6 once that negotiation is complete the spi and sa

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: dex (SPI). 5. The negotiator engine looks up the SA and SPI in its internal database. If an SA has not been negotiated for that specific address, then the Negotiator triggers the creation of an SA by initiating an IKE negotiation with the peer address. 6. Once that negotiation is complete, the SPI and SA are passed to the Unprotected-Protected Engine. Now all packets sent to that address are protected by the Protected Engine with keys negotiated by the Negotiator. Inbound Packet 1. If the incoming packet comes in to the port reserved for the IKE negotiation (port 500 or 4500), and no SA has been negotiated with the incoming address, then the Unprotected-Protected Engine will pass all of the IKE packets on to the Negotiator. 2. If the arriving packet has an SPI (Security Parameter Index) associated with it, the SA (Security Association) associated with that SPI is retrieved from the IPsec databases. If the SPI is not in the database, then the packet can be rejected. 3. If the arriving packet does not have an SPI embedded in it, the unprotected-protected Engine can presume that the packet doesn’t have an SA associated with it. Since there is no SA associated with the packet, it can be rejected. 17 VPN, IPSec and TLS IPsec Document Roadmap IP Security Architecture RFC 4301 AH Protocol RFC 4302 ESP Protocol RFC 4303 IKE v2 RFC 4306 Encryption Algorithms RPC 3602 (AES-CBC (128-Bit) RFC 3686 (AES-CTR) RFC 2451 (Triple DES-CBC) Authentication Algorithms RFC 3566 (AES-XCBC-MAC-96) RFC 2404 (HMAC-SHA1-96) RFC 2403 (HMAC-MD5-96) Key Management RFC 4120 (Kerberos) RFC 2093 (GKMP) RFC 2412 (OAKLEY) VPN • • • • • • • • • • • • • • • • • • • • • • • IPsec IKE v2 TLS M. Mogollon – 01/08 - 18 RFC 1828, IP Authentication using Keyed MD5, P. Metzger & W. Simpson, August 1995. RFC 1829, The ESP DES-CBC Transform, P. Karn, P. Metzger & W. Simpson, August 1995. RFC 1851, The ESP Triple DES Transform, P. Karn, P. Metzger & W. Simpson, September 1995...
View Full Document

This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.

Ask a homework question - tutors are online