are all SKEYIDs generated from DH?

Date: Mon, 13 Jun 2011 12:57:22 +0200
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Encryption after authentication and Authentication after Encryption

There are separate keys used for DATA protection which are derived from SKEYID_d.

Regards,
Piotr

2011/6/13 Kingsley Charles <[email protected]>:

Hi Piotr,

I agree that there are three keys being generated. SKEYID_a and SKEYID_e are used for encryption and authentication of IKE Phase 1 messages. SKEYID_d is the keying material used for IPSec. So, is SKEYID_d used for encryption and authentication of IPSec messages, or are separate keys derived using SKEYID_d for encryption and authentication?

With regards,
Kings

On Mon, Jun 13, 2011 at 1:45 PM, Piotr Matusiak <[email protected]> wrote:

Hi Kings,

There are 3 keys being generated: SKEYID_d, SKEYID_a and SKEYID_e. _a is used for authentication, _e is used for encryption. Both are derived from _d.

Regards,
Piotr

2011/6/13 Kingsley Charles <[email protected]>:

When we use an IPSec transform that does ESP encryption and authentication, like ESP-3DES + ESP-SHA, it seems the same key is used for both encryption and authentication. My understanding was that SKEYID_d generated from IKE Phase 1 is used to generate separate keys for ESP encryption, ESP authentication and AH authentication. Or is SKEYID_d directly used for encryption and authentication?

ESP-3DES + ESP-SHA + AH-SHA uses two SPIs, one for ESP and the other for AH. In that case, it seems two keys are being used. This confirms that SKEYID_d is not used for encryption or authentication; rather it is used as keying material to generate keys for encryption and authentication.

Any thoughts?

With regards,
Kings

On Sun, Jun 12, 2011 at 9:34 AM, Kingsley Charles <[email protected]> wrote:

Exactly Piotr, that's what I even observed with a Wireshark capture. The ESP packet is being authenticated by AH. The AH header has a next header value of ESP.

With regards,
Kings

On Sat, Jun 11, 2011 at 10:27 PM, Piotr Matusiak <[email protected]> wrote:

Hi Kings,

According to my limited knowledge, if both AH and ESP are configured in the IPSec transform set, the resulting IPSec packet will be IP protocol 51, as the AH will encapsulate ESP. You do not need to configure ESP in the ACL in this case. In addition to that, both protocols use a separate SPI number, so there are two Inbound SAs and two Outbound SAs created (although there is one packet on the wire).

Regards,
Piotr

2011/6/11 Kingsley Charles <[email protected]>:

I think the following is the order for this combination:

ESP Encryption + ESP Authentication ----> ESP authenticates ESP encrypted data

With regards,
Kings

On Sat, Jun 11, 2011 at 7:15 PM, Vybhav Ramachandran <[email protected]> wrote:

Thanks a lot for all the information Kingsley! :)

Cheers,
TacACK

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
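To make the key-derivation question in this thread concrete, here is an added worked example (not from any participant, and not from a Cisco or other vendor implementation) that follows the IKEv1 formulas of RFC 2409: section 5 for SKEYID, SKEYID_d, SKEYID_a and SKEYID_e, and section 5.5 for the Quick Mode KEYMAT that an IPsec SA's keys are cut from. HMAC-SHA1 stands in for the negotiated prf. All nonces, cookies, SPIs, the pre-shared key and the "g^xy" values are constructed placeholders, not real Diffie-Hellman output. The split of KEYMAT into encryption key first and authentication key second is an assumption about key ordering; the RFC leaves that to the DOI and implementations. The point the code shows: SKEYID_d never leaves the prf as a key of its own, an ESP SA gets distinct encryption and authentication keys, and the AH SA (different protocol ID and SPI) gets yet another key from the same SKEYID_d.

```python
import hashlib
import hmac

# IPsec DOI protocol identifiers (RFC 2407, section 4.4.1)
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (HMAC-SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def phase1_skeyids(psk, ni_b, nr_b, g_xy, cky_i, cky_r):
    """RFC 2409 section 5, pre-shared-key authentication.

    SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)
    The trailing 0/1/2 are single octets.
    """
    skeyid = prf(psk, ni_b + nr_b)
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b, needed, g_qm_xy=b""):
    """RFC 2409 section 5.5 (Ni_b/Nr_b are the Quick Mode nonces).

    KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    Expanded when more bytes are needed:
      K1 = prf(SKEYID_d, seed), K2 = prf(SKEYID_d, K1 | seed), ...
    g_qm_xy is empty without PFS.
    """
    seed = g_qm_xy + bytes([protocol]) + spi + ni_b + nr_b
    block = prf(skeyid_d, seed)
    keymat = block
    while len(keymat) < needed:
        block = prf(skeyid_d, block + seed)
        keymat += block
    return keymat[:needed]


def ipsec_sa_keys(skeyid_d, protocol, spi, ni_b, nr_b, enc_len, auth_len, g_qm_xy=b""):
    """Cut an SA's keys out of KEYMAT.

    Assumption: encryption key first, then authentication key (the common
    implementation order); RFC 2409 itself leaves the split to the DOI.
    """
    keymat = quick_mode_keymat(skeyid_d, protocol, spi, ni_b, nr_b,
                               enc_len + auth_len, g_qm_xy)
    return keymat[:enc_len], keymat[enc_len:]


def demo():
    """ESP-3DES + ESP-SHA plus AH-SHA, all constructed inputs."""
    psk = b"constructed-pre-shared-key"
    p1_ni, p1_nr = b"\x11" * 16, b"\x22" * 16          # constructed Phase 1 nonces
    g_xy = hashlib.sha256(b"constructed g^xy").digest()  # stand-in for DH shared secret
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8               # constructed ISAKMP cookies

    skeyid_d, skeyid_a, skeyid_e = phase1_skeyids(psk, p1_ni, p1_nr, g_xy, cky_i, cky_r)

    qm_ni, qm_nr = b"\x33" * 16, b"\x44" * 16            # constructed Quick Mode nonces
    esp_spi, ah_spi = b"\x00\x00\x10\x01", b"\x00\x00\x10\x02"  # one SPI per protocol

    # 3DES needs 24 key bytes, HMAC-SHA1 uses a 20-byte key
    esp_enc, esp_auth = ipsec_sa_keys(skeyid_d, PROTO_IPSEC_ESP, esp_spi, qm_ni, qm_nr, 24, 20)
    # AH has no encryption: enc_len 0, so only an authentication key is produced
    _, ah_auth = ipsec_sa_keys(skeyid_d, PROTO_IPSEC_AH, ah_spi, qm_ni, qm_nr, 0, 20)

    return {
        "skeyid_d": skeyid_d, "skeyid_a": skeyid_a, "skeyid_e": skeyid_e,
        "esp_enc": esp_enc, "esp_auth": esp_auth, "ah_auth": ah_auth,
    }


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:9s} ({len(key):2d} bytes): {key.hex()}")
```

Running it prints six different keys. Changing only the SPI (or the protocol octet) changes the entire KEYMAT, which is why the ESP and AH SAs the thread observed with two SPIs cannot share keys even though both come from one SKEYID_d.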
