Black Box ET0010A User Manual

Policy Concepts

EncrypTight User Guide

183

TIP

Network connectivity problems can prevent new keys from being distributed to the PEPs before the old
keys expire. If you experience problems of this nature, see

“Solving Network Connectivity Problems” on

page 248

for suggested workarounds to prevent interruptions.

Policy Types and Encryption Methods

The type of policy specifies the action applied to packets that match the protocol and networks included
in this policy. You can choose from the following types:

●

Drop - drops all packets matching this policy.

●

Bypass - passes all packets matching this policy in the clear.

●

IPSec - encrypts or decrypts all packets matching this policy. (For Layer 2 Ethernet policies, this
option is Encrypt.)

The following topics describe how traffic is protected in an encryption policy:

●

“Encapsulation” on page 183

●

“Encryption and Authentication Algorithms” on page 184

Encapsulation

To provide encryption and authentication, the PEPs use the EncrypTight Encapsulating Security Payload
protocol (CE-ESP). CE-ESP is Black Box’s packet encapsulation protocol that is based on the IPSec ESP
protocol standards.

Layer 2: Ethernet payload encryption

In Layer 2 policies, the CE-ESP protocol preserves the original Ethernet header information and encrypts
only the Ethernet payload, as shown in

Figure 67

Figure 67

Ethernet frame encryption

