There are separate keys used for DATA protection which are derived from SKEYID_d.
Regards,
Piotr

2011/6/13 Kingsley Charles <[email protected]>
> Hi Piotr
>
> I agree that there are three keys being generated. SKEYID_a and SKEYID_e are used for encryption and authentication of IKE Phase 1 messages. SKEYID_d is the keying material used for IPSec.
>
> So, is SKEYID_d used for encryption and authentication of IPSec messages, or are separate keys derived using SKEYID_d for encryption and authentication?
>
> With regards
> Kings
>
> On Mon, Jun 13, 2011 at 1:45 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Hi Kings,
>>
>> There are 3 keys being generated: SKEYID_d, SKEYID_a and SKEYID_e. _a is used for authentication, _e is used for encryption. Both are derived from _d.
>>
>> Regards,
>> Piotr
>>
>> 2011/6/13 Kingsley Charles <[email protected]>
>>
>>> When we use an IPSec transform that does ESP encryption and authentication, like ESP-3DES + ESP-SHA, it seems the same key is used for both encryption and authentication.
>>>
>>> My understanding was that SKEYID_d generated from IKE Phase 1 is used to generate separate keys for ESP encryption, ESP authentication and AH authentication.
>>>
>>> Or is SKEYID_d directly used for encryption and authentication?
>>>
>>> ESP-3DES + ESP-SHA + AH-SHA uses two SPIs, one for ESP and the other for AH. In that case, it seems two keys are being used. This confirms that SKEYID_d is not used for encryption or authentication; rather it is used as keying material to generate keys for encryption and authentication.
>>>
>>> Any thoughts?
>>>
>>> With regards
>>> Kings
>>>
>>> On Sun, Jun 12, 2011 at 9:34 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> Exactly Piotr, that's what I even observed with a wireshark capture. The ESP packet is being authenticated by AH. The AH header has a next header value of ESP.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Sat, Jun 11, 2011 at 10:27 PM, Piotr Matusiak <[email protected]> wrote:
>>>>
>>>>> Hi Kings,
>>>>>
>>>>> According to my limited knowledge, if both AH and ESP are configured in the IPSec transform set, the resulting IPSec packet will be IP protocol 51, as the AH will encapsulate ESP. You do not need to configure ESP in the ACL in this case.
>>>>> In addition to that, both protocols use separate SPI numbers, so there are two Inbound SAs and two Outbound SAs created (although there is only one packet on the wire).
>>>>>
>>>>> Regards,
>>>>> Piotr
>>>>>
>>>>> 2011/6/11 Kingsley Charles <[email protected]>
>>>>>
>>>>>> I think the following is the order for this combination:
>>>>>>
>>>>>> ESP Encryption + ESP Authentication ----> ESP authenticates ESP encrypted data
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>> On Sat, Jun 11, 2011 at 7:15 PM, Vybhav Ramachandran <[email protected]> wrote:
>>>>>>
>>>>>>> Thanks a lot for all the information Kingsley! :)
>>>>>>>
>>>>>>> Cheers,
>>>>>>> TacACK
>>>>>>
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>>>
>>>>>> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
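The key-derivation steps the thread is discussing, written out as an added example (this is not code from any participant in the thread). It follows RFC 2409 section 5 for the Phase 1 SKEYID values with pre-shared-key authentication and section 5.5 for the Quick Mode KEYMAT, with the RFC 2407 protocol identifiers for AH and ESP. The point it makes visible: SKEYID_d is never installed as a key itself; each IPsec SA gets its own KEYMAT keyed by protocol byte and SPI (so ESP and AH, and inbound and outbound, all differ), and the ESP KEYMAT is cut into a 3DES encryption key and an HMAC-SHA1 authentication key. Assumptions: HMAC-SHA1 as the negotiated prf, no PFS, the encryption-key-then-authentication-key split order that IKEv1 implementations use, and constructed sample values (the g^xy secret is a hash of a label, not a real Diffie-Hellman result).

```python
import hmac
import hashlib

# RFC 2407 protocol identifiers; they enter the Quick Mode KEYMAT derivation
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated IKE prf; HMAC-SHA1 is assumed here (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_skeyids(psk, ni_b, nr_b, gxy, cky_i, cky_r):
    """RFC 2409 section 5, pre-shared-key authentication.

    SKEYID_d is keying material for the IPsec SAs; SKEYID_a and SKEYID_e protect
    the ISAKMP SA itself. The trailing single octets 0, 1, 2 separate the three.
    """
    skeyid = prf(psk, ni_b + nr_b)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b, needed, gqm_xy=b""):
    """RFC 2409 section 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).

    When more bytes are needed: K1 = prf(SKEYID_d, seed), K2 = prf(SKEYID_d, K1 | seed), ...
    gqm_xy is the Quick Mode DH secret; it is empty when PFS is not used.
    """
    seed = gqm_xy + bytes([protocol]) + spi + ni_b + nr_b
    keymat = b""
    k = b""
    while len(keymat) < needed:
        k = prf(skeyid_d, k + seed)
        keymat += k
    return keymat[:needed]


def esp_keys(skeyid_d, spi, ni_b, nr_b, enc_len=24, auth_len=20):
    """ESP-3DES + ESP-SHA: 24 bytes of 3DES key, then 20 bytes of HMAC-SHA1 key,
    both cut from the single KEYMAT for this ESP SPI (encryption key first)."""
    keymat = quick_mode_keymat(skeyid_d, PROTO_IPSEC_ESP, spi, ni_b, nr_b, enc_len + auth_len)
    return keymat[:enc_len], keymat[enc_len:enc_len + auth_len]


def ah_key(skeyid_d, spi, ni_b, nr_b, auth_len=20):
    """AH-SHA: different protocol byte and its own SPI, hence its own KEYMAT."""
    return quick_mode_keymat(skeyid_d, PROTO_IPSEC_AH, spi, ni_b, nr_b, auth_len)


# Constructed sample values (not a real exchange; g^xy would come from Diffie-Hellman)
PSK = b"constructed-pre-shared-key"
NI_B, NR_B = bytes(range(16)), bytes(range(16, 32))
GXY = hashlib.sha256(b"constructed g^xy").digest()
CKY_I, CKY_R = b"\x11" * 8, b"\x22" * 8
SPI_ESP_OUT, SPI_ESP_IN, SPI_AH_OUT = b"\x00\x00\x10\x01", b"\x00\x00\x10\x02", b"\x00\x00\x20\x01"


def derive_all():
    """Return the per-SA keys that ESP-3DES + ESP-SHA + AH-SHA would install."""
    skeyid_d, _, _ = phase1_skeyids(PSK, NI_B, NR_B, GXY, CKY_I, CKY_R)
    esp_out_enc, esp_out_auth = esp_keys(skeyid_d, SPI_ESP_OUT, NI_B, NR_B)
    esp_in_enc, esp_in_auth = esp_keys(skeyid_d, SPI_ESP_IN, NI_B, NR_B)
    return {
        "skeyid_d": skeyid_d,
        "esp_out_enc": esp_out_enc, "esp_out_auth": esp_out_auth,
        "esp_in_enc": esp_in_enc, "esp_in_auth": esp_in_auth,
        "ah_out": ah_key(skeyid_d, SPI_AH_OUT, NI_B, NR_B),
    }


if __name__ == "__main__":
    for name, key in derive_all().items():
        print(f"{name:13s} {len(key):2d} bytes  {key.hex()}")
```

Running the block prints six distinct keys: SKEYID_d (20 bytes), then per SA the 24-byte encryption and 20-byte authentication keys for the two ESP SPIs and the 20-byte key for the AH SPI. Because the SPI is part of the seed, the inbound and outbound SAs that the wireshark capture shows as separate SPIs also carry separate keys, and none of them equals SKEYID_d.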
