...information in our Security Policy Databases. By doing this, we will not have to create another SA when we communicate again.

Destination Security Parameters
• Encryption and authentication
— Encapsulation Security Payload (ESP)
— Authentication Header (AH)
• VPN Crypto keys
• Source and destination IP addresses
• Source and destination IDs
IPsec IKE v2 TLS M. Mogollon – 01/08

• A Security Association (SA) is a proposal for a set of IPsec encryption algorithms, authentication
mechanisms, and key establishment algorithms to be used in IKE, as well as for ESP and/or AH.
• IKE v2 is not bound to any specific cryptographic algorithm, key generation technique, or
security mechanism; the independence from specific security mechanisms and algorithms
provides a forward migration path to better mechanisms and algorithms. When improved
security mechanisms are developed to counter new attacks against current encryption algorithms,
authentication mechanisms, and key exchanges, IKE v2 will allow the updating of the
algorithms and mechanisms without having to develop a completely new IKE or patch the
• IKEv2 Algorithm Selection –
• The following features are used by IKE and must be negotiated for the IPsec security association:
• Encryption algorithm to protect data: Must implement 3DES and should implement AES-CBC-128 and AES-CTR-128 modes.
• Integrity protection algorithms to produce a fingerprint of the data: Must implement HMAC-SHA1-96, should implement AES-XCBC-96, and may implement HMAC-MD5-96.
• Information about which Diffie-Hellman Modular Exponentiation Group (MODP) to use: Must
implement D-H MODP Group 2 (discrete log 1024 bits), should support D-H Group 14 (2048),
and may support D-H elliptic curves over GF  and over GF .
• Pseudorandom function to use: Must implement PRF-HMAC-SHA1 (RFC 2104), should support
PRF-AES-XCBC-PRF-128 (RFC 3664), and may implement PRF-HMAC-MD5 (RFC 2104).
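
The negotiation of these four features can be sketched as follows. This is an added example, not code from the slides: the responder takes the first initiator proposal in which every transform type has an algorithm its policy accepts, then reports the requirement level the slide assigns to each choice. The function names, the `MODP-2`/`MODP-14` labels, the sample proposals and the policy are assumptions made for illustration.

```python
# Added example (not from the slides): responder-side transform selection.
# Requirement levels are copied from the bullets above; labels are shorthand.
LEVELS = {
    "ENCR": {"3DES": "MUST", "AES-CBC-128": "SHOULD", "AES-CTR-128": "SHOULD"},
    "INTEG": {"HMAC-SHA1-96": "MUST", "AES-XCBC-96": "SHOULD", "HMAC-MD5-96": "MAY"},
    "DH": {"MODP-2": "MUST", "MODP-14": "SHOULD"},
    "PRF": {"PRF-HMAC-SHA1": "MUST", "PRF-AES-XCBC-PRF-128": "SHOULD",
            "PRF-HMAC-MD5": "MAY"},
}

# Constructed initiator offer: two proposals, algorithms in preference order.
SAMPLE_PROPOSALS = [
    {"ENCR": ["AES-CTR-128"], "INTEG": ["AES-XCBC-96"],
     "DH": ["MODP-14"], "PRF": ["PRF-AES-XCBC-PRF-128"]},
    {"ENCR": ["AES-CBC-128", "3DES"], "INTEG": ["HMAC-SHA1-96", "HMAC-MD5-96"],
     "DH": ["MODP-14", "MODP-2"], "PRF": ["PRF-HMAC-SHA1"]},
]
# Constructed responder policy: what this gateway is configured to accept.
RESPONDER_POLICY = {
    "ENCR": {"AES-CBC-128", "3DES"}, "INTEG": {"HMAC-SHA1-96"},
    "DH": {"MODP-14", "MODP-2"}, "PRF": {"PRF-HMAC-SHA1"},
}

def select_proposal(proposals, policy):
    """Return (proposal number, {type: algorithm}) for the first proposal that
    is acceptable for all four features, or None if none is acceptable."""
    for number, proposal in enumerate(proposals, start=1):
        chosen = {}
        for ttype, offered in proposal.items():
            # Honour the initiator's preference order within a transform type.
            match = next((a for a in offered if a in policy.get(ttype, ())), None)
            if match is None:
                break  # no common algorithm for this type: reject the proposal
            chosen[ttype] = match
        else:
            if set(chosen) == set(LEVELS):  # all four features were negotiated
                return number, chosen
    return None

def requirement_levels(chosen):
    """Map each negotiated algorithm to its level on the slide."""
    return {t: LEVELS[t].get(a, "UNLISTED") for t, a in chosen.items()}

if __name__ == "__main__":
    number, chosen = select_proposal(SAMPLE_PROPOSALS, RESPONDER_POLICY)
    print(number, chosen, requirement_levels(chosen))
```
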
This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.