There a few key things we need to describe to you so you can get a better idea of IPSec. Firstly, there are two main protocols in IPSec which namely Authentication Header, in short AH and Encapsulating Security Payload, in short ESP.
The next two key terms for IPSec are Security Policy, in short SP and Security Association, in short SA.
In layman’s term, SP governs how IPSec process different datagrams received by an IPSec device.
Now, on the other hand, Security Associations are sets of security information that describes a particular kind of secure connection between one IPSec device and another.
There are two important concepts of SA. Firstly, SAs are key to IPSec’s authentication and confidentiality mechanisms.
Secondly, SAs are needed to negotiate in the exchanging of the “shared secret” process Now, each host that wants to communicate with each other securely thru IPSec, has to first setup their own security association. And each host over IPSec negotiates a same shared secret to decrypt and encrypt messages. To get shared secret, they must first use IKE and thus I will explain the process [click]
Now that we know what Security Policies and Security Associations are, let’s us first understand how IPSec shares its shared secret before we move on to the Authentication Header and Encapsulating Security Payload protocols of the IPSec.
IPSec, like many secure networking protocol sets, is based on the concept of a “ shared secret ”.
Before AH or ESP can be used, any two devices must exchange the “secret” that the AH or ESP themselves will use.
So how does this happen?
The primary support protocol used for this “secret” exchange in IPSec is called Internet Key Exchange (IKE) . And during this exchange, s ymmetric encryption is used on the data(Which is must faster as data can be large) but asymmetric encryption is used to encrypt the key in transit, because a key is small in size and asymmetric encryption is more secure.
IKE allows IPSec-capable devices to exchange security associations (SAs) and populate their security association databases (SADs).
After setting up the Security Associations, these established SAs are then being used for the actual exchange of secured datagrams with the AH and ESP protocols. Right now, let me briefly explain how sharing of the secret works in IPSec. [Click]
-Alice, using a data application on Computer A [click], sends an application IP packet to Bob on [Click] Computer B. -The IPSec driver [click] on Computer A checks its outbound IP filter lists and determines that the packets should be secured. -The action is to negotiate security, so the IPSec driver [click] notifies IKE to begin negotiations. The IKE service on Computer A completes [click] a policy lookup and [click] the policy determines that Computer A proposes to Computer B. Computer A then sends the first IKE SA message to B. -Computer B receives A’s IKE SA requesting for secure negotiation. B then [click] looks up it’s own policy database to determine which security settings (which is the SA) to agree to. Since Computer B has a policy match, B replies to begin [click] negotiation of IKE SA. -Computer A and Computer B now negotiate parameters such options, exchange identities, verify authentication methods [click], and generate a shared master key. They have now established an IKE SA and had so established a mutual trust for the exchange of future secured datagrams either with the AH or ESP IPSec protocol.
The next core protocol of IPSec is the ESP
An encryption algorithm combines the data in the datagram with a key to transform it into an encrypted form. This is then repackaged using a special format and transmitted to the destination, which decrypts it using the same algorithm. And this key as known by the source and destination had already been negotiated fore front by IKE which we had covered earlier on.
ESP in transport mode does not sign the entire packet.
The signed portion of the packet indicates where the packet has been signed for integrity and authentication and the encrypted portion of the packet indicates what information is protected with confidentiality. Now you realized that the ESP Authentication Data appears separately because it is used to authenticate the rest of the encrypted datagram after encryption . This means it cannot appear in the ESP Header or ESP Trailer.