Security Associations (SAs) form the basis of Internet Protocol Security (IPsec).
A Security Association (SA) is a simplex (one-way) logical connection between two systems that carries everything needed to protect traffic in one direction: the IPsec protocol, the cryptographic algorithms, the keys, the sequence counter and the lifetime. An SA can be viewed as an agreement between two devices about how to protect information during transit.
Because SAs are simplex, two are needed for two-way traffic. If two devices, Dev-A and Dev-B, communicate using IPsec, Dev-A holds two SAs for that peer: one for processing outbound packets (to Dev-B) and one for processing inbound packets (from Dev-B). Dev-B holds the mirror image of the same pair.
A Security Association (SA) is uniquely identified by three things.
1) A Security Parameter Index (SPI), a 32-bit value carried in the AH or ESP header. SPI values 1 through 255 are reserved by IANA, so negotiated SPIs are 256 or larger.
2) The IP destination address of the protected packet.
3) An IPsec protocol identifier. The IPsec protocols are Authentication Header (AH, IP protocol 51) and Encapsulating Security Payload (ESP, IP protocol 50).
The receiver uses this triple to look up the inbound SA in its Security Association Database (SAD) and so find the keys and algorithms with which to authenticate and decrypt the packet.
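The following is an added example, not code from the original page, that models the SA concepts above in Python: an SAD keyed by the (SPI, destination, protocol) triple, the simplex inbound/outbound pair each endpoint holds, and the lookup a receiver performs on an arriving ESP packet. The IP addresses, the algorithm names, the random placeholder keys and the simplified replay check are constructed for the demo; a real implementation derives keys from IKE and keeps a sliding replay window.

```python
import secrets
import struct
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class IPsecProto(IntEnum):
    """IP protocol numbers that identify which IPsec protocol an SA uses."""
    ESP = 50
    AH = 51


@dataclass(frozen=True)
class SAKey:
    """The triple that identifies one SA: SPI, destination address, protocol."""
    spi: int
    dst: str
    proto: IPsecProto


@dataclass
class SecurityAssociation:
    key: SAKey
    direction: str                      # "in" or "out": every SA is simplex
    enc_alg: str
    integ_alg: str
    enc_key: bytes = field(repr=False)
    integ_key: bytes = field(repr=False)
    seq: int = 0                        # out: last sequence sent; in: highest accepted


class SADatabase:
    """Security Association Database: every lookup is by the identifying triple."""

    def __init__(self) -> None:
        self._sas: dict[SAKey, SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        if sa.key in self._sas:
            raise ValueError(f"duplicate SA {sa.key}")
        self._sas[sa.key] = sa

    def lookup(self, spi: int, dst: str, proto: IPsecProto) -> Optional[SecurityAssociation]:
        return self._sas.get(SAKey(spi, dst, proto))


def new_spi() -> int:
    """Random 32-bit SPI outside the IANA-reserved range 0..255."""
    while True:
        spi = secrets.randbits(32)
        if spi > 255:
            return spi


def install_sa_pair(sad: SADatabase, local: str, remote: str,
                    inbound_spi: int, outbound_spi: int) -> tuple:
    """Install the two simplex ESP SAs one endpoint holds for a peer.

    The inbound SPI is the one this endpoint chose and sent to the peer; the
    outbound SPI is the one the peer chose for traffic it will receive. Keys
    are random placeholders (an assumption): IKE derives them from the
    negotiated key material.
    """
    inbound = SecurityAssociation(SAKey(inbound_spi, local, IPsecProto.ESP), "in",
                                  "AES-CBC-256", "HMAC-SHA2-256-128",
                                  secrets.token_bytes(32), secrets.token_bytes(32))
    outbound = SecurityAssociation(SAKey(outbound_spi, remote, IPsecProto.ESP), "out",
                                   "AES-CBC-256", "HMAC-SHA2-256-128",
                                   secrets.token_bytes(32), secrets.token_bytes(32))
    sad.add(inbound)
    sad.add(outbound)
    return inbound, outbound


def parse_esp_header(packet: bytes) -> tuple:
    """(SPI, sequence number) from the first 8 bytes of an ESP payload (RFC 4303)."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", packet[:8])


def classify_inbound(sad: SADatabase, packet: bytes, dst_ip: str) -> Optional[SecurityAssociation]:
    """Map a received ESP packet to an inbound SA, or None if it must be dropped."""
    spi, seq = parse_esp_header(packet)
    sa = sad.lookup(spi, dst_ip, IPsecProto.ESP)
    if sa is None or sa.direction != "in":
        return None                     # no SA: RFC 4301 says discard and audit
    if seq <= sa.seq:
        return None                     # replayed/reordered (simplified: real code keeps a window)
    sa.seq = seq
    return sa


def demo() -> tuple:
    """Constructed scenario: Dev-A 192.0.2.1 and Dev-B 198.51.100.1 (documentation addresses)."""
    a_sad, b_sad = SADatabase(), SADatabase()
    a_in_spi, b_in_spi = new_spi(), new_spi()
    while b_in_spi == a_in_spi:         # keep the two SPIs distinct for a clear demo
        b_in_spi = new_spi()
    install_sa_pair(a_sad, "192.0.2.1", "198.51.100.1", a_in_spi, b_in_spi)
    install_sa_pair(b_sad, "198.51.100.1", "192.0.2.1", b_in_spi, a_in_spi)
    # Dev-A sends with its outbound SA, whose SPI is the one Dev-B chose.
    out_sa = a_sad.lookup(b_in_spi, "198.51.100.1", IPsecProto.ESP)
    out_sa.seq += 1
    pkt = struct.pack("!II", out_sa.key.spi, out_sa.seq) + b"<encrypted payload>"
    first = classify_inbound(b_sad, pkt, "198.51.100.1")      # accepted
    replay = classify_inbound(b_sad, pkt, "198.51.100.1")     # same seq: dropped
    misrouted = classify_inbound(a_sad, pkt, "192.0.2.1")     # Dev-A has no such inbound SA
    return out_sa, first, replay, misrouted
```

The point the demo makes is that the same SPI appears in two SADs with opposite directions: Dev-A's outbound SA and Dev-B's inbound SA share the SPI that Dev-B chose, and a packet only matches when all three parts of the triple line up on the receiving side.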
The Internet Key Exchange protocol (IKE, in versions IKEv1 and IKEv2) is used to set up Security Associations (SAs) between two devices. IKE uses a Diffie-Hellman key exchange to establish a shared secret from which the cryptographic keys are derived. The Diffie-Hellman algorithm (developed by Whitfield Diffie and Martin Hellman) lets two devices agree on a shared secret over an untrusted network: each side sends only a public value, computes the same secret locally from its own private value and the peer's public value, and the secret itself is never transmitted. Diffie-Hellman alone does not authenticate the peers, which is why IKE combines it with pre-shared keys or certificates.
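As an added example (not code from the original page), the following Python simulates the Diffie-Hellman part of an IKEv1 Main Mode exchange and the pre-shared-key key derivation of RFC 2409 section 5, so that both sides end up with identical SKEYID_d/SKEYID_a/SKEYID_e keys while only public values, nonces and cookies appear on the wire. The group is a toy one (the Mersenne prime 2^127 - 1 with generator 2, an assumption for the demo; real IKE uses RFC 3526 MODP groups of 2048 bits or more, or elliptic-curve groups), and HMAC-SHA-256 stands in for the negotiated PRF.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption for the demo, NOT an IKE group):
# the Mersenne prime 2^127 - 1 with generator 2.
P = (1 << 127) - 1
G = 2
P_BYTES = 16                                      # every value mod P fits in 16 bytes


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1's PRF is the negotiated HMAC; HMAC-SHA-256 is assumed here."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Peer:
    def __init__(self, name: str, psk: bytes) -> None:
        self.name = name
        self.psk = psk
        self.cookie = secrets.token_bytes(8)        # ISAKMP cookie (CKY-I / CKY-R)
        self.nonce = secrets.token_bytes(16)        # Ni / Nr
        self._x = secrets.randbelow(P - 3) + 2      # private exponent: never leaves this object

    def public_value(self) -> int:
        return pow(G, self._x, P)                   # g^x mod p, the only thing sent

    def shared_secret(self, peer_public: int) -> int:
        # Reject degenerate values (0, 1, p-1) that would collapse the secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid Diffie-Hellman public value")
        return pow(peer_public, self._x, P)         # g^xy mod p, computed locally


def derive_ikev1_psk_keys(psk: bytes, ni: bytes, nr: bytes, gxy: int,
                          cky_i: bytes, cky_r: bytes) -> dict:
    """Key derivation of RFC 2409 section 5 for pre-shared-key authentication."""
    gxy_b = gxy.to_bytes(P_BYTES, "big")
    skeyid = prf(psk, ni + nr)                                          # binds the PSK in
    skeyid_d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")             # seeds IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")  # IKE integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")  # IKE encryption
    return {"SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def run_exchange(initiator_psk: bytes, responder_psk: bytes) -> tuple:
    """Simulate the key-exchange messages of Main Mode.

    Returns (initiator keys, responder keys, wire log, initiator's DH secret).
    """
    i, r = Peer("initiator", initiator_psk), Peer("responder", responder_psk)
    # Everything in the wire log travels in clear: cookies, public values, nonces.
    wire = [
        ("I->R", i.cookie, i.public_value().to_bytes(P_BYTES, "big"), i.nonce),
        ("R->I", r.cookie, r.public_value().to_bytes(P_BYTES, "big"), r.nonce),
    ]
    gxi = int.from_bytes(wire[0][2], "big")         # what the responder received
    gxr = int.from_bytes(wire[1][2], "big")         # what the initiator received
    secret_i = i.shared_secret(gxr)
    secret_r = r.shared_secret(gxi)
    keys_i = derive_ikev1_psk_keys(i.psk, i.nonce, r.nonce, secret_i, i.cookie, r.cookie)
    keys_r = derive_ikev1_psk_keys(r.psk, i.nonce, r.nonce, secret_r, i.cookie, r.cookie)
    return keys_i, keys_r, wire, secret_i


def secret_on_wire(wire: list, secret: int) -> bool:
    """True if the DH secret appears anywhere in the captured messages."""
    blob = b"".join(part for msg in wire for part in msg[1:])
    return secret.to_bytes(P_BYTES, "big") in blob
```

Running the exchange with matching pre-shared keys yields identical key sets on both sides; running it with mismatched keys still produces the same DH secret but different SKEYIDs, which is how the PSK authenticates the exchange rather than merely the DH agreement.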
The Internet Key Exchange (IKE) protocol, as used in IKEv1 to generate Security Associations, is a two-phase process.
The first phase (Main Mode negotiation, or the shorter Aggressive Mode) establishes the IKE SA that protects the rest of the negotiation. The following parameters are negotiated.
• The encryption algorithm for the IKE SA (historically DES or 3DES; current deployments use AES).
• The hash algorithm (historically MD5 (Message Digest 5) or SHA-1 (Secure Hash Algorithm); current deployments use SHA-2).
• The authentication method (certificate, pre-shared key, or, on Windows, Kerberos).
• The Diffie-Hellman group, followed by the exchange of DH material for key generation.
In the second phase (Quick Mode negotiation), which runs under the protection of the phase 1 IKE SA, the IPsec SAs themselves are negotiated.
• The IPsec protocol (AH or ESP).
• The integrity (hash) algorithm (historically MD5 or SHA-1; now SHA-2, or an AEAD cipher such as AES-GCM that provides integrity and encryption together).
• The encryption algorithm, if ESP is used (historically DES or 3DES; now AES).
• The encapsulation mode (tunnel or transport) and the SA lifetime.
After Main Mode and Quick Mode negotiations a common agreement is reached, and two IPsec Security Associations (SAs) are established: one for inbound and one for outbound communication. Quick Mode also derives fresh session key material for each IPsec SA pair, and it is rerun before an SA's lifetime expires to generate a new pair of keys. Rekeying limits how much traffic is protected under one key and how much an attacker gains from compromising it; if Perfect Forward Secrecy (PFS) is enabled, Quick Mode performs a new Diffie-Hellman exchange so that compromise of the phase 1 keys does not expose the IPsec keys.
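The two-phase negotiation above, as an added Python example that is not part of the original page: the initiator offers an ordered list of transforms for each phase, the responder picks the first one its local policy accepts, and the initiator checks that the choice is one it actually offered before proceeding. The proposal fields, the policy sets (which refuse DES, 3DES, MD5, SHA-1 and DH groups below 14) and the sample offers are constructed for the demo and are not a standard's wire format.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Sequence


@dataclass(frozen=True)
class Phase1Proposal:
    """One Main Mode transform: how the IKE SA itself is protected."""
    encr: str           # e.g. "AES-CBC-256", "3DES", "DES"
    hash_alg: str       # e.g. "SHA2-256", "SHA1", "MD5"
    auth: str           # "PSK" or "RSA-SIG"
    dh_group: int       # 2 = 1024-bit MODP, 14 = 2048-bit MODP
    lifetime_s: int = 28800


@dataclass(frozen=True)
class Phase2Proposal:
    """One Quick Mode transform: how the IPsec SAs are protected."""
    proto: str                          # "ESP" or "AH"
    encr: Optional[str]                 # None for AH
    integ: Optional[str]                # None when encr is an AEAD such as AES-GCM
    mode: str                           # "tunnel" or "transport"
    pfs_group: Optional[int] = None     # DH group for a fresh exchange; None = no PFS
    lifetime_s: int = 3600


WEAK_ENCR = {"DES", "3DES", "NULL"}
WEAK_INTEG = {"MD5", "SHA1", "HMAC-MD5-96", "HMAC-SHA1-96"}
AEAD = {"AES-GCM-128", "AES-GCM-256"}
MIN_DH_GROUP = 14                       # anything below 2048-bit MODP is refused


def phase1_policy(p: Phase1Proposal) -> bool:
    """Responder's local phase 1 policy (an assumption for the demo)."""
    return (p.encr not in WEAK_ENCR and p.hash_alg not in WEAK_INTEG
            and p.dh_group >= MIN_DH_GROUP and p.auth in {"PSK", "RSA-SIG"})


def phase2_policy(p: Phase2Proposal) -> bool:
    """Responder's local phase 2 policy: ESP must use a strong cipher, and either
    the cipher is an AEAD or a strong integrity algorithm is present."""
    if p.proto == "ESP":
        if p.encr is None or p.encr in WEAK_ENCR:
            return False
        if p.encr not in AEAD and (p.integ is None or p.integ in WEAK_INTEG):
            return False
    elif p.proto == "AH":
        if p.integ is None or p.integ in WEAK_INTEG:
            return False
    else:
        return False
    return p.mode in {"tunnel", "transport"}


def responder_select(offered: Sequence, acceptable: Callable):
    """The responder walks the initiator's list in the initiator's order of
    preference and returns the first transform its own policy accepts."""
    for p in offered:
        if acceptable(p):
            return p
    return None


def initiator_confirm(offered: Sequence, chosen):
    """The initiator must verify the responder's choice is one it actually sent;
    anything else means tampering or a misbehaving peer, and the negotiation aborts."""
    if chosen is None:
        raise ValueError("no proposal acceptable to the responder: negotiation fails")
    if chosen not in offered:
        raise ValueError("responder selected a transform that was never offered")
    return chosen


def negotiate(phase1_offer: Sequence, phase2_offer: Sequence) -> tuple:
    """Run both phases and return the agreed (phase 1, phase 2) transforms.
    Phase 2 only runs once phase 1 succeeds, since it is protected by the IKE SA."""
    p1 = initiator_confirm(phase1_offer, responder_select(phase1_offer, phase1_policy))
    p2 = initiator_confirm(phase2_offer, responder_select(phase2_offer, phase2_policy))
    return p1, p2


# Constructed offers. The initiator lists a legacy transform first: only the
# responder's policy keeps the negotiation from landing on 3DES/MD5/group 2.
LEGACY_FIRST = [
    Phase1Proposal("3DES", "MD5", "PSK", 2),
    Phase1Proposal("AES-CBC-256", "SHA2-256", "PSK", 14),
]
QUICK_MODE_OFFER = [
    Phase2Proposal("ESP", "AES-GCM-256", None, "tunnel", pfs_group=14),
    Phase2Proposal("AH", None, "HMAC-SHA2-256-128", "transport"),
]
```

The lesson for configuration review is that the outcome depends on both peers: a responder that accepted the legacy transform would have settled on 3DES/MD5 because the initiator listed it first, so weak transforms should be removed from the offer list rather than relied on to be rejected by the other side.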
FAQs
Quick Mode occurs after Main Mode, once IKE has established the secure tunnel in phase 1. Quick Mode negotiates the shared IPsec policy and the IPsec security algorithms, and manages the key exchange for establishing the IPsec SAs.
What is Internet Key Exchange (IKE) in regard to IPsec?
Internet Key Exchange (IKE) is a key management protocol that sets up a secure, authenticated communications channel between two devices. IKE negotiates and manages the IKE and IPsec parameters, authenticates the peers, and performs the key exchange from which the SA keys are derived.
What are the different modes of IPsec?
The IPsec standards define two distinct modes of operation, transport mode and tunnel mode. Transport mode protects the payload of the original IP packet and keeps its IP header, so it is used between the two endpoints of the traffic. Tunnel mode encapsulates the entire original packet inside a new IP packet with its own header, so it is used by gateways that protect traffic on behalf of other hosts. In either mode the packet is protected by AH, ESP, or both.
What is main mode in IKE?
Main Mode is the six-message IKEv1 phase 1 exchange. It protects the identities of the peers because the identity and authentication payloads are sent only after the Diffie-Hellman exchange, encrypted under the freshly derived keys. Main Mode is the recommended mode for IKEv1 negotiation if both peers support it.
What are the 6 messages in main mode?
Main Mode requires a total of six messages, three from the initiator and three from the responder: two to negotiate the IKE SA proposal, two to exchange Diffie-Hellman public values and nonces, and two (now encrypted) to exchange identities and authentication data. Aggressive Mode is faster, in that fewer messages are exchanged: it requires only three messages, two from the initiator and one from the responder.
What are the two types of key management techniques in IPsec?
Keys for IPsec can be managed in two main ways: manually or automatically. Manual key management means configuring static keys and SPIs on each IPsec endpoint by hand; the keys never change unless an administrator changes them, so it does not scale and offers no forward secrecy. Automatic key management uses IKE to authenticate the peers, negotiate the SAs and refresh the keys, and is what this page describes.
What is the difference between main mode and aggressive mode in IPsec?
Main Mode uses six messages, while Aggressive Mode uses only three. Main Mode also protects the identities of the endpoints by sending them encrypted, while Aggressive Mode sends them in clear text. With pre-shared key authentication, Aggressive Mode additionally sends the responder's authentication hash before any encryption is in place, so a passive observer can mount an offline dictionary attack on the pre-shared key. Therefore Main Mode is more secure but slower than Aggressive Mode, and Aggressive Mode with pre-shared keys should be avoided.
What are the three protocols used in IPsec?
The three main protocols comprising IPsec are Authentication Header (AH), Encapsulating Security Payload (ESP), and Internet Key Exchange (IKE). AH and ESP protect the data packets; IKE negotiates the SAs and keys that AH and ESP use.
What are the five steps of IPsec tunnel initiation?
While IPsec incorporates many component technologies and offers multiple encryption options, its basic operation consists of five main steps:
- Interesting traffic: a packet matching the IPsec policy (the on-demand trigger) starts the process.
- IKE Phase 1: the peers authenticate each other and establish the IKE SA.
- IKE Phase 2: the peers negotiate the IPsec SAs, one per direction.
- IPsec data transfer: traffic is protected with AH or ESP under the IPsec SAs.
- IPsec tunnel termination: the SAs are deleted when their lifetime expires or the tunnel is torn down, and are renegotiated if traffic continues.
What are the 3 major components of IPsec?
Components of IP Security
- Encapsulating Security Payload (ESP)
- Authentication Header (AH)
- Internet Key Exchange (IKE)
An IPsec Security Association (SA) is a simplex (one-way) connection that carries the negotiated ESP or AH parameters (protocol, algorithms, keys, SPI and lifetime) for traffic in one direction. If two systems communicate via ESP, they use two SAs, one for each direction.
What is quick mode in IPsec?
Quick Mode is the IKEv1 phase 2 exchange that establishes the IPsec SAs. It negotiates the shared IPsec policy (protocol, algorithms, mode and lifetime) and derives the keying material for each IPsec SA from the phase 1 key material, optionally with a fresh Diffie-Hellman exchange for Perfect Forward Secrecy. When the lifetime of an IPsec SA is about to expire, Quick Mode is run again to negotiate a replacement SA.
What is IKE in IPsec?
Internet Key Exchange (IKE, versioned as IKEv1 and IKEv2) is the protocol used to set up Security Associations (SAs) in the IPsec protocol suite. IKEv1 builds upon the Oakley key determination protocol and ISAKMP; IKEv2 (RFC 7296) replaces both with a single, simpler protocol.
What is the difference between IKEv1 and IKEv2?
IKEv2 provides the following benefits over IKEv1: it is considered more secure, more reliable (every request is acknowledged, and dead-peer detection and rekeying are built in) and faster. IKEv2 endpoints exchange fewer messages to establish a tunnel: IKEv2 uses four messages (the IKE_SA_INIT and IKE_AUTH exchanges, two messages each) to set up both the IKE SA and the first IPsec SA, where IKEv1 uses either six messages (Main Mode) or three messages (Aggressive Mode) for phase 1 plus three more for Quick Mode. IKEv2 also has no Aggressive Mode and supports EAP authentication and MOBIKE natively.
What are the two modes in which IPsec can be configured to run?
AH and ESP are the two protocols that actually protect user data, and each of them can run in either transport mode or tunnel mode.
What are the two modes supported by IPsec?
In order to authenticate data packets and guarantee their integrity, IPsec includes two protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload). Both protocols, in turn, support two encapsulation modes: tunnel mode and transport mode.