HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 29

IPsec Basics: Internet Key Exchange and the SADB



[Figure 24: flow chart. An outbound datagram (IP / TCP / Print Data) is checked against the IPsec Policy Database, which is configured by the administrator: "Does IP traffic require IPsec protection?" If the answer is "Require IPsec", the next check is "Entry in the Security Association Database (SADB)?" NO: call on IKE to populate the SADB. YES: the datagram is protected and sent as Ethernet / IP / IPsec / [TCP] / [Print Data].]
Figure 24 - IKE
In Figure 24, we can see that if there is no entry in the SADB for this traffic, IKE is called upon to populate one. What exactly is IKE populating? IKE is establishing two Security Associations (SAs) for IPsec. IPsec SAs are unidirectional, so the two are stored in the SADB as a pair: one for transmitting IPsec traffic and one for receiving it. Any communication that matches Rule 2 in the IPsec policy will use the transmit SA to retrieve the secret keys for the cryptographic algorithms, along with the other parameters IPsec needs, such as the SPI that identifies the SA and the algorithms negotiated for it. IPsec then uses this information to construct the packet shown in Figure 23.
IPsec Basics: Internet Key Exchange and the SADB
IKE is a protocol that uses UDP/IP to negotiate with another computer system in order to derive security parameters. IKE can be used for many security protocols, but to date its most widespread use is for IPsec. Because IKE is used to obtain the security parameters for IPsec, IKE cannot rely on IPsec to secure its own communication; otherwise there would be a chicken-and-egg problem. Let's look at the things IKE is responsible for:
• Establishing a secure communication channel independent of IPsec. IKE needs this channel so that it can establish the IPsec SAs securely. It would do IPsec no good if IKE negotiated the IPsec SAs without protection: an attacker who captured an unprotected negotiation could recover the keying material and decrypt later IPsec communication. In short, IKE needs to establish an IKE Security Association for itself to secure its communications.
• Mutually authenticating to the other computer system. Without authentication the secure channel could just as well be set up with an impostor, so the keys would be secret but shared with the wrong party.
• Negotiating and establishing the IPsec SAs.
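The Figure 24 decision path and the three IKE responsibilities just listed, as one added Python example that is not part of HP's document or of any device firmware. The policy table, the SADB and the IKE run are hypothetical in-process stand-ins: a group 14 Diffie-Hellman exchange builds the IKE SA, a pre-shared-key AUTH MAC over the transcript provides mutual authentication, and a simplified HKDF-style key schedule stands in for IKEv2's prf+. The protected packet built at the end is ESP-NULL with a truncated HMAC-SHA-256 ICV, because the standard library has no AES. Addresses, port, rule numbering and the PSK are constructed for the example.

```python
# Added example (not HP's code): the Figure 24 decision path written out, with a minimal
# IKE-style negotiation between two in-process peers. Names, addresses and PSK are hypothetical.
import hashlib
import hmac
import os
from dataclasses import dataclass

# RFC 3526 group 14 (2048-bit MODP) prime and generator for the Diffie-Hellman step.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

@dataclass
class SA:                 # one unidirectional IPsec SA as stored in the SADB
    spi: int
    auth_key: bytes       # ESP-NULL + truncated HMAC-SHA-256 here, since stdlib has no AES
    seq: int = 0          # ESP sequence number, advanced on the transmit SA

# IPsec policy (SPD) as (dst ip, dst port, action); "*" and 0 are wildcards. Hypothetical
# Rule 2 of the text: print traffic on TCP/9100 requires IPsec, everything else is bypassed.
SPD = [("*", 9100, "require"), ("*", 0, "bypass")]
SADB = {}                 # (peer ip, "out" | "in") -> SA, populated only by IKE

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def lookup_policy(dst_ip: str, dst_port: int) -> str:
    for ip, port, action in SPD:        # first match wins, as in an ordered policy table
        if ip in ("*", dst_ip) and port in (0, dst_port):
            return action
    return "discard"                    # no rule matched: fail closed

def auth_mac(psk: bytes, role: bytes, transcript: bytes) -> bytes:
    return prf(prf(psk, b"Key Pad for IKEv2"), role + transcript)   # PSK-based AUTH payload

def ike_exchange(peer_ip: str, psk_local: bytes, psk_peer: bytes) -> None:
    """Runs both peers in-process; installs a transmit/receive SA pair only on success."""
    # Step 1, the IKE SA: DH gives a secret no passive observer of this UDP exchange can
    # compute, and the nonces make SKEYSEED fresh per session. IPsec does not protect this.
    a, b = int.from_bytes(os.urandom(32), "big"), int.from_bytes(os.urandom(32), "big")
    pub_i, pub_r = pow(G, a, P), pow(G, b, P)
    n_i, n_r = os.urandom(32), os.urandom(32)
    secret_i, secret_r = pow(pub_r, a, P), pow(pub_i, b, P)
    assert secret_i == secret_r         # both sides hold the same DH secret
    skeyseed = prf(n_i + n_r, secret_i.to_bytes(256, "big"))
    # Step 2, mutual authentication: each side MACs the transcript under its PSK, the other
    # recomputes it under its own; a mismatch aborts before any child SA exists.
    transcript = pub_i.to_bytes(256, "big") + pub_r.to_bytes(256, "big") + n_i + n_r
    auth_i = auth_mac(psk_local, b"I", transcript)      # sent by the initiator
    auth_r = auth_mac(psk_peer, b"R", transcript)       # sent by the responder
    responder_ok = hmac.compare_digest(auth_i, auth_mac(psk_peer, b"I", transcript))
    initiator_ok = hmac.compare_digest(auth_r, auth_mac(psk_local, b"R", transcript))
    if not (responder_ok and initiator_ok):
        raise PermissionError(f"IKE authentication with {peer_ip} failed; SADB unchanged")
    # Step 3, the IPsec SAs: separate keys and SPIs per direction, one SADB entry each.
    keymat = prf(skeyseed, n_i + n_r)                   # simplified stand-in for prf+
    SADB[(peer_ip, "out")] = SA(int.from_bytes(os.urandom(4), "big"), prf(keymat, b"i->r"))
    SADB[(peer_ip, "in")] = SA(int.from_bytes(os.urandom(4), "big"), prf(keymat, b"r->i"))

def send(dst_ip: str, dst_port: int, payload: bytes, psk_local: bytes, psk_peer: bytes):
    """Figure 24 top to bottom: consult the policy, then the SADB, then IKE on a miss."""
    action = lookup_policy(dst_ip, dst_port)
    if action == "bypass":
        return ("clear", payload)
    if action == "discard":
        return ("dropped", b"")
    if (dst_ip, "out") not in SADB:
        try:
            ike_exchange(dst_ip, psk_local, psk_peer)
        except PermissionError:
            return ("dropped", b"")     # IKE failed: never fall back to sending in clear
    sa = SADB[(dst_ip, "out")]
    sa.seq += 1
    header = sa.spi.to_bytes(4, "big") + sa.seq.to_bytes(4, "big")   # ESP: SPI || seq
    icv = prf(sa.auth_key, header + payload)[:16]                    # HMAC-SHA-256-128
    return ("esp", header + payload + icv)

def check_icv(sa: SA, packet: bytes) -> bool:
    # The peer's receive-side check; its receive SA holds the same key as our transmit SA.
    body, icv = packet[:-16], packet[-16:]
    return hmac.compare_digest(icv, prf(sa.auth_key, body)[:16])

if __name__ == "__main__":
    psk = b"printer-and-print-server-shared-secret"   # constructed demo PSK
    first = send("10.0.0.50", 9100, b"%!PS-Adobe-3.0 job", psk, psk)
    second = send("10.0.0.50", 9100, b"more print data", psk, psk)
    print(first[0], second[0], first[1][:4] == second[1][:4])   # same SPI: SA was reused
```

The first datagram to the print server misses in the SADB and triggers the IKE run; the second finds the transmit SA and carries the same SPI with the next sequence number. The branch to keep in mind on a printing device is the `except PermissionError` in `send()`: when the peer's pre-shared key does not match, the SADB stays empty and the datagram is dropped, which is the only correct outcome for a "require IPsec" rule; falling back to clear text would silently defeat the policy.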