3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

10
IPSEC CONFIGURATION
IPsec Overview
IP Security (IPsec) is a family of protocols defined by the IETF. It provides
high-quality, interoperable, cryptography-based security for IP packets. The two
communicating peers encrypt and authenticate the data source at the IP layer,
which gives packets confidentiality, data integrity, data origin authentication
and anti-replay protection while they are in transit on the network.
Confidentiality means that user data is encrypted and transmitted as ciphertext.
Data integrity means that the receiver authenticates the received data to
determine whether the packet was modified in transit.
Data origin authentication means that the receiver verifies the source of the
data, so that it can be sure the packet was sent by the claimed sender.
Anti-replay prevents a malicious party from repeatedly sending a captured data
packet; in other words, the receiver rejects old or duplicate packets.
IPsec achieves the above aims through the Authentication Header (AH) and
Encapsulating Security Payload (ESP) security protocols. In addition, Internet
Key Exchange (IKE) provides automatic key negotiation and security association
(SA) setup and maintenance for IPsec, which simplifies the use and management
of IPsec.
AH mainly provides data origin authentication, data integrity authentication
and anti-replay protection. It cannot encrypt the packet.
ESP provides the functions that AH provides plus encryption. However, its data
integrity authentication does not cover the IP header.
AH and ESP can be used either independently or together. AH and ESP each have
two working modes, transport mode and tunnel mode, which are introduced later.
IKE negotiates the cryptographic algorithms used by AH and ESP and places the
keys those algorithms need where they are required.
IPsec policies and algorithms can also be configured manually, so IKE
negotiation is not required. The two negotiation modes are compared later.