Netgear FVM318 – Cable and DSL ProSafe Wireless VPN Security Firewall Reference Manual

Reference Manual for the Model FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall
B-22
Network, Routing, Firewall, and Wireless Basics
 
Exchange keys
Keep track of the agreements
Negotiating the SA - the Internet Key Exchange (IKE)
IKE provides a way to:
• Ensure that the key exchange and the IPSec communication occur only between authenticated parties;
• Negotiate the protocols, algorithms and keys to be used between the two IPSec hosts;
• Securely update and renegotiate SAs when they have expired.
IKE functions in two phases:
1. Phase 1. The peers establish a secure channel. After Phase 1, all IKE packets are encrypted.
2. Phase 2. The peers negotiate a general purpose SA.
IKE provides three modes of key exchange and setting up of SAs. Two of the modes are used in the first phase and one in the second.
Authentication: Phase 1
Main mode or Aggressive mode can be chosen in the first phase.
Main mode. This mode accomplishes the first phase by establishing a secure channel before sending a user identity.
Main mode secures an IKE SA in three two-way exchanges between the initiator and the responder.
a. Both agree on basic algorithms and hashes.
b. Both exchange Diffie-Hellman public keys and pass nonces. A nonce is a cryptographic term for a fresh random number that is used only once.
c. Both parties verify each other’s identity. This exchange is already encrypted.
Aggressive mode. Unlike Main mode, it does not protect identities because it establishes the secure channel after the information has been exchanged.
Aggressive mode establishes a connection with two exchanges. Only one of these is a round-trip exchange.
a. The initiator generates a Diffie-Hellman public value, sending it with the nonce.
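As an added illustration that is not part of the manual, the following Python models the two Phase 1 modes described above: Main mode's three two-way exchanges, in which the identities travel only after the Diffie-Hellman values and nonces have keyed the channel, and Aggressive mode, in which the identity is sent in the clear together with the first message. The prime, pre-shared key, peer identities and the PRF-keystream cipher are constructed stand-ins; the key derivation follows the pre-shared-key formulas of RFC 2409 in simplified form (cookies and the SA payload are omitted from the hashes).

```python
import hmac, hashlib, secrets

# Constructed demo parameters: a 127-bit Mersenne prime, a PSK and peer IDs, not a real IKE group.
P, G = 2**127 - 1, 3
PSK = b"constructed-pre-shared-key"
ID_I, ID_R = b"ID:vpn-gw-a.example", b"ID:vpn-gw-b.example"

def prf(key, data):                       # IKE's keyed PRF (HMAC in RFC 2409)
    return hmac.new(key, data, hashlib.sha256).digest()

def i2b(n):                               # group element -> 16 big-endian bytes
    return n.to_bytes(16, "big")

def encrypt(key, data):
    # XOR with a PRF keystream: a stdlib-only stand-in for the negotiated cipher; symmetric.
    ks = b"".join(prf(key, bytes([b])) for b in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

class Peer:
    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 1                    # Diffie-Hellman private value
        self.pub, self.nonce = pow(G, self.x, P), secrets.token_bytes(16)

    def keys(self, peer_pub, ni, nr):
        # Simplified RFC 2409 PSK derivation: SKEYID binds the nonces, SKEYID_e adds g^xy.
        skeyid = prf(PSK, ni + nr)
        return skeyid, prf(skeyid, i2b(pow(peer_pub, self.x, P)) + b"\x02")

def auth_hash(skeyid, i, r, ident):       # HASH_I / HASH_R, simplified
    return prf(skeyid, i2b(i.pub) + i2b(r.pub) + ident)

def main_mode(i, r):                      # three two-way exchanges, six messages
    wire = [b"SA:proposal", b"SA:accepted"]                      # 1: agree on algorithms
    wire += [i2b(i.pub) + i.nonce, i2b(r.pub) + r.nonce]         # 2: DH publics and nonces
    (ski, ske), (skr, skr_e) = i.keys(r.pub, i.nonce, r.nonce), r.keys(i.pub, i.nonce, r.nonce)
    wire.append(encrypt(ske, ID_I + auth_hash(ski, i, r, ID_I)))   # 3: identities, encrypted
    wire.append(encrypt(skr_e, ID_R + auth_hash(skr, i, r, ID_R)))
    plain = encrypt(skr_e, wire[4])                              # responder decrypts message 5
    return wire, hmac.compare_digest(plain[len(ID_I):], auth_hash(skr, i, r, ID_I))

def aggressive_mode(i, r):                # two exchanges, three messages
    wire = [b"SA:proposal" + i2b(i.pub) + i.nonce + ID_I]        # SA, DH public, nonce, ID in clear
    (ski, _), (skr, _) = i.keys(r.pub, i.nonce, r.nonce), r.keys(i.pub, i.nonce, r.nonce)
    wire.append(b"SA:accepted" + i2b(r.pub) + r.nonce + ID_R + auth_hash(skr, i, r, ID_R))
    wire.append(auth_hash(ski, i, r, ID_I))                       # one-way reply with HASH_I
    return wire, hmac.compare_digest(wire[2], auth_hash(skr, i, r, ID_I))

def identity_visible(wire, ident):        # what a passive observer of the exchange can read
    return any(ident in msg for msg in wire)
```

Running `identity_visible` over both transcripts shows the difference the manual describes: the identities appear in the Aggressive mode messages but in none of the Main mode messages, while both modes still authenticate the peers through the same pre-shared-key hash.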