10.8. Summary
In this chapter, we looked at the architecture of IPsec, its constituent parts, and how they interoperate to provide security at the network layer. IPsec can be thought of as three protocols: AH and ESP, which provide security for individual datagrams, and IKE, which negotiates VPN parameters between the VPN's endpoints. We saw that AH and ESP can operate in either transport or tunnel mode, and that each has advantages and disadvantages. We noted that tunnel mode could be thought of as a special case of transport mode applied to an IP-in-IP tunnel, or that transport mode could be thought of as tunnel mode optimized for the special case in which the VPN endpoints are the final destinations.
We examined the concept of a security association and noted how it is central to, and perhaps identical to, an IPsec VPN. Security associations are held in a security association database, where they can be retrieved to process datagrams passing through a VPN. SAs are simplex, so full-duplex communication between VPN endpoints requires a pair of SAs at each endpoint. We noted that a complex VPN may require more than one SA to implement it, and that the set of related SAs is gathered into an SA bundle for easy handling during processing.
Next, we looked at the notion of security policies and how they are implemented through the security policy database. The SPD is used to locate a policy to apply to a datagram; that policy, in turn, points to the appropriate SA or SA bundle that implements that policy.
Finally, we looked at how IPsec processes inbound and outbound datagrams. For outbound datagrams, the datagram's selectors are used to find the matching policy; we saw how that policy is mapped to an SA or SA bundle and how the SA is applied to the datagram. Similarly, we saw how IPsec uses an inbound datagram's destination address, SPI, and IPsec protocol to locate the SA that applies to it. After the processing specified by the SA takes place, the datagram is checked against the policy database to ensure that the proper SAs were applied in the proper order.
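The outbound and inbound lookups summarized above, as an added model that is not from the chapter: an SPD searched by selectors, an SAD keyed by (destination address, SPI, protocol), and the inbound post-processing check that the SAs actually applied match the policy's bundle, in order. The gateway addresses, SPIs, and policy entries are constructed sample values.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SA = namedtuple("SA", "spi proto dst")  # one simplex SA; the SAD indexes it by (dst, spi, proto)
@dataclass
class Policy:             # one SPD entry: selectors, action, and the SA bundle in application order
    src_net: str
    dst_net: str
    upper_proto: str      # "any" or e.g. "tcp"
    action: str           # "protect", "bypass" or "discard"
    bundle: tuple = ()    # SAs applied to outbound traffic, first to last

    def matches(self, src, dst, proto):
        return (ip_address(src) in ip_network(self.src_net)
                and ip_address(dst) in ip_network(self.dst_net)
                and self.upper_proto in ("any", proto))

class IPsecNode:
    def __init__(self, spd, sad):
        self.spd = list(spd)  # ordered: the first matching policy wins
        self.sad = {(sa.dst, sa.spi, sa.proto): sa for sa in sad}

    def lookup_policy(self, src, dst, proto):
        return next((p for p in self.spd if p.matches(src, dst, proto)),
                    Policy("0.0.0.0/0", "0.0.0.0/0", "any", "discard"))  # no policy: drop

    def outbound(self, src, dst, proto):  # selectors -> SPD policy -> SA bundle, in order
        pol = self.lookup_policy(src, dst, proto)
        return pol.action, list(pol.bundle)

    def inbound(self, headers, inner_src, inner_dst, inner_proto):
        # headers: (dst, spi, proto) per IPsec header, outermost first.  Each is resolved in
        # the SAD; afterwards the SAs actually applied are checked against the inner policy.
        if any(key not in self.sad for key in headers):
            return False, "no SA"
        applied = [self.sad[key] for key in headers]
        pol = self.lookup_policy(inner_src, inner_dst, inner_proto)
        # the peer applied its bundle first-to-last, so inbound must peel it off in reverse
        if pol.action != "protect" or applied != list(reversed(pol.bundle)):
            return False, "policy mismatch"
        return True, "ok"

# Constructed sample: gateway A (192.0.2.1) peering with B (203.0.113.2), ESP then AH.
ESP_OUT, AH_OUT = SA(0x1001, "ESP", "203.0.113.2"), SA(0x1002, "AH", "203.0.113.2")
ESP_IN, AH_IN = SA(0x2001, "ESP", "192.0.2.1"), SA(0x2002, "AH", "192.0.2.1")
NODE_A = IPsecNode(sad=[ESP_OUT, AH_OUT, ESP_IN, AH_IN], spd=[
    Policy("10.1.0.0/16", "10.2.0.0/16", "any", "protect", (ESP_OUT, AH_OUT)),
    Policy("10.2.0.0/16", "10.1.0.0/16", "any", "protect", (ESP_IN, AH_IN))])
```

A datagram that arrives with only the ESP header, or with an SPI that has no SAD entry, is rejected by the final policy check even though it reached the gateway.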