session_09_vpn__ipsec__and_tls_101908


…thms and keys negotiated in IKE_SA_INIT and IKE_SA_AUTH. However, to enable stronger guarantees of forward secrecy for the key generated for the IKE_SA and for the CHILD_SA, the CREATE_CHILD_SA request can use additional Diffie-Hellman exchanges to create new keys.

• In the CREATE_CHILD_SA request, step 5, the Initiator sends the header (HDR), which includes the Initiator's and the Responder's Security Parameter Indexes, the IKE version number, and the message identifier. The notation SK {…} indicates that the payload is encrypted and integrity protected using SK_e and SK_a. The Initiator (a) sends Notify, [N+], which contains additional details for the CHILD_SA (optional step); (b) proposes an SA; (c) sends a nonce in the Ni payload; (d) sends a new Diffie-Hellman value, g^i, in the KEi payload (optional step); and (e) sends the traffic selectors TSi and TSr. The whole message is encrypted and integrity protected using keys computed from SK_d.

• In the CREATE_CHILD_SA response, step 6, the Responder sends the header (HDR), which includes the Initiator's and Responder's Security Parameter Indexes, the IKE version number, and the message identifier. The Responder (a) sends Notify, [N+], which contains additional details for the CHILD_SA (optional step); (b) agrees to the proposed algorithms in an SA payload; (c) sends its nonce in the Nr payload; (d) sends a new Diffie-Hellman value, g^r, in the KEr payload (optional step); and (e) sends the traffic selectors TSi and TSr. The whole message is encrypted and integrity protected using keys computed from SK_d.

VPN, IPSec and TLS

IKE v2 Header

[Figure: IKE v2 header layout. Fields in order: IKE_SA Initiator's Security Parameter Index (SPI), IKE_SA Responder's Security Parameter Index (SPI), Next Payload, MjVer, MnVer, Exchange Type, Flags, Message ID, Length.]

• Initiator's SPI (8 Octets) – A value selected by the initiator to identify a unique IKE security association.
• Next Payload (1 Octet) – The type of payload that follows the header.
• Flags (1 Octet) – Indicates specific optio...
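To make the header fields on the slide concrete, the following is an added example (not part of the lecture notes) that packs and parses the fixed 28-octet IKEv2 header and applies the consistency checks a receiver or a network monitor would run before trusting the message: version must be 2, the Length field must match the datagram, and an IKE_AUTH, CREATE_CHILD_SA or INFORMATIONAL message is expected to start with the SK (encrypted) payload. The field widths, exchange-type numbers, payload-type numbers and flag bits are the values from RFC 7296; the SPIs, message ID and lengths in the sample headers are constructed for the example.

```python
import struct
from dataclasses import dataclass

IKE_HEADER_LEN = 28  # SPI_i(8) + SPI_r(8) + NextPayload(1) + Ver(1) + ExchType(1) + Flags(1) + MsgID(4) + Length(4)

# Well-known IANA values from RFC 7296, section 3.1 (not taken from the slide)
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {0: "None", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
                 39: "AUTH", 40: "Ni/Nr", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr",
                 46: "SK", 47: "CP", 48: "EAP"}
PAYLOAD_SK = 46
FLAG_INITIATOR = 0x08   # set on messages sent by the original initiator of the IKE_SA
FLAG_VERSION = 0x10     # sender can speak a higher major version (ignored here)
FLAG_RESPONSE = 0x20    # set on responses


@dataclass
class IkeHeader:
    spi_i: int
    spi_r: int
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_TYPES.get(self.exchange_type, f"unknown({self.exchange_type})")

    @property
    def next_payload_name(self) -> str:
        return PAYLOAD_TYPES.get(self.next_payload, f"unknown({self.next_payload})")

    @property
    def is_response(self) -> bool:
        return bool(self.flags & FLAG_RESPONSE)

    @property
    def from_initiator(self) -> bool:
        return bool(self.flags & FLAG_INITIATOR)


def build_ike_header(spi_i, spi_r, next_payload, exchange_type, flags, message_id, length) -> bytes:
    """Pack the 28-octet header in network byte order (MjVer=2, MnVer=0)."""
    version = (2 << 4) | 0
    return struct.pack("!QQBBBBII", spi_i, spi_r, next_payload, version,
                       exchange_type, flags, message_id, length)


def parse_ike_header(data: bytes) -> IkeHeader:
    """Unpack the fixed header; raise if the datagram is too short to hold it."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError(f"datagram too short for an IKE header: {len(data)} octets")
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", data[:IKE_HEADER_LEN])
    return IkeHeader(spi_i, spi_r, nxt, ver >> 4, ver & 0x0F, exch, flags, msg_id, length)


def check_header(hdr: IkeHeader, datagram_len: int) -> list:
    """Return a list of problems; an empty list means the header is plausible."""
    problems = []
    if hdr.major_version != 2:
        problems.append(f"major version {hdr.major_version}, expected 2")
    if hdr.length < IKE_HEADER_LEN:
        problems.append(f"length field {hdr.length} smaller than the header itself")
    if hdr.length != datagram_len:
        problems.append(f"length field {hdr.length} does not match datagram of {datagram_len} octets")
    if hdr.exchange_type not in EXCHANGE_TYPES:
        problems.append(f"unknown exchange type {hdr.exchange_type}")
    if hdr.exchange_type == 34 and not hdr.is_response and hdr.spi_r != 0:
        problems.append("IKE_SA_INIT request must carry a zero responder SPI")
    if hdr.exchange_type in (35, 36, 37):
        if hdr.spi_r == 0:
            problems.append(f"{hdr.exchange_name} needs an established IKE_SA (responder SPI is zero)")
        if hdr.next_payload != PAYLOAD_SK:
            problems.append(f"{hdr.exchange_name} should start with SK, found {hdr.next_payload_name}")
    return problems


# Constructed samples: the CREATE_CHILD_SA request (step 5) and response (step 6) headers.
SAMPLE_REQUEST = build_ike_header(0x1122334455667788, 0x99AABBCCDDEEFF00, PAYLOAD_SK, 36,
                                  FLAG_INITIATOR, 2, 128)
SAMPLE_RESPONSE = build_ike_header(0x1122334455667788, 0x99AABBCCDDEEFF00, PAYLOAD_SK, 36,
                                   FLAG_RESPONSE, 2, 112)
# A header claiming CREATE_CHILD_SA but with an unencrypted SA payload next: should be flagged.
SAMPLE_UNENCRYPTED = build_ike_header(0x1122334455667788, 0x99AABBCCDDEEFF00, 33, 36,
                                      FLAG_INITIATOR, 2, 128)

if __name__ == "__main__":
    for name, raw, dlen in (("request", SAMPLE_REQUEST, 128), ("response", SAMPLE_RESPONSE, 112),
                            ("unencrypted", SAMPLE_UNENCRYPTED, 128)):
        h = parse_ike_header(raw)
        print(name, h.exchange_name, h.next_payload_name, "resp" if h.is_response else "req",
              "msgid", h.message_id, check_header(h, dlen) or "ok")
```

The datagram length passed to check_header is the length the receiver actually got from the socket; comparing it with the Length field catches truncated or padded messages before any payload parsing is attempted on them.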

This note was uploaded on 05/26/2010 for the course TECH 6350 taught by Professor Mogollon during the Spring '10 term at University of Arkansas for Medical Sciences.
