IPsec (Internet Protocol Security) is a suite of protocols that secures IP traffic at the network layer. It provides confidentiality, integrity and authentication for data sent over untrusted networks such as the internet.
Plain IP packets carry no built-in security: anyone on the path between sender and receiver can read or alter their contents without either party noticing.
How to secure data using IPsec?
With the help of IPsec, we can secure the data in the following ways: –
IPsec encrypts the data, so it is unreadable to anyone without the decryption key; only the sender and receiver can read it. An attacker can still capture the packets, but learns nothing useful from them.
IPsec authenticates the communicating parties, so data is exchanged only between peers that have proven their identity. This stops an attacker from inserting themselves between the two as a man-in-the-middle.
IPsec establishes security associations (SAs) between two communicating devices. An SA defines the rules and parameters for secure communication, such as the encryption and authentication algorithms and keys to be used. An SA is unidirectional, so a two-way connection needs a pair of SAs, one for each direction.
IPsec can create a secure tunnel between two devices or networks; this is how IPsec VPNs (Virtual Private Networks) are built. The tunnel encapsulates each original packet inside a new one, so the original addresses and payload are hidden while in transit.
What is IKE?
IKE, also known as Internet Key Exchange, is a protocol used in IPsec which helps establish a secure communication tunnel between devices. It is responsible for exchanging the necessary cryptographic keys and security parameters required for tunnel creation and establishing secure communications.
It helps in negotiating between both parties to agree on how to secure the communication and enables the creation of security associations (SAs) for encrypted and authenticated communications.
How many IKE phases are there?
IKE has two phases, namely:-
IKE Phase 1
The primary goal of Phase 1 is to establish a secure and authenticated channel for further negotiation. This phase sets up the initial secure connection between the two peers, called the IKE SA (in IKEv1 also called the ISAKMP SA), and Phase 2 then runs inside it.
IKE Phase 2
Phase 2 builds upon the secure channel established in Phase 1 and focuses on negotiating the parameters and keys for securing the actual data traffic.
What functions does IKE Phase 1 perform?
The following functions are performed in IKE Phase 1: –
The parties authenticate each other’s identities using methods like pre-shared keys (PSK), digital certificates, or other authentication mechanisms.
Once the Phase 1 keys are agreed, the rest of the Phase 1 negotiation (in IKEv1 main mode, the identity and authentication messages) is encrypted, so the peers' identities are not sent in the clear.
Diffie-Hellman Key Exchange
The Diffie-Hellman key exchange lets the sender and receiver agree on a shared secret over an untrusted network: each side sends only its public value, and an eavesdropper who sees both public values cannot compute the secret.
Lifetime and Refreshing
Phase 1 also negotiates the lifetime of the IKE SA and, with it, when the keys must be refreshed (rekeyed).
When Phase 1 is completed, both parties have a secure communication channel and shared key material derived from the Diffie-Hellman secret (in IKEv1, SKEYID and the keys derived from it). This material protects the Phase 2 negotiation and seeds the Phase 2 keys; it is not itself used to encrypt the data traffic. The keys that protect data are derived in Phase 2.
What functions does IKE Phase 2 perform?
The following functions are performed in IKE Phase 2: –
Selection of Security Policies
The sender and receiver negotiate the specific security policies for the data traffic, including the encryption and authentication algorithms, and select either AH or ESP as the IPsec protocol.
Creation of Security Associations (SAs)
One or more SAs are created, each defining how data should be protected. An SA is identified by its SPI (Security Parameter Index), the destination address and the protocol (AH or ESP), and because an SA is unidirectional a single Phase 2 negotiation yields a pair of SAs, one inbound and one outbound, each with its own keys.
Phase 2 also negotiates the encapsulation mode, either tunnel mode or transport mode, and optionally performs a fresh Diffie-Hellman exchange for perfect forward secrecy (PFS), so that a compromise of the Phase 1 secret does not expose the data keys.
When Phase 2 is completed, the devices or networks involved have established one or more SAs that define how data will be encrypted, authenticated, and transmitted between them. These SAs govern the secure communication for data packets.
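The Phase 1 and Phase 2 key derivation described above, worked through in code. This is an added example written for this page, not code from any IPsec implementation. It follows the IKEv1 pre-shared-key derivation of RFC 2409 (sections 5 and 5.5, Quick Mode without PFS); IKEv2 (RFC 7296) uses a different derivation. Assumptions: HMAC-SHA-256 as the prf, 16-byte nonces, and a toy 127-bit Diffie-Hellman group in place of a real MODP or ECP group; the function and variable names are this example's own.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (assumption): a 127-bit Mersenne prime
# and generator 3. Real IKE peers negotiate a group such as MODP group 14 (2048-bit).
P = 2**127 - 1
G = 3
COOKIE_LEN = 8   # ISAKMP cookies CKY-I / CKY-R are 8 bytes
NONCE_LEN = 16   # nonce length is a free choice (assumed 16 bytes here)


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash. HMAC-SHA-256 is assumed here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(peer_public: int, x: int) -> bytes:
    """g^xy as a fixed-width big-endian byte string (16 bytes for the toy group)."""
    return pow(peer_public, x, P).to_bytes(16, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """Phase 1 keying with pre-shared-key authentication (RFC 2409 section 5).
    Only a peer holding the same PSK derives the same SKEYID, which is what
    authenticates the exchange."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # seeds Phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # encrypts IKE messages
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, length):
    """Phase 2 (Quick Mode, no PFS) keying material, RFC 2409 section 5.5:
    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b), K2 = prf(SKEYID_d, K1 | ...), ...
    Each SA (each SPI) gets distinct keys from the same SKEYID_d."""
    seed = protocol + spi + ni2 + nr2
    block = prf(skeyid_d, seed)
    out = block
    while len(out) < length:
        block = prf(skeyid_d, block + seed)
        out += block
    return out[:length]


def run_exchange(psk_initiator, psk_responder, rng=secrets.token_bytes):
    """Simulate both peers. Returns each side's Phase 1 keys and the Phase 2 keys for the
    two unidirectional ESP SAs, so the results can be compared side by side."""
    cky_i, cky_r = rng(COOKIE_LEN), rng(COOKIE_LEN)
    ni, nr = rng(NONCE_LEN), rng(NONCE_LEN)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    # The public values travel in the clear; each side combines the other's public
    # value with its own private exponent and reaches the same g^xy.
    gxy_i = dh_shared(gxr, xi)
    gxy_r = dh_shared(gxi, xr)
    keys_i = phase1_keys(psk_initiator, ni, nr, gxy_i, cky_i, cky_r)
    keys_r = phase1_keys(psk_responder, ni, nr, gxy_r, cky_i, cky_r)
    # Phase 2: fresh nonces and one SPI per direction. ESP is protocol 3 in the
    # IPsec DOI (RFC 2407); 32 bytes of KEYMAT is enough for a 256-bit cipher key.
    ni2, nr2 = rng(NONCE_LEN), rng(NONCE_LEN)
    esp = b"\x03"
    spi_in, spi_out = rng(4), rng(4)
    keymat_in = phase2_keymat(keys_i["SKEYID_d"], esp, spi_in, ni2, nr2, 32)
    keymat_out = phase2_keymat(keys_i["SKEYID_d"], esp, spi_out, ni2, nr2, 32)
    return {"initiator": keys_i, "responder": keys_r,
            "keymat_in": keymat_in, "keymat_out": keymat_out,
            "gxy_equal": gxy_i == gxy_r}
```

Two things to notice when running it: with mismatched pre-shared keys the Diffie-Hellman secret still agrees (DH alone authenticates nobody), but SKEYID and everything derived from it diverge, so the peers cannot decrypt each other's later messages; and the inbound and outbound SAs get different keys even though both come from the same SKEYID_d, because the SPI is part of the derivation.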
Internet Key Exchange negotiates the keys and security associations for the tunnel, but it does not itself encrypt or authenticate the user data.
For this purpose, we use the following two protocols: –
Authentication Header (AH)
AH is the IPsec protocol that provides data integrity, origin authentication and anti-replay protection for IP packets. It does not provide encryption, but it ensures that the packet was not tampered with in transit. Its integrity check also covers the immutable fields of the IP header itself, which is why AH cannot pass through NAT devices that rewrite addresses.
Encapsulating Security Payload (ESP)
ESP is the IPsec protocol that provides encryption and, optionally, data integrity, origin authentication and anti-replay protection. In practice integrity is almost always enabled, and an AEAD cipher such as AES-GCM supplies both encryption and integrity in one step. ESP encrypts everything between the ESP header and the ESP trailer, but not the IP header in front of it: in transport mode that is the upper-layer payload, in tunnel mode the entire original IP packet. ESP with integrity enabled is the usual choice today; combining ESP with AH is possible but rarely used.
Both protocols can operate in two modes: –
- Tunnel Mode
- Transport Mode
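The anti-replay protection that AH and ESP provide, shown as the sliding window a receiver keeps per inbound SA (RFC 4303 section 3.4.3; the bitmap shape follows RFC 4303 appendix A). This is an added example written for this page, not code from any IPsec stack. It assumes 32-bit sequence numbers without extended sequence numbers, a 64-packet window, and a caller that has already located the SA from the packet's SPI; the class and function names, and the sample stream, are this example's own.

```python
class AntiReplayWindow:
    """Sliding anti-replay window for one inbound SA (RFC 4303 section 3.4.3).
    Assumptions: 32-bit sequence numbers, no ESN, window of 64 packets."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number whose integrity check passed
        self.bitmap = 0    # bit i set <=> sequence number (top - i) was already accepted

    def check(self, seq: int) -> bool:
        """Step 1, before the ICV is verified: could this sequence number be accepted?"""
        if seq == 0:                              # first valid sequence number on an SA is 1
            return False
        if seq > self.top:                        # new high-water mark, always acceptable
            return True
        diff = self.top - seq
        if diff >= self.size:                     # older than the window: drop
            return False
        return not (self.bitmap >> diff) & 1      # inside the window: drop if seen before

    def mark(self, seq: int) -> None:
        """Step 2, only after the ICV verified: record seq and slide the window."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                   # everything in the old window is stale
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool) -> bool:
        """Full inbound decision: window check, then integrity check, then update.
        A forged packet (bad ICV) must never move the window, or an attacker
        could push the receiver's window past legitimate in-flight packets."""
        if not self.check(seq):
            return False
        if not icv_ok:
            return False
        self.mark(seq)
        return True


def process_stream(packets):
    """Run a list of (sequence number, ICV verified?) through one SA; returns the verdicts."""
    win = AntiReplayWindow(size=64)
    return [win.receive(seq, ok) for seq, ok in packets]


# Constructed sample stream (not captured traffic): in-order packets, a replay, a jump,
# a reordered packet inside the window, one just outside it, and a forged packet.
SAMPLE = [(1, True), (2, True), (3, True), (2, True), (100, True), (90, True),
          (90, True), (37, True), (36, True), (5000, False), (5000, True), (100, True)]
```

Walking the sample through: 1, 2, 3 are accepted; the second 2 is a replay inside the window and is dropped; 100 advances the window (now covering 37..100); 90 arrives late but unseen and is accepted, its replay is not; 37 is the oldest sequence number still inside the window, 36 is one too old; the forged 5000 is rejected without moving the window, after which the genuine 5000 moves it and makes the earlier 100 too old.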
What is the difference between tunnel mode and transport mode?
The difference between tunnel mode and transport mode is as follows-
In transport mode, only the payload of the original IP packet is encrypted and/or authenticated. The original IP header stays in place (with ESP it travels in the clear; with AH it is authenticated but not encrypted), and the header's protocol field is changed to point at the AH or ESP header. This mode is commonly used for securing end-to-end communication between two hosts.
In tunnel mode, the complete original IP packet, header and payload, is encapsulated within a new IP packet whose outer header carries the addresses of the tunnel endpoints. The original packet is therefore entirely protected while it crosses the network, and an observer sees only the two endpoints talking. Tunnel mode is used to build VPNs between network gateways, or between a remote client and a gateway.
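The ESP encapsulation described above, built byte by byte in both modes so the difference is visible in the resulting packets. This is an added example written for this page, not code from any IPsec implementation. To stay runnable with only the Python standard library it uses ESP with NULL encryption (RFC 2410) and HMAC-SHA-256-128 integrity; with a real cipher, the region from the payload through the Next Header byte would be the encrypted part, and the packet layout would be the same. Assumptions: 20-byte IPv4 headers without options, a constructed TCP segment and addresses, and function names of this example's own choosing.

```python
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4   # Next Header value meaning "an IPv4 packet follows" (tunnel mode)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 16       # HMAC-SHA-256-128 truncates the MAC to 128 bits


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) followed by payload."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def ip_fields(packet: bytes):
    """(src, dst, protocol, payload) of an IPv4 packet without options."""
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, packet[9], packet[20:]


def esp_encapsulate(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    """ESP packet (RFC 4303): SPI | Seq | payload | padding | pad length | next header | ICV.
    The ICV covers everything before it; the IP header in front of ESP is not covered."""
    pad_len = (-(len(payload) + 2)) % 4          # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default padding bytes 1, 2, 3, ...
    body = payload + padding + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def esp_decapsulate(esp: bytes, key: bytes):
    """Verify the ICV first (never act on unauthenticated bytes), then strip the trailer."""
    header, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet was modified or key is wrong")
    spi, seq = struct.unpack("!II", header)
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]


def transport_mode(packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: keep the original IP header, protect only what follows it.
    Next Header records the original upper-layer protocol (e.g. 6 for TCP)."""
    src, dst, proto, payload = ip_fields(packet)
    return ipv4_packet(src, dst, IPPROTO_ESP, esp_encapsulate(spi, seq, payload, proto, key))


def tunnel_mode(packet: bytes, spi: int, seq: int, key: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the whole original packet becomes the ESP payload (Next Header = 4)
    and a new outer header carries the gateway addresses."""
    return ipv4_packet(gw_src, gw_dst, IPPROTO_ESP, esp_encapsulate(spi, seq, packet, IPPROTO_IPIP, key))


def unprotect(packet: bytes, key: bytes):
    """Receiver side for either mode: (next header, bytes that were behind ESP)."""
    _, _, proto, esp = ip_fields(packet)
    if proto != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    _, _, next_header, inner = esp_decapsulate(esp, key)
    return next_header, inner


def is_authentic(packet: bytes, key: bytes) -> bool:
    """True if the ESP integrity check passes for this packet."""
    try:
        unprotect(packet, key)
        return True
    except ValueError:
        return False


# Constructed sample (not real traffic): a fake TCP segment from 10.0.0.5 to 10.0.0.9.
KEY = b"example-integrity-key-not-for-real-use"
SEGMENT = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0) + b"hello"
ORIGINAL = ipv4_packet("10.0.0.5", "10.0.0.9", IPPROTO_TCP, SEGMENT)
```

Comparing the two outputs shows the point of the modes: the transport-mode packet still carries 10.0.0.5 and 10.0.0.9 in its header with protocol 50, and Next Header 6 tells the receiver a TCP segment is inside; the tunnel-mode packet shows only the gateway addresses, and Next Header 4 tells the receiving gateway to unwrap a complete IPv4 packet and forward it. Flipping a single byte of either packet's ICV makes decapsulation fail before any of the inner bytes are used.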