Understand the Internet Security Protocol IPSec in 5 minutes

Networks come in thousands of forms, but in all of them security matters most. As networks grow in scale and complexity, securing transmission at the underlying network layer becomes essential: the two parties in a communication need a mechanism that protects data at the IP layer itself, so that whatever is sent and received is protected regardless of the application on top. IPSec (Internet Protocol Security) is that mechanism.

IPSec is a collection of protocols and services that secure IP networks, and it provides transparent security services to upper-layer protocols and applications. Transparent means that applications and users are unaware of IPSec at work: packets are protected and checked by the IP stack according to a security policy, without any change to the applications that send or receive them. This is very convenient, since user data is secured without causing the user any trouble.

Having said so much, what protocols and services does IPSec include? What are their functions?

IPSec is a collection of IP security protocols and an architecture consisting of AH and ESP protocols, encryption and authentication algorithms, key management, and security negotiation.

IPSec provides a secure channel for devices at both ends of the communication. The devices can be hosts, routers, or firewalls.

AH Protocol

AH (Authentication Header) carries a message authentication code, the Integrity Check Value (ICV), computed over the packet before it is sent. The sender computes the ICV with a shared authentication key (for example HMAC-SHA-256), and the receiver recomputes it with the same key and compares; a packet whose ICV does not match is dropped. AH therefore provides integrity and data-origin authentication, plus optional anti-replay protection, but no confidentiality: the packet contents travel in cleartext. Because the ICV also covers the parts of the IP header that do not change in transit, including the source and destination addresses, AH fails when a NAT device rewrites those addresses on the way.

AH has two working modes: transport mode and tunnel mode.

  • In transport mode, AH is located after the IP packet header and before the upper layer protocol header (such as TCP).
  • In tunnel mode, a new IP header needs to be generated, and the AH and the entire original IP packet are placed in the payload of the new IP packet.
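As an added example (not code from the original article), the following Python builds a transport-mode AH packet over a constructed IPv4/UDP datagram and verifies it the way a receiver would. The key, addresses, SPI and datagram are made up for the demonstration. It shows the point that matters in practice: fields that legitimately change in transit (TTL, checksum, DSCP, fragment fields) are zeroed before the ICV is computed, so a router hop does not break verification, while a changed payload or a NAT-rewritten address does.

```python
import hashlib
import hmac
import struct

IPPROTO_AH = 51
IPPROTO_UDP = 17
ICV_LEN = 16   # HMAC-SHA-256-128 (RFC 4868): the 32-byte MAC is truncated to 16 bytes

# Constructed sample key and UDP datagram (not captured from a real network).
AH_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
UDP_DATAGRAM = struct.pack("!HHHH", 5000, 53, 8 + 5, 0) + b"hello"   # src port, dst port, length, checksum


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header without options; the checksum is left zero."""
    def ip(dotted):
        return bytes(int(octet) for octet in dotted.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, ip(src), ip(dst))


def zero_mutable_fields(ip_hdr):
    """AH authenticates the IP header, but fields that change in transit are
    treated as zero for the ICV (RFC 4302 s.3.3.3.1): DSCP/ECN,
    flags + fragment offset, TTL and header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, ip_hdr, ah_without_icv, payload):
    """ICV = truncated HMAC over (masked IP header || AH header with ICV zeroed || payload)."""
    data = zero_mutable_fields(ip_hdr) + ah_without_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_transport_encapsulate(key, src, dst, next_header, payload, spi, seq, ttl=64):
    """Transport mode: IP header | AH | original upper-layer data (here UDP)."""
    ah_len = 12 + ICV_LEN
    # AH fixed part: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence Number
    ah_without_icv = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + ah_len + len(payload), ttl)
    return ip_hdr + ah_without_icv + ah_icv(key, ip_hdr, ah_without_icv, payload) + payload


def ah_transport_verify(key, packet):
    """Return (spi, seq, next_header, payload) if the ICV verifies, else None (packet dropped)."""
    ip_hdr = packet[:20]
    if ip_hdr[9] != IPPROTO_AH:
        return None
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[20:32])
    ah_len = (payload_len + 2) * 4
    icv, payload = packet[32:20 + ah_len], packet[20 + ah_len:]
    if not hmac.compare_digest(icv, ah_icv(key, ip_hdr, packet[20:32], payload)):
        return None
    return spi, seq, next_header, payload


def ah_demo():
    """Exercise the receiver against a router hop, a payload change and a NAT rewrite."""
    pkt = ah_transport_encapsulate(AH_KEY, "10.0.0.1", "10.0.0.2", IPPROTO_UDP, UDP_DATAGRAM, spi=0x1001, seq=1)
    hop = bytearray(pkt); hop[8] -= 1                                  # a router decremented TTL: still valid
    tampered = bytearray(pkt); tampered[-1] ^= 0x01                    # one payload bit flipped: rejected
    natted = bytearray(pkt); natted[12:16] = bytes([203, 0, 113, 7])   # NAT rewrote the source address: rejected
    return {
        "valid": ah_transport_verify(AH_KEY, pkt) == (0x1001, 1, IPPROTO_UDP, UDP_DATAGRAM),
        "ttl_change_accepted": ah_transport_verify(AH_KEY, bytes(hop)) is not None,
        "payload_change_rejected": ah_transport_verify(AH_KEY, bytes(tampered)) is None,
        "nat_rewrite_rejected": ah_transport_verify(AH_KEY, bytes(natted)) is None,
    }


if __name__ == "__main__":
    print(ah_demo())
```

Tunnel mode differs only in what sits after the AH header: the whole original IP packet becomes the payload, and the outer header (protocol 51) is the one whose immutable fields are masked and authenticated.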

ESP Protocol

ESP (Encapsulating Security Payload) provides confidentiality and, optionally, integrity and authentication. It encrypts the user data that must be kept confidential and places it between an ESP header (SPI and sequence number) and an ESP trailer (padding, pad length and next header); when authentication is enabled, an integrity check value covering the header and the ciphertext follows. In tunnel mode the result is then wrapped in a new IP packet. Unlike AH, the ESP integrity check does not cover the outer IP header, which is why ESP can traverse NAT (with UDP encapsulation, NAT-T) while AH cannot.

ESP has two modes: transport mode and tunnel mode.

  • In transport mode, the ESP header is located after the IP header and before the upper layer protocol header; the ESP trailer and the optional ICV follow the encrypted upper-layer data.
  • In tunnel mode, the position of ESP relative to the outer IP header, that is, the new IP header, is the same as in transport mode, but the entire original IP packet (its header included) is the encrypted payload, so the inner addresses are hidden from anyone watching the wire.
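The following is an added example written for this page, not code from the original article or from any IPsec implementation. It shows the ESP framing for both modes (header, IV, encrypted payload with trailer, ICV) and the order a receiver must follow: check the ICV first, decrypt only if it verifies, then validate the trailer. The keys, SPIs and inner packet are constructed. To stay dependency-free the encryption is a stand-in keystream built from HMAC-SHA256 in counter mode; that is not an IPsec transform (real ESP uses AES-GCM, or AES-CBC with HMAC), but the framing and the encrypt-then-MAC order are the same.

```python
import hashlib
import hmac
import os
import struct

IPPROTO_ESP = 50   # protocol number carried in the outer IP header
IPPROTO_IPV4 = 4   # Next Header value in tunnel mode: the payload is a whole IPv4 packet
IPPROTO_UDP = 17   # Next Header value in transport mode with a UDP payload
IV_LEN, ICV_LEN = 8, 16

# Constructed sample keys and inner packet: IPv4 header (10.0.0.1 -> 10.0.0.2, UDP), UDP header, "hello".
ENC_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")
AUTH_KEY = bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")
INNER_PACKET = bytes.fromhex("4500002100010000401100000a0000010a000002" "13880035000d0000" "68656c6c6f")


def keystream(key, iv, n):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), NOT an IPsec transform."""
    blocks = [hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(enc_key, auth_key, spi, seq, payload, next_header=IPPROTO_IPV4, iv=None):
    """ESP = header(SPI, seq) | IV | encrypt(payload | padding | pad len | next header) | ICV.
    Tunnel mode: payload is a whole IP packet, next_header 4.
    Transport mode: payload is the upper-layer data only, e.g. UDP with next_header 17."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    # Trailer: pad so that payload + padding + the two trailer bytes is 4-byte aligned (RFC 4303 s.2.4)
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # default padding content 1, 2, 3, ...
    plaintext = payload + padding + bytes([pad_len, next_header])
    ciphertext = xor(plaintext, keystream(enc_key, iv, len(plaintext)))
    header = struct.pack("!II", spi, seq)
    # The ICV covers SPI, sequence number, IV and ciphertext (encrypt-then-MAC), never the outer IP header
    icv = hmac.new(auth_key, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + iv + ciphertext + icv


def esp_decapsulate(enc_key, auth_key, esp):
    """Return (spi, seq, next_header, payload), or None if the ICV fails or the trailer is malformed."""
    if len(esp) < 8 + IV_LEN + 2 + ICV_LEN:
        return None
    header, iv = esp[:8], esp[8:8 + IV_LEN]
    ciphertext, icv = esp[8 + IV_LEN:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, header + iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None          # verify first: unauthenticated ciphertext is never decrypted
    spi, seq = struct.unpack("!II", header)
    plaintext = xor(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2 or plaintext[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return None          # malformed trailer
    return spi, seq, next_header, plaintext[:-2 - pad_len]


def esp_demo():
    fixed_iv = bytes(IV_LEN)   # fixed only so the demo is reproducible; real SAs use a fresh IV per packet
    tunnel = esp_encapsulate(ENC_KEY, AUTH_KEY, 0x2002, 1, INNER_PACKET, IPPROTO_IPV4, fixed_iv)
    transport = esp_encapsulate(ENC_KEY, AUTH_KEY, 0x2003, 1, INNER_PACKET[20:], IPPROTO_UDP, fixed_iv)
    tampered = bytearray(tunnel); tampered[8 + IV_LEN] ^= 0x80       # flip one ciphertext bit
    return {
        "tunnel_ok": esp_decapsulate(ENC_KEY, AUTH_KEY, tunnel) == (0x2002, 1, IPPROTO_IPV4, INNER_PACKET),
        "transport_ok": esp_decapsulate(ENC_KEY, AUTH_KEY, transport) == (0x2003, 1, IPPROTO_UDP, INNER_PACKET[20:]),
        "aligned": (len(tunnel) - 8 - IV_LEN - ICV_LEN) % 4 == 0,
        "tamper_rejected": esp_decapsulate(ENC_KEY, AUTH_KEY, bytes(tampered)) is None,
        "wrong_auth_key_rejected": esp_decapsulate(ENC_KEY, b"wrong key", tunnel) is None,
    }


if __name__ == "__main__":
    print(esp_demo())
```

In tunnel mode the bytes returned by `esp_encapsulate` would be prepended with an outer IP header whose protocol field is 50; that header is not covered by the ICV, which is exactly what lets a NAT rewrite it without breaking the packet.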

Encryption and authentication algorithms

Data confidentiality is the primary requirement for any virtual private network. The cryptographic algorithms involved fall into two categories: symmetric and asymmetric. IPSec protects bulk traffic with symmetric algorithms, because they are fast: ESP encryption uses ciphers such as AES, and AH/ESP integrity uses keyed hashes such as HMAC-SHA-2. Asymmetric algorithms are used by IKE to authenticate the peers and to agree on the symmetric keys.

Symmetric algorithms are based on the fact that the sender and receiver of data have the same key. The sender uses the key to encrypt the data, and the receiver uses the same key to decrypt the data.

Asymmetric algorithms are also called public key algorithms. Different keys are used for encryption and decryption. The encryption key is called the public key and can be made public. The encrypted data can only be decrypted with the private key, which is kept secret. Anyone with the recipient's public key can encrypt data, but the data can only be decrypted with the recipient's private key.

Secure negotiation and key management

Before AH or ESP can be used, a logical connection at the network layer must be established between the two hosts. This logical connection is called a Security Association, or SA. An SA records the protocol (AH or ESP), the mode, the algorithms, the keys and the lifetime that apply to a stream of traffic, and on the receiving side it is identified by the Security Parameter Index (SPI) carried in the AH or ESP header together with the destination address and protocol. An SA can be established manually or negotiated with the IKE protocol. An SA is one-way: if two-way secure communication is required, two SAs must be established, one for each direction, each with its own keys and its own sequence-number state.

There are two types of SA: the IKE SA (Internet Key Exchange, the automatic key management protocol; called the ISAKMP SA in IKEv1) and the IPSec SA.

  • The IKE or ISAKMP SA protects control traffic: the IKE messages themselves, in which the peers authenticate each other and negotiate the encryption and authentication algorithms.
  • An IPSec SA carries the actual data traffic that needs to be protected and fixes the algorithms and keys used for it. Which traffic is protected is determined by the security policy, expressed as selectors such as source and destination address, protocol and port.
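As an added example (not code from the original article), the Python below models the per-SA state a host keeps: an outbound SA that owns the sequence counter, and an inbound SA with the sliding anti-replay window described in RFC 4303 section 3.4.3 and Appendix A, stored in a small Security Association Database keyed by destination, protocol and SPI. The hosts, SPIs and addresses are constructed. It shows why an SA is one-way (each direction has independent state), how replayed and too-old packets are dropped while late but genuine packets inside the window are accepted, and that the counter must not wrap without rekeying.

```python
from dataclasses import dataclass

WINDOW = 64          # RFC 4303 s.3.4.3: anti-replay window; minimum 32, 64 is the common default
SEQ_MAX = 0xFFFFFFFF


@dataclass
class OutboundSA:
    """Sender side of a one-way SA: owns the sequence counter for this SPI."""
    spi: int
    seq: int = 0

    def next_seq(self):
        if self.seq == SEQ_MAX:
            # The counter must never wrap under the same keys; a new SA has to be negotiated first.
            raise RuntimeError("sequence number exhausted, SA must be renegotiated")
        self.seq += 1
        return self.seq


@dataclass
class InboundSA:
    """Receiver side of a one-way SA: sliding window of sequence numbers already accepted."""
    spi: int
    top: int = 0        # highest sequence number accepted so far
    bitmap: int = 0     # bit i set  <=>  sequence number (top - i) already received

    def accept(self, seq):
        """Call only after the packet's ICV has verified; False means drop (replay or too old)."""
        if seq == 0:
            return False                     # the first packet on an SA is number 1
        if seq > self.top:                   # newer than anything seen: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= WINDOW:
            return False                     # fell off the left edge of the window
        if (self.bitmap >> behind) & 1:
            return False                     # replay: this number was already accepted
        self.bitmap |= 1 << behind           # late but genuine: mark as seen
        return True


def sa_demo():
    # Two hosts, two directions, therefore two SAs with independent state (constructed values).
    a_to_b_out, a_to_b_in = OutboundSA(spi=0x1001), InboundSA(spi=0x1001)
    b_to_a_out, b_to_a_in = OutboundSA(spi=0x2002), InboundSA(spi=0x2002)
    # Each host's SAD, keyed the way a receiver looks packets up: (destination, protocol, SPI)
    sad_b = {("10.0.0.2", "ESP", 0x1001): a_to_b_in}
    sad_a = {("10.0.0.1", "ESP", 0x2002): b_to_a_in}

    rx = sad_b[("10.0.0.2", "ESP", 0x1001)]
    s1, s2, s3 = (a_to_b_out.next_seq() for _ in range(3))
    in_order = [rx.accept(s1), rx.accept(s2), rx.accept(s3)]
    replay = rx.accept(s2)                                   # a captured packet sent again
    s4, s5 = a_to_b_out.next_seq(), a_to_b_out.next_seq()
    reordered = [rx.accept(s5), rx.accept(s4)]               # 4 arrives after 5: inside the window, fine
    late_replay = rx.accept(s4)
    jump = rx.accept(200)                                    # many packets lost, window slides to 200
    too_old, oldest_ok = rx.accept(136), rx.accept(137)      # 200 - 64 = 136 is outside, 137 is the oldest accepted
    # The reverse direction has its own counter: sequence number 1 is fresh there.
    other_direction = sad_a[("10.0.0.1", "ESP", 0x2002)].accept(b_to_a_out.next_seq())
    try:
        OutboundSA(spi=0x3003, seq=SEQ_MAX).next_seq()
        wrap_refused = False
    except RuntimeError:
        wrap_refused = True
    return {
        "in_order": in_order == [True, True, True],
        "replay_rejected": replay is False,
        "reorder_accepted": reordered == [True, True],
        "late_replay_rejected": late_replay is False,
        "window_slides": jump is True and too_old is False and oldest_ok is True,
        "other_direction_independent": other_direction is True,
        "wrap_refused": wrap_refused,
    }


if __name__ == "__main__":
    print(sa_demo())
```

The order matters in a real stack: the window is consulted before the expensive ICV computation to discard obvious replays cheaply, but it is only updated after the ICV verifies, so an attacker cannot poison the window with forged sequence numbers.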

The default automatic key management protocol for IPSec is IKE. The main task of the IKE protocol is to establish and maintain ISAKMP SA and IPSec SA.

The IKE protocol (IKEv1) uses two phases to establish the ISAKMP SA and the IPSec SA respectively.

  • Phase 1: The communicating parties authenticate each other and establish a secure channel between them, that is, the ISAKMP SA, using either main mode or aggressive mode. Aggressive mode with pre-shared keys sends the authentication hash unencrypted, exposing the key to offline guessing, and should be avoided.
  • Phase 2 (quick mode): Over the secure channel established in Phase 1, the parties negotiate the security services for IPSec, that is, the specific algorithms, keys and traffic selectors, and establish the IPSec SAs used for the actual protected transmission of IP data.

IKEv2 (RFC 7296) keeps the same two-level structure but compresses the exchanges: IKE_SA_INIT and IKE_AUTH establish the IKE SA and the first IPSec (Child) SA together, and further Child SAs are created with CREATE_CHILD_SA.

Now everyone should have mastered it!
