IPsec Flashcards
IPsec
IP Security:
Provides authentication & encryption of packets to create a secure encrypted communication path between two computers
Confidentiality - Using encryption
Integrity - Ensuring data is not modified in transit
Authentication - Verifying parties are who they claim to be
Anti-Replay:
Checking sequence numbers on all packets prior to transmission
(Prevents duplicate transmissions, prevents attackers from capturing/resending packets)
Key exchange request, IKE Phase 1, IKE Phase 2, Data Transfer, Tunnel termination
IPsec: Main Mode
Conducts three two-way exchanges between peers, from the initiator to the receiver
1st Exchange: Agrees upon which algorithms/hashes will be used to secure the IKE
2nd Exchange: Uses a Diffie-Hellman exchange to generate shared secret keying material so that both parties can prove their identities
3rd Exchange: Verifies the identity of the other side by looking at an encrypted form of the other peer’s IP address
IPsec: Aggressive Mode
Uses fewer exchanges, resulting in fewer packets & faster initial connection than main mode
The sender sends to the receiver, and the receiver agrees on:
Diffie-Hellman public key
Signed random number
Identity packet
IPsec: Quick Mode
Only occurs after IKE has already established the secure tunnel in Phase 1 using either main or aggressive mode
Negotiate IPsec SA parameters protected by existing IKE SA
Establish IPsec SA
Periodically renegotiate IPsec SAs to maintain security
Perform additional Diffie-Hellman exchanges if needed
You can negotiate a replacement SA once the existing SA expires
Diffie-Hellman Key Exchange
Allows two systems that don’t know each other to exchange keys & trust each other
IPsec: Transport Mode
Uses the packet’s original IP header; used for client-to-site VPNs
By default, MTU size in most networks is 1500 bytes
IPsec: Tunneling Mode
Encapsulates the entire packet & puts another header on top of it
For site-to-site VPNs, you may need to allow jumbo frames
Transport = Client-to-site
Tunneling = Site-to-site
IPsec: Authentication Header
Provides connectionless data integrity & data origin authentication for IP datagrams & provides protection against replay attacks
Integrity for each packet sent (no confidentiality)
IPsec: ESP
Encapsulating Security Payload:
Provides authentication, integrity, replay protection, & data confidentiality
In transport mode, use AH to provide integrity for the TCP header & ESP to encrypt
In tunneling mode, use AH & ESP to provide integrity/encryption of the end payload
Does not encrypt the end-to-end header
IPsec: 5 Main Steps
PC1 sends traffic to PC2, & then RTR1 initiates creation of the IPsec tunnel
RTR1 & RTR2 negotiate an SA (Security Association) to form the IKE Phase 1 tunnel (ISAKMP tunnel)
The IKE Phase 2 tunnel (IPsec tunnel) is negotiated & set up
The tunnel is established & info is securely sent between PC1 & PC2
The IPsec tunnel is torn down & the IPsec SA is deleted
IKE SA Contents
Authentication Method
Encryption & hash algorithms used
Diffie-Hellman groups used
Expiration of IKE SA
Shared secret key values for the encryption algorithms