IPsec Overview
IPsec is a suite of related protocols for cryptographicallysecuring communications at the IP Packet Layer. IPsec also providesmethods for the manual and automatic negotiation of security associations(SAs) and key distribution, all the attributes for which are gatheredin a domain of interpretation (DOI). The IPsec DOI is a document containingdefinitions for all the security parameters required for the successfulnegotiation of a VPN tunnel—essentially, all the attributesrequired for SA and IKE negotiations. See RFC 2407 and RFC 2408 formore information.
To use IPsec security services, you create SAs between hosts.An SA is a simplex connection that allows two hosts to communicatewith each other securely by means of IPsec. There are two types ofSAs: manual and dynamic.
IPsec supports two modes of security (transport mode and tunnelmode).
Security Associations
A security association (SA) is a unidirectionalagreement between the VPN participants regarding the methods and parametersto use in securing a communication channel. Full bidirectional communicationrequires at least two SAs, one for each direction. Through the SA,an IPsec tunnel can provide the following security functions:
Privacy (through encryption)
Content integrity (through data authentication)
Sender authentication and—if using certificates—nonrepudiation(through data origin authentication)
The security functions you employ depend on yourneeds. If you need only to authenticate the IP packet source and contentintegrity, you can authenticate the packet without applying any encryption.On the other hand, if you are concerned only with preserving privacy,you can encrypt the packet without applying any authentication mechanisms.Optionally, you can both encrypt and authenticate the packet. Mostnetwork security designers choose to encrypt, authenticate, and replay-protecttheir VPN traffic.
An IPsec tunnel consists of a pair of unidirectionalSAs—one SA for each direction of the tunnel—that specifythe security parameter index (SPI), destination IP address, and securityprotocol (Authentication Header [AH] or Encapsulating Security Payload[ESP] employed. An SA groups together the following components forsecuring communications:
Security algorithms and keys.
Protocol mode, either transport or tunnel. Junos OS devicesalways use tunnel mode. (See Packet Processing in TunnelMode.)
Key-management method, either manual key or AutoKey IKE.
SA lifetime.
For inbound traffic, Junos OS looks up the SA byusing the following triplet:
Destination IP address.
Security protocol, either AH or ESP.
Security parameter index (SPI) value.
For outbound VPN traffic, the policy invokes the SA associatedwith the VPN tunnel.
IPsec Key Management
The distribution and management of keysare critical to using VPNs successfully. Junos OS supports IPsec technologyfor creating VPN tunnels with three kinds of key creation mechanisms:
Manual key
AutoKey IKE with a preshared key or a certificate
You can choose your key creation mechanism—also calledauthentication method—during Phase 1 and Phase 2 proposal configuration.See Internet Key Exchange.
This topic includes the following sections:
- Manual Key
- AutoKey IKE
- Diffie-Hellman Exchange
Manual Key
With manual keys, administrators at both ends ofa tunnel configure all the security parameters. This is a viable techniquefor small, static networks where the distribution, maintenance, andtracking of keys are not difficult. However, safely distributing manual-keyconfigurations across great distances poses security issues. Asidefrom passing the keys face-to-face, you cannot be completely surethat the keys have not been compromised while in transit. Also, wheneveryou want to change the key, you are faced with the same security issuesas when you initially distributed it.
AutoKey IKE
When you need to create and manage numerous tunnels,you need a method that does not require you to configure every elementmanually. IPsec supports the automated generation and negotiationof keys and security associations using the Internet Key Exchange(IKE) protocol. Junos OS refers to such automated tunnel negotiationas AutoKey IKE and supports AutoKey IKE with preshared keys and AutoKeyIKE with certificates.
AutoKey IKE with preshared keys—UsingAutoKey IKE with preshared keys to authenticate the participants inan IKE session, each side must configure and securely exchange thepreshared key in advance. In this regard, the issue of secure keydistribution is the same as that with manual keys. However, once distributed,an autokey, unlike a manual key, can automatically change its keysat predetermined intervals using the IKE protocol. Frequently changingkeys greatly improves security, and automatically doing so greatlyreduces key-management responsibilities. However, changing keys increasestraffic overhead; therefore, changing keys too often can reduce datatransmission efficiency.
A preshared key is a key for both encryption anddecryption, which both participants must have before initiating communication.
AutoKey IKE with certificates—Whenusing certificates to authenticate the participants during an AutoKeyIKE negotiation, each side generates a public-private key pair andacquires a certificate.As long as the issuing certificate authority (CA) is trusted by bothsides, the participants can retrieve the peer’s public key andverify the peer's signature. There is no need to keep track of thekeys and SAs; IKE does it automatically.
