HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 37

• IKE establishes an SA for itself by negotiating security parameters, exchanging secret key material, and mutually authenticating both endpoints (via Pre-Shared Key).
• Using the SA negotiated by IKE between the initiator and responder, IKE can then safely negotiate two IPsec SAs (IKE Phase 2, also referred to as IKE Quick Mode), one for each data flow direction, and puts them in the SADB.
NOTE: IKE populates the SADB on both the initiator and the responder.
• IPsec uses these entries to provide IPsec protection to the packet and sends the packet out on the network.
• The printer receives the IPsec-protected packet and checks the SADB for a matching entry based upon the IP addresses and the Security Parameters Index (SPI).
• IPsec verifies the packet's integrity and decrypts it, then checks the Security Policy to make sure the proper protection was used for the packet.
• IPsec strips off the IPsec headers and restores the packet to its normal form.
• IPsec forwards the normal packet to the higher layers as if IPsec processing never occurred.
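The list above, carried through as a worked model. This is an added example, not HP code and not anything from the Jetdirect firmware: quick_mode() stands in for IKE Phase 2 and simply draws fresh random SPIs and keys (a real Quick Mode negotiates them over the Phase 1 SA), the ESP confidentiality algorithm is a constructed HMAC-based keystream standing in for AES, anti-replay is a strictly increasing sequence number rather than ESP's sliding window, the SPD is a flat dictionary of (local, remote, protocol) selectors, and the addresses and print-job bytes are made up. The names IPPacket, SA, Peer, esp_protect, quick_mode and demo are this example's own. Because each IPsec SA is unidirectional (its own SPI, keys and sequence state), the model also shows why a two-way print session needs the two IPsec SAs the page asks about below.

```python
import hashlib, hmac, os, struct
from collections import namedtuple
from dataclasses import dataclass, field, replace

ESP, TCP, UDP = 50, 6, 17  # IP protocol numbers
ICV_LEN = 16               # HMAC-SHA-256-128 style truncated ICV (RFC 4868)

IPPacket = namedtuple("IPPacket", "src dst proto payload")  # toy IP header + payload

@dataclass
class SA:
    """Unidirectional: the SPI, keys and sequence state cover src -> dst traffic only."""
    spi: int
    src: str
    dst: str
    enc_key: bytes
    auth_key: bytes
    seq: int = 0  # highest sequence number sent (outbound copy) or accepted (inbound copy)

@dataclass
class Peer:
    ip: str
    spd: dict = field(default_factory=dict)   # (local, remote, proto) -> "protect"; else discard
    sadb: dict = field(default_factory=dict)  # (dst_ip, spi) -> SA
    log: list = field(default_factory=list)
    def drop(self, why):
        self.log.append(why)  # falls through to None: the packet is discarded
    def send(self, pkt):
        if self.spd.get((self.ip, pkt.dst, pkt.proto)) != "protect":
            return self.drop("no policy for outbound packet")
        sa = next((s for s in self.sadb.values() if s.src == self.ip and s.dst == pkt.dst), None)
        return esp_protect(sa, pkt) if sa else self.drop("no outbound SA (IKE would run here)")
    def receive(self, pkt):
        if pkt.proto != ESP:
            return self.drop("cleartext where policy requires ESP")
        spi, seq = struct.unpack(">II", pkt.payload[:8])
        sa = self.sadb.get((pkt.dst, spi))  # SADB lookup by destination address + SPI
        if sa is None:
            return self.drop(f"no SA for spi={spi:#x}")
        if seq <= sa.seq:  # simplified anti-replay: strictly increasing, no window
            return self.drop("replayed or reordered sequence number")
        body, icv = pkt.payload[:-ICV_LEN], pkt.payload[-ICV_LEN:]
        want = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, want):  # authenticate before decrypting
            return self.drop("bad ICV")
        sa.seq = seq  # advance replay state only after authentication
        pt = _crypt(sa.enc_key, spi, seq, body[8:])
        pad_len, next_hdr = pt[-2], pt[-1]
        inner = IPPacket(pkt.src, pkt.dst, next_hdr, pt[: len(pt) - 2 - pad_len])
        if self.spd.get((self.ip, inner.src, inner.proto)) != "protect":
            return self.drop("decrypted traffic does not match policy")  # SPD check
        return inner  # up the stack as if IPsec processing never happened

def _crypt(key, spi, seq, data):
    # Constructed AES stand-in: XOR with an HMAC counter keystream unique per (SPI, seq).
    ks = b"".join(hmac.new(key, struct.pack(">IIQ", spi, seq, i), hashlib.sha256).digest()
                  for i in range(-(-len(data) // 32)))
    return bytes(x ^ y for x, y in zip(data, ks))

def esp_protect(sa, inner):
    """ESP transport mode: IP header kept, proto becomes 50, payload = SPI|seq|ct|ICV."""
    sa.seq += 1
    pad_len = (-(len(inner.payload) + 2)) % 4  # ESP trailer aligned to 4 bytes
    pt = inner.payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, inner.proto])
    hdr = struct.pack(">II", sa.spi, sa.seq)
    ct = _crypt(sa.enc_key, sa.spi, sa.seq, pt)
    icv = hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
    return IPPacket(inner.src, inner.dst, ESP, hdr + ct + icv)

def quick_mode(initiator, responder):
    """IKE Phase 2 stand-in: two unidirectional SAs with fresh keys, installed in BOTH SADBs."""
    def make(src, dst):
        spi = int.from_bytes(os.urandom(4), "big") | 0x100  # SPIs 1..255 are reserved
        return SA(spi, src, dst, os.urandom(32), os.urandom(32))
    i2r, r2i = make(initiator.ip, responder.ip), make(responder.ip, initiator.ip)
    for peer in (initiator, responder):
        for sa in (i2r, r2i):
            peer.sadb[(sa.dst, sa.spi)] = replace(sa)  # each side keeps its own counters
    return i2r, r2i

def demo():
    # Constructed host-to-printer exchange with made-up addresses; returns what happened.
    host, printer = Peer("192.168.1.10"), Peer("192.168.1.50")
    for a, b in ((host, printer), (printer, host)):
        a.spd[(a.ip, b.ip, TCP)] = "protect"  # print traffic between the two must use ESP
    i2r, r2i = quick_mode(host, printer)
    job = IPPacket(host.ip, printer.ip, TCP, b"%!PS-Adobe-3.0\n(constructed print job)\n")
    wire = host.send(job)
    flipped = wire.payload[:12] + bytes([wire.payload[12] ^ 1]) + wire.payload[13:]
    r = {"tampered": printer.receive(wire._replace(payload=flipped))}  # ICV fails
    r["delivered"] = printer.receive(wire)
    r["replay"] = printer.receive(wire)    # same sequence number a second time
    r["cleartext"] = printer.receive(job)  # unprotected job where policy requires ESP
    rogue = esp_protect(host.sadb[(printer.ip, i2r.spi)], IPPacket(host.ip, printer.ip, UDP, b"x"))
    r["policy"] = printer.receive(rogue)   # authenticates and decrypts, then fails the SPD check
    r["reply"] = host.receive(printer.send(IPPacket(printer.ip, host.ip, TCP, b"OK\n")))
    return host, printer, wire, job, i2r, r2i, r
```

Calling demo() walks one job through the whole path: the host's SPD says the TCP flow must be protected, the outbound SA is found in the SADB, the ESP packet keeps the original IP addresses (transport mode) and the printer resolves the SA from (destination, SPI). The tampered copy fails the ICV check before any decryption and does not advance the replay state, the replayed copy is rejected on sequence number alone, the cleartext copy is rejected by policy, and the UDP packet smuggled over the print SA decrypts correctly but is dropped by the post-decryption SPD check, which is the step the page describes as "checks the Security Policy to make sure the proper protection was used". Note that the sender's and receiver's copies of each SA keep separate sequence state, which is why IKE has to populate the SADB on both ends.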
IKE Phase 2 (Quick Mode) is fairly straightforward. It uses the secure channel set up by IKE Phase 1 to negotiate the actual keys and parameters (i.e., the Security Associations) that IPsec will use to protect the actual data. The important items are:
• ESP
• ESP Confidentiality Algorithm
• ESP Authentication Algorithm
• Transport Mode
• IPsec SA Lifetimes
• Perfect Forward Secrecy (i.e., whether a DH group is specified so that Phase 2 performs its own key exchange)
These items are specific to IKE Phase 2 and are not negotiated during IKE Phase 1. For the purpose of this whitepaper, IKE Phase 2 is very straightforward, since we are using IPsec in one specific configuration: ESP with both authentication and confidentiality, transport mode, and only certain recommended cryptographic algorithms.
Sometimes the differences between IKE Phase 1 and IKE Phase 2 can be confusing. Let's go through a question-and-answer session so that we fully understand these concepts before moving on.
I selected cryptographic algorithms for IKE Phase 1; why do I have to select them again for IKE Phase 2?
Each phase has its own cryptographic parameters, negotiated separately, that are required to establish the SA for that phase. The two sets are independent of each other; neither is inherited from the other. From a configuration perspective it makes the most sense to keep them equally strong. It would be silly to set up IKE Phase 1 to use DES/MD5 and IKE Phase 2 to use AES-256/AES-XCBC: the Phase 2 negotiation is protected only by the Phase 1 SA, so weak Phase 1 algorithms undermine whatever Phase 2 agrees on. This would be like spending so much money on an alarm system for your home that you no longer have enough money to buy a front door, and instead just have an empty doorway where anyone can walk in.
Tunnel Mode and Transport Mode are configuration parameters for IKE Phase 2, but I cannot select them for IKE Phase 1. Why?
Remember, IKE Phase 1 cannot use IPsec to protect its communication because of the chicken-and-egg problem: the IPsec SAs do not exist yet, so IKE must protect its own messages. Tunnel Mode and Transport Mode describe how IPsec itself encapsulates a packet, so they are properties of the IPsec SAs and therefore specific to IKE Phase 2.
Why are two IPsec SAs set up and only one IKE SA?
Good question! We'll come back to that one. The short answer is that an IPsec SA is unidirectional by definition, so protecting a two-way conversation requires one SA per direction, each with its own SPI and keys, whereas the IKE SA is bidirectional. For all practical purposes, you can logically think of the two IPsec SAs as just one IPsec SA. The two IPsec SAs will more than likely be identical,