IPSec Part II: Bulk Data Confidentiality and Integrity
Now that we know how IPSec SAs are created, we explore in detail how they are
used in part II for bulk encryption, as well as for integrity of message or file
transport. In fact, a single IKE SA can create several IPSec SAs, which may be
employed for varying tasks. For instance, the SA established in phase I above
can be used to establish, in phase II, say, SA m and SA f, where SA m and its
associated keys and parameters are used for encrypted e-mail, and SA f and its
(different) associated keys and parameters are used for transport of encrypted
database files.
Earlier in this section, we learned a bit about the two types of IPSec protocols,
AH and ESP. The function of these protocols is to protect the confidentiality
and/or message integrity of data packets.
The modes, which we study below, control how much of each data packet is
protected by these protocols. The details will now be presented for the individual
IPSec SA, its modes, parameters, security databases, and interoperability.
Security Association (SA)
This is a one-way “connection” or relationship — unicast traffic — which
supplies security to the traffic it carries, allowing only one of AH or ESP to
be used. If both AH and ESP are required, then two SAs must be created
and coordinated — multicast traffic — to ensure a security shield via this
application. Typically, there is a two-way IPSec-enabled transmission between
two SAs (one in either direction). Since this is such common usage, IKE is set
up to explicitly create SA pairs, which must be of the same mode, defined as
follows.
SA Modes
1. Tunnel Mode: SA tunnel mode is essentially SA applied to an IP tunnel,
which means that an entire packet is protected as it travels from one site
of an IP network to another without being screened by any routers (a
“tunnel”) that would examine any inner IP header. What this means, in
practice, is that when a packet P leaves the original host and gets to the
boundary of its host's firewall, there is a determination of whether P needs
IPSec processing. If so, P is encased with an outer IP header and sent to
the target site. When P is en route, intervening routers screen only the
outer IP header, and upon reaching the target site, this outer header is
stripped off by the target's firewall and the inner packet is delivered to
the target.
Hosts, shielded by firewalls, may communicate via tunnel mode without
invoking IPSec. This is accomplished via communications where the
above-described “unprotected” data packets are sent by SAs in tunnel
mode set up by IPSec software in the firewall.
2. Transport Mode: SA transport mode is typically used between a pair
of hosts for protection of upper-layer protocols and selected IP header
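The two modes differ in what the SA wraps and in what an intervening router can see. The following Python model is an added example, not code from the book; it uses a simplified integrity-only SA (HMAC-SHA256 standing in for AH's integrity check value; ESP's encryption is not modelled and the wire format is not the real AH format) and a constructed topology of hosts 10.1.0.5 and 10.2.0.9 behind gateways 192.0.2.1 and 198.51.100.1, with a constructed key. It shows that in tunnel mode the entire packet P, inner header included, becomes the payload of a new outer header addressed gateway to gateway, so routers see only the gateways' addresses, while transport mode keeps P's own header outside and covers the upper-layer payload plus selected header fields. It also shows one SA of a pair rejecting a packet sent under the other SA, and a packet modified in transit failing verification.

```python
"""Constructed model of IPsec SA modes: which bytes tunnel and transport mode protect.
Added teaching example, not real AH/ESP wire format; integrity only (HMAC-SHA256 per SA)."""
import hashlib
import hmac
import socket
import struct

IPSEC_PROTO = 51   # IANA protocol number of AH, reused here as the "IPSec" marker
IPV4_IN_IP = 4     # next-header value meaning "an entire inner IPv4 packet follows"
ICV_LEN = 32       # HMAC-SHA256 digest length


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with no options (checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt):
    """The fields an intervening router can see, plus the payload it cannot interpret."""
    _, _, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": pkt[20:total]}


class SA:
    """One-way SA: an SPI, a key and a mode. Two of these (one per direction) form a pair."""

    def __init__(self, spi, key, mode):
        if mode not in ("tunnel", "transport"):
            raise ValueError("mode must be 'tunnel' or 'transport'")
        self.spi, self.key, self.mode = spi, key, mode

    def _icv(self, covered):
        # Bind the ICV to this SA by mixing the SPI into the MAC input.
        return hmac.new(self.key, struct.pack("!I", self.spi) + covered, hashlib.sha256).digest()

    def protect(self, p, outer_src=None, outer_dst=None):
        """Apply the SA to packet P at the sender's firewall."""
        if self.mode == "tunnel":
            # Whole packet P (inner header included) becomes the payload of a new outer header.
            body = struct.pack("!IB", self.spi, IPV4_IN_IP) + self._icv(p) + p
            return ipv4_header(outer_src, outer_dst, IPSEC_PROTO, len(body)) + body
        # Transport mode keeps P's own header outside; the ICV covers the upper-layer
        # payload plus selected header fields (source, destination, protocol).
        h = parse_ipv4(p)
        covered = (socket.inet_aton(h["src"]) + socket.inet_aton(h["dst"])
                   + bytes([h["proto"]]) + h["payload"])
        body = struct.pack("!IB", self.spi, h["proto"]) + self._icv(covered) + h["payload"]
        return ipv4_header(h["src"], h["dst"], IPSEC_PROTO, len(body), h["ttl"]) + body

    def unprotect(self, pkt):
        """Verify at the receiver's firewall and return the original P, or raise ValueError."""
        h = parse_ipv4(pkt)
        if h["proto"] != IPSEC_PROTO:
            raise ValueError("not an IPSec-protected packet")
        body = h["payload"]
        spi, next_hdr = struct.unpack("!IB", body[:5])
        icv, data = body[5:5 + ICV_LEN], body[5 + ICV_LEN:]
        if spi != self.spi:
            raise ValueError("packet belongs to a different SA")
        if (next_hdr == IPV4_IN_IP) != (self.mode == "tunnel"):
            raise ValueError("mode mismatch between packet and SA")
        if self.mode == "tunnel":
            covered, p = data, data              # the inner packet is P itself
        else:
            covered = (socket.inet_aton(h["src"]) + socket.inet_aton(h["dst"])
                       + bytes([next_hdr]) + data)
            p = ipv4_header(h["src"], h["dst"], next_hdr, len(data), h["ttl"]) + data
        if not hmac.compare_digest(icv, self._icv(covered)):
            raise ValueError("ICV mismatch: packet modified in transit")
        return p


# Constructed topology: host A behind gateway GW_A, host B behind gateway GW_B.
HOST_A, HOST_B = "10.1.0.5", "10.2.0.9"
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
KEY = b"constructed-example-key-not-real"


def send_and_receive(mode):
    """Run one packet P through a one-way SA and report what routers saw en route."""
    p = ipv4_header(HOST_A, HOST_B, 17, 5) + b"hello"       # P: a UDP packet (proto 17)
    sa = SA(0x1001, KEY, mode)
    wire = sa.protect(p, GW_A, GW_B)
    seen = parse_ipv4(wire)
    return {"original": p, "on_wire": wire,
            "router_sees": (seen["src"], seen["dst"], seen["proto"]),
            "recovered": sa.unprotect(wire)}


def tamper_detected(mode):
    """Flip the last byte on the wire; the receiving SA must reject the packet."""
    wire = bytearray(send_and_receive(mode)["on_wire"])
    wire[-1] ^= 0x01
    try:
        SA(0x1001, KEY, mode).unprotect(bytes(wire))
    except ValueError:
        return True
    return False


def wrong_sa_rejected():
    """A packet sent under one SA of a pair is not accepted by the other SA."""
    wire = send_and_receive("tunnel")["on_wire"]
    try:
        SA(0x1002, KEY, "tunnel").unprotect(wire)   # the reverse-direction SA
    except ValueError:
        return True
    return False
```

Calling `send_and_receive("tunnel")` reports that the routers saw only `192.0.2.1` to `198.51.100.1` with protocol 51, whereas `send_and_receive("transport")` exposes the end hosts' own addresses; in both modes the receiving gateway recovers P byte for byte, and any modification on the wire or a packet from the wrong SA of the pair is refused.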