Internet Protocol Security (IPSec) is a standard suite of IP security extensions: a collection of protocols that is used as an add-on for IPv4 and is integrated into IPv6.
Each IPsec VPN uses two security associations, one for encrypted transmission and the other for encrypted reception. Thus, each IPsec VPN is composed of two simplex communication channels that are independently encrypted.
Protocols used in IPSec
IPSec is made up of the following protocols:
- AH
- ESP
- HMAC
- IPComp
- IKE
Authentication Header
Authentication Header (AH) provides authentication and integrity.
ESP
Encapsulating Security Payload (ESP) provides confidentiality and integrity.
Confidentiality is achieved with symmetric encryption, AES in modern implementations.
ESP operation modes:
- Transport mode
- Tunnel mode
A warning: ESP in transport mode encrypts only the payload, so the original IP header (including source and destination addresses) travels in cleartext.
HMAC
Hash-based Message Authentication Code (HMAC) is the primary hashing mechanism of IPSec; it produces the integrity check values that AH and ESP use to detect modified packets.
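As an added example (not code from the page), the following Python models what ESP protects in each mode and how the HMAC integrity check rejects a modified packet. It assumes a minimal IPv4-style header with constructed addresses, and a SHAKE-256 keystream standing in for AES because the Python standard library has no AES; the integrity check value (ICV) is a real HMAC-SHA-256 truncated to 128 bits, as RFC 4868 specifies.

```python
"""Toy ESP packet protection in transport and tunnel mode (added example)."""
import hashlib
import hmac
import os
import struct

ESP_PROTO = 50        # IP protocol number for ESP
IPIP_PROTO = 4        # "next header" value for an encapsulated IP packet (tunnel mode)
ICV_LEN = 16          # HMAC-SHA-256-128: 256-bit tag truncated to 128 bits (RFC 4868)
IP_HDR_LEN = 20
IP_HDR_FMT = "!BBHHHBBH4s4s"

# Constructed sample addresses: two hosts and the two VPN gateways in front of them.
HOST_A, HOST_B = bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1])
GW_A, GW_B = bytes([198, 51, 100, 1]), bytes([203, 0, 113, 1])


def build_ip_packet(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4-style header (checksum left at zero; illustration only)."""
    return struct.pack(IP_HDR_FMT, 0x45, 0, IP_HDR_LEN + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload


def parse_ip_header(packet: bytes) -> dict:
    f = struct.unpack(IP_HDR_FMT, packet[:IP_HDR_LEN])
    return {"proto": f[6], "src": f[8], "dst": f[9]}


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CTR: XOR with a SHAKE-256 keystream. Real ESP uses
    AES-GCM or AES-CBC plus HMAC; only *what* gets encrypted matters here."""
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_protect(mode, packet, enc_key, auth_key, spi, seq, outer_src=None, outer_dst=None):
    """Wrap an IP packet in ESP. Transport mode keeps the original header in
    clear and encrypts only the payload; tunnel mode encrypts the whole packet
    and prepends a new outer header carrying the gateway addresses."""
    hdr = parse_ip_header(packet)
    if mode == "transport":
        inner, next_hdr = packet[IP_HDR_LEN:], hdr["proto"]
        outer_src, outer_dst = hdr["src"], hdr["dst"]
    elif mode == "tunnel":
        inner, next_hdr = packet, IPIP_PROTO
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    nonce = os.urandom(8)
    # The ESP trailer carries the next-header byte; here it is appended before encryption.
    ciphertext = keystream_xor(enc_key, nonce, inner + bytes([next_hdr]))
    body = struct.pack("!II", spi, seq) + nonce + ciphertext
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]  # encrypt-then-MAC
    return build_ip_packet(outer_src, outer_dst, ESP_PROTO, body + icv)


def esp_unprotect(mode, packet, enc_key, auth_key):
    """Verify the ICV first, then decrypt. Returns the original packet, or None
    when the integrity check fails (a real stack silently drops such packets)."""
    outer = parse_ip_header(packet)
    if outer["proto"] != ESP_PROTO:
        return None
    esp = packet[IP_HDR_LEN:]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    nonce, ciphertext = body[8:16], body[16:]
    plaintext = keystream_xor(enc_key, nonce, ciphertext)
    inner, next_hdr = plaintext[:-1], plaintext[-1]
    if mode == "transport":
        return build_ip_packet(outer["src"], outer["dst"], next_hdr, inner)
    return inner   # tunnel mode: the inner packet is complete, outer header discarded


def demo(mode: str) -> dict:
    """Protect one constructed packet and report what stays visible on the wire."""
    enc_key, auth_key = os.urandom(16), os.urandom(32)
    original = build_ip_packet(HOST_A, HOST_B, 6, b"secret application data")
    wire = esp_protect(mode, original, enc_key, auth_key, spi=0x1000, seq=1,
                       outer_src=GW_A, outer_dst=GW_B)
    tampered = bytearray(wire)
    tampered[IP_HDR_LEN + 20] ^= 0x01          # flip one ciphertext bit
    return {
        "visible_src": parse_ip_header(wire)["src"],
        "payload_visible": b"secret" in wire,
        "round_trip_ok": esp_unprotect(mode, wire, enc_key, auth_key) == original,
        "tamper_detected": esp_unprotect(mode, bytes(tampered), enc_key, auth_key) is None,
    }
```

Running demo("transport") shows HOST_A as the visible source address, while demo("tunnel") shows only the gateway GW_A; in both modes the payload is hidden and a single flipped bit makes the receiver drop the packet. The receiver knows which mode applies from the security association the SPI selects, which is why the mode is passed in rather than parsed from the wire.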
IPComp
IP Payload Compression (IPComp) compresses the payload before ESP encryption; the order matters because encrypted data looks random and cannot be compressed afterwards.
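The following added example (not from the page) shows why IPComp has to run before the ESP cipher. It builds the 4-byte IPComp header with the well-known DEFLATE transform (CPI 2, RFC 3173), applies the RFC 3173 rule that a payload goes out uncompressed when compression would not shrink it, and compares the wire size for both orders. The sample payload and keys are constructed, and the "encryption" is a SHAKE-256 keystream standing in for the ESP cipher since the standard library has no AES.

```python
"""IPComp-style compression placed before vs. after encryption (added example)."""
import hashlib
import struct
import zlib

CPI_DEFLATE = 2     # well-known Compression Parameter Index for DEFLATE (RFC 3173)
TCP, ESP = 6, 50    # IP protocol numbers used as "next header" values


def ipcomp_compress(next_header: int, payload: bytes):
    """Return (compressed?, bytes). The IPComp header is next header, flags
    (zero) and the CPI. If header + compressed data is not smaller than the
    original payload, RFC 3173 requires sending the payload unchanged."""
    comp = zlib.compressobj(level=6, wbits=-15)      # raw DEFLATE, no zlib framing
    data = comp.compress(payload) + comp.flush()
    header = struct.pack("!BBH", next_header, 0, CPI_DEFLATE)
    if len(header) + len(data) >= len(payload):
        return False, payload
    return True, header + data


def ipcomp_decompress(packet: bytes):
    """Inverse of ipcomp_compress for a packet that carries an IPComp header."""
    next_header, _flags, cpi = struct.unpack("!BBH", packet[:4])
    if cpi != CPI_DEFLATE:
        raise ValueError("unsupported CPI %d" % cpi)
    d = zlib.decompressobj(wbits=-15)
    return next_header, d.decompress(packet[4:]) + d.flush()


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the ESP cipher: XOR with a SHAKE-256 keystream."""
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# Constructed sample: a highly redundant application payload, as HTTP often is.
SAMPLE_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 100
KEY, NONCE = b"k" * 16, b"n" * 8    # constructed test values, not for real use


def compare_orders(payload: bytes = SAMPLE_PAYLOAD) -> dict:
    """Bytes on the wire when compressing before vs. after encryption."""
    # IPComp then ESP: the order the IPSec stack uses.
    used, compressed = ipcomp_compress(TCP, payload)
    right_order = stream_encrypt(KEY, NONCE, compressed)
    # ESP then IPComp: the ciphertext looks random, DEFLATE cannot shrink it,
    # and the RFC 3173 rule falls back to sending it as-is.
    ciphertext = stream_encrypt(KEY, NONCE, payload)
    used_late, wrong_order = ipcomp_compress(ESP, ciphertext)
    return {
        "plaintext_len": len(payload),
        "compress_then_encrypt_len": len(right_order),
        "encrypt_then_compress_len": len(wrong_order),
        "ipcomp_used_before_encrypt": used,
        "ipcomp_used_after_encrypt": used_late,
    }


def round_trip(payload: bytes = SAMPLE_PAYLOAD) -> bool:
    """Compressed payload decompresses back to the original with its next header."""
    used, out = ipcomp_compress(TCP, payload)
    return used and ipcomp_decompress(out) == (TCP, payload)
```

With the constructed 4600-byte payload, compressing first yields a few dozen bytes on the wire, while compressing the ciphertext saves nothing and the packet leaves at full size without an IPComp header.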
IKEv2
Internet Key Exchange version 2 (IKEv2) is the key-exchange mechanism that IPSec uses to negotiate the security associations and keys its encryption relies on.
It is composed of three elements:
- OAKLEY
- SKEME
- ISAKMP
OAKLEY
OAKLEY is a key generation and exchange protocol similar to Diffie-Hellman.
SKEME
Secure Key Exchange Mechanism (SKEME) is a means to exchange keys securely.
ISAKMP
Internet Security Association and Key Management Protocol (ISAKMP) is used to organize and manage the encryption keys that have been generated and exchanged by OAKLEY.
It uses two security associations per VPN, enabling IPSec to support multiple simultaneous VPNs from each host.
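As an added example (not code from the page, and not IKE's exact key layout), the following Python carries a Diffie-Hellman exchange through to the pair of one-way security associations described above, one outbound and one inbound per peer. The prime is a toy 127-bit Mersenne prime chosen so the numbers stay readable; real IKE uses the RFC 3526 MODP groups or elliptic curves. The key expansion follows the shape of IKEv2's prf+ (RFC 7296, section 2.13), but the split of keying material into per-direction keys is a simplification made for this example.

```python
"""Diffie-Hellman exchange feeding a pair of one-way security associations (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

P = 2**127 - 1   # toy prime modulus, constructed for illustration only
G = 3
KEY_LEN = 32     # bytes of keying material per key


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared_secret(private: int, peer_public: int) -> bytes:
    """Combine our private exponent with the peer's public value."""
    # Reject the degenerate public values 1 and p-1, which force a predictable secret.
    if peer_public <= 1 or peer_public >= P - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, P).to_bytes(16, "big")


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """HMAC-SHA-256 expansion in the style of IKEv2 prf+:
    T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([n]), hashlib.sha256).digest()
        out += t
        n += 1
    return out[:length]


@dataclass
class SecurityAssociation:
    spi: int                # SPI chosen by the *receiving* side of this direction
    direction: str          # "out" or "in"
    enc_key: bytes
    auth_key: bytes
    seq: int = 0            # anti-replay sequence counter


def derive_sa_pair(shared: bytes, nonce_i: bytes, nonce_r: bytes,
                   spi_i: int, spi_r: int, initiator: bool):
    """Derive (outbound SA, inbound SA) for one side. Both sides compute the same
    key block; they differ only in which half each labels outbound.
    Simplified layout: [enc i->r][auth i->r][enc r->i][auth r->i]."""
    skeyseed = hmac.new(nonce_i + nonce_r, shared, hashlib.sha256).digest()
    keymat = prf_plus(skeyseed, nonce_i + nonce_r, 4 * KEY_LEN)
    chunks = [keymat[i * KEY_LEN:(i + 1) * KEY_LEN] for i in range(4)]
    i_to_r, r_to_i = (chunks[0], chunks[1]), (chunks[2], chunks[3])
    if initiator:
        return (SecurityAssociation(spi_r, "out", *i_to_r),
                SecurityAssociation(spi_i, "in", *r_to_i))
    return (SecurityAssociation(spi_i, "out", *r_to_i),
            SecurityAssociation(spi_r, "in", *i_to_r))


def simulate_exchange() -> dict:
    """Run the exchange for both peers and compare the resulting SAs."""
    xi, pub_i = dh_keypair()
    xr, pub_r = dh_keypair()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    # SPI values 1-255 are reserved, so force the chosen SPIs above that range.
    spi_i, spi_r = secrets.randbits(32) | 0x100, secrets.randbits(32) | 0x100
    i_out, i_in = derive_sa_pair(dh_shared_secret(xi, pub_r), nonce_i, nonce_r, spi_i, spi_r, True)
    r_out, r_in = derive_sa_pair(dh_shared_secret(xr, pub_i), nonce_i, nonce_r, spi_i, spi_r, False)
    return {
        "keys_agree": i_out.enc_key == r_in.enc_key and r_out.enc_key == i_in.enc_key,
        "directions_independent": i_out.enc_key != i_in.enc_key,
        "spi_matches": i_out.spi == r_in.spi == spi_r and r_out.spi == i_in.spi == spi_i,
    }
```

simulate_exchange() reports that each peer's outbound keys equal the other peer's inbound keys, that the two directions use different keys, and that the SPI on each outbound SA is the one the receiver picked, which is what lets one host keep many VPNs apart.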