R3303-HP HSR6800 Routers Security Configuration Guide

Figure 152 Registration process
As shown in Figure 152,
1. The GM and KS perform IKE negotiation.
2. The GM sends its group ID to the KS.
3. The KS sends an IPsec policy to the GM according to the group ID.
4. The GM verifies the IPsec policy. If the IPsec policy settings are acceptable, for example, the
security protocols and encryption algorithms are supported, the GM sends an acknowledge
message to the KS.
5. After the KS receives the acknowledge message, it sends KEK and TEK messages to the GM.
The GM uses the obtained IPsec policy and keys to encrypt and decrypt data.
A GM starts a GDOI registration timer when it initiates a registration to the KS. If the GM does not
successfully register with the KS before the timer expires, the current registration fails and the GM
re-registers with the KS. This timer is not configurable. After the registration succeeds, the GM updates the
timer according to the received rekey SA and IPsec SA lifetime.
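The five-step exchange and the registration timer described above, played out as an added example (illustration code, not the router firmware or HP's GDOI implementation). The message names, the GM capability set, the 30-second timeout placeholder, the dummy KEK/TEK values and the sample group ID are all constructed for the example; the only page-derived constraint is that the GM accepts ESP but not AH.

```python
"""Simulated GDOI registration between a group member (GM) and a key server (KS).

Added illustration only; not the router's own code.  Values marked 'constructed'
are chosen for the example and are not taken from the configuration guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Capability set of this GM (constructed). The guide only states that AH is not
# supported for group domain VPN, so the GM here accepts ESP only.
GM_SUPPORTED_PROTOCOLS = {"esp"}
GM_SUPPORTED_CIPHERS = {"aes-cbc-128", "aes-cbc-256"}

# Placeholder for the non-configurable registration timer (the guide gives no value).
REGISTRATION_TIMEOUT = 30  # seconds


@dataclass
class IPsecPolicy:
    protocol: str        # "esp" or "ah"
    cipher: str
    mode: str            # "tunnel" or "transport", chosen by the KS
    tek_lifetime: int    # IPsec SA lifetime in seconds
    rekey_lifetime: int  # rekey SA lifetime in seconds


class KeyServer:
    """Minimal KS: answers group-ID lookups and hands out KEK/TEK after an acknowledgement."""

    def __init__(self, policies: Dict[str, IPsecPolicy], responsive: bool = True):
        self.policies = policies
        self.responsive = responsive

    def on_group_id(self, group_id: str) -> Optional[IPsecPolicy]:
        if not self.responsive:
            return None                      # simulates a KS that never answers
        return self.policies.get(group_id)

    def on_ack(self, group_id: str) -> Dict[str, bytes]:
        # Constructed dummy keys; a real KS generates fresh keying material.
        return {"kek": b"\x01" * 16, "tek": b"\x02" * 16}


class GroupMember:
    def __init__(self, group_id: str):
        self.group_id = group_id
        self.policy: Optional[IPsecPolicy] = None
        self.keys: Dict[str, bytes] = {}
        self.timer_expires_at: Optional[float] = None

    def policy_acceptable(self, policy: IPsecPolicy) -> bool:
        # Step 4: accept only security protocols and algorithms this GM supports.
        return (policy.protocol in GM_SUPPORTED_PROTOCOLS
                and policy.cipher in GM_SUPPORTED_CIPHERS)

    def register(self, ks: KeyServer, now: float, ike_ok: bool = True) -> Tuple[str, List[str]]:
        log: List[str] = []
        # The registration timer starts when the GM initiates the registration.
        self.timer_expires_at = now + REGISTRATION_TIMEOUT
        if not ike_ok:                                   # step 1
            log.append("1) IKE negotiation failed")
            return "failed", log
        log.append("1) IKE negotiation")
        log.append(f"2) GM -> KS: group ID {self.group_id}")   # step 2
        policy = ks.on_group_id(self.group_id)                 # step 3
        if policy is None:
            log.append("3) no IPsec policy received")
            return "failed", log
        log.append(f"3) KS -> GM: IPsec policy {policy.protocol}/{policy.cipher}/{policy.mode}")
        if not self.policy_acceptable(policy):           # step 4
            log.append("4) GM rejects policy")
            return "failed", log
        log.append("4) GM -> KS: acknowledgement")
        self.keys = ks.on_ack(self.group_id)             # step 5
        self.policy = policy
        log.append("5) KS -> GM: KEK and TEK")
        # After success the timer follows the received rekey SA / IPsec SA lifetimes.
        self.timer_expires_at = now + min(policy.rekey_lifetime, policy.tek_lifetime)
        return "registered", log


def register_with_retry(gm: GroupMember, ks: KeyServer, start: float,
                        max_attempts: int = 3) -> Tuple[str, int]:
    """Re-register each time the registration timer expires without success."""
    now, attempts = start, 0
    while attempts < max_attempts:
        attempts += 1
        status, _ = gm.register(ks, now)
        if status == "registered":
            return status, attempts
        now = gm.timer_expires_at            # timer expired: registration failed, try again
    return "failed", attempts


if __name__ == "__main__":
    ks = KeyServer({"grp1": IPsecPolicy("esp", "aes-cbc-128", "tunnel", 3600, 7200)})
    status, log = GroupMember("grp1").register(ks, now=0.0)
    print(status, *log, sep="\n  ")
```

Running the module prints the successful transcript; `register_with_retry` against a `KeyServer(..., responsive=False)` shows the timer-driven re-registration loop giving up after the attempt limit.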
Data protection
After registering to the KS, a GM uses the IPsec SAs to protect data that matches the IPsec policy. GMs
can protect unicast data and multicast data.
Group domain VPN supports two encapsulation modes: tunnel mode and transport mode. The KS
determines the encapsulation mode to be used and assigns it to the GMs.
Tunnel mode—Adds a security protocol header (AH or ESP header) before the original IP packet,
and then adds an IP header (the same as the original IP header) before the security protocol header.
Currently, group domain VPN does not support AH. Figure 153 shows the format of an
ESP-encapsulated IP packet.
Figure 153 Tunnel mode encapsulation of group domain VPN
Transport mode—Inserts a security protocol header between the original IP header and the
payload data. No change is made to the original IP header.
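Added example (not the router's code) that lays out the two encapsulation modes as byte sequences around a constructed IPv4/UDP packet. It writes only the RFC 4303 ESP header (SPI, sequence number) and a minimal trailer, with no encryption or integrity check, so the layouts can be inspected. In both modes it rewrites the leading IP header's protocol number to 50 (ESP), total length and checksum, which is what lets a receiver find the security header; the addresses and other fields stay as in the original header, as the text describes. The SPI and sequence values passed in are arbitrary.

```python
"""Layout-only illustration of tunnel and transport mode ESP encapsulation.

Added example, not the router's own code.  No encryption or ICV is applied;
the packet bytes stay readable so the header order can be checked.
"""
import struct

IPPROTO_ESP = 50
IPPROTO_IPIP = 4     # next-header value meaning "an IPv4 packet follows" (tunnel mode)


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def split_ipv4(packet: bytes):
    """Return (header, payload, protocol) using the IHL field."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl], packet[ihl:], packet[9]


def rewrite_header(header: bytes, protocol: int, total_length: int) -> bytes:
    """Copy of an IPv4 header with protocol, total length and checksum updated."""
    hdr = bytearray(header)
    struct.pack_into("!H", hdr, 2, total_length)
    hdr[9] = protocol
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def esp_wrap(data: bytes, spi: int, seq: int, next_header: int) -> bytes:
    """ESP header (SPI, sequence) + data + minimal trailer (pad length 0, next header)."""
    return struct.pack("!II", spi, seq) + data + bytes([0, next_header])


def encapsulate(packet: bytes, mode: str, spi: int, seq: int) -> bytes:
    header, payload, proto = split_ipv4(packet)
    if mode == "tunnel":
        # ESP header in front of the whole original packet, then a new outer IP
        # header copied from the original one in front of the ESP header.
        body = esp_wrap(packet, spi, seq, IPPROTO_IPIP)
        return rewrite_header(header, IPPROTO_ESP, len(header) + len(body)) + body
    if mode == "transport":
        # ESP header inserted between the original IP header and its payload.
        body = esp_wrap(payload, spi, seq, proto)
        return rewrite_header(header, IPPROTO_ESP, len(header) + len(body)) + body
    raise ValueError("mode must be 'tunnel' or 'transport'")


def decapsulate(packet: bytes) -> bytes:
    """Reverse of encapsulate(): recover the original IP packet from either mode."""
    header, body, proto = split_ipv4(packet)
    if proto != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    pad_len, next_header = body[-2], body[-1]
    data = body[8:len(body) - 2 - pad_len]       # skip SPI+seq, drop trailer and padding
    if next_header == IPPROTO_IPIP:
        return data                               # tunnel mode: data is the whole inner packet
    return rewrite_header(header, next_header, len(header) + len(data)) + data


def sample_packet() -> bytes:
    """Constructed 20-byte IPv4 header (UDP, 10.0.0.1 -> 10.0.0.2) plus an 8-byte payload."""
    payload = b"GDOIDATA"
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                                64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


if __name__ == "__main__":
    pkt = sample_packet()
    for mode in ("tunnel", "transport"):
        enc = encapsulate(pkt, mode, spi=0x100, seq=1)
        print(f"{mode:9s} {len(enc):3d} bytes  {enc.hex()}")
        assert decapsulate(enc) == pkt
```

The tunnel-mode output is 58 bytes (outer header, ESP header, the complete original 28-byte packet, trailer) and the transport-mode output 38 bytes (original header, ESP header, payload, trailer); comparing the two hex dumps shows the outer header duplicating the original addresses in tunnel mode and the original header kept in place in transport mode.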
Group domain VPN also supports protection of MPLS L3VPN data. For more information about MPLS
L3VPN, see MPLS Configuration Guide.
[Figure 152 (registration process) messages between GM and KS: 1) IKE negotiation, 2) Group ID, 3) SA policy, 4) Acknowledgement, 5) TEK and KEK]