IPSec (2nd Edition)

In this section, let us try and walk through the steps one has to follow to set up the policy for IPSec.

The first step is to set up the policy for phase I of IKE negotiation. The policy can either be global (i.e., the same IKE phase I policy is used for all the hosts) or it can be host or network prefix-specific, or it can be domain-specific. The following attributes have to be set up for Phase I:

• Phase I mode: main or aggressive

• Protection suite(s)

Once the phase I policy is set up, IKE is ready for phase II, where it can negotiate the security services afforded to an IP packet. The following attributes can be defined:

• The selectors that identify the flow. The granularity can range from being very coarse to being very fine-grained. The spectrum may range from one policy for all packets to a different policy for each flow belonging to a particular identity.

• The security attributes for each flow. This includes the protocols, their modes, the transforms they should be using, and various attributes of these transforms such as lifetime and replay windows.

• Action (secure, drop, or pass) to be taken for each flow.

The phase I and the phase II policies govern the security services afforded to the IP packets originating or destined to the network/domain/host. IPSec provides a very rich set of options. One drawback of providing a rich set of options is that it makes the process of setting and negotiating complicated. If two entities have to negotiate a set of options or choose from a set of options, they need to talk the same language, that is, they should have the same understanding for values passed in the protocol headers. The values that two entities should use to negotiate security parameters are described in the IPSec DOI (see Chapter 7). The IPSec DOI consolidates the various options and values for Phase II negotiation. Any policy system should support all the options described in this document.