2. Encapsulated Security Payload (ESP)
• Must encrypt and/or authenticate each packet
• Encryption occurs before authentication
• Authentication is applied to the data in the IPSec header as well as the data carried as payload
5. Authentication Header (AH)
• Authentication is applied to the entire packet, with the mutable fields in the IP header zeroed out
• If both ESP and AH are applied to a packet, AH follows ESP
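The two slides above describe the order of operations in ESP (encrypt first, then authenticate header plus payload) and the AH rule of zeroing mutable IP header fields before authenticating the whole packet. The following Python is an added illustration written for these notes, not code from the original slides or from any IPsec implementation. It assumes constructed keys, a toy HMAC-based keystream as a stand-in for ESP's real cipher (the standard library has no AES), a reduced IPv4 header represented as a dict, and a 16-byte truncated HMAC-SHA256 ICV; none of those choices come from the slides.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample keys; in a real deployment both come out of IKE quick mode.
ENC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
AUTH_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")
ICV_LEN = 16

# IP header fields a router may legitimately rewrite in transit; AH zeroes
# these before computing its ICV so that normal forwarding does not break it.
MUTABLE_FIELDS = ("tos", "ttl", "checksum")


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256. It stands in for ESP's real
    cipher; the ordering of encrypt and authenticate is the point, not the cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_protect(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP order: encrypt the payload first, then authenticate header + IV + ciphertext."""
    header = struct.pack(">II", spi, seq)           # ESP header: SPI, sequence number
    iv = os.urandom(8)
    ciphertext = xor(payload, keystream(ENC_KEY, iv, len(payload)))
    icv = hmac.new(AUTH_KEY, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + iv + ciphertext + icv


def esp_unprotect(packet: bytes):
    """Receiver: check the ICV before decrypting; return None on failure so a
    forged or modified packet never reaches the cipher."""
    header, iv = packet[:8], packet[8:16]
    ciphertext, icv = packet[16:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(AUTH_KEY, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return xor(ciphertext, keystream(ENC_KEY, iv, len(ciphertext)))


def serialize_ip_header(hdr: dict) -> bytes:
    """Fixed-size stand-in for an IPv4 header (a subset of its fields)."""
    return struct.pack(">BBHBBHII", hdr["version"], hdr["tos"], hdr["length"],
                       hdr["ttl"], hdr["proto"], hdr["checksum"], hdr["src"], hdr["dst"])


def ah_icv(ip_header: dict, payload: bytes) -> bytes:
    """AH: authenticate the whole packet with the mutable IP fields set to zero."""
    immutable = {k: (0 if k in MUTABLE_FIELDS else v) for k, v in ip_header.items()}
    return hmac.new(AUTH_KEY, serialize_ip_header(immutable) + payload,
                    hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(ip_header: dict, payload: bytes, icv: bytes) -> bool:
    """Recompute the ICV over the received packet and compare in constant time."""
    return hmac.compare_digest(icv, ah_icv(ip_header, payload))


if __name__ == "__main__":
    pkt = esp_protect(0x1000, 1, b"hello")
    print("ESP round trip:", esp_unprotect(pkt))
    hdr = {"version": 4, "tos": 0, "length": 40, "ttl": 64, "proto": 51,
           "checksum": 0xABCD, "src": 0x0A000001, "dst": 0x0A000002}
    icv = ah_icv(hdr, b"data")
    print("AH survives TTL decrement:", ah_verify(dict(hdr, ttl=63), b"data", icv))
```

Because ESP's ICV covers the ESP header and the ciphertext, the receiver can reject a tampered packet with one HMAC comparison and never run the decryption path on attacker-controlled input. For AH, a decremented TTL or recomputed checksum still verifies, while a changed destination address or payload does not, which is exactly what zeroing only the mutable fields buys.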
8. Internet Key Exchange (IKE)
• Phase I
– Establish a secure channel (ISAKMP SA)
– Authenticate computer identity
• Phase II
– Establish a secure channel between computers intended for the transmission of data (IPSec SA)
9. Main Mode
• Main mode negotiates an ISAKMP SA, which will be used to create IPSec SAs
• Three steps
– SA negotiation
– Diffie-Hellman and nonce exchange
– Authentication
10. Main Mode (Kerberos)
Initiator -> Responder: Header, SA Proposals
Responder -> Initiator: Header, Selected SA Proposal
Initiator -> Responder: Header, D-H Key Exchange, Nonce_i, Kerberos Token_i
Responder -> Initiator: Header, D-H Key Exchange, Nonce_r, Kerberos Token_r
(the remaining messages are encrypted)
Initiator -> Responder: Header, ID_i, Hash_i
Responder -> Initiator: Header, ID_r, Hash_r
11. Main Mode (Certificate)
Initiator -> Responder: Header, SA Proposals
Responder -> Initiator: Header, Selected SA Proposal
Initiator -> Responder: Header, D-H Key Exchange, Nonce_i
Responder -> Initiator: Header, D-H Key Exchange, Nonce_r, Certificate Request
(the remaining messages are encrypted)
Initiator -> Responder: Header, ID_i, Certificate_i, Signature_i, Certificate Request
Responder -> Initiator: Header, ID_r, Certificate_r, Signature_r
12. Main Mode (Pre-shared Key)
Initiator -> Responder: Header, SA Proposals
Responder -> Initiator: Header, Selected SA Proposal
Initiator -> Responder: Header, D-H Key Exchange, Nonce_i
Responder -> Initiator: Header, D-H Key Exchange, Nonce_r
(the remaining messages are encrypted)
Initiator -> Responder: Header, ID_i, Hash_i
Responder -> Initiator: Header, ID_r, Hash_r
13. Quick Mode
• All traffic is encrypted using the ISAKMP Security Association
• Each quick mode negotiation results in two IPSec Security Associations (one inbound, one outbound)
14. Quick Mode Negotiation
(all messages are encrypted under the ISAKMP SA)
Initiator -> Responder: Header, IPSec Proposed SA
Responder -> Initiator: Header, IPSec Selected SA
Initiator -> Responder: Header, Hash
Responder -> Initiator: Header, Connected Notification
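The pre-shared-key main mode exchange (slide 12) and the quick mode slides (13 and 14) are simulated together below in Python. This is an added example written for these notes, not the slides' own material or any vendor's IKE implementation. It assumes: a constructed toy Diffie-Hellman group (2**127 - 1 with generator 5, which is not one of the IKE MODP groups), HMAC-SHA256 as the prf, constructed peer identities and SA proposal strings, and hash and key derivation formulas simplified from RFC 2409 (SKEYID = prf(PSK, Ni | Nr); HASH_I/HASH_R = prf(SKEYID, g^x | g^x_peer | cookies | SA | ID); SKEYID_d = prf(SKEYID, g^xy | cookies | 0); KEYMAT = prf(SKEYID_d, protocol | SPI | Ni | Nr)). The exchange follows the three main mode steps on slide 9 and then derives the two per-direction IPSec SAs that one quick mode run produces.

```python
import hashlib
import hmac
import os

# Constructed toy Diffie-Hellman group for the simulation only; it is NOT an
# IKE MODP group. 2**127 - 1 is a Mersenne prime; G = 5 is a demo choice.
P = 2**127 - 1
G = 5
PROTO_ESP = b"\x03"      # protocol identifier mixed into KEYMAT (assumed value)


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's prf is a keyed hash; HMAC-SHA256 stands in for the negotiated one."""
    return hmac.new(key, data, hashlib.sha256).digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes(16, "big")       # every group element fits in 16 bytes


class Peer:
    """One IKE endpoint's state for a single main mode run."""

    def __init__(self, psk: bytes, identity: bytes):
        self.psk = psk
        self.identity = identity
        self.cookie = os.urandom(8)                         # ISAKMP header cookie
        self.x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2   # private exponent
        self.gx = pow(G, self.x, P)                         # D-H public value sent in message 3/4
        self.nonce = os.urandom(16)

    def dh_secret(self, peer_gx: int) -> bytes:
        return to_bytes(pow(peer_gx, self.x, P))


def auth_hash(skeyid, own_gx, peer_gx, cky_i, cky_r, sa, identity):
    """Simplified HASH_I / HASH_R: prf(SKEYID, g^x_own | g^x_peer | CKY-I | CKY-R | SA | ID)."""
    return prf(skeyid, to_bytes(own_gx) + to_bytes(peer_gx) + cky_i + cky_r + sa + identity)


def main_mode_psk(init: Peer, resp: Peer):
    """Runs the three main mode steps; returns SKEYID_d, or None if authentication fails."""
    # Step 1 (messages 1-2): SA negotiation; the responder selects one proposal.
    proposals = [b"AES-128/SHA-256/DH-toy", b"3DES/SHA-1/DH-toy"]
    sa = proposals[0]
    # Step 2 (messages 3-4): D-H public values and nonces cross in the clear.
    # Each side derives SKEYID from the pre-shared key and both nonces.
    skeyid_i = prf(init.psk, init.nonce + resp.nonce)
    skeyid_r = prf(resp.psk, init.nonce + resp.nonce)
    # Step 3 (messages 5-6): identities and hashes, encrypted under the ISAKMP SA.
    # A hash verifies only if both sides hold the same PSK and saw the same exchange.
    hash_i = auth_hash(skeyid_i, init.gx, resp.gx, init.cookie, resp.cookie, sa, init.identity)
    expected_i = auth_hash(skeyid_r, init.gx, resp.gx, init.cookie, resp.cookie, sa, init.identity)
    if not hmac.compare_digest(hash_i, expected_i):
        return None                                         # responder rejects the initiator
    hash_r = auth_hash(skeyid_r, resp.gx, init.gx, init.cookie, resp.cookie, sa, resp.identity)
    expected_r = auth_hash(skeyid_i, resp.gx, init.gx, init.cookie, resp.cookie, sa, resp.identity)
    if not hmac.compare_digest(hash_r, expected_r):
        return None                                         # initiator rejects the responder
    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) is what quick mode keys the IPSec SAs from.
    d_i = prf(skeyid_i, init.dh_secret(resp.gx) + init.cookie + resp.cookie + b"\x00")
    d_r = prf(skeyid_r, resp.dh_secret(init.gx) + init.cookie + resp.cookie + b"\x00")
    return d_i if d_i == d_r else None


def quick_mode(skeyid_d: bytes, spi_init: bytes, spi_resp: bytes) -> dict:
    """One quick mode run yields two IPSec SAs, one per direction. Each side picks
    the SPI for the SA it receives on, and KEYMAT is derived separately per SPI
    (no PFS): KEYMAT = prf(SKEYID_d, protocol | SPI | Ni | Nr)."""
    ni, nr = os.urandom(16), os.urandom(16)                 # fresh quick mode nonces
    return {
        "inbound_to_initiator": (spi_init, prf(skeyid_d, PROTO_ESP + spi_init + ni + nr)),
        "inbound_to_responder": (spi_resp, prf(skeyid_d, PROTO_ESP + spi_resp + ni + nr)),
    }


def negotiate(psk_init: bytes, psk_resp: bytes):
    """Full Phase I + Phase II run between two constructed peers."""
    init = Peer(psk_init, b"initiator@example.test")
    resp = Peer(psk_resp, b"responder@example.test")
    skeyid_d = main_mode_psk(init, resp)
    if skeyid_d is None:
        return None
    return quick_mode(skeyid_d, os.urandom(4), os.urandom(4))


if __name__ == "__main__":
    sas = negotiate(b"shared secret", b"shared secret")
    for name, (spi, key) in sas.items():
        print(name, spi.hex(), key.hex()[:16] + "...")
    print("mismatched PSK:", negotiate(b"shared secret", b"wrong secret"))
```

Two points from the slides show up directly in the code: the authentication hashes are exchanged only after the Diffie-Hellman values and nonces, so they can be sent encrypted and bind the identities to that particular exchange, and a single quick mode yields two separately keyed SAs because each direction has its own SPI feeding the key derivation.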