IPSec architecture

Tunnelling Mode
The application sends the data to network sub system of the computer.
It wraps the data in a TCP header identifying the application it is heading for.
Then an IP header is placed around it.
Next an IPSec header is placed around that which could include encryption or
authenticity and integrity.
Finally another Outer IP header wraps around everything.

At the beginning IKE builds security associations. We are not really building tunnels
through the Internet we are building SAs which is an agreement on how to do encryption.
The encryption can be either AH or ESP. AH is almost obsolete. Although it does
encapsulation for authentication it doesnt do encryption. So it can do integrity check
through hashing or authenticity.
ESP will give us the encryption and also the integrity.
AH provides an Integrity check for the outer IP header which ESP doesnt.
ESP has an integrity check after the IP header so the IP header can be changed. But thats
okay because maybe NAT occurs its okay but its not okay for AH.
IKE Internet Security Exchange
Its job is to build security associations.
IKE associations and IPSec associations (UDP port 500)
How does it work?
A user sends some interesting data from the branch office to the headquarters. The router
thinks okay this is something Im going to need to encrypt.

So a VPN tunnels needs to be set up from the branch office to the main headquarters. The
first step is to run:
Phase 1: to be able to create an ISAKMP association. Over UDP an ISKAMP association is
established using a policy set. It defines how to secure the management session.
Phase 2: to create an IPSec security association. A transform set is used to describe how to
secure end user data. Its phase 2 that protects the user data.
There will be 1 ISEKAMP association and 2 IPSec associations. So there will be 3 security
associations.
1 management
1 outward bound data
1 inbound data
All we are building is security associations which is an agreement on how to do encryption.
Security perimeter index 32bit random number is used to check how to decrypt so it all
fits together.
PHASE 1
I see interesting traffic
I talk to the other router using ISAKAM on UDP 500
And say lets build a VPN
First thing we need is a management session. Once established we have an ISAKAMP SA.
We need to check our policies match if it doesnt work.
Negotiating IPSecs IKE phase 1
Identifying the 5 things negotiated = H.A.G.L.E
HAGLE
Hashing for data integrity
Authentication (who are you) certificates of pre-shared keys
Group, (DH) secret keys to encrypt and decrypt data
Lifetime, how long should the tunnel be active? Shorter the more secure because evertyhitng
will need to be renewed.
Encryption, AES256
PHASE 2
We need to build our IPSec data SAs.
We have to have matching transform sets on both sides on how to protect the data.
Options AES256 or SHA2.
If it matches on both sides we get a tunnel.
IPSec is a great way of building a VPN tunnel.

PKI Public Key Infrastructure

I want to send a secure message to Alice

Alice has a key pair. A public key and a private key. Public key can only encrypt
information and the private key can only decrypt the information.
You request Alices public key. Its public so anybody can use this key.
You use the public key to encrypt your email to Alice.
Anything encrypted with the public key cannot be decrypted with the same key. It has
to be decrypted with the pair key (the private key) that Alice has.
So the message is safe because nobody can intercept the message and decrypt it.
How is it authenticated?
Thats where digital certificates come into to play.
They associate a public key with an individual or company.
Symmetric encryption is fast.
Asymmetric encryption is slow.
Symmetric key uses the same key to encrypt and decrypt data. This causes problems. First the
key needs to be stored. If the attacker gets the key he could encrypt the key and access any
data.
A secure channel needs to be made to exchange the key.