avoid the costs of using two SAs, but the nesting of two SAs ensures that more
fields are authenticated.
If one wants to authenticate first, in a bundling of SAs, then an inner AH
transport SA may be formed with an outer ESP tunnel SA. Thus, authentication
is applied to the IP payload and the IP header, plus extensions, but minus
mutable fields. Then the IP packet is processed by ESP in tunnel mode. The
outcome is that the complete (authenticated) inner packet is encrypted and a new
outer IP header and extensions are added.
Diagram 8.24 Nesting SAs: Authentication After Encryption
[Figure: Host A, Security Gateway A, Internet, Security Gateway B, Host B; inner SA-1 (ESP Transport) nested inside outer SA-2 (AH Transport)]
Diagram 8.25 Nesting SAs: Encryption After Authentication
[Figure: Host A, Security Gateway A, Internet, Security Gateway B, Host B; inner SA-1 (AH Transport) nested inside outer SA-2 (ESP Tunnel)]
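As an added illustration (not code from the book), the two nestings of Diagrams 8.24 and 8.25 modelled in Python with constructed packets: it shows that AH's ICV survives a change to a mutable field (TTL) in transit but rejects any change to an immutable field or to the encrypted body, and that ESP tunnel mode hides the whole authenticated inner packet behind a new outer header. Keys, addresses, the JSON packet encoding and the keystream stand-in for ESP's cipher are assumptions for illustration only, not IPsec's real transforms.

```python
import hashlib, hmac, json
# Constructed toy model of the two SA nestings above (Diagrams 8.24 and 8.25). Keys, addresses
# and the keystream "cipher" are stand-ins, not IPsec's real transforms. Packet = {"header", "body"}.
MUTABLE = {"ttl"}                                   # AH zeroes these before computing its ICV
AH_KEY, ESP_KEY = b"example-ah-key", b"example-esp-key"
def _icv(header, body):
    # AH ICV (96-bit) over the IP header with mutable fields zeroed, plus everything after it.
    covered = json.dumps({k: (0 if k in MUTABLE else v) for k, v in header.items()}, sort_keys=True)
    return hmac.new(AH_KEY, covered.encode() + body, hashlib.sha256).digest()[:12]
def _xor(data):
    # Stand-in confidentiality transform (HMAC-derived keystream), so apply == strip.
    ks = b"".join(hmac.new(ESP_KEY, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def ah_transport(pkt):
    """AH transport: authenticate header (minus mutable fields) and body; prepend the ICV."""
    return {"header": dict(pkt["header"]), "body": _icv(pkt["header"], pkt["body"]) + pkt["body"]}

def ah_strip(pkt):
    """Verify the AH ICV and remove it; None means authentication failed."""
    icv, body = pkt["body"][:12], pkt["body"][12:]
    ok = hmac.compare_digest(icv, _icv(pkt["header"], body))
    return {"header": dict(pkt["header"]), "body": body} if ok else None

def esp_transport(pkt):
    """ESP transport: encrypt only the payload; the original IP header stays in the clear."""
    return {"header": dict(pkt["header"]), "body": _xor(pkt["body"])}

def esp_tunnel(pkt, outer_header):
    """ESP tunnel: encrypt the complete inner packet and prepend a new outer IP header."""
    inner = json.dumps({"header": pkt["header"], "body": pkt["body"].hex()}).encode()
    return {"header": dict(outer_header), "body": _xor(inner)}

def esp_tunnel_strip(pkt):
    inner = json.loads(_xor(pkt["body"]))
    return {"header": inner["header"], "body": bytes.fromhex(inner["body"])}

# Diagram 8.24: SA-1 = ESP transport (inner), SA-2 = AH transport (outer).
def nest_auth_after_enc(pkt):
    return ah_transport(esp_transport(pkt))
def unnest_auth_after_enc(pkt):
    authed = ah_strip(pkt)
    return esp_transport(authed) if authed else None   # keystream XOR is its own inverse

# Diagram 8.25: SA-1 = AH transport (inner), SA-2 = ESP tunnel (outer).
def nest_enc_after_auth(pkt, outer_header):
    return esp_tunnel(ah_transport(pkt), outer_header)
def unnest_enc_after_auth(pkt):
    return ah_strip(esp_tunnel_strip(pkt))
```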
Although numerous aspects of IP traffic processing and IPSec implementation
are local matters, and thus not subject to standardization, there are
external features of the process that require such systematization in order to
guarantee interoperability and render a lower bound on the management capacity
that is crucial for effective use of IPSec. In order to accomplish this, we need
the following.
IPSec Security Databases
IPSec possesses two formal databases: the Security Policy Database (SPD)
and the Security Association Database (SAD). The SPD prescribes the guidelines
that govern the configuration of all incoming and outgoing IP traffic. The SAD
embodies the parameters that are associated with each keyed SA.
Security Association Database (SAD) Parameters
The following parameters are used to define an SA, and each SA has an entry
in the SAD.