Internet Key Exchange - Architecture

Architecture

Most IPsec implementations consist of an IKE daemon that runs in user space and an IPsec stack in the kernel that processes the actual IP packets.

User-space daemons have easy access to mass storage containing configuration information, such as the IPsec endpoint addresses, keys and certificates, as required. Kernel modules, on the other hand, can process packets efficiently and with minimum overhead—which is important for performance reasons.

The IKE protocol uses UDP packets, usually on port 500, and generally requires 4-6 packets with 2-3 turn-around times to create an SA on both sides. The negotiated key material is then given to the IPsec stack. For instance, this could be an AES key, information identifying the IP endpoints and ports that are to be protected, as well as what type of IPsec tunnel has been created. The IPsec stack, in turn, intercepts the relevant IP packets if and where appropriate and performs encryption/decryption as required. Implementations vary on how the interception of the packets is done—for example, some use virtual devices, others take a slice out of the firewall, etc.

Read more about this topic:  Internet Key Exchange

Famous quotes containing the word architecture:

    They can do without architecture who have no olives nor wines in the cellar.
    Henry David Thoreau (1817–1862)

    Polarized light showed the secret architecture of bodies; and when the second-sight of the mind is opened, now one color or form or gesture, and now another, has a pungency, as if a more interior ray had been emitted, disclosing its deep holdings in the frame of things.
    Ralph Waldo Emerson (1803–1882)

    All architecture is great architecture after sunset; perhaps architecture is really a nocturnal art, like the art of fireworks.
    Gilbert Keith Chesterton (1874–1936)