3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
IPsec Overview 145
Working mode of IPsec protocol
The IPsec protocol has two working modes: transport mode and tunnel mode. The
mode is specified in the SA.
In transport mode, the AH/ESP header is inserted after the IP header and before
the transport-layer protocol header (or before any other IPsec header). In tunnel
mode, the AH/ESP header is inserted before the original IP header and after a new
outer IP header. The encapsulation format of each security protocol in transport
and tunnel mode (with TCP as the transport protocol) is shown in the following figure:
Figure 37 Data encapsulation format for security protocols
Tunnel mode is more secure than transport mode: it authenticates and encrypts the
original IP packet in its entirety, and it hides the client IP addresses behind the
IPsec peer IP addresses carried in the outer header. On the other hand, tunnel mode
uses more bandwidth than transport mode because of the extra IP header. Select the
mode according to your security and performance requirements.
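The following added example (not from the 3Com guide) frames one constructed IPv4/TCP packet with ESP in both modes, using the field sizes from the public IPv4 and ESP formats. Padding is omitted and the ICV is zero-filled, which are labelled simplifications; the addresses, SPI values and payload are constructed. It shows the two claims made above in bytes: tunnel mode costs exactly one extra IP header, and it moves the original source/destination addresses out of the cleartext part of the packet, while transport mode leaves them visible in the outer header.

```python
import struct

# Constants from the IPv4 and ESP packet formats (RFC 791, RFC 2406).
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_IPIP = 4          # "next header" value for an inner IPv4 packet in tunnel mode
IPV4_HDR_LEN = 20
ESP_TRAILER_LEN = 2       # pad length (1) + next header (1); block padding omitted here
ESP_ICV_LEN = 12          # 96-bit ICV as carried by HMAC-MD5-96 / HMAC-SHA-1-96


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header without options; checksum left at zero for simplicity."""
    def addr(a: str) -> bytes:
        return bytes(int(octet) for octet in a.split("."))
    total_len = IPV4_HDR_LEN + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       addr(src), addr(dst))


def esp_encapsulate(inner_packet: bytes, mode: str, spi: int, seq: int,
                    outer_src: str = "", outer_dst: str = "") -> dict:
    """Frame one inner IPv4 packet with ESP in 'transport' or 'tunnel' mode.

    Returns the full packet, the bytes ESP leaves in the clear (outer IP header
    plus ESP header) and the bytes it would encrypt (payload plus trailer).
    The ICV is zero-filled: the framing, not the MAC, is the point here.
    """
    esp_hdr = struct.pack("!II", spi, seq)
    if mode == "transport":
        # ESP sits after the original IP header and before the TCP header,
        # so the outer header keeps the original addresses.
        inner_ip, upper = inner_packet[:IPV4_HDR_LEN], inner_packet[IPV4_HDR_LEN:]
        next_hdr = inner_ip[9]                      # original protocol field (TCP)
        body = upper
        outer_src = ".".join(str(b) for b in inner_ip[12:16])
        outer_dst = ".".join(str(b) for b in inner_ip[16:20])
    elif mode == "tunnel":
        # The whole original packet, header included, becomes the ESP payload
        # and a new outer header carries the IPsec peer addresses.
        if not outer_src or not outer_dst:
            raise ValueError("tunnel mode needs the peer addresses for the new header")
        next_hdr = IPPROTO_IPIP
        body = inner_packet
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    trailer = bytes([0, next_hdr])                  # pad length 0, next header
    icv = bytes(ESP_ICV_LEN)
    encrypted = body + trailer
    outer_ip = ipv4_header(outer_src, outer_dst, IPPROTO_ESP,
                           len(esp_hdr) + len(encrypted) + len(icv))
    clear = outer_ip + esp_hdr
    packet = clear + encrypted + icv
    return {"packet": packet, "clear": clear, "encrypted": encrypted,
            "overhead": len(packet) - len(inner_packet)}


# Constructed sample: a TCP SYN from 10.0.0.5 to 10.0.0.9 with a short payload,
# protected between two IPsec gateways with documentation-range addresses.
INNER_SRC, INNER_DST = "10.0.0.5", "10.0.0.9"
PEER_A, PEER_B = "198.51.100.1", "203.0.113.1"
_tcp_hdr = struct.pack("!HHIIBBHHH", 1025, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
_payload = b"hello"
SAMPLE_INNER = (ipv4_header(INNER_SRC, INNER_DST, IPPROTO_TCP,
                            len(_tcp_hdr) + len(_payload)) + _tcp_hdr + _payload)


def compare_modes(inner_packet: bytes = SAMPLE_INNER) -> dict:
    """Quantify the trade-off described in the text for one packet."""
    inner_addrs = inner_packet[12:20]               # original src + dst address bytes
    transport = esp_encapsulate(inner_packet, "transport", spi=0x100, seq=1)
    tunnel = esp_encapsulate(inner_packet, "tunnel", spi=0x200, seq=1,
                             outer_src=PEER_A, outer_dst=PEER_B)
    return {
        "transport_overhead": transport["overhead"],
        "tunnel_overhead": tunnel["overhead"],
        "extra_ip_header": tunnel["overhead"] - transport["overhead"],
        "transport_addrs_in_clear": inner_addrs in transport["clear"],
        "tunnel_addrs_in_clear": inner_addrs in tunnel["clear"],
        "tunnel_addrs_encrypted": inner_addrs in tunnel["encrypted"],
    }


if __name__ == "__main__":
    for name, value in compare_modes().items():
        print(f"{name}: {value}")
```

The 20-byte difference in overhead is the "extra IP header" the text refers to; with real padding and a full-size ICV the absolute numbers grow, but the difference between the modes stays one outer header.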
Authentication algorithm and encryption algorithm
1 Authentication algorithm
Both AH and ESP can verify the integrity of an IP packet to determine whether it
has been modified. The authentication algorithm is implemented with a hash
function: an algorithm that accepts an input message of any length and produces
an output of a fixed length. The output is called the message digest. Each IPsec
peer computes the hash over the packet; if the two digests are identical, the
packet is intact and has not been modified.
Generally speaking, there are two types of IPsec authentication algorithms.
■ MD5: Takes a message of any length and generates a 128-bit message digest.
■ SHA-1: Takes a message shorter than 2^64 bits and generates a 160-bit message
digest.
Because the SHA-1 digest is longer than the MD5 digest, SHA-1 is more secure than MD5.
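The following added example (not from the 3Com guide) shows the integrity check the text describes with Python's standard library: both peers compute a digest over the authenticated bytes and compare. It goes one step beyond the text in that IPsec uses the keyed HMAC forms of these hashes and carries only the first 96 bits as the ICV (HMAC-MD5-96 and HMAC-SHA-1-96, RFC 2403 and RFC 2404); the key, TCP header and payload are constructed sample values. The receiver compares with a constant-time function and rejects the packet when a single bit of the payload changes.

```python
import hashlib
import hmac

# Digest lengths stated in the guide: MD5 -> 128 bits, SHA-1 -> 160 bits.
DIGEST_BITS = {"md5": 128, "sha1": 160}

# IPsec carries only the first 96 bits of the keyed hash as the ICV
# (HMAC-MD5-96 / HMAC-SHA-1-96). This truncation is the one IPsec-specific
# detail assumed here beyond what the text states.
ICV_BITS = 96


def digest_bits(algorithm: str, message: bytes) -> int:
    """Length in bits of the plain (unkeyed) digest the guide describes."""
    return hashlib.new(algorithm, message).digest_size * 8


def compute_icv(algorithm: str, key: bytes, authenticated: bytes) -> bytes:
    """Sender side: HMAC over the authenticated bytes, truncated to 96 bits."""
    mac = hmac.new(key, authenticated, algorithm).digest()
    return mac[: ICV_BITS // 8]


def verify_icv(algorithm: str, key: bytes, authenticated: bytes, received_icv: bytes) -> bool:
    """Receiver side: recompute and compare in constant time."""
    expected = compute_icv(algorithm, key, authenticated)
    return hmac.compare_digest(expected, received_icv)


# Constructed sample: a shared key, a fake TCP header and a small payload,
# i.e. the part of a transport-mode packet that AH/ESP would authenticate.
SAMPLE_KEY = bytes.fromhex("0b" * 20)
SAMPLE_TCP_HEADER = bytes.fromhex("0050" "01bb" "00000001" "00000000" "5002" "2000" "0000" "0000")
SAMPLE_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"


def demo(key: bytes = SAMPLE_KEY,
         authenticated: bytes = SAMPLE_TCP_HEADER + SAMPLE_PAYLOAD) -> dict:
    """Run both algorithms over an intact and a tampered copy of the packet."""
    results = {}
    for alg in ("md5", "sha1"):
        icv = compute_icv(alg, key, authenticated)
        tampered = bytearray(authenticated)
        tampered[-1] ^= 0x01                        # flip one bit in the payload
        results[alg] = {
            "digest_bits": digest_bits(alg, authenticated),
            "icv_bits": len(icv) * 8,
            "intact_ok": verify_icv(alg, key, authenticated, icv),
            "tampered_ok": verify_icv(alg, key, bytes(tampered), icv),
        }
    return results


if __name__ == "__main__":
    for alg, r in demo().items():
        print(alg, r)
```

The keyed form matters for the check described in the text: an unkeyed digest can be recomputed by anyone who alters the packet, whereas the HMAC can only be produced by a peer holding the SA's authentication key.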
2 Encryption algorithm
ESP can encrypt IP packets so that their contents are not disclosed during
transmission. The encryption algorithm is implemented by encrypting or
Figure 37 Data encapsulation format for security protocols (layout recovered from
the figure's extracted labels; fields listed outermost first, TCP as the transport
protocol)
Mode       Protocol  Encapsulation
transport  AH        IP Header | AH | TCP Header | data
transport  ESP       IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
transport  AH-ESP    IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data
tunnel     AH        new IP Header | AH | raw IP Header | TCP Header | data
tunnel     ESP       new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
tunnel     AH-ESP    new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data