HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 37
• IKE establishes an SA for itself by negotiating security parameters, exchanging secret key material, and mutually authenticating both endpoints (via Pre-Shared Key).
• Using the SA negotiated by IKE between the initiator and responder, IKE can then safely negotiate two IPsec SAs (IKE Phase 2, also referred to as IKE Quick Mode), one for each data flow direction, and puts them in the SADB.

NOTE: IKE populates the SADB on both the initiator and responder.

• IPsec uses these entries to provide IPsec protection to the packet and sends the packet out on the network.
• The printer receives the IPsec-protected packet and checks the SADB for a matching entry based upon the IP addresses and Security Parameters Index (SPI).
• IPsec decrypts the packet and then checks the Security Policy to make sure the proper protection was used for the packet.
• IPsec strips off the IPsec headers and puts the packet back to normal.
• IPsec forwards the normal packet to the higher layers as if IPsec processing never occurred.

IKE Phase 2/Quick Mode is fairly straightforward. It uses the secure channel set up by IKE Phase 1 to negotiate the actual keys and parameters (i.e., Security Associations) that IPsec will use to protect the actual data. Here are some important items:

• ESP
• ESP Confidentiality Algorithm
• ESP Authentication Algorithm
• Transport Mode
• IPsec SA Lifetimes
• Perfect Forward Secrecy (i.e., DH Groups being specified)

These items are specific to IKE Phase 2 and were not negotiated during IKE Phase 1. For the purpose of this whitepaper, IKE Phase 2 is very straightforward, since we are using IPsec in a very specific configuration of ESP with authentication and confidentiality, transport mode, and recommending only certain cryptographic algorithms. Sometimes the differences between IKE Phase 1 and IKE Phase 2 can be confusing. Let's go through a question and answer session so that we can fully understand these concepts before moving on.
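The receive-side steps listed above (SADB lookup by address and SPI, integrity check, Security Policy check, header stripping) as an added Python model. This is example code written for this page, not HP's firmware or any IPsec stack. The ESP integrity check is a real HMAC computation with the RFC 4868 / RFC 2403 truncations, but the confidentiality transform is not implemented (the payload is carried in the clear, as marked in the code), and all addresses, SPIs, keys and algorithm names are constructed sample values. It also shows the two per-direction SAs carrying distinct SPIs and keys, and why the Security Policy check after the SA lookup matters: an SA whose negotiated protection is weaker than the policy requires is rejected even though its packets authenticate correctly.

```python
"""Model of inbound ESP processing on the printer (added example, stdlib only).

Not HP code.  Encryption is NOT implemented: the payload travels in the clear
so that the SADB -> ICV -> SPD -> strip flow can be run and inspected.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# ESP authentication algorithms modelled: (hash function, truncated ICV bytes)
AUTH_ALGS = {
    "HMAC-SHA-256-128": (hashlib.sha256, 16),  # RFC 4868: 256-bit HMAC cut to 128 bits
    "HMAC-MD5-96": (hashlib.md5, 12),          # RFC 2403: 128-bit HMAC cut to 96 bits
}
ESP_HDR_LEN = 8  # SPI (4 bytes) + sequence number (4 bytes)

# Constructed sample addresses from TEST-NET-1 (RFC 5737)
PRINTER, HOST = "192.0.2.10", "192.0.2.20"


@dataclass(frozen=True)
class SecurityAssociation:
    """One SADB entry as IKE Quick Mode would install it (one per direction)."""
    spi: int
    src: str
    dst: str
    mode: str       # "transport" or "tunnel"
    enc_alg: str    # ESP confidentiality algorithm (label only in this model)
    auth_alg: str   # ESP authentication algorithm, key into AUTH_ALGS
    auth_key: bytes


@dataclass(frozen=True)
class SecurityPolicy:
    """SPD entry: the protection traffic between two hosts must have."""
    mode: str
    enc_algs: frozenset
    auth_algs: frozenset


class IPsecError(Exception):
    pass


def _icv(sa, data):
    """Integrity Check Value for data under the SA's authentication algorithm."""
    h, n = AUTH_ALGS[sa.auth_alg]
    return hmac.new(sa.auth_key, data, h).digest()[:n]


def build_esp(sa, seq, payload):
    """Outbound: ESP header + (unencrypted, see module docstring) payload + ICV."""
    body = struct.pack("!II", sa.spi, seq) + payload
    return body + _icv(sa, body)


def inbound_esp(sadb, spd, src, dst, packet):
    """Inbound: SADB lookup -> authenticate -> (decrypt) -> SPD check -> strip."""
    if len(packet) < ESP_HDR_LEN:
        raise IPsecError("truncated ESP packet")
    spi, _seq = struct.unpack("!II", packet[:ESP_HDR_LEN])
    # 1. match SADB entry on destination address and SPI (and sanity-check source)
    sa = sadb.get((dst, spi))
    if sa is None or sa.src != src:
        raise IPsecError(f"no SA for dst={dst} spi={spi:#010x}")
    # 2. the SA tells us which ICV length to expect; verify in constant time
    _h, n = AUTH_ALGS[sa.auth_alg]
    if len(packet) < ESP_HDR_LEN + n:
        raise IPsecError("truncated ESP packet")
    body, icv = packet[:-n], packet[-n:]
    if not hmac.compare_digest(icv, _icv(sa, body)):
        raise IPsecError("ICV mismatch: packet failed authentication")
    # (decryption of body[ESP_HDR_LEN:] would happen here; not modelled)
    # 3. check the Security Policy: was the proper protection actually used?
    policy = spd.get((dst, src))
    if policy is None:
        raise IPsecError("no SPD entry for this address pair")
    if (sa.mode != policy.mode or sa.enc_alg not in policy.enc_algs
            or sa.auth_alg not in policy.auth_algs):
        raise IPsecError(f"SA {sa.enc_alg}/{sa.auth_alg}/{sa.mode} does not satisfy policy")
    # 4. strip the ESP header (and ICV) and hand the normal packet up
    return body[ESP_HDR_LEN:]


def make_demo_state():
    """Constructed SADB and SPD on the printer: one SA per direction, distinct SPIs/keys."""
    sa_in = SecurityAssociation(0x1000ABCD, HOST, PRINTER, "transport",
                                "AES-256-CBC", "HMAC-SHA-256-128", b"k" * 32)
    sa_out = SecurityAssociation(0x2000ABCD, PRINTER, HOST, "transport",
                                 "AES-256-CBC", "HMAC-SHA-256-128", b"j" * 32)
    sadb = {(sa.dst, sa.spi): sa for sa in (sa_in, sa_out)}
    spd = {(PRINTER, HOST): SecurityPolicy("transport",
                                           frozenset({"AES-256-CBC", "AES-128-CBC"}),
                                           frozenset({"HMAC-SHA-256-128"}))}
    return sadb, spd, sa_in


def demo():
    """Run three inbound cases: valid packet, tampered packet, under-protected SA."""
    sadb, spd, sa_in = make_demo_state()
    payload = b"printjob"  # constructed sample upper-layer data
    results = {}
    good = build_esp(sa_in, 1, payload)
    results["good"] = inbound_esp(sadb, spd, HOST, PRINTER, good)
    tampered = good[:ESP_HDR_LEN] + bytes([good[ESP_HDR_LEN] ^ 0x01]) + good[ESP_HDR_LEN + 1:]
    try:
        inbound_esp(sadb, spd, HOST, PRINTER, tampered)
        results["tampered"] = "accepted"
    except IPsecError as e:
        results["tampered"] = str(e)
    # an SA negotiated with algorithms the policy does not allow
    weak = SecurityAssociation(0x3000ABCD, HOST, PRINTER, "transport",
                               "DES-CBC", "HMAC-MD5-96", b"w" * 16)
    sadb[(PRINTER, weak.spi)] = weak
    try:
        inbound_esp(sadb, spd, HOST, PRINTER, build_esp(weak, 1, payload))
        results["weak"] = "accepted"
    except IPsecError as e:
        results["weak"] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks is the point: the SADB lookup must come first because only the SA says which authentication algorithm, and therefore which ICV length, to expect; the Security Policy check comes after authentication so that a peer cannot have traffic accepted under an SA that provides less protection than the policy demands.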
I selected cryptographic algorithms for IKE Phase 1; why do I have to select them again for IKE Phase 2?

The reason is that each phase has its own cryptographic parameters that are required to establish the SA for that phase. These parameters are mutually exclusive. It makes the most sense from a configuration perspective to keep them the same. It would be silly to set up IKE Phase 1 to use DES/MD-5 and IKE Phase 2 to use AES256/AES-XCBC. This would be like spending so much money on an alarm system for your home that you no longer have enough money to buy a front door, and instead just have an empty doorway where anyone can walk in.

Tunnel Mode and Transport Mode are configuration parameters for IKE Phase 2, but I cannot select them for IKE Phase 1. Why?

Remember, IKE Phase 1 cannot use IPsec to protect its communication because of the chicken-and-egg problem. Tunnel Mode and Transport Mode are specific to IPsec and therefore specific to IKE Phase 2.

Why are two IPsec SAs set up and only one IKE SA?

Good question! We'll get back to you on that one. For all practical purposes, you can logically think of the two IPsec SAs as just one IPsec SA. The two IPsec SAs will more than likely be identical,