HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 29
IPsec Basics: Internet Key Exchange and the SADB
UPC - 882780301016
View all HP 635n manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 29 highlights
IP TCP Print Data Configured by Administrator Does IP Traffic Require IPsec Protection? Consult IPsec Policy IPsec Policy Database Require IPsec Entry in the Security Association Database (SADB)? NO YES Security Association Database Call on IKE to populate the SADB Ethernet IP IPsec [TCP] [Print Data] Figure 24 - IKE In Figure 24, we can see that if there are no entries in the SADB, then IKE is called upon to populate an entry. What exactly is IKE populating? IKE is establishing two Security Associations (SAs) for IPsec. These SAs will be stored in the SADB - one is for transmitting IPsec traffic and one is for receiving IPsec traffic. Any communication that matches Rule 2 in the IPsec policy will use the transmit SA to retrieve the secret keys for the cryptographic algorithms as well as other information IPsec uses too. IPsec will then use this information to construct the packet shown in Figure 23. IPsec Basics: Internet Key Exchange and the SADB IKE is a protocol that uses UDP/IP to negotiate with another computer system in order to derive security parameters. IKE can be used for many security protocols, but to date, its most widespread implementation is for IPsec. Because IKE is being used to get security parameters for IPsec, we know that IKE cannot use IPsec to secure its own communication; otherwise, there would be a chicken-egg situation and an endless loop! Let's look at the things IKE will be responsible for: • Establishing a secure communication channel independent of IPsec. IKE needs this secure communication channel to be established so that it can establish the IPsec SAs securely. It would do IPsec no good if IKE established the IPsec SAs without any security since an attacker would just need to capture the IKE negotiation to decrypt later IPsec communication. In short, IKE needs to establish an IKE Security Association for itself to secure its communications. • Mutually authenticate to the other computer system • Negotiate and establish IPsec SAs. 29