Security Associations
All previous descriptions of the protocols' functionality were based on the assumption that an IPsec association is already established and that all parameters, such as authentication and encryption keys, are known to both parties. Let's see how these parameters are managed in the IPsec framework. The data flow in each direction is associated with an entity called a security association (SA) or, more specifically, an IPsec SA. This means that in a two-way communication, each party has at least two IPsec SAs: the sender has one for outgoing packets and another for incoming packets from the receiver, and the receiver has one SA for incoming packets from the sender and a second SA for outgoing packets to the sender. See Figure 7.6 for an illustration.
www.syngress.com
Figure 7.6 IPsec Security Associations and Their Use in Two-Way Communication
[Figure: three firewalls, PIX1, PIX2 and PIX3, joined by two tunnels carrying SA12, SA21, SA23 and SA32]
The IPsec tunnel between PIX1 and PIX2 is protected by two SAs: traffic from PIX1 to PIX2 by SA12, and from PIX2 to PIX1 by SA21.
The IPsec tunnel between PIX2 and PIX3 is protected by two SAs: traffic from PIX2 to PIX3 by SA23, and from PIX3 to PIX2 by SA32.
PIX2 has two IPsec tunnels with two peers, so it maintains four SAs: two for the tunnel with PIX1 and two for the tunnel with PIX3.
344 Chapter 7 • Configuring Virtual Private Networking
Each SA can be uniquely identified by three parameters:
The Security Parameter Index (SPI), which is always present in AH and ESP headers
The destination IP address
The IPsec protocol, AH or ESP (so if both protocols are used in a communication, each has to have its own SA, resulting in a total of four SAs for two-way communication)
Each participating host or gateway maintains a separate database of active SAs for each direction (inbound and outbound) on each of its interfaces. This database is known as the Security Association Database (SAD). The SAs in these databases decide which encryption and authentication parameters are applied to a sent or received packet. SAs may be fixed for the duration of the traffic flow (called manual IPsec in some documents), but when a key management protocol is used, they are renegotiated many times during the connection's flow. For each SA, the SAD entry contains the following data:
1. The destination address
2. The SPI
3. The IPsec transform (protocol and algorithm used—for example, AH, HMAC-MD5)
4. The key used in the algorithm
5. The IPsec mode (tunnel or transport)
6. The SA lifetime (in kilobytes or in seconds); when this lifetime expires, the SA must be terminated and a new SA established
7. The antireplay sequence counters
8. Some other parameters, such as Path MTU
The selection of encryption parameters and corresponding SAs is governed by another database, the Security Policy Database (SPD). An SPD is maintained for each interface and is used to decide on the following:
Selection of outbound traffic to be protected
Checking whether inbound traffic was properly protected
The SAs to use for protecting this traffic
What to do if the SA for this traffic does not exist
The SPD consists of a numbered list of policies. Each policy is associated with one or more selectors. A selector in Cisco's implementation is simply an access list. A permit statement means that IPsec should be applied to the matching traffic; a deny statement means that the packet should be forwarded without IPsec being applied. SPD policies are configured on the PIX firewall with the crypto map command. The resulting map and a crypto access list are applied to the interface, creating an SPD for that interface.
For outbound traffic, when the IPsec layer of the network stack receives data to be sent, it consults the SPD to check whether the traffic has to be protected. If it does, the SPD is used to recover an SA that corresponds to this traffic. If the SA exists, its characteristics are taken from the SAD and applied to the packet. If the SA does not exist yet, IKE is called upon to establish a new SA, and the packet is then protected with the characteristics of this SA.
For inbound IPsec traffic, the SPI is recovered from the AH or ESP header and is then used to find the corresponding SA in the SAD. If it does not exist, the packet is dropped. If an SA exists, the packet is checked/decrypted using the parameters provided by this SA. Finally, the SPD is checked in order to ensure that this packet was properly protected—for example, that it should have been encrypted using 3DES and authenticated with MD5 and nothing else. Figure 7.7 shows both sequences of events.
Figure 7.7 Processing of Outbound and Inbound Traffic by IPsec
[Figure: two processing flows, one on PIX1 and one on PIX2, between an IP packet and an IPsec packet]
Processing of outbound packets on PIX1: IP packet; consult the SPD (Is it for IPsec? Which policy to use?); consult the SAD (determine the SA and corresponding SPI); apply IPsec transformations and place the SPI inside; send the IPsec packet to PIX2.
Processing of inbound packets on PIX2: IPsec packet; extract the SPI and find the corresponding SA; unprocess the packet according to the SA parameters; check whether the IPsec packet was properly secured; original IP packet.
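The outbound and inbound sequences just described, as an added Python model that is not code from the book or from the PIX: the SPD is an ordered list of access-list-style policies, the SAD is keyed on the (destination, SPI, protocol) triple, a missing outbound SA hands off to IKE, and an inbound packet is dropped either when its SPI is unknown or when the SA that decrypted it does not match the policy. The names IPsecNode, lookup_spd, outbound and inbound, the sample addresses and SPIs, and the assumption that the crypto access list is evaluated mirrored for inbound traffic are all mine.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# SA: identified by destination address, SPI and protocol (AH or ESP); it carries the
# transform (protocol and algorithms, e.g. "esp-3des esp-md5-hmac") applied to packets.
SA = namedtuple("SA", "dst spi proto transform")
# Policy: one crypto access-list entry (permit = protect, deny = forward in the clear)
# plus the peer and transform of the crypto map entry it belongs to.
Policy = namedtuple("Policy", "action src_net dst_net peer transform", defaults=("", ""))

@dataclass
class IPsecNode:
    spd: list                                # ordered policies for this interface
    sad: dict = field(default_factory=dict)  # (dst, spi, proto) -> SA

    def lookup_spd(self, src, dst):          # first matching entry wins
        for p in self.spd:
            if (ipaddress.ip_address(src) in ipaddress.ip_network(p.src_net)
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(p.dst_net)):
                return p
        return None

    def outbound(self, src, dst):
        pol = self.lookup_spd(src, dst)
        if pol is None or pol.action == "deny":
            return {"action": "forward_clear"}
        sa = next((s for s in self.sad.values()
                   if s.dst == pol.peer and s.transform == pol.transform), None)
        if sa is None:                       # no SA yet: IKE must negotiate one first
            return {"action": "ike_negotiate", "peer": pol.peer, "transform": pol.transform}
        return {"action": "protect", "spi": sa.spi, "proto": sa.proto}

    def inbound(self, local, spi, proto, inner_src, inner_dst):
        sa = self.sad.get((local, spi, proto))   # SAD lookup by the identifying triple
        if sa is None:
            return {"action": "drop", "reason": "unknown SPI"}
        # After decryption the SPD is consulted with the inner addresses; the access
        # list is assumed to be evaluated mirrored for inbound traffic.
        pol = self.lookup_spd(inner_dst, inner_src)
        if pol is None or pol.action != "permit" or pol.transform != sa.transform:
            return {"action": "drop", "reason": "policy mismatch"}
        return {"action": "accept"}

# Constructed sample: PIX2 (outside address 192.0.2.2) protects 10.2.2.0/24 <-> 10.1.1.0/24
# via peer PIX1 at 192.0.2.1 and exempts 10.2.2.0/24 <-> 10.9.9.0/24 from IPsec.
T = "esp-3des esp-md5-hmac"
PIX2 = IPsecNode(spd=[Policy("deny", "10.2.2.0/24", "10.9.9.0/24"),
                      Policy("permit", "10.2.2.0/24", "10.1.1.0/24", "192.0.2.1", T)])
PIX2.sad[("192.0.2.2", 0x1001, "ESP")] = SA("192.0.2.2", 0x1001, "ESP", T)  # inbound SA21
```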