Manualsbrain.com
  1. Инструкции и руководства
  2. Бренды
  3. Cirkuit Planet
  4. MH-1000
  5. Справочник Пользователя

Справочник Пользователя для Cirkuit Planet MH-1000

Скачать
Страница из 141
Multi-Homing Security Gateway User’s Manual 
Here is an example of a packet with ESP applied: 
 
Original Packet 
Packet with IPSec Encapsulation Security Payload 
IP Header 
TCP 
Data
New IP Header ESP Header 
TCP
Data
ESP Trailer
encrypted 
Org IP Header
Authentication 
ESP  
Authenticated 
 
A.2.5 Internet Key Exchange (IKE) 
Before either AH or ESP can be used, it is necessary for the two communication devices to exchange a 
secret key that the security protocols themselves will use. To do this, IPSec uses Internet Key Exchange 
(IKE) as a primary support protocol. IKE facilitates and automates the SA setup, and exchanges keys 
between parties transferring data. Using keys ensures that only the sender and receiver of a message can 
access it. These keys need to be re-created or refreshed frequently so that the parties can communicate 
securely with each other. Refreshing keys on a regular basis ensures data confidentiality. 
 
There are two phases to this process. Phase I deals with the negotiation and management of IKE and 
IPSec parameters. This phase can be carried out in either one of two modes: Main Mode or Aggressive 
Mode. Main mode utilizes three message pairs that negotiate IKE parameters, establish a shared secret 
and derive session keys, and exchange and provide identities, retroactively authenticating the information 
sent. This method is very secure, but when using the pre-shared key method for authentication, it is 
possible to use IDs other than the packets’s IP addresses. Aggressive mode reduces this process to three 
messages, but parameter negotiation is limited, identity protection is lacking except when using public key 
encryption, and is more vulnerable to Denial of Service attacks. 
 
Phase II, known as Quick Mode, establishes symmetrical IPSec Security Associations for both AH and ESP. 
It does this by negotiating IPSec parameters, exchange nonces to derive session keys from the IKE shared 
secret, exchange DH values to 
generate a new key, and identify which traffic this SA bundle will protect 
using selectors (IDi and IDr payloads). 
 
The following is an illustration on how data is handled with IKE: 
 
 
 
 
- 94 -