Main Components of IPSec - IKE, ESP and AH
Following are the three main components of IPSec.
1) Internet Key Exchange (IKE) Protocol: Internet Key Exchange (IKE) is a network security Protocol designed to allow two devices to dynamically exchange Encryption Keys and negotiate Security Associations (SA). Internet Key Exchange (IKE) Security Associations (SA) can be established dynamically and removed at a negotiated time period. Internet Key Exchange is a hybrid protocol made from the combination of Oakley, SKEME (A Versatile Secure Key Exchange Mechanism for Internet) and ISAKMP (Internet Security Association and Key Management Protocol) protocols.
• Internet Security Association and Key Management Protocol (ISAKMP) provide a framework for authentication and key exchange.
• The Oakley Protocol is a Key Agreement protocol that allows the authenticated devices to exchange keys using the Diffie-Hellman key exchange algorithm. Oakley supports Perfect Forward Secrecy (PFS).
• SKEME is a key exchange mechanism suggested by Hugo Krawczyk (IBM T.J.Watson Research Center). SKEME provides anonymity, and allows repudiation of communication by avoiding the use of digital signatures and quick Key refreshment. SKEME uses cookie against Denial-of-Service (DoS) attacks
RFC 2409 describes the IKE protocol using Oakley, SKEME with ISAKMP to obtain authenticated keying material.
Click the following link to learn more about Internet Key Exchange (IKE) protocol.
2) Encapsulating Security Payload (ESP): IPSec uses ESP (Encapsulating Security Payload) to provide Data Integrity, Encryption, Authentication, and Anti-Replay functions for IPSec VPN. Cisco IPSec implementations uses DES, 3DES and AES for Data Encryption. ESP authenticates the data within the VPN, ensuring Data Integrity and that it coming from the correct source.
3) Authentication Header (AH): IPSec uses Authentication Header (AH) to provide Data Integrity, Authentication, and Anti-Replay functions for IPSec VPN. Authentication Header (AH) DOES NOT provide any Data Encryption. Authentication Header (AH) can be used to provide Data Integrity services to ensure that Data is not tampered during its journey.
Note: ESP is more widely deployed than AH, because ESP provides all the benefits of IPSec, that is, Confidentiality, Integrity, Authentication and Re-Play attack protection.