session_09_vpn__ipsec__and_tls_101908


…information in our Security Policy Databases. By doing this, we will not have to create another SA when we communicate again.

Destination Security Parameters

• Encryption and authentication algorithms
  — Encapsulation Security Payload (ESP)
  — Authentication Header (AH)
• Crypto keys
• Initialization values
• Protocol mode
• Source and destination IP addresses
• Source and destination IDs
• Key lifetimes

M. Mogollon – 01/08 - 24

• A Security Association (SA) is a proposal for a set of IPsec encryption algorithms, authentication mechanisms, and key establishment algorithms to be used in IKE, as well as for ESP and/or AH.
• IKE v2 is not bound to any specific cryptographic algorithm, key generation technique, or security mechanism; the independence from specific security mechanisms and algorithms provides a forward migration path to better mechanisms and algorithms. When improved encryption algorithms, authentication mechanisms, and key exchanges are created to counter new attacks against the current ones, IKE v2 will allow the algorithms and mechanisms to be updated without having to develop a completely new IKE or patch the current one.

IKEv2 Algorithm Selection

The following features are used by IKE and must be negotiated for the IPsec security association:

• Encryption algorithm to protect data: Must implement 3DES and should implement AES-CBC-128 and AES-CTR-128 modes.
• Integrity protection algorithms to produce a fingerprint of the data: Must implement HMAC-SHA1-96, should implement AES-XCBC-96, and may implement HMAC-MD5-96.
• Information about which Diffie-Hellman Modular Exponentiation Group (MODP) to use: Must implement D-H MODP Group 2 (discrete log 1024 bits), should support D-H Group 14 (2048), and may support D-H elliptic curves over GF[2^155] and over GF[2^185].
• Pseudorandom function to use: Must implement PRF-HMAC-SHA1 (RFC 2104), should support PRF-AES-XCBC-PRF-128 (RFC 3664), and may implement PRF-HMAC-MD5 (RFC 2104).
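The negotiation described above, sketched as an added example that is not part of the original slides: a responder walks the initiator's SA proposals and accepts the first one for which it supports a transform of every type. The function names, the sample peers, and the rule of honouring the initiator's preference order are assumptions made for illustration.

```python
# Added example; function names and sample peers are constructed for illustration.
# Requirement levels per transform type, as listed in the bullets above.
LEVELS = {
    "encr":  {"3DES": "MUST", "AES-CBC-128": "SHOULD", "AES-CTR-128": "SHOULD"},
    "integ": {"HMAC-SHA1-96": "MUST", "AES-XCBC-96": "SHOULD", "HMAC-MD5-96": "MAY"},
    "dh":    {"MODP-Group-2": "MUST", "MODP-Group-14": "SHOULD"},
    "prf":   {"PRF-HMAC-SHA1": "MUST", "PRF-AES-XCBC-PRF-128": "SHOULD",
              "PRF-HMAC-MD5": "MAY"},
}

def select_proposal(proposals, supported):
    """Responder side: return (index, chosen) for the first proposal in which
    every transform type has a locally supported option, else None."""
    for idx, proposal in enumerate(proposals):
        chosen = {}
        for ttype in LEVELS:
            # Assumption: take the first match in the initiator's preference order.
            offered = proposal.get(ttype, [])
            match = next((t for t in offered if t in supported.get(ttype, ())), None)
            if match is None:
                break  # one unmatched type makes the whole proposal unusable
            chosen[ttype] = match
        else:
            return idx, chosen
    return None  # no acceptable proposal, so no SA is established

def requirement_levels(chosen):
    """Map each selected transform to its MUST/SHOULD/MAY level."""
    return {t: LEVELS[t].get(name, "not listed") for t, name in chosen.items()}

# Constructed sample: the initiator prefers a SHOULD-only suite, then a broader one.
INITIATOR = [
    {"encr": ["AES-CTR-128"], "integ": ["AES-XCBC-96"],
     "dh": ["MODP-Group-14"], "prf": ["PRF-AES-XCBC-PRF-128"]},
    {"encr": ["AES-CBC-128", "3DES"], "integ": ["HMAC-SHA1-96"],
     "dh": ["MODP-Group-14", "MODP-Group-2"], "prf": ["PRF-HMAC-SHA1"]},
]
RESPONDER = {"encr": {"3DES", "AES-CBC-128"}, "integ": {"HMAC-SHA1-96"},
             "dh": {"MODP-Group-2", "MODP-Group-14"}, "prf": {"PRF-HMAC-SHA1"}}
# A peer that implements only the mandatory transforms.
MUST_ONLY = {t: {n for n, lvl in names.items() if lvl == "MUST"}
             for t, names in LEVELS.items()}

if __name__ == "__main__":
    for label, peer in (("full responder", RESPONDER), ("MUST-only peer", MUST_ONLY)):
        idx, chosen = select_proposal(INITIATOR, peer)
        print(label, "-> proposal", idx, requirement_levels(chosen))
```

The MUST-only peer still reaches agreement on the second proposal, which is the interoperability floor the mandatory set provides; a proposal made up solely of SHOULD or MAY transforms has no such guarantee.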

This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.
