HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 30

Because IKE is so important, we are going to go through a simple construction analogy to better

Get HP 635n - JetDirect IPv6/IPsec Print Server PDF manuals and user guides
UPC - 882780301016
View all HP 635n manuals
Add to My Manuals
Save this manual to your list of manuals

Page 30 highlights

Because IKE is so important, we are going to go through a simple construction analogy to better illustrate the key concepts. The IPsec Policy Corporation is expanding and has decided it needs a new building. The IPsec Policy Corporation has hired IKE Construction to build this company building. The company building will be very tall and will require two large cranes. IKE Construction doesn't have any cranes so it decides to build a small crane which will then be used to build the two larger cranes. IKE Construction gets together the suppliers and builders in order to build the small crane. Because there are many suspect suppliers, the IKE Corporation gives its valid builders and valid suppliers two secret passwords so that when they meet, they may authenticate each other. The builders and suppliers discuss various proposals about the materials that will be used to build the small crane. The stronger the steel that the crane will use limits the number of steel suppliers. The stronger the bolts that are used to hold the steel together also limits the number of suppliers. Finally, after many proposals, the builders and suppliers agree on one proposal. Once this proposal has been accepted, the first secret password is exchanged. If that password is valid, then the next secret password is exchanged. If that secret password is valid, then the contract is finalized and the small crane is built. Now, the same proposal process happens again for the two larger cranes. When the builders and suppliers agree on one proposal for both the large cranes, no secrets need to be exchanged because IKE Construction is using the same builders and suppliers for the large cranes as it did for the small crane. Therefore, the small crane can begin building the two large cranes. Once the large cranes have been built, IKE Construction can now work on building the actual building for IPsec Policy Corporation. As the building is being built, the larger cranes begin to suffer wear and tear. The smaller crane disassembles the larger cranes and rebuilds them, replacing worn out parts with new parts. Depending on the agreement between the builders and suppliers, the parts that are not worn out could be reused in the newly rebuilt cranes. Also, but less frequently, the small crane gets worn out too and must be rebuilt every so often. There are a few takeaways from this analogy: • The small crane represents the IKE Security Association (SA) • To establish an IKE SA, a proposal of the cryptographic algorithms must be accepted which is represented by the proposals between the builders and suppliers • IKE must authenticate the endpoints specified by the IPsec Policy - which is represented through the secret passwords here. • The process of building the small crane is called IKE Phase 1 • The IKE SA is used to build two IPsec SAs which are represented by the two large cranes. • The IPsec SAs are constructed via a different set of proposals than the IKE SA. • The process of building the two large cranes is called IKE Phase 2 • When the IPsec SAs expire or when the two large cranes suffer wear and tear, new IPsec SAs (large cranes) are rebuilt using the IKE SA (small crane). • IPsec SAs can require Perfect Forward Secrecy which represented when no parts from the worn out large crane can be reused in the next large crane being built • The IKE SA (small crane) can also expire and must be rebuilt as well. We will start with IKE Phase 1 which will establish the IKE SA. IKE Phase 1 can be done in one of two modes: Main Mode or Aggressive Mode (back to our analogy, you can think of these modes as the difference between "formal" negotiations - or main mode - and "aggressive" negotiations). For the purposes of this whitepaper, only Main Mode will be used. Main Mode looks like the following: 30

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
30
Because IKE is so important, we are going to go through a simple construction analogy to better
illustrate the key concepts.
The IPsec Policy Corporation is expanding and has decided it needs a new building.
The IPsec Policy Corporation has hired
IKE Construction to build this company building.
The company building will be very tall and will require two large cranes.
IKE
Construction doesn’t have any cranes so it decides to build a small crane which will then be used to build the two larger
cranes.
IKE Construction gets together the suppliers and builders in order to build the small crane.
Because there are many
suspect suppliers, the IKE Corporation gives its valid builders and valid suppliers two secret passwords so that when they meet,
they may authenticate each other.
The builders and suppliers discuss various proposals about the materials that will be used to
build the small crane.
The stronger the steel that the crane will use limits the number of steel suppliers.
The stronger the bolts
that are used to hold the steel together also limits the number of suppliers.
Finally, after many proposals, the builders and
suppliers agree on one proposal.
Once this proposal has been accepted, the first secret password is exchanged.
If that
password is valid, then the next secret password is exchanged.
If that secret password is valid, then the contract is finalized
and the small crane is built.
Now, the same proposal process happens again for the two larger cranes.
When the builders
and suppliers agree on one proposal for both the large cranes, no secrets need to be exchanged because IKE Construction is
using the same builders and suppliers for the large cranes as it did for the small crane.
Therefore, the small crane can begin
building the two large cranes.
Once the large cranes have been built, IKE Construction can now work on building the actual
building for IPsec Policy Corporation.
As the building is being built, the larger cranes begin to suffer wear and tear.
The
smaller crane disassembles the larger cranes and rebuilds them, replacing worn out parts with new parts.
Depending on the
agreement between the builders and suppliers, the parts that are not worn out could be reused in the newly rebuilt cranes.
Also, but less frequently, the small crane gets worn out too and must be rebuilt every so often.
There are a few takeaways from this analogy:
The small crane represents the IKE Security Association (SA)
To establish an IKE SA, a proposal of the cryptographic algorithms must be accepted which is represented by the
proposals between the builders and suppliers
IKE must authenticate the endpoints specified by the IPsec Policy – which is represented through the secret passwords
here.
The process of building the small crane is called IKE Phase 1
The IKE SA is used to build two IPsec SAs which are represented by the two large cranes.
The IPsec SAs are constructed via a different set of proposals than the IKE SA.
The process of building the two large cranes is called IKE Phase 2
When the IPsec SAs expire or when the two large cranes suffer wear and tear, new IPsec SAs (large cranes) are
rebuilt using the IKE SA (small crane).
IPsec SAs can require Perfect Forward Secrecy which represented when no parts from the worn out large crane can
be reused in the next large crane being built
The IKE SA (small crane) can also expire and must be rebuilt as well.
We will start with IKE Phase 1 which will establish the IKE SA.
IKE Phase 1 can be done in one of
two modes: Main Mode or Aggressive Mode (back to our analogy, you can think of these modes as
the difference between “formal” negotiations – or main mode – and “aggressive” negotiations).
For
the purposes of this whitepaper, only Main Mode will be used.
Main Mode looks like the following: