks.
Moreover, this type of management enables options not available in manual mode