Cisco Cisco Packet Data Gateway (PDG)
Introduction to IP Security (IPSec)
▀ Overview
▄ IPSec Reference, StarOS Release 17
14
Overview
IPSec is a suite of protocols that interact with one another to provide secure private communications across IP networks.
These protocols allow the system to establish and maintain secure tunnels with peer security gateways. IPSec provides
confidentiality, data integrity, access control, and data source authentication to IP datagrams.
These protocols allow the system to establish and maintain secure tunnels with peer security gateways. IPSec provides
confidentiality, data integrity, access control, and data source authentication to IP datagrams.
IPSec AH and ESH
Authentication Header (AH) and Encapsulating Security Payload (ESP) are the two main wire-level protocols used by
IPSec. They authenticate (AH) and encrypt-plus-authenticate (ESP) the data flowing over that connection.
IPSec. They authenticate (AH) and encrypt-plus-authenticate (ESP) the data flowing over that connection.
AH is used to authenticate – but not encrypt – IP traffic.Authentication is performed by computing a
cryptographic hash-based message authentication code over nearly all the fields of the IP packet (excluding
those which might be modified in transit, such as TTL or the header checksum), and stores this in a newly-
added AH header that is sent to the other end. This AH header is injected between the original IP header and
the payload.
those which might be modified in transit, such as TTL or the header checksum), and stores this in a newly-
added AH header that is sent to the other end. This AH header is injected between the original IP header and
the payload.
ESP provides encryption and optional authentication. It includes header and trailer fields to support the
encryption and optional authentication. Encryption for the IP payload is supported in transport mode and for
the entire packet in the tunnel mode. Authentication applies to the ESP header and the encrypted data.
the entire packet in the tunnel mode. Authentication applies to the ESP header and the encrypted data.
IPSec Transport and Tunnel Mode
Transport Mode provides a secure connection between two endpoints as it encapsulates IP payload, while Tunnel Mode
encapsulates the entire IP packet to provide a virtual “secure hop” between two gateways.
encapsulates the entire IP packet to provide a virtual “secure hop” between two gateways.
Tunnel Mode forms the more familiar VPN functionality, where entire IP packets are encapsulated inside another and
delivered to the destination. It encapsulates the full IP header as well as the payload.
delivered to the destination. It encapsulates the full IP header as well as the payload.
Security Associations (SAs) and Child SAs
An Internet Key Exchange-Security Association (IKE-SA) is used to secure IKE comicality. SA is identified by two,
eight-byte Security Parameter Indices (SPIs) shared by each peer during the initial IKE exchange. Both SPIs are carried
in all subsequent messages.
eight-byte Security Parameter Indices (SPIs) shared by each peer during the initial IKE exchange. Both SPIs are carried
in all subsequent messages.
A Child-SA is created by IKE for use in AH or ESP security. Two Child-SAs are created as a result of one exchange –
Inbound and Outbound. A Child-SA is identified by a single four-byte SPI, Protocol and Gateway IP Address and is
carried in each AH/ESP packet.
Inbound and Outbound. A Child-SA is identified by a single four-byte SPI, Protocol and Gateway IP Address and is
carried in each AH/ESP packet.
Each SA (IKE or Child) has an associated lifetime. After the expiry of lifetime, SAs are deleted. To proactively
establish an SA before the last one expires, SAs are rekeyed on soft lifetime expiry. Both IKE and Child SAs may be
rekeyed.
establish an SA before the last one expires, SAs are rekeyed on soft lifetime expiry. Both IKE and Child SAs may be
rekeyed.