2. Encapsulated Security Payload
(ESP)
• Must encrypt and/or authenticate in each
packet
• Encryption occurs before authentication
• Authentication is applied to data in the
IPSec header as well as the data contained
as payload
5. Authentication Header (AH)
• Authentication is applied to the entire
packet, with the mutable fields in the IP
header zeroed out
• If both ESP and AH are applied to a packet,
AH follows ESP
8. Internet Key Exchange (IKE)
• Phase I
– Establish a secure channel(ISAKMP SA)
– Authenticate computer identity
• Phase II
– Establishes a secure channel between
computers intended for the transmission of data
(IPSec SA)
9. Main Mode
• Main mode negotiates an ISAKMP SA
which will be used to create IPSec Sas
• Three steps
– SA negotiation
– Diffie-Hellman and nonce exchange
– Authentication
10. Main Mode (Kerberos)
Initiator Responder
Header, SA Proposals
Header, Selected SA Proposal
Header, D-H Key Exchange, Noncei,
Kerberos Tokeni Header, D-H Key Exchange, Noncer,
Kerberos Tokenr
Header, Idi, Hashi
Header, Idr, Hashr
Encrypted
11. Main Mode (Certificate)
Initiator Responder
Header, D-H Key Exchange, Noncei
Header, Idi, Certificatei, Signaturei,
Certificate Request
Header, D-H Key Exchange,
Noncer,Certificate Request
Header, Idr, Certificater,
Signaturer
Encrypted
Header, SA Proposals
Header, Selected SA Proposal
12. Main Mode (Pre-shared Key)
Initiator Responder
Header, D-H Key Exchange, Noncei
Header, Idi, Hashi
Header, D-H Key Exchange, Noncer
Header, Idr, Hashr
Encrypted
Header, SA Proposals
Header, Selected SA Proposal
13. Quick Mode
• All traffic is encrypted using the ISAKMP
Security Association
• Each quick mode negotiation results in two
IPSec Security Associations (one inbound,
one outbound)
14. Quick Mode Negotiation
Header, Hash
Header, Connected Notification
Encrypted
Initiator Responder
Header, IPSec Selected SA
Header, IPSec Proposed SA