tection to the connection. To secure typical bidirectional communication between two hosts, or between two security gateways, two Security Associations (SAs), one in each direction, are required. Both the ESP and AH security protocols support two modes of operation: transport mode and tunnel mode.
• The IP Authentication Header (AH) provides connectionless integrity, data origin authentication, and an optional anti-replay service. It provides no confidentiality.
• The Encapsulating Security Payload (ESP) may provide confidentiality (encryption) and limited traffic-flow confidentiality. It may also provide connectionless integrity, data origin authentication, and an anti-replay service. In practice ESP is deployed with integrity protection (a separate integrity algorithm or a combined-mode cipher); encryption-only ESP is not recommended (RFC 4303).
• Both AH and ESP are vehicles for access control, based on the distribution of cryptographic keys and the management of traffic flows relative to these security protocols.

VPN, IPSec and TLS, slide 16

IPsec Negotiation
[Figure: IPsec negotiation architecture. Components shown: Applications, the TCP/IP stack, the Unprotect/Protect Engine, the Security Policy Database (SPD), the Negotiator Engine, the IPsec databases (SAD, PAD), and the SA Attributes Database with its SPI; numbered flows 1-6 trace an outbound IPsec packet and an inbound IPsec packet through these components.]

M. Mogollon – 01/08 – slide 17

Outbound Packet
1. The application calls the TCP/IP stack.
2. The TCP/IP packet is captured by the Unprotect/Protect Engine.
3. The Unprotect/Protect Engine checks the packet against the Security Policy Database (SPD) and determines whether traffic to the destination address must be protected or may bypass IPsec. In general, packets are selected for one of three processing modes based on their IP addresses and transport-layer header fields (the selectors) matched against the SPD entries: each packet is either protected using IPsec services, discarded, or allowed to bypass IPsec protection. SPD entries are ordered and the first match applies; a packet that matches no entry is discarded.
4. If the packet needs to be protected, the Unprotect/Protect Engine passes the address on to the Negotiator, which checks the address in the Security Association (SA) and the Security Parameter In...
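The outbound path above (SPD decision, then SA lookup with a hand-off to the negotiator when no SA exists), together with the one-SA-per-direction rule and the anti-replay service that AH and ESP offer, modelled as a small Python example. This is an added illustration, not code from the slides or from any IPsec implementation; the class and field names, the sample addresses, the policy entries and the SPI values are all constructed for the example.

```python
"""Toy model of the IPsec packet path in the slides: the SPD decides
PROTECT / DISCARD / BYPASS per packet, the SAD holds one SA per direction
(found by peer outbound, by SPI inbound) and each inbound SA keeps an
anti-replay window.  Added example, not code from the slides; class and
field names, addresses, policy entries and SPI values are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                   # 6 = TCP, 17 = UDP, 1 = ICMP
    dport: Optional[int] = None

@dataclass(frozen=True)
class SpdEntry:
    """Selectors plus the action; PROTECT entries name the peer gateway."""
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: Optional[int]         # None = any protocol
    dport: Optional[int]         # None = any port
    action: str
    peer: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

def spd_lookup(spd, pkt: Packet) -> Optional[SpdEntry]:
    """Ordered search, first match wins; None means no entry (caller discards)."""
    return next((e for e in spd if e.matches(pkt)), None)

@dataclass
class SecurityAssociation:
    """One unidirectional SA; a bidirectional flow needs a pair of these."""
    spi: int
    peer: str
    protocol: str                # "ESP" or "AH"
    seq: int = 0                 # outbound: last sequence number sent
    window_size: int = 64        # inbound: anti-replay window width
    highest_seq: int = 0         # inbound: right edge of the window
    window: int = 0              # inbound: bit i set <=> highest_seq - i seen

    def check_replay(self, seq: int) -> bool:
        """Sliding-window anti-replay check; True if the packet is fresh.
        (A real stack commits the window update only after the ICV verifies.)"""
        if seq == 0:                          # 0 is never a valid sequence number
            return False
        if seq > self.highest_seq:            # new high: slide the window right
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) & ((1 << self.window_size) - 1)) | 1
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:        # older than the window: drop
            return False
        if (self.window >> offset) & 1:       # already seen: replay
            return False
        self.window |= 1 << offset
        return True

class IpsecStack:
    def __init__(self, spd):
        self.spd = list(spd)
        self.outbound_sad = {}   # peer address -> SA (us -> peer)
        self.inbound_sad = {}    # (spi, protocol) -> SA (peer -> us)
        self.ike_requests = []   # peers the negotiator must set up SAs with

    def install_sa_pair(self, out_sa, in_sa):
        self.outbound_sad[out_sa.peer] = out_sa
        self.inbound_sad[(in_sa.spi, in_sa.protocol)] = in_sa

    def outbound(self, pkt: Packet):
        """Steps 2-4 of the outbound slide: SPD decision, then SA lookup."""
        entry = spd_lookup(self.spd, pkt)
        if entry is None or entry.action == DISCARD:
            return (DISCARD,)
        if entry.action == BYPASS:
            return (BYPASS,)
        sa = self.outbound_sad.get(entry.peer)
        if sa is None:                        # no SA yet: hand off to IKE
            self.ike_requests.append(entry.peer)
            return ("IKE", entry.peer)
        sa.seq += 1                           # per-SA sequence number for anti-replay
        return (PROTECT, sa.protocol, sa.spi, sa.seq)

    def inbound(self, protocol: str, spi: int, seq: int):
        """The SPI selects the inbound SA; unknown SPI or replay is dropped."""
        sa = self.inbound_sad.get((spi, protocol))
        if sa is None:
            return (DISCARD, "no SA for SPI")
        if not sa.check_replay(seq):
            return (DISCARD, "replay or outside window")
        return ("ACCEPT", sa.peer)

# Constructed sample policy for a gateway in front of 10.1.0.0/16.
SAMPLE_SPD = [
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", 6, 23, DISCARD),   # no telnet to the remote site
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", None, None, PROTECT, peer="203.0.113.2"),
    SpdEntry("10.1.0.0/16", "0.0.0.0/0", 17, 53, BYPASS),     # DNS in the clear
]
```

Two points the model makes visible: the DISCARD entry for telnet only works because it precedes the broader PROTECT entry (SPD order is part of the policy), and the first protected packet to a peer with no SA yields an "IKE" result rather than a packet, which is the hand-off to the Negotiator the slide describes. Real stacks key the inbound SAD on more than (SPI, protocol) and only commit the replay window after the integrity check passes; the window arithmetic itself is the same.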
- Spring '10