- Make sure that a router or routing advertisement came from an authorized router.
- Make sure that a redirect message came from the router to which the initial request was sent.
- Make sure that a routing update was not forged.
1. Tunnel Mode
Encrypts the entire IP packet and authenticates the entire IP packet. The original IP header is replaced by a new IP header carrying the address of the next-hop router. Slower; good for VPNs and gateway-to-gateway security.
2. Transport Mode
Encrypts and authenticates only the payload of the IP packet; the original IP header stays intact. Faster than tunnel mode, and used for traffic analysis purposes.
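The two modes as an added, runnable illustration (my own example, not code from the lecture slides): it builds a constructed UDP-over-IPv4 packet, protects it with ESP-style framing in transport mode and in tunnel mode, and undoes both on the receiving side. The IPv4 and ESP layouts follow the RFC formats, but the encryption is a labelled stand-in keystream (a real implementation uses AES or 3DES), the ICV is HMAC-SHA1-96, and the addresses, keys and IV are constructed values.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50    # IP protocol number for ESP
IPIP_PROTO = 4    # "next header" of an encapsulated IPv4 packet (tunnel mode)
IV_LEN = 16       # IV length assumed by this example
ICV_LEN = 12      # HMAC-SHA1-96 truncates the tag to 96 bits


def ip(dotted):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(x) for x in dotted.split("."))


def ip_checksum(data):
    total = sum((data[i] << 8) + data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options, id/flags zero) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def keystream_xor(key, iv, data):
    """Stand-in for the real cipher (AES/3DES): a SHA-256 counter keystream. Illustration only."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(inner, next_header, spi, seq, enc_key, auth_key, iv):
    """ESP header | IV | encrypted(inner + padding + pad_len + next_header) | ICV."""
    pad_len = (-(len(inner) + 2)) % 4                      # ESP pads to 4-byte alignment
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = struct.pack("!II", spi, seq) + iv + keystream_xor(enc_key, iv, inner + trailer)
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(esp, enc_key, auth_key):
    """Verify the ICV before decrypting; returns (inner, next_header)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    iv = body[8:8 + IV_LEN]
    plain = keystream_xor(enc_key, iv, body[8 + IV_LEN:])
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:len(plain) - 2 - pad_len], next_header


def transport_mode(packet, spi, seq, enc_key, auth_key, iv):
    """Protect only the payload; the original addresses stay in the clear, protocol becomes ESP."""
    ihl = (packet[0] & 0x0F) * 4
    hdr, payload = packet[:ihl], packet[ihl:]
    esp = esp_encapsulate(payload, hdr[9], spi, seq, enc_key, auth_key, iv)
    return ipv4_header(hdr[12:16], hdr[16:20], ESP_PROTO, len(esp), ttl=hdr[8]) + esp


def tunnel_mode(packet, gw_src, gw_dst, spi, seq, enc_key, auth_key, iv):
    """Protect the whole original packet; a new outer header addresses the two gateways."""
    esp = esp_encapsulate(packet, IPIP_PROTO, spi, seq, enc_key, auth_key, iv)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def unprotect(packet, enc_key, auth_key):
    """Receiver side for either mode: returns the original packet."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = packet[:ihl]
    inner, next_header = esp_decapsulate(packet[ihl:], enc_key, auth_key)
    if next_header == IPIP_PROTO:          # tunnel mode: inner is a complete IP packet
        return inner
    # transport mode: restore the original protocol and length in the kept header
    return ipv4_header(hdr[12:16], hdr[16:20], next_header, len(inner), ttl=hdr[8]) + inner


# Constructed sample: a host-to-host UDP packet, keys, IV and two gateway addresses.
ENC_KEY, AUTH_KEY = b"enc-key-demo-32b" * 2, b"auth-key-demo"
IV = bytes(range(IV_LEN))
ORIGINAL = ipv4_header(ip("10.1.1.10"), ip("10.2.2.20"), 17, 12) + b"hello, ipsec"
TRANSPORT = transport_mode(ORIGINAL, 0x1000, 1, ENC_KEY, AUTH_KEY, IV)
TUNNEL = tunnel_mode(ORIGINAL, ip("203.0.113.1"), ip("198.51.100.1"), 0x2000, 1, ENC_KEY, AUTH_KEY, IV)

if __name__ == "__main__":
    print("transport dst (kept):", TRANSPORT[16:20].hex(), "len", len(TRANSPORT))
    print("tunnel dst (gateway):", TUNNEL[16:20].hex(), "len", len(TUNNEL))
    print("round trip ok:", unprotect(TUNNEL, ENC_KEY, AUTH_KEY) == ORIGINAL)
```

The point the two outputs make: in transport mode the inner addresses 10.1.1.10 and 10.2.2.20 are still readable on the wire, while in tunnel mode only the gateway addresses are visible and the inner header sits inside the authenticated, encrypted region, at the cost of a second 20-byte header.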
Benefits of IPSec over SSL/TLS
- Encrypts the entire IP packet
- Independent of IP address
- No impact on security-gateway-to-security-gateway communications
- Protocol independent
Pitfalls with IPSec
- Many ways to configure it, and it can be complex at times
- Can be configured in a wrong way
- Client security is an issue
Recommendations
- Use SHA1 over SHA and MD5
- Use 3DES, AES or Blowfish
- Never use DES
- Use tunnel mode
- Encrypt the entire packet
- Use certificates for key exchange
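The recommendations above turned into a configuration audit, added here as an example and not taken from the slides: a small checker that parses a strongSwan-style ipsec.conf (the conn/key=value layout and the cipher-integrity-dhgroup proposal syntax are strongSwan's; the two connections, their names and files are constructed) and reports each departure from the list: DES, MD5, transport mode, and authentication that is not certificate-based. It goes slightly beyond the slide's wording in accepting SHA1 or a stronger SHA-2 name as satisfying the SHA1 rule.

```python
# Recommendations from the notes encoded as checks (assumed simplifications, see comments).
WEAK_CIPHERS = {"des", "null"}                  # "Never use DES"
OK_CIPHER_PREFIXES = ("aes", "3des", "blowfish")  # "Use 3DES, AES or Blowfish"
WEAK_INTEGRITY = {"md5"}                        # "Use SHA1 over ... MD5"

# Constructed sample config: one connection that breaks every rule, one that follows them.
SAMPLE_CONF = """\
config setup

conn weak-link
    type=transport
    authby=secret
    ike=des-md5-modp1024
    esp=des-md5
    auto=start

conn site-to-site
    type=tunnel
    authby=pubkey
    leftcert=gateway-a.pem
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1!
    auto=start
"""


def parse_conns(text):
    """Return {conn name: {key: value}} for every 'conn' section; other sections are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing space
        if not line:
            continue
        if not line[0].isspace():                   # section header, e.g. "conn name"
            parts = line.split(None, 1)
            current = conns.setdefault(parts[1], {}) if len(parts) == 2 and parts[0] == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def proposal_algorithms(proposal):
    """Split 'aes256-sha1-modp2048!,3des-md5' into per-proposal token lists."""
    return [p.rstrip("!").split("-") for p in proposal.split(",") if p]


def check_conn(params):
    """Findings for one connection; an empty list means it follows every recommendation."""
    findings = []
    if params.get("type", "tunnel") != "tunnel":    # strongSwan's default type is tunnel
        findings.append("type is not tunnel: the inner IP header travels in the clear")
    # Simplification: certificate auth means authby=pubkey plus a leftcert/rightcert entry.
    if params.get("authby", "pubkey") != "pubkey" or not any(k.endswith("cert") for k in params):
        findings.append("authentication is not certificate-based")
    for key in ("ike", "esp"):
        for tokens in proposal_algorithms(params.get(key, "")):
            cipher = tokens[0]
            integrity = tokens[1] if len(tokens) > 1 else ""
            if cipher in WEAK_CIPHERS:
                findings.append(f"{key}: cipher '{cipher}' must never be used")
            elif not cipher.startswith(OK_CIPHER_PREFIXES):
                findings.append(f"{key}: cipher '{cipher}' is not 3DES, AES or Blowfish")
            if integrity in WEAK_INTEGRITY:
                findings.append(f"{key}: integrity '{integrity}' is weaker than SHA1")
    return findings


def audit(text):
    """Audit every connection in an ipsec.conf-style text: {conn name: [findings]}."""
    return {name: check_conn(params) for name, params in parse_conns(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Diffie-Hellman group strength and AEAD proposals (which carry no separate integrity token) are outside the slide's list and are left alone by the checker; a deployment would add its own rules for them.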
Extracted from the lecture slides of Dr. Kasun De Zoysa, Department of Communication and Media Technologies, Department of Computer Science, University of Colombo School of Computing (UCSC), Sri Lanka (LK).