IKE phases
Hello everyone, I am a little confused on what happens at each stage, if some could clarify for me, i would very much appreciate it.
From my standpoint this is what i got so far.
At Phase 1, there are two modes to be picked from, aggressive and main.. But in general, phase 1 is resonible for setting up the agreements and Security Associations. by exhaning policies, paramets, and diffie-helman keys. Also authetication of the peers happen at phase 1.
at phase 2, a secure channel has already been made, and the paramets have already been agreed upon, at phase 2 the peers encrypt their shared secret keys, and send them over the link. That way the communication can be encrypted by the symmetric keys ranging from 64-256 bits, instead of the Diffie-helman/RSA keys which can range from 512-15000 bits.
at phase 1.5, an additional layer of authenication can be performed here, by using Xauth, which authenitcates clients before they use the VPN secure channel.
IKE also can do many other features such as NAT transveral which adds another UDP header infront of the encrpyted ip header, and behind the visible new ip header.
It can also automatically detect dead links, with a hello time of 10 secs.
do i have all the above correct ?
where my confusion comes into play is that, in Main mode, IKE sends the policies first, then the responder accepts one of the policies, then the Diffie-helman keys are exchanged (private/public)
but if the keys are sent after the policies are sent, does the leave the policies open and unprotected. Couldnt an attacker use this to gain viable information. (I know sounds a little odd and impossible, but it could happen)
I guess it can be perfectly secure. huh ? I figure IKE would exchange keys first, then send the policies encrypted and have the other side decrypt it, but it would add alot of overhead, especially using the diffie-helman keys.
From my standpoint this is what i got so far.
At Phase 1, there are two modes to be picked from, aggressive and main.. But in general, phase 1 is resonible for setting up the agreements and Security Associations. by exhaning policies, paramets, and diffie-helman keys. Also authetication of the peers happen at phase 1.
at phase 2, a secure channel has already been made, and the paramets have already been agreed upon, at phase 2 the peers encrypt their shared secret keys, and send them over the link. That way the communication can be encrypted by the symmetric keys ranging from 64-256 bits, instead of the Diffie-helman/RSA keys which can range from 512-15000 bits.
at phase 1.5, an additional layer of authenication can be performed here, by using Xauth, which authenitcates clients before they use the VPN secure channel.
IKE also can do many other features such as NAT transveral which adds another UDP header infront of the encrpyted ip header, and behind the visible new ip header.
It can also automatically detect dead links, with a hello time of 10 secs.
do i have all the above correct ?
where my confusion comes into play is that, in Main mode, IKE sends the policies first, then the responder accepts one of the policies, then the Diffie-helman keys are exchanged (private/public)
but if the keys are sent after the policies are sent, does the leave the policies open and unprotected. Couldnt an attacker use this to gain viable information. (I know sounds a little odd and impossible, but it could happen)
I guess it can be perfectly secure. huh ? I figure IKE would exchange keys first, then send the policies encrypted and have the other side decrypt it, but it would add alot of overhead, especially using the diffie-helman keys.
NHSCA National All-American Wrestler 135lb
Comments
When the policies are exchanged there is no sensitive traffic sent so there is no security treat. How would the receiving end know how to decrypt the policies if they did not first agree upon an SA?
At least that's my understanding.
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog
Yeah i see it now.. thanks!!
Next chapter = chapter 14... configuration of site-site vpns.
So far i like the ISCW... has been fun, with many new terms and technologies.
When we are talkin about encrpytion, the larger the key bit ( 128 bit, 256bit) the stronger it is, and more of an output.
however, when talkin about Hashing algorithms, its not the same ? !
Is it safe to say that the larger the bit, the more accurate the results are.. ex: Sha-1 will have a better chance to find out if the packet has been tampered with, better than md-5, becuase sha-1 fixes it at 160bit, while md5 only fixes at 128bit ?
http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf