HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 36

IKE Phase 2/Quick Mode - jetdirect review


Figure 28 – HP Jetdirect Authentication Method

Unfortunately, many pass-phrases like this one are configured once and then never changed. There is no enforcement of a Pre-Shared Key change, and Microsoft and HP do not recommend that Pre-Shared Key authentication be deployed in a production environment. Our attacker Jane can begin a brute force search for the Pre-Shared Key password by attempting to communicate with an IPsec node and trying a variety of different Pre-Shared Key values.

The great benefit of Pre-Shared Key authentication is that it makes it easy to test and gain experience with IPsec in a lab environment. It is also a good way to explain how IPsec works. Although we have two other forms of authentication to cover, let’s stop here with Pre-Shared Key authentication and talk about IKE Phase 2 and IPsec SA negotiation. We’ll cover the Kerberos and Certificate methods of IKE authentication later in the whitepaper.

IKE Phase 2/Quick Mode

Note: The proposals for IKE Phase 1 concern the establishment of the IKE SA. Therefore, it is possible to use different confidentiality and encryption algorithms for the establishment of the IKE SA than for the establishment of the IPsec SA. In the author’s opinion, this flexibility is offset by the amount of confusion it causes. For the purposes of this whitepaper, the algorithms proposed in the IPsec SA establishment phase (Phase 2 or Quick Mode – refer again to Table 2) are the same ones that will be used for the IKE SA establishment phase.

It is important to review where we are at this point – we have covered a whole lot of information and there is still much more to come! The good news is that we have already done the first six entries, we are on IKE Phase 2, and we have five more entries to cover. Here is our list:

• An application decided to print data to a printer
• The first packet sent to the printer is intercepted within the host’s IP stack by IPsec without the application’s knowledge
• IPsec checks the IPsec policy and determines that the packet needs to be protected by IPsec
• IPsec checks the SADB and sees that there are no entries for this packet
• IPsec calls on IKE to populate the SADB
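
The list entries above describe what the sending host does with an outbound packet: policy check, SADB check, and a call to IKE on a miss. The sketch below is an added example, not code from the whitepaper, HP or Microsoft; the Rule and Host classes, the addresses, port 9100 as the print port, and the drop-on-no-match default are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import NamedTuple, Optional

class Packet(NamedTuple):        # the selectors IPsec looks at
    src: str
    dst: str
    dport: int

@dataclass
class Rule:                      # one IPsec policy entry (hypothetical shape)
    dst_net: str
    dport: Optional[int]         # None matches any port
    action: str                  # "PROTECT" or "BYPASS"
    def matches(self, p: Packet) -> bool:
        in_net = ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
        return in_net and self.dport in (None, p.dport)

@dataclass
class Host:
    policy: list
    sadb: dict = field(default_factory=dict)   # packet selectors -> SA
    ike_runs: int = 0

    def ike_negotiate(self, p: Packet) -> dict:
        # Stand-in for IKE Phase 1 + Phase 2; a real SA also holds keys and lifetimes.
        self.ike_runs += 1
        self.sadb[p] = {"spi": 0x1000 + self.ike_runs, "proto": "ESP"}
        return self.sadb[p]

    def send(self, p: Packet) -> str:
        # Policy check: first matching rule wins; no match is dropped (example's choice).
        action = next((r.action for r in self.policy if r.matches(p)), "DISCARD")
        if action != "PROTECT":
            return action
        sa = self.sadb.get(p)                # SADB check
        if sa is None:                       # no entry: IPsec calls on IKE
            return f"IKE, then ESP spi={self.ike_negotiate(p)['spi']:#x}"
        return f"ESP spi={sa['spi']:#x}"

def demo():
    # Constructed sample: documentation addresses; 9100 assumed as the print port.
    host = Host([Rule("192.0.2.50/32", 9100, "PROTECT"),
                 Rule("192.0.2.0/24", None, "BYPASS")])
    job = Packet("192.0.2.10", "192.0.2.50", 9100)
    results = [host.send(p) for p in (job, job,
               Packet("192.0.2.10", "192.0.2.77", 80),
               Packet("192.0.2.10", "198.51.100.9", 443))]
    return results, host.ike_runs
```

Only the first packet of the print job triggers IKE; the second finds the SA already in the SADB and goes straight to ESP.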