Diffie-Hellman Exchange
A Diffie-Hellman (DH) exchange allows participants to produce a shared secret value. The strength of the technique is that it allows participants to create the secret value over an unsecured medium without passing the secret value through the wire. The size of the prime modulus used in each group's calculation differs as shown in the below table. Diffie Hellman (DH) exchange operations can be performed either in software or in hardware. The following Table 1 lists different Diffie Hellman (DH) groups and specifies whether the operation performed for that group is in the hardware or in software.
| Diffie-Hellman (DH) Group | Prime Module Size |
|---|---|
| DH Group 1 | 768-bit |
| DH Group 2 | 102-bit |
| DH Group 5 | 1536-bit |
| DH Group 14 | 2048-bit |
| DH Group 15 | 3072-bit |
| DH Group 16 | 4096-bit |
| DH Group 19 | 256-bit elliptic curve |
| DH Group 20 | 384-bit elliptic curve |
| DH Group 21 | 521-bit elliptic curve |
| DH Group 24 | 2048-bit with 256-bit prime order subgroup |
Starting in Junos OS Release 19.1R1, SRX Series Firewalls (except SRX300, SRX320, SRX340, SRX345, SRX380, SRX550HM Series Firewalls) support DH groups 15, 16, and 21.
Starting in Junos OS Release 20.3R1, vSRX Virtual Firewall (vSRX 3.0) instances with junos-ike package installed support DH groups 15, 16, and 21.
We do not recommend the use of DH groups 1, 2, and 5.
Because the modulus for each DH group is a different size, the participants must agree to use the same group.
IPsec Security Protocols
IPsec uses two protocols to secure communicationsat the IP layer:
Authentication Header (AH)—A security protocol forauthenticating the source of an IP packet and verifying the integrityof its content
Encapsulating Security Payload (ESP)—A securityprotocol for encrypting the entire IP packet (and authenticating itscontent)
You can choose your security protocols—also called authentication and encryption algorithms—duringPhase 2 proposal configuration. See InternetKey Exchange.
For each VPN tunnel, both AH and ESP tunnel sessions are installedon Services Processing Units (SPUs) and the control plane. Tunnelsessions are updated with the negotiated protocol after negotiationis completed. For SRX5400, SRX5600, and SRX5800 devices, tunnel sessionson anchor SPUs are updated with the negotiated protocol while non-anchorSPUs retain ESP and AH tunnel sessions. ESP and AH tunnel sessionsare displayed in the outputs for the show security flow session and show security flow cp-session operational mode commands.
This topic includes the following sections:
- IPsec Authentication Algorithms (AH Protocol)
- IPsec Encryption Algorithms (ESP Protocol)
IPsec Authentication Algorithms (AH Protocol)
The Authentication Header (AH) protocol providesa means to verify the authenticity and integrity of the content andorigin of a packet. You can authenticate the packet by the checksumcalculated through a Hash Message Authentication Code (HMAC) usinga secret key and either MD5 or SHA hash functions.
Message Digest 5 (MD5)—An algorithm that producesa 128-bit hash (also called a digital signature or message digest) from a message of arbitrarylength and a 16-byte key. The resulting hash is used, like a fingerprintof the input, to verify content and source authenticity and integrity.
Secure Hash Algorithm (SHA)—An algorithm that producesa 160-bit hash from a message of arbitrary length and a 20-byte key.It is generally regarded as more secure than MD5 because of the largerhashes it produces. Because the computational processing is done inthe ASIC, the performance cost is negligible.
For more information on MD5 hashing algorithms,see RFC 1321 and RFC 2403. For more information on SHA hashing algorithms,see RFC 2404. For more information on HMAC, see RFC 2104.
IPsec Encryption Algorithms (ESP Protocol)
The Encapsulating Security Payload (ESP) protocolprovides a means to ensure privacy (encryption) and source authenticationand content integrity (authentication). ESP in tunnel mode encapsulatesthe entire IP packet (header and payload) and then appends a new IPheader to the now-encrypted packet. This new IP header contains thedestination address needed to route the protected data through thenetwork. (See Packet Processing in TunnelMode.)
With ESP, you can both encrypt and authenticate,encrypt only, or authenticate only. For encryption, you can chooseone of the following encryption algorithms:
-
Data Encryption Standard (DES)—A cryptographic block algorithm with a 56-bit key.
-
Triple DES (3DES)—A more powerful version of DES in which the original DES algorithm is applied in three rounds, using a 168-bit key. DES provides significant performance savings but is considered unacceptable for many classified or sensitive material transfers.
-
Advanced Encryption Standard (AES)—An encryption standard which offers greater interoperability with other devices. Junos OS supports AES with 128-bit, 192-bit, and 256-bit keys.
-
ChaCha20-Poly1305 Authenticated Encryption with Associated Data—ChaCha20 stream cipher which supports Authenticated Encryption with Associated Data (AEAD) using Poly1305 authenticator.
For authentication, you can use either MD5 or SHAalgorithms.
Even though it is possible to select NULL for encryption,it has been demonstrated that IPsec might be vulnerable to attackunder such circ*mstances. Therefore, we suggest that you choose anencryption algorithm for maximum security.
IPsec Tunnel Negotiation
The following two different modes that determine howthe traffic is exchanged in the VPN.
Tunnel mode—Protect traffic by encapsulating theoriginal IP packet within another packet in the VPN tunnel. This modeuses preshared keys with IKE to authenticate peers or digital certificateswith IKE to authenticate peers. This is most commonly used when hostswithin separate private networks want to communicate over a publicnetwork. This mode can be used by both VPN clients and VPN gateways,and protects communications that come from or go to non-IPsec systems.
Transport mode—Protect traffic by sending the packetdirectly between the two hosts that have established the IPsec tunnel.That is, when the communication endpoint and cryptographic endpointare the same. The data portion of the IP packet is encrypted, butthe IP header is not. VPN gateways that provide encryption and decryptionservices for protected hosts cannot use transport mode for protectedVPN communications. The IP addresses of the source or destinationcan be modified if the packet is intercepted. Because of its construction,transport mode can be used only when the communication endpoint andcryptographic endpoint are the same.
Supported IPsec and IKE Standards
On routers equipped with one or more MS-MPCs, MS-MICs, orDPCs, the Canada and U.S. version of Junos OS substantially supportsthe following RFCs, which define standards for IP Security (IPsec)and Internet Key Exchange (IKE).
-
RFC2085, HMAC-MD5 IP Authentication with Replay Prevention
-
RFC2401, Security Architecture for the Internet Protocol (obsoleted by RFC 4301)
-
RFC2402, IP Authentication Header (obsoleted by RFC 4302)
-
RFC2403, The Use of HMAC-MD5-96 within ESP and AH
-
RFC2404, The Use of HMAC-SHA-1-96 within ESP and AH (obsoleted by RFC 4305)
-
RFC2405, The ESP DES-CBC Cipher Algorithm With Explicit IV
-
RFC2406, IP Encapsulating Security Payload (ESP) (obsoleted by RFC 4303 and RFC 4305)
-
RFC2407, The Internet IP Security Domain of Interpretation for ISAKMP (obsoleted by RFC 4306)
-
RFC2408, Internet Security Association and Key Management Protocol (ISAKMP) (obsoleted by RFC 4306)
-
RFC2409, The Internet Key Exchange (IKE) (obsoleted by RFC 4306)
-
RFC2410, The NULL Encryption Algorithm and Its Use With IPsec
-
RFC 2451, The ESP CBC-Mode Cipher Algorithms
-
RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
-
RFC 3193, Securing L2TP using IPsec
-
RFC 3280, Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
-
RFC3602, The AES-CBC Cipher Algorithm and Its Use with IPsec
-
RFC3948, UDP Encapsulation of IPsec ESP Packets
-
RFC4106, The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
-
RFC 4210, Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
-
RFC 4211, Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)
-
RFC4301, Security Architecture for the Internet Protocol
-
RFC4302, IP Authentication Header
-
RFC4303, IP Encapsulating Security Payload (ESP)
-
RFC 4305, Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
-
RFC 4306, Internet Key Exchange (IKEv2) Protocol
-
RFC 4307, Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
-
RFC 4308, Cryptographic Suites for IPsec
Only Suite VPN-A is supported in Junos OS.
-
RFC4754, IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
-
RFC 4835, Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
-
RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2) (obsoleted by RFC 7296)
-
RFC 7296, Internet Key Exchange Protocol Version 2 (IKEv2)
-
RFC8200, Internet Protocol, Version6 (IPv6) Specification
-
RFC 7634, ChaCha20, Poly1305, and Their Use in the Internet Key Exchange Protocol (IKE) and IPsec
Junos OS partially supports the following RFCs for IPsec andIKE:
RFC 3526, More ModularExponential (MODP) Diffie-Hellman groups for Internet Key Exchange(IKE)
RFC 5114, Additional Diffie-Hellman Groupsfor Use with IETF Standards
RFC 5903, Elliptic Curve Groups modulo a Prime(ECP Groups) for IKE and IKEv2
The following RFCs and Internet draft do not define standards,but provide information about IPsec, IKE, and related technologies.The IETF classifies them as “Informational.”
RFC2104, HMAC: Keyed-Hashing for Message Authentication
RFC2412, The OAKLEY Key Determination Protocol
RFC3706, A Traffic-Based Method of DetectingDead Internet Key Exchange (IKE) Peers
Internet draft draft-eastlake-sha2-02.txt, US Secure HashAlgorithms (SHA and HMAC-SHA) (expires July 2006)
See Also
Services Interfaces Overviewfor Routing Devices
MX Series 5G Universal RoutingPlatform Interface Module Reference
Accessing Standards Documentson the Internet
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
Release
Description
24.2R1
Support for ChaCha20-Poly1305 algorithm added to SRX1600, SRX2300, SRX4300, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX 3.0 in Junos OS Release 24.2R1.
19.1R1
Starting in Junos OS Release 19.1R1, SRX Series Firewalls support DH groups 15, 16, and 21.
