Questions tagged [ipsec]
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
223 questions
1 vote, 1 answer, 90 views
Why does IPsec have "partial" replay protection? If we drop all packets outside the moving window, then where is the threat?
IPsec is said to have "partial" replay protection because if a packet arrives outside the window, we can't track it, so we have to make a choice: do we risk and accept it, or do we drop it?
...
0 votes, 1 answer, 37 views
Is there a difference between data origin authentication and sender authentication?
Here the author writes "sender authentication". Does he mean data origin authentication? Or is sender authentication something different?
Wikipedia says that "data origin authentication ...
2 votes, 0 answers, 77 views
Why is IPsec transport mode "vulnerable" for not having integrity of variable fields? Why is this so important?
With IPsec transport mode we CAN'T have integrity of variable fields (e.g. TTL and checksum).
Why is it a problem? Is it? What could be the attack?
I think TTL expire or checksum modification (so both ...
0 votes, 0 answers, 44 views
What attacks can be performed by changing the header of an IP packet if I apply only ESPv2 of IPsec (so not providing integrity for the IP header)?
For ESPv2 I'm referring to this: https://datatracker.ietf.org/doc/html/rfc2406 so the version which supports of course confidentiality, but also authentication ONLY FOR THE PAYLOAD, NOT of the IP ...
0 votes, 1 answer, 55 views
IPSec in tunnel mode with AH & ESP: position of original IP header?
I am studying IPSec in tunnel mode when first applying ESP and then AH and am wondering about the position of the original IP header. I see two options:
IP header (crypto), AH header, ESP header, IP ...
0 votes, 0 answers, 86 views
Why does IPsec use tunnel-mode for an external laptop? Could transport-mode be used? Why can't a gateway control access in transport-mode?
In an IPsec Secure gateway setup, why is tunnel-mode used when an external laptop wants to access an internal service protected by a firewall? Is tunnel-mode necessary or could transport-mode be used ...
1 vote, 1 answer, 140 views
What if in IPsec I have confidentiality BUT NOT integrity? What are the dangers?
ESP in IPsec v2 only provides integrity of the payload, not of the header. So my question is about that. The possible dangers in not having integrity of header, while having ESP active for payload.
...
0 votes, 0 answers, 106 views
W-Firewall blocks Port 135 if using IPsec Kerberos V5 User Authentication
I am about to implement IPsec to achieve a zero-trust environment; in order to do so I am using the Windows Firewall with IPsec Rules (Allow the Connection if it is secure).
Everything works fine, but ...
0 votes, 1 answer, 255 views
Shouldn't IPsec be an application layer protocol since it is "over UDP"?
I am reading about IPsec and am confused about what exactly "IPsec" is: is it a network layer protocol, or is it a technology that involves multiple protocols? All web searches tell me ...
0 votes, 1 answer, 238 views
Since IPSec works on Layer 3 (Network), does that mean it also provides protection for all the higher layers?
From my understanding, data moves from OSI Layer 7 down to Layer 1 when it's being prepared to get sent. On each layer, data gets encapsulated within the data of the layer below it. Ex: A Layer 3 IP ...
1 vote, 1 answer, 160 views
Do IKEv2 ESP proposals really require a unique SPI per proposal?
When one peer is trying to negotiate an ESP SA, it sends a security association (SA) payload to the other peer. This SA payload must contain at least one proposal, suggesting at least one encryption ...
0 votes, 0 answers, 459 views
In IPSec, what block cipher mode of operation is "AES-256"?
Multiple IPSec implementations I've run across support "AES-256" as an encryption algorithm. (pfSense has this, Checkpoint has this.)
What block cipher mode of operation is this?
0 votes, 1 answer, 705 views
Where should private key(s) reside in an IPsec VPN tunnel?
I set up an IKE VPN server for road warriors. I actually have this working (YAY!) but took some shortcuts that are leaving me with a working yet not-right/secure setup. My setup is as follows:
My ...
0 votes, 1 answer, 168 views
Trying to understand transport-mode IPSec and VPNs
Disclaimer: My understanding of the types of VPNs and IPSec is limited.
What I am struggling to understand is the fact that the IP header is not encrypted in transport-mode IPSec.
My understanding of ...
1 vote, 1 answer, 222 views
What is the role of a CA server in a PKI?
I'm confused how the CA server helps with the digital signature and the PKI workflow. Here's an example topology:
A and B are the 2 devices using PKI to authenticate each other for VPN, and then there ...