Scribd
Upload
2K views

Combining Security Associations

The document discusses combining multiple security associations (SAs) to provide different IPsec services for a single traffic flow. There are two main ways to combine SAs: transport adjacency applies security protocols directly to packets without tunneling, allowing one level of combination; iterated tunneling uses multiple layers of tunneling to apply security protocols, allowing multiple levels of nesting as packets pass through different IPsec sites. The document also provides examples of different cases where SAs may be combined between endpoints.

Uploaded by

E3 Tech
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
2K views

Combining Security Associations

The document discusses combining multiple security associations (SAs) to provide different IPsec services for a single traffic flow. There are two main ways to combine SAs: transport adjacency applies security protocols directly to packets without tunneling, allowing one level of combination; iterated tunneling uses multiple layers of tunneling to apply security protocols, allowing multiple levels of nesting as packets pass through different IPsec sites. The document also provides examples of different cases where SAs may be combined between endpoints.

Uploaded by

E3 Tech
Copyright
© © All Rights Reserved
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 13

Combining Security

Associations
 An individual SA can implement either the AH or ESP protocol but not
both.
 Sometimes a particular traffic flow will call for the services provided by
both AH and ESP.
 Further, a particular traffic flow may require IPsec services between hosts
and, for that same flow, separate services between security gateways,
such as fire- walls.
 In all of these cases, multiple SAs must be employed for the same traffic
flow to achieve the desired IPsec services.
 The term security association bundle refers to a sequence of SAs through
which traffic must be processed to provide a desired set of IPsec services.
 The SAs in a bundle may terminate at different endpoints or at the same
endpoints.
Security associations may be
combined into bundles in
two ways:
•Transport adjacency: Refers to applying more than one security protocol to the
same IP packet without invoking tunneling.
• This approach to scombining AH and ESP allows for only one level of combination;
further nesting yields no added benefit since the processing is performed at one IPsec
instance: the (ultimate) destination.
••

• Iterated tunneling: Refers to the application of multiple layers of security


protocols effected through IP tunneling.
•This approach allows for multiple levels of nesting, since each tunnel can originate or
terminate at a different IPsec site along the path.
Case 1.
All security is provided between end systems that implement
IPsec. For any two end systems to communicate via an SA, they must share the app
ropriate secret keys. Among the possible combinations are
a. AH in transport mode
b. ESP in transport mode
c. ESP followed by AH in transport mode (an ESP SA inside an AH SA)
d. Any one of a, b, or c inside an AH or ESP in tunnel mode
Case 2.

 Security is provided only between gateways (routers,


firewalls, etc.) and no hosts implement IPsec. This case
illustrates simple virtual private network support.
 The security architecture document specifies that only a sin
gle tunnel SA is needed for this case.
 The tunnel could support AH, ESP, or ESP with the authenti-
cation option.
 Nested tunnels are not required, because the IPsec services
apply to the entire inner packet.
Case 3.
 This builds on case 2 by adding end-to-end security.
 The same combinations discussed for cases 1 and 2 are
allowed here.
 The gateway-to-gateway tunnel provides either
authentication, confidentiality, or both for all traffic
between end systems.
 When the gateway-to-gateway tunnel is ESP, it also
provides a limited form of traffic confidentiality.
Individual hosts can implement any additional IPsec ser-
vices required for given applications or given users by
means of end-to-end SAs.
Case 4

 This provides support for a remote host that uses the Intern
et to reach an organization’s firewall and then to gain
access to some server or workstation behind the firewall.
 Only tunnel mode is required between the remote host an
d the firewall.
 As case 1, one or two SAs may be used between the rem
ote host and the local host.

You might also like