session_09_vpn__ipsec__and_tls_101908


...tection to the connection. To secure typical, bidirectional communication between two hosts, or between two security gateways, two Security Associations (one in each direction) are required. Both the ESP and AH security protocols support two modes of operation: transport mode or tunnel mode.

• The IP Authentication Header (AH) provides connectionless integrity, data origin authentication, and an optional anti-replay service.

• The Encapsulating Security Payload (ESP) protocol may provide confidentiality (encryption) and limited traffic-flow confidentiality. It may also provide connectionless integrity, data origin authentication, and an anti-replay service.

Both AH and ESP are vehicles for access control, based on the distribution of cryptographic keys and the management of traffic flows relative to these security protocols.

VPN, IPSec and TLS (M. Mogollon, 01/08)

IPsec Negotiation

[Figure: IPsec Negotiation. Each of the two peers is drawn with its Applications, TCP/IP stack, Unprotect/Protect Engine, Security Policy Database, Negotiator Engine, IPsec databases (SAD, PAD), SA attributes and SPI; numbered arrows 1-6 trace an outbound IPsec packet on one peer and an inbound IPsec packet on the other.]

Outbound Packet

1. The application calls the TCP/IP stack.
2. The TCP/IP packet is captured by the Unprotect/Protect Engine.
3. The Unprotect/Protect Engine looks the packet up in the Security Policy Database (SPD) to determine whether traffic to that address must be protected, discarded, or allowed to bypass IPsec. In general, packets are matched against SPD entries on their IP addresses and transport-layer header fields (the selectors) and selected for one of three processing modes: protected using IPsec services, discarded, or allowed to bypass IPsec protection.
4. If the packet needs to be protected, the Unprotect/Protect Engine passes the address on to the Negotiator, which checks the address in the Security Association (SA) and the Security Parameter In...
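The outbound path in steps 2-4 above (SPD decision, then SA lookup, with a hand-off to the negotiator when no SA exists) and the inbound SA selection shown in the figure, as an added worked model. This is illustration code written for this page, not code from the slides; the class names (Packet, SpdEntry, SecurityAssociation, IpsecEngine), the sample policy and the sample SAs are hypothetical. Two behaviours the slides leave implicit are made explicit: the SPD is ordered and the first matching entry wins, and a packet that matches no SPD entry is discarded (RFC 4301's default).

```python
"""Toy model of the outbound and inbound IPsec decision path the slides describe
(RFC 4301 processing model).  Added illustration, not code from the slides; the
class names, the sample policy and the sample SAs are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PROTECT, DISCARD, BYPASS, NEGOTIATE = "PROTECT", "DISCARD", "BYPASS", "NEGOTIATE"


@dataclass(frozen=True)
class Packet:
    """The selectors an SPD entry is matched on: addresses plus transport-layer fields."""
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp", ...
    dport: int = 0


@dataclass(frozen=True)
class SpdEntry:
    """One SPD entry; the SPD is ordered and the first matching entry wins.
    None in a selector means 'any'."""
    src_net: str
    dst_net: str
    action: str                  # PROTECT, DISCARD or BYPASS
    proto: Optional[str] = None
    dport: Optional[int] = None
    peer: Optional[str] = None   # remote tunnel endpoint, PROTECT entries only
    sa_proto: str = "ESP"        # which security protocol to apply: ESP or AH

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass(frozen=True)
class SecurityAssociation:
    """A simplex SA.  Bidirectional traffic needs two of these, one per direction;
    inbound SAs are identified by (SPI, destination address, security protocol)."""
    spi: int
    local: str        # this gateway's tunnel address
    peer: str         # the remote gateway's tunnel address
    sa_proto: str     # ESP or AH
    direction: str    # "out" or "in"
    mode: str = "tunnel"


class IpsecEngine:
    """The slide's Unprotect/Protect Engine plus the SPD and SAD lookups behind it."""

    def __init__(self, spd, sad):
        self.spd = list(spd)
        self.sad = list(sad)

    def lookup_spd(self, p: Packet) -> Optional[SpdEntry]:
        return next((e for e in self.spd if e.matches(p)), None)

    def outbound(self, p: Packet):
        """Steps 2-4 for an outbound packet: SPD decision, then SAD lookup."""
        entry = self.lookup_spd(p)
        if entry is None or entry.action == DISCARD:
            # RFC 4301: a packet with no matching SPD entry must be discarded.
            return DISCARD, None
        if entry.action == BYPASS:
            return BYPASS, None
        sa = next((s for s in self.sad if s.direction == "out"
                   and s.peer == entry.peer and s.sa_proto == entry.sa_proto), None)
        if sa is None:
            # No SA for this peer yet: hand off to the negotiator (IKE) to create one.
            return NEGOTIATE, None
        return PROTECT, sa

    def inbound(self, spi: int, dst: str, sa_proto: str) -> Optional[SecurityAssociation]:
        """An arriving AH/ESP packet selects its SA by the SPI in its header,
        the destination address and the security protocol; no SA means drop."""
        return next((s for s in self.sad if s.direction == "in" and s.spi == spi
                     and s.local == dst and s.sa_proto == sa_proto), None)


# Constructed sample configuration for a security gateway at 203.0.113.1 whose
# peer gateway is 198.51.100.1 (addresses from the RFC 5737 documentation ranges).
SPD = [
    # IKE itself (UDP/500 to the peer) must bypass IPsec or no SA could ever be set up.
    SpdEntry("203.0.113.1/32", "198.51.100.1/32", BYPASS, proto="udp", dport=500),
    # Deny cleartext telnet toward the remote site; listed before PROTECT so it wins.
    SpdEntry("10.0.1.0/24", "10.0.2.0/24", DISCARD, proto="tcp", dport=23),
    # Everything else between the two sites goes through an ESP tunnel to the peer.
    SpdEntry("10.0.1.0/24", "10.0.2.0/24", PROTECT, peer="198.51.100.1"),
    # A third site protected with AH, for which no SA has been negotiated yet.
    SpdEntry("10.0.1.0/24", "10.0.3.0/24", PROTECT, peer="198.51.100.2", sa_proto="AH"),
]
SAD = [
    SecurityAssociation(0x1001, "203.0.113.1", "198.51.100.1", "ESP", "out"),
    SecurityAssociation(0x2002, "203.0.113.1", "198.51.100.1", "ESP", "in"),
]
engine = IpsecEngine(SPD, SAD)

if __name__ == "__main__":
    for pkt in (Packet("10.0.1.5", "10.0.2.7", "tcp", 443),
                Packet("10.0.1.5", "10.0.2.7", "tcp", 23),
                Packet("203.0.113.1", "198.51.100.1", "udp", 500),
                Packet("10.0.1.5", "10.0.3.9", "tcp", 80),
                Packet("10.0.1.5", "192.0.2.9", "tcp", 80)):
        print(pkt, "->", engine.outbound(pkt))
```

Two details worth noticing when mapping this onto a real stack: the BYPASS entry for IKE must precede any PROTECT entry that would otherwise swallow it, and a packet to a destination covered by a PROTECT entry but with no SA in the SAD is not sent in the clear, it is held (or dropped) until the negotiator has established the SA.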