Cryptography Reference
In-Depth Information
There may be other minor parameters added to the above, but the bulk of
what is required is contained in this list.
Security Policy Database (SPD) Parameters
IPSec documentation refers to SAs as management constructs used to enforce
security policies for traffic crossing an IPSec boundary. Therefore, since the SPD
is responsible for the screening of all inbound and outbound traffic (IPSec and
non-IPSec), it is necessary to have a clear indication of what services are offered
and in what manner. To do so, the SPD needs what are called selectors, which are
top-level protocol field values. These are defined as follows.
1. Destination IP Address : Typically this is a list of IP addresses of those
systems sharing the same SA, especially if the IPSec implementation is
operating behind a gateway. However, this selector also supports a single IP
address.
2. Source IP Address : As with the Destination IP Address, this is usually a
list if the same SA is shared, but it could be a single address
in the case of a simple configuration.
3. Next Layer Protocol (NLP) : This is obtained from either the IPv4
Protocol field or the IPv6 Next Header field. Other selectors depend on the
NLP value. For instance, if a protocol that uses ports, such as TCP, is used,
there are selectors for Source and Destination Ports, each of which is a list
of values. If the NLP is a mobility header, there is a selector for IPv6
Mobility Header Message Type, which is an 8-bit value that identifies a
specific mobility message. There may be others, depending on the message type.
4. Name : This is a symbolic identifier for an IPSec origin or target
address, which may be an X.500 distinguished name or an operating system
identifier.
5. Data Sensitivity Level : This is an indicator of the security level of the
information being transferred, such as classified or unclassified.
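The selector matching described above can be sketched as an ordered policy lookup. This is an added example, not code from the book: the entry names, addresses and ports are constructed, and the PROTECT/BYPASS/DISCARD actions, first-match ordering and discard-by-default behaviour are taken from RFC 4301 rather than from this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17  # IANA protocol numbers carried in the NLP field

@dataclass(frozen=True)
class SPDEntry:
    name: str                         # hypothetical label for the policy entry
    src: tuple                        # Source IP Address selector (a /32 is one address)
    dst: tuple                        # Destination IP Address selector
    nlp: Optional[int] = None         # Next Layer Protocol; None matches any
    src_ports: Optional[tuple] = None # only meaningful when the NLP has ports
    dst_ports: Optional[tuple] = None
    action: str = "DISCARD"           # RFC 4301 terms, assumed here

def _in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def _port_ok(port, allowed):
    return allowed is None or (port is not None and port in allowed)

def matches(entry, pkt):
    if not (_in_nets(pkt["src"], entry.src) and _in_nets(pkt["dst"], entry.dst)):
        return False
    if entry.nlp is not None and pkt["nlp"] != entry.nlp:
        return False
    if pkt["nlp"] in (TCP, UDP):      # port selectors depend on the NLP value
        return (_port_ok(pkt.get("sport"), entry.src_ports)
                and _port_ok(pkt.get("dport"), entry.dst_ports))
    # An entry that constrains ports cannot match a protocol without ports.
    return entry.src_ports is None and entry.dst_ports is None

def spd_lookup(spd, pkt):
    """Return (entry name, action); the first matching entry wins."""
    for entry in spd:
        if matches(entry, pkt):
            return entry.name, entry.action
    return None, "DISCARD"            # no selector matched: drop the traffic

# Constructed sample policy using documentation address ranges.
SPD = [
    SPDEntry("web-to-branch", ("192.0.2.0/24",),
             ("198.51.100.10/32", "198.51.100.11/32"), TCP, None, (443,), "PROTECT"),
    SPDEntry("dns-clear", ("192.0.2.0/24",), ("203.0.113.53/32",),
             UDP, None, (53,), "BYPASS"),
]
```
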
There is a third, not often mentioned, database — the Peer Authorization
Database (PAD) — which is also needed within a secure IPSec architecture.
The reason that this database is often ignored in descriptions of IPSec is that
the PAD may already be integrated within the SA management protocol itself.
Nevertheless, it is important to understand the PAD functions. The PAD
establishes a connection between an SA management protocol (such as IKE) and
the SPD. Among the PAD duties are defining the range of identities that a peer
(one of a set of entities that are in the same protocol layer or the equivalent
layer of another system) is authorized to represent when SAs are negotiated
with a peer; defining how to authenticate a peer (such as via a certificate); and
verification of the authorization of SPD traffic selectors relative to the
authorized peer of the SA management protocol. PADs may also be needed to locate
secure gateways.