Nortel Networks 620 User Manual

Chapter 1
IPSec: Concept for secure IP connections
E-DOC-CTC-20051017-0169 v1.0
1.1 IPSec Concepts
Red and Black Network
The following nomenclature is used throughout this document:
The SpeedTouch™
The IPSec capable DSL router
The Red network
Private or trusted side of the SpeedTouch™.
The Black network
Public or non-trusted side of the SpeedTouch™. The black network is 
frequently referred to as the WAN side, being the connection towards the 
Internet.
Authentication Header
The Authentication Header (AH) protocol allows the integrity and origin of a data 
packet to be checked. An Integrity Check Value (a keyed hash, not a public-key 
digital signature) is computed over the entire packet, including the IP header, 
with the exception of the mutable fields (fields that legitimately change while the 
packet is in transit, e.g. the TTL counter and the header checksum).
Encapsulating Security Payload
The Encapsulating Security Payload (ESP) protocol provides data confidentiality and 
ensures data integrity (message authentication). ESP supports various encryption 
algorithms, making the data unreadable to an eavesdropper. A Security 
Association (SA) consists of the set of parameters negotiated between two peers 
(an SA is unidirectional, so a bidirectional tunnel uses a pair of SAs):
authentication type
compression, hashing or encryption algorithms
key size
key lifetime
...
[Figure: two Red LANs (trusted network side), each with a Red network node behind a SpeedTouch 620 ([1] and [2]); the two SpeedTouch 620 devices are connected across the Black network (non-trusted network side).]
Because the use of the Authentication Header is deprecated, the SpeedTouch™ 
from Release onwards only supports the ESP protocol. Authentication 
without encryption can be achieved by selecting ESP with NULL encryption. 
Note that ESP, even with NULL encryption, does not cover the outer IP header 
with its integrity check: only the ESP header and the encapsulated payload are 
protected, whereas AH also protects the immutable fields of the IP header.
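The difference between the AH integrity check (computed over the packet minus its mutable fields) and the ESP integrity check (computed over the ESP header and payload only) is easiest to see in code. The following Python script is an added example and is not part of the SpeedTouch documentation or firmware: it builds a constructed IPv4 header, zeroes the mutable fields the way AH does before hashing, and shows that an AH-style ICV survives a TTL decrement but catches a rewritten destination address, while an ESP-NULL-style ICV is blind to changes in the outer IP header. The key is a constructed placeholder (a real SA gets its keys from IKE), HMAC-SHA-256 truncated to 128 bits stands in for whatever integrity algorithm the SA negotiates, and the AH header itself is omitted from the hashed data for brevity.

```python
import hashlib
import hmac
import struct

# Constructed placeholder key; a real SA derives its integrity key via IKE.
KEY = b"constructed-example-key-not-for-production"
ICV_LEN = 16  # truncate to 128 bits, as HMAC-SHA-256-128 does (RFC 4868)


def ipv4_header(src, dst, ttl, proto, total_len, ident=0x1234):
    """Build a 20-byte IPv4 header without options. The header checksum is
    left zero: it is a mutable field that every router recomputes anyway."""
    ver_ihl = (4 << 4) | 5
    tos = 0
    flags_frag = 0
    checksum = 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                       flags_frag, ttl, proto, checksum, src, dst)


def zero_mutable(hdr):
    """Zero the mutable IPv4 fields (TOS/DSCP+ECN, flags + fragment offset,
    TTL, header checksum) as AH does before computing the ICV (RFC 4302)."""
    h = bytearray(hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(ip_hdr, payload, key=KEY):
    """AH-style ICV: keyed hash over the immutable IP header fields and the
    payload. (AH would also include its own header with the ICV field zeroed;
    that is omitted here for brevity.)"""
    mac = hmac.new(key, zero_mutable(ip_hdr) + payload, hashlib.sha256)
    return mac.digest()[:ICV_LEN]


def esp_null_icv(spi, seq, payload, key=KEY):
    """ESP-with-NULL-encryption ICV: keyed hash over the ESP header (SPI and
    sequence number) and the plaintext payload. The outer IP header is not
    part of the authenticated data."""
    esp = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, esp, hashlib.sha256).digest()[:ICV_LEN]


SRC = bytes([10, 0, 0, 1])        # constructed Red-side address
DST = bytes([192, 0, 2, 1])       # constructed peer address (TEST-NET-1)
ATTACKER = bytes([192, 0, 2, 99]) # constructed rewritten destination
PAYLOAD = b"constructed payload from the Red network"
AH_PROTO, ESP_PROTO = 51, 50


def ah_survives_ttl_decrement():
    """A router on the Black network decrements TTL; the AH ICV still verifies."""
    sent = ipv4_header(SRC, DST, ttl=64, proto=AH_PROTO, total_len=20 + len(PAYLOAD))
    icv = ah_icv(sent, PAYLOAD)
    forwarded = ipv4_header(SRC, DST, ttl=63, proto=AH_PROTO, total_len=20 + len(PAYLOAD))
    return hmac.compare_digest(icv, ah_icv(forwarded, PAYLOAD))


def ah_detects_address_rewrite():
    """Rewriting the destination address changes an immutable field: AH catches it."""
    sent = ipv4_header(SRC, DST, ttl=64, proto=AH_PROTO, total_len=20 + len(PAYLOAD))
    icv = ah_icv(sent, PAYLOAD)
    tampered = ipv4_header(SRC, ATTACKER, ttl=63, proto=AH_PROTO, total_len=20 + len(PAYLOAD))
    return not hmac.compare_digest(icv, ah_icv(tampered, PAYLOAD))


def esp_null_detects_address_rewrite():
    """Same rewrite under ESP-NULL: the outer header is not authenticated, so the
    ICV still verifies and the change goes unnoticed (returns False)."""
    spi, seq = 0x1000, 1
    icv = esp_null_icv(spi, seq, PAYLOAD)
    # The outer header is rewritten in transit; the ESP data is untouched.
    _tampered_outer = ipv4_header(SRC, ATTACKER, ttl=63, proto=ESP_PROTO,
                                  total_len=20 + 8 + len(PAYLOAD) + ICV_LEN)
    still_verifies = hmac.compare_digest(icv, esp_null_icv(spi, seq, PAYLOAD))
    return not still_verifies


if __name__ == "__main__":
    print("AH verifies after TTL decrement:", ah_survives_ttl_decrement())
    print("AH detects rewritten destination:", ah_detects_address_rewrite())
    print("ESP-NULL detects rewritten destination:", esp_null_detects_address_rewrite())
```

The practical consequence for the SpeedTouch configuration described above: selecting ESP with NULL encryption gives you message authentication of the tunnelled data, but anything that depends on the outer header being authenticated (for example detecting that a packet was redirected by rewriting its addresses) has to come from the tunnel-mode inner header, which ESP does protect, or from another layer.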