Industrial Strength Security for an
• Companies, research institutions, and government
organizations have long maintained private networks
between central offices and branch offices.
• Employees and contractors want to work from home or
external offices. Road warriors, all the way from
salesmen to CEOs, want to be mobile and connect to
the home office for whatever purpose.
• There are fast, cheap, and plentiful connections to the
Internet to be had in locations as varied as libraries,
airports, and Starbucks.
• How do you go about securing what is basically an
• VPNs (Virtual Private Networks) provide secure
tunneling of communications over insecure
• Where physical private networks existed, VPNs
are becoming commonplace not only among
road warriors, branch offices, and central offices
but also business-to-business partners
exchanging data through a secure tunnel
wrapped around the communications traffic.
VPN Tunneling Technologies
– IKE Internet Key Exchange
– ESP Encapsulated Security Payload
– AH Authentication Header
IPSec Modes – An Overview
• The IPSec protocol consists of several parts that
define two security protocols, AH and ESP.
– ISAKMP is a framework for management of keys and
other vital information such as security associations.
– IKE provides the cryptographic algorithm negotiation
and key distribution utilized by AH and ESP.
– ESP provides data origin authentication,
connectionless integrity, anti-replay service, and data
– AH provides data origin authentication,
connectionless integrity, and anti-replay service.
• Both AH and ESP rely on security
associations (SAs) negotiating the
properties of a secure connection using
• The SA holds the information negotiated
between the two VPN participants.
ISAKMP and IKE
• ISAKMP (IPSec Key Exchange and
Management Protocol) is part of the IPSec suite
that defines procedures for negotiation,
establishment, modification, and deletion of SAs.
• IKE (Internet Key Exchange) is based on the
• IKE consists of two different modes or phases.
– Phase 1 is used to establish a secure channel later
used to protect all negotiations in Phase 2.
– Phase 2 is used to negotiate the IPSec SAs to set up
the IPSec tunnel to protect the communications traffic.
• ESP provides for encapsulation of the
unprotected IP packet, its encryption, and
• Some newer IPSec implementations use
stronger algorithms such as AES, Blowfish,
• AH allows you to check the authenticity of
the data and the header of the IP packet
sent to you. It does not provide a
mechanism for data encryption but does
provide a hash code that allows you to
check whether the packet was tampered
with along the way.
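The three services the slides attribute to AH (data origin authentication, connectionless integrity, and anti-replay) can be seen concretely in a small model of an AH-protected packet. The following is an added example written for this page, not code from the original slides or from any IPSec implementation; it mirrors the RFC 4302 header layout and sliding-window idea with a keyed HMAC as the integrity check, but it is a simplified model (it does not implement the mutable-field zeroing of a real IP header), and all keys, SPI values and payloads are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Simplified AH model (added example, not a real IPSec stack).
# Header mirrors RFC 4302: next header (1), payload len (1), reserved (2),
# SPI (4), sequence number (4), then the ICV. HMAC-SHA-256 truncated to
# 128 bits is used for the ICV, so the header totals 28 bytes.
AH_FIXED_LEN = 12
ICV_LEN = 16
# "payload len" is the AH length in 32-bit words minus 2
PAYLOAD_LEN_FIELD = (AH_FIXED_LEN + ICV_LEN) // 4 - 2


class SecurityAssociation:
    """One direction of an SA: the SPI, the negotiated key, and replay state."""

    def __init__(self, spi, auth_key, window_size=32):
        self.spi = spi
        self.auth_key = auth_key
        self.window_size = window_size
        self.highest_seq = 0   # largest sequence number accepted so far
        self.window = 0        # bitmap: bit d set => highest_seq - d was seen
        self.next_seq = 1      # sender side counter (0 is never sent)

    def icv(self, next_header, seq, payload):
        # ICV covers the AH header with the ICV field zeroed, plus the payload.
        header = struct.pack("!BBHII", next_header, PAYLOAD_LEN_FIELD, 0, self.spi, seq)
        mac = hmac.new(self.auth_key, header + bytes(ICV_LEN) + payload, hashlib.sha256)
        return mac.digest()[:ICV_LEN]


def ah_protect(sa, next_header, payload):
    """Sender: prepend an AH header and ICV to the payload."""
    seq = sa.next_seq
    sa.next_seq += 1
    header = struct.pack("!BBHII", next_header, PAYLOAD_LEN_FIELD, 0, sa.spi, seq)
    return header + sa.icv(next_header, seq, payload) + payload


def ah_verify(sa, packet):
    """Receiver: returns (ok, reason, payload). Order: SPI, ICV, then replay window."""
    if len(packet) < AH_FIXED_LEN + ICV_LEN:
        return False, "truncated", None
    next_header, _, _, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED_LEN])
    if spi != sa.spi:
        return False, "unknown SPI", None
    icv = packet[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
    payload = packet[AH_FIXED_LEN + ICV_LEN:]
    # Constant-time compare so a forger learns nothing from timing.
    if not hmac.compare_digest(icv, sa.icv(next_header, seq, payload)):
        return False, "bad ICV", None
    # Anti-replay: the window is only advanced once the ICV has passed, so an
    # attacker cannot poison the window with unauthenticated packets.
    if seq == 0:
        return False, "seq 0", None
    if seq > sa.highest_seq:
        shift = seq - sa.highest_seq
        sa.window = ((sa.window << shift) | 1) & ((1 << sa.window_size) - 1)
        sa.highest_seq = seq
    else:
        diff = sa.highest_seq - seq
        if diff >= sa.window_size:
            return False, "too old", None
        if sa.window & (1 << diff):
            return False, "replayed", None
        sa.window |= 1 << diff
    return True, "ok", payload


def demo():
    """Walk through accept, replay, tamper and out-of-order cases on constructed data."""
    key = b"constructed-demo-key-not-for-real-use"   # constructed sample key
    sender = SecurityAssociation(spi=0x1000, auth_key=key)
    receiver = SecurityAssociation(spi=0x1000, auth_key=key)
    p1 = ah_protect(sender, 17, b"constructed UDP payload 1")
    p2 = ah_protect(sender, 17, b"constructed UDP payload 2")
    p3 = ah_protect(sender, 17, b"constructed UDP payload 3")
    p4 = ah_protect(sender, 17, b"constructed UDP payload 4")
    p5 = ah_protect(sender, 17, b"constructed UDP payload 5")
    tampered = p3[:-1] + bytes([p3[-1] ^ 0x01])     # flip one payload bit
    results = {}
    results["first"] = ah_verify(receiver, p1)[1]
    results["second"] = ah_verify(receiver, p2)[1]
    results["replay"] = ah_verify(receiver, p1)[1]
    results["tampered"] = ah_verify(receiver, tampered)[1]
    results["out_of_order_5"] = ah_verify(receiver, p5)[1]
    results["out_of_order_4"] = ah_verify(receiver, p4)[1]
    results["replay_4"] = ah_verify(receiver, p4)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>16}: {outcome}")
```

The ordering inside `ah_verify` is the point a defender should notice: the integrity check runs before the replay window is updated, so only packets that prove knowledge of the SA key can move the window, and a modified packet is rejected with "bad ICV" rather than being counted as seen. Out-of-order delivery within the window is accepted once and refused the second time, which is the connectionless integrity plus anti-replay combination the slide describes.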
• As you might guess, all this extra security
comes at the price of extra encapsulation
of the IP packet.
• This translates into decreased throughput.
IPSec seeks to overcome this problem
with a built-in IP compression protocol.
• IPSec VPNs provide strong security for business-to-
business and person-to-business needs. IPSec has two
protocols, AH and ESP, that give confidentiality, integrity,
• IPSec also has protocols and frameworks for key
negotiation and data compression.
• FreeS/WAN used to be the only IPSec game in town as
far as Linux was concerned.
• With the advent of the 2.6 kernel series, there is now
integrated support for IPSec in the kernel in addition to
the survivor of FreeS/WAN, OpenSWAN.