Answer To: 1. Why does IPSec need a security association? 2. How does IPSec create a set of security...
David answered on Dec 24 2021
1. Why does IPSec need a security association?
Answer: —to provide authentication and/or encryption for packets at the IP level.
Security aspects, particularly privacy and message authentication, can be applied to the
network, transport, and application layers of the Internet model. We briefly show how the
IPSec protocol can add authentication and confidentiality to the IP protocol, how SSL (or
TLS) can do the same for the TCP protocol, and how PGP can do it for the SMTP
protocol (e-mail). In all these protocols, there are some common issues that we need to
consider. First, we need to create a MAC. Then we need to encrypt the message and,
probably, the MAC. This means, that with some minor variations, the three protocols
discussed in this chapter take a packet from the appropriate layer and create a new packet
which is authenticated and encrypted.
Figure 32.1 shows this general idea. Note that the header or the trailer of the security
protocol may or may not be included in the encryption process. Note also that some
protocols may need more information in the secured packet; the figure shows only the
general idea. One common issue in all these protocols is security parameters. Even the
simplified structure in Figure 32.1 suggests that Alice and Bob need to know several
pieces of information, security parameters, before they can send secured data to each
other. In particular, they need to know which algorithms to use for authentication and
encryption/decryption. Figure 32.1 Common structure of three security protocols
Encrypted Header of security protocol Trailer of security protocol MAC Payload (from
IP, TCP, or SMTP) Alice Data flow Bob Forouzan: Data Communications and
Networking, Fourth Edition VII. Security 32. Security in the Internet: IPSec, SSL/TLS,
PGP, VPN, and Firewalls © The McGraw−Hill Companies, 2007 996 CHAPTER 32
SECURITY IN THE INTERNET: IPSec, SSL/TLS, PGP, VPN, AND FIREWALLS
Even if these algorithms can be predetermined for everyone in the world, which they are
not as we will see, Bob and Alice still need at least two keys: one for the MAC and one
for encryption/decryption. In other words, the complexity of these protocols lies not in
the way the MAC data are calculated or the way encryption is performed; it lies in the
fact that before calculating the MAC and performing encryption, we need to create a set
of security parameters between Alice and Bob. At first glance, it looks as if the use of any
of these protocols must involve an infi- nite number of steps. To send secured data, we
need a set of security parameters. The secure exchange of security parameters needs a
second set of security parameters. The secure exchange of the second set of security
parameters needs a third set of security parameters. And so on ad infinitum. To limit the
steps, we can use public-key cryptography if each person has a private and public key
pair. The number of steps can be reduced to one or two. In the one-step version, we can
use session keys to create the MAC and encrypt both data and MAC. The session keys
and the list of algorithms can be sent with the packet but encrypted by using public-key
ciphers. In the...