In a secure connection, such as a connection in a virtual private network (VPN), transmitted packets are secured by a set of security parameters. One standard used to secure packets in a secure connection is Internet Protocol Security (IPsec), developed by the Internet Engineering Task Force (IETF). IPsec is a suite of protocols that supports the secure exchange of packets at the Internet Protocol network layer (Layer 3 of the Open Systems Interconnection (OSI) network model).
IPsec secures data in a connection through the use of security associations (SAs). An SA is a combination of a policy and keys used to establish a simplex (i.e., one-way) secure connection that provides security services to the packets carried on that connection. Typically, two SAs are negotiated for an IPsec connection between two computing devices, one for inbound communications and one for outbound communications. Each SA includes values such as a destination address, data exchange policies, security keys for encryption of IPsec packets, and additional attributes such as the SA lifespan. Each SA further includes a security parameters index (SPI), a unique identifying value that distinguishes among the multiple SAs that may coexist at a computing device.
To build an IPsec connection between the two computing devices, the IETF has established a standard method of security association and key exchange resolution, which combines the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley key generation protocol. ISAKMP centralizes security association management, reducing connection time. Oakley generates and manages authenticated keys used to secure the information.
To ensure successful, secure communication, the ISAKMP/Oakley method involves a two-phase operation. The first phase is a key exchange phase during which the two computing devices establish a secure exchange of first policies and first keys; this secure exchange is then used to exchange SA data in the second phase. The second phase is a data protection phase during which the SA policies and SA keys are exchanged over the secure exchange established during the first phase. In the second phase, a pair of SAs is negotiated, one SA for each data transmission direction. The security negotiation process during the second phase includes policy negotiation, which determines the IPsec protocol (e.g., Authentication Header protocol (AH) or Encapsulation Security Protocol (ESP)), an integrity algorithm (e.g., Message Digest algorithm (MD5) or Secure Hash algorithm (SHA)), and an encryption algorithm (e.g., Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), or 40-bit Data Encryption Standard (40-bit DES)). In sum, each SA includes a number of policies and keys governing the transmission of packets over the secure connection. The two computing devices come to a common agreement about the policies and keys and thus establish the SAs for an IPsec connection.
Each SA has a lifespan, that is, a time period after which the two computing devices need to renegotiate the SA. The renegotiation involves renegotiating policies and keys. The computing device typically deletes old SA policies and keys after negotiating new SAs.
Packets sent through a VPN tunnel created by an IPsec connection are typically forwarded through an intermediate device which partially decrypts the packet in order to determine the packet destination. The intermediate device also typically validates the packet. Packets failing to validate are typically dropped with no further processing and, accordingly, provide little data for later analysis of the network condition that produced them.
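As an added illustration (not part of the original text), the following Python models the inbound SA database keyed by SPI described above, the SA lifespan, and the validation an endpoint performs on an arriving ESP packet, returning a reason for each rejection instead of silently dropping it. The SA fields, SPI value and packet bytes are constructed, and the anti-replay check is a simplified window rather than the full RFC 4303 bitmap.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class SecurityAssociation:
    """Inbound SA: SPI, peer address, negotiated policy and a lifetime (constructed)."""
    spi: int
    peer: str
    protocol: str           # "ESP" or "AH", chosen in phase-two policy negotiation
    integrity: str          # e.g. "SHA"
    encryption: str         # e.g. "3DES"
    expires_at: float       # absolute time; after this the SA must be renegotiated
    window: int = 64        # anti-replay window size
    highest_seq: int = 0
    seen: set = field(default_factory=set)


def parse_esp_header(packet: bytes) -> Tuple[int, int]:
    """ESP header (RFC 4303): 4-byte SPI followed by 4-byte sequence number, big-endian."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", packet[:8])


def validate_inbound(packet: bytes, sadb: Dict[int, SecurityAssociation],
                     now: float) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejections carry a reason so they can be logged."""
    try:
        spi, seq = parse_esp_header(packet)
    except ValueError as err:
        return False, str(err)
    sa = sadb.get(spi)                       # SPI selects among coexisting SAs
    if sa is None:
        return False, f"no SA for SPI 0x{spi:08x}"
    if now > sa.expires_at:
        return False, f"SA 0x{spi:08x} lifetime expired; renegotiation required"
    if seq in sa.seen or seq <= sa.highest_seq - sa.window:
        return False, f"seq {seq} replayed or outside anti-replay window"
    sa.seen.add(seq)
    sa.highest_seq = max(sa.highest_seq, seq)
    return True, "ok"


# Constructed sample: one inbound SA and a packet carrying its SPI and sequence 5.
SAMPLE_SADB = {0x1000ABCD: SecurityAssociation(0x1000ABCD, "192.0.2.10", "ESP",
                                               "SHA", "3DES", expires_at=1000.0)}
SAMPLE_PACKET = struct.pack("!II", 0x1000ABCD, 5) + b"\x00" * 16  # payload is dummy
```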