3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

144 CHAPTER 10: IPSEC CONFIGURATION
Overview of Encryption Card
IPsec may use the ESP or AH protocol to process packets. For high security,
complex encryption, decryption and authentication algorithms are often used.
Running these algorithms in the IPsec software on a security gateway consumes
many CPU resources, so overall performance may degrade. To solve this problem,
you can insert an encryption card into a modularized security gateway, so that
IPsec operations are processed in hardware. This improves IPsec processing
efficiency as well as the overall performance of the security gateway.
1 Encryption/decryption process on the encryption card: The security gateway sends
the data to be encrypted or decrypted to the encryption card. The card performs the
encryption or decryption, adds or removes the encryption headers, and then sends
the processed data back to the security gateway for forwarding.
2 For an IPsec SA implemented by the encryption card: if the card is faulty, the
backup function is enabled on the card, and the encryption/authentication
algorithms selected for the SA are supported by the IPsec module on the Comware
platform, then IPsec is implemented by the IPsec module on the Comware platform
instead. One encryption card cannot, however, be used as the backup of another card.
Note: The encryption card processes data using the same mechanism as the IPsec
module on the Comware platform. The only difference is that the card uses
hardware, while the IPsec module uses software.
IPsec Basic Concepts
Security association
IPsec provides secure communication between two endpoints, which are called
IPsec peers.
IPsec allows systems, network users or administrators to control the granularity
of the security services between peers. For instance, the IPsec policies of one
group may prescribe that data flows from a certain subnet be protected by both AH
and ESP and encrypted with Triple Data Encryption Standard (3DES), while data
flows from another site be protected by ESP only and encrypted with DES only.
Based on SAs, IPsec can provide different levels of security protection for
different data flows.
The SA is essential to IPsec. It is the agreement between communicating peers on
certain elements: which protocol is applied (AH, ESP or both), the working mode
(transport mode or tunnel mode), the encryption algorithm (DES or 3DES), the
shared key protecting a given stream, and the SA duration.
An SA is unidirectional, so at least two SAs are needed to protect the data flow
in both directions of a bi-directional communication. Moreover, if both AH and
ESP are applied to protect the data flow between peers, a separate SA is still
needed for AH and for ESP respectively.
An SA is uniquely identified by a triplet: the Security Parameter Index (SPI),
the destination IP address and the security protocol ID (AH or ESP). The SPI is a
32-bit number generated to uniquely identify the SA; it is transmitted in the
AH/ESP header.
An SA has a duration, calculated in one of two ways:
Time-based duration updates the SA after a specific interval of time;
Traffic-based duration updates the SA after a certain amount of data (in bytes) has been transmitted.
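To make the SA identification and duration rules above concrete, the following is an added Python model of a security association database; it is not 3Com or Comware code. It reads the SPI from an AH or ESP header, selects the inbound SA by the (SPI, destination address, protocol) triplet, and retires the SA when either the time-based or the traffic-based limit is reached. The addresses, SPIs, algorithm names and limits are constructed values.

```python
import struct
from dataclasses import dataclass

AH, ESP = 51, 50  # IP protocol numbers of AH and ESP in the outer IP header

@dataclass
class SecurityAssociation:
    # One unidirectional SA, uniquely identified by (SPI, destination address, protocol).
    spi: int
    dst: str
    proto: int
    algorithm: str        # e.g. "3des-cbc" or "des-cbc"
    created: float        # seconds; the caller supplies the clock
    time_limit: float     # time-based duration (seconds)
    byte_limit: int       # traffic-based duration (bytes)
    bytes_seen: int = 0

    def expired(self, now):
        # Reaching either duration limit means the SA must be renegotiated.
        return (now - self.created) >= self.time_limit or self.bytes_seen >= self.byte_limit

def parse_spi(proto, payload):
    # Read the 32-bit SPI that AH/ESP carry in their header (RFC 4302/4303 field order).
    if proto == ESP:                      # ESP: SPI is the first 4 bytes
        return struct.unpack("!I", payload[:4])[0]
    if proto == AH:                       # AH: next hdr, len, reserved(2), then SPI
        return struct.unpack("!I", payload[4:8])[0]
    raise ValueError("not an AH/ESP packet")

class SecurityAssociationDatabase:
    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, dst, proto, payload, now):
        # Select the SA for an inbound packet; None means drop (unknown or expired SA).
        sa = self._sas.get((parse_spi(proto, payload), dst, proto))
        if sa is None or sa.expired(now):
            return None
        sa.bytes_seen += len(payload)
        return sa

def build_demo_sad():
    # Constructed example: two ESP SAs, one per direction, between 10.0.0.1 and 10.0.0.2.
    sad = SecurityAssociationDatabase()
    sad.add(SecurityAssociation(0x1001, "10.0.0.2", ESP, "3des-cbc", 0.0, 3600, 1_000_000))
    sad.add(SecurityAssociation(0x2002, "10.0.0.1", ESP, "des-cbc", 0.0, 3600, 64))
    return sad
```

Because each SA is unidirectional, a packet carrying SPI 0x1001 toward 10.0.0.1 finds no SA and is dropped even though that SPI is valid toward 10.0.0.2.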