Sunday, July 29, 2012

IPSEC - VPN Notes

IPsec is a security framework that operates at the network layer. It extends the IP packet with its own headers, which are identified by additional IP protocol numbers (51 for AH, 50 for ESP) rather than by IP options. That gives it the ability to protect any higher-layer protocol, including arbitrary TCP and UDP sessions, so it offers the greatest flexibility of all the existing TCP/IP cryptosystems. Flexibility, however, usually comes at the price of complexity, and IPsec is no exception. Configuring which addresses and ports to protect with which IPsec options soon begins to look like configuring packet filtering, and on top of that comes the complexity of key management. While conceptually simple, setting up IPsec is much more complex than installing SSH, for example.

What IPsec Does
IPsec provides security services at the IP layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. IPsec can be used to protect one or more "paths" between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.  (The term "security gateway" is used throughout the IPsec documents to refer to an intermediate system that implements IPsec protocols.  For example, a router or a firewall implementing IPsec is a security gateway.)
The set of security services that IPsec can provide includes access control, connectionless integrity, data origin authentication, rejection of replayed packets (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality.  Because these services are provided at the IP layer, they can be used by any higher layer protocol, e.g., TCP, UDP, ICMP, BGP, etc.

How IPsec Works
IPsec uses two protocols to provide traffic security -- Authentication Header (AH) and Encapsulating Security Payload (ESP).
The IP Authentication Header (AH) [KA98a] provides connectionless integrity, data origin authentication, and an optional anti-replay service.
The Encapsulating Security Payload (ESP) protocol [KA98b] may provide confidentiality (encryption), and limited traffic flow confidentiality.  It also may provide connectionless
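The two passages above (the services IPsec provides, and the AH/ESP headers that provide them) are easier to follow with the bytes in hand. The following is an added example, not part of the original notes or of any IPsec implementation: it builds constructed IPv4 packets carrying AH and ESP, parses the AH and ESP headers, verifies an AH integrity check value computed as HMAC-SHA1-96 over the packet with the mutable IP fields zeroed, and applies the sliding anti-replay window from RFC 2401 Appendix C. The addresses, SPIs, key and payload bytes are made up for illustration, the IP header checksum is left at zero, and the ESP "ciphertext" is opaque filler because without the SA's key only the SPI and sequence number of an ESP packet are readable.

```python
# Added example (not part of the original notes): parse the AH and ESP headers
# that IPsec inserts behind the IP header, verify an AH integrity check value
# (HMAC-SHA1-96, RFC 2404) and apply the RFC 2401 Appendix C anti-replay
# window. All packets and the key are constructed here for illustration.
import hashlib
import hmac
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50     # protocol numbers IANA assigned to the IPsec headers
IPPROTO_AH = 51
ICV_LEN = 12         # HMAC-SHA1-96 truncates the 20-byte MAC to 96 bits


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Construct a minimal IPv4 header (checksum left 0; test data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       0x4000, ttl, proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split(".")))) + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return the outer IPv4 fields and the bytes that follow the IP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total < ihl or total > len(pkt):
        raise ValueError("bad IPv4 length fields")
    return {"proto": pkt[9], "src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])), "payload": pkt[ihl:total]}


def parse_ah(data: bytes) -> dict:
    """AH (RFC 2402): next hdr | payload len | reserved | SPI | seq | ICV."""
    next_hdr, plen, _, spi, seq = struct.unpack("!BBHII", data[:12])
    ah_len = (plen + 2) * 4          # payload len counts 32-bit words minus 2
    if ah_len < 12 or ah_len > len(data):
        raise ValueError("bad AH length")
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": data[12:ah_len], "inner": data[ah_len:]}


def parse_esp(data: bytes) -> dict:
    """ESP (RFC 2406): SPI | seq | encrypted payload + trailer [| ICV]."""
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "ciphertext": data[8:]}


def ah_icv(pkt: bytes, key: bytes) -> bytes:
    """ICV over the whole packet with the mutable IPv4 fields (TOS, flags and
    fragment offset, TTL, header checksum) and the ICV itself zeroed. Routers
    rewrite those fields in transit; NAT rewrites the immutable address fields,
    which is why AH does not survive NAT."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = bytearray(pkt[:ihl])
    ip[1] = 0                         # TOS
    ip[6:8] = b"\x00\x00"             # flags + fragment offset
    ip[8] = 0                         # TTL
    ip[10:12] = b"\x00\x00"           # header checksum
    ah = parse_ah(pkt[ihl:])
    covered = bytes(ip) + pkt[ihl:ihl + 12] + b"\x00" * len(ah["icv"]) + ah["inner"]
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src, dst, key, spi, seq, inner, ttl=64) -> bytes:
    """Sender side: AH in transport mode protecting an (opaque) TCP segment."""
    plen = (12 + ICV_LEN) // 4 - 2    # AH length in 32-bit words, minus 2
    ah = struct.pack("!BBHII", IPPROTO_TCP, plen, 0, spi, seq) + b"\x00" * ICV_LEN
    pkt = build_ipv4(src, dst, IPPROTO_AH, ah + inner, ttl)
    return pkt[:32] + ah_icv(pkt, key) + inner   # 20-byte IP + 12-byte AH fixed part


def build_esp_packet(src, dst, spi, seq, ciphertext) -> bytes:
    """Outer wrapping of an ESP packet; the ciphertext is opaque test bytes."""
    return build_ipv4(src, dst, IPPROTO_ESP, struct.pack("!II", spi, seq) + ciphertext)


class ReplayWindow:
    """RFC 2401 Appendix C sliding window; bit 0 tracks the highest seq seen."""
    def __init__(self, size: int = 64):
        self.size, self.last, self.bitmap = size, 0, 0

    def is_new(self, seq: int) -> bool:
        if seq == 0:
            return False              # seq starts at 1 on a fresh SA
        if seq > self.last:
            return True               # to the right of the window
        diff = self.last - seq
        return diff < self.size and not (self.bitmap >> diff) & 1

    def mark(self, seq: int) -> None:
        """Only called after the ICV verified, as RFC 2402 3.4.3 requires."""
        if seq > self.last:
            shift = seq - self.last
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1       # jumped past the whole window
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)


def receive_ah(pkt: bytes, key: bytes, window: ReplayWindow) -> dict:
    """Receiver side: window check, ICV check, then update window and pass up."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_AH:
        raise ValueError("not an AH packet")
    ah = parse_ah(ip["payload"])
    if not window.is_new(ah["seq"]):
        return {"ok": False, "reason": "replay"}   # replayed or older than window
    if not hmac.compare_digest(ah["icv"], ah_icv(pkt, key)):
        return {"ok": False, "reason": "icv"}
    window.mark(ah["seq"])
    return {"ok": True, "spi": ah["spi"], "seq": ah["seq"],
            "next_header": ah["next_header"], "inner": ah["inner"]}
```

The receiver checks the window before computing the MAC so that a flood of replayed packets is dropped cheaply, but it only advances the window after the ICV verifies; marking first would let an attacker with no key poison the window with forged sequence numbers. The TTL-rewrite case in the usage below shows why the mutable fields must be zeroed: a packet that crossed a router still verifies, while a single changed payload byte or a wrong key does not.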

A Domain of Interpretation (DOI), a term from ISAKMP/IKE, defines payload formats, exchange types, and conventions for naming security-relevant information such as security policies or cryptographic algorithms and modes. IKE negotiates IPsec security associations under the IPsec DOI.

1 comment:

  1. Very useful information on VPN, and I'm grateful you shared this with us. A couple of months ago, I got to know about some good VPN providers through different tech review sites. They provided really good services with good speed.