Security

IPSec has many intricate components and options that are worthy of detailed study, but at a high level the process operates in this manner:

  • An application on Computer A generates outbound packets to send to Computer B across the network.

  • Inside TCP/IP, the IPSec driver compares the outbound packets against IPSec filters, checking to see if the packets need to be secured. The filters are associated with a filter action in IPSec security rules. Many IPSec security rules can be inside one IPSec policy that is assigned to a computer.

  • If the matched filter's action is to negotiate security, Computer A begins security negotiations with Computer B using a protocol called the Internet Key Exchange (IKE). The two computers exchange identity credentials according to the authentication method specified in the security rule. Authentication methods can be Kerberos authentication, public key certificates, or a preshared key value (much like a password). The IKE negotiation establishes two types of agreements, called security associations (SAs), between the two computers. One type (called the phase I IKE SA) specifies how the two computers trust each other and protects their negotiation. The other type is an agreement on how to protect a particular type of application communication. This consists of two SAs (called phase II IPSec SAs) that specify security methods and keys for each direction of communication. IKE automatically creates and refreshes a shared secret key for each SA. The secret key is created independently at both ends without being transmitted across the network.

  • The IPSec driver on Computer A signs the outgoing packets for integrity, and optionally encrypts them for confidentiality using the methods agreed upon during the negotiation. It transmits the secured packets to Computer B.
    Note
    Firewalls, routers, and servers along the network path from Computer A to Computer B do not require IPSec. They simply pass along the packets in the usual manner.

  • The IPSec driver on Computer B checks the packets for integrity and decrypts their content if necessary. It then transfers the packets to the receiving application.
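The following is an added example, not part of the original page: it maps the steps above onto a Windows IPSec policy built with the NetSecurity PowerShell cmdlets (New-NetIPsecAuthProposal, New-NetIPsecPhase1AuthSet, New-NetIPsecQuickModeCryptoProposal, New-NetIPsecQuickModeCryptoSet, New-NetIPsecRule, Get-NetIPsecMainModeSA, Get-NetIPsecQuickModeSA). The addresses, port, and display names are placeholders chosen for illustration, the session must be elevated, and Computer B needs a matching rule of its own before any negotiation can succeed.

```powershell
# Added example (not from the original page): a Windows IPSec policy built with the
# NetSecurity module. Run in an elevated PowerShell session on Computer A.
# Addresses, ports and display names are placeholders chosen for illustration.

$computerA = "192.0.2.10"   # placeholder: Computer A's address
$computerB = "192.0.2.20"   # placeholder: Computer B's address

# 1. Authentication method for the phase I (IKE main mode) negotiation.
#    Kerberos machine authentication is used here; the other methods the text
#    names are selected with -Cert (certificates) or -PreSharedKey instead.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1Auth   = New-NetIPsecPhase1AuthSet -DisplayName "Example Phase1 Kerberos" `
                    -Proposal $authProposal

# 2. Security methods for the phase II (quick mode) SAs: ESP with SHA-256
#    integrity protection and AES-256 confidentiality. One quick mode SA will be
#    negotiated per direction of traffic, each with its own key.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
                  -ESPHash SHA256 -Encryption AES256
$qmCrypto   = New-NetIPsecQuickModeCryptoSet -DisplayName "Example ESP AES256 SHA256" `
                  -Proposal $qmProposal

# 3. The IPSec filter (local/remote address, protocol, port) together with its
#    filter action. "Require" means: negotiate security for matching packets and
#    drop them if the negotiation fails; "Request" would fall back to clear text.
New-NetIPsecRule -DisplayName "Example: require IPSec for SMB to Computer B" `
    -Mode Transport `
    -LocalAddress $computerA -RemoteAddress $computerB `
    -Protocol TCP -RemotePort 445 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1Auth.Name `
    -QuickModeCryptoSet $qmCrypto.Name

# 4. Once traffic matching the filter has been sent, the driver has run IKE and
#    the negotiated SAs can be inspected: the phase I SA for the peer pair, and
#    the phase II SAs that carry the per-direction keys and methods.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

Use Get-NetIPsecRule, Get-NetIPsecPhase1AuthSet and Get-NetIPsecQuickModeCryptoSet to review what was created, and Remove-NetIPsecRule -DisplayName "Example: require IPSec for SMB to Computer B" to undo the rule; because the filter action is Require, a mismatch between the two computers' rules shows up as dropped traffic rather than as a fallback to unprotected packets.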

IPSec provides security against data manipulation, data interception, and replay attacks.

IPSec is an important part of strategies for data confidentiality, data integrity, and nonrepudiation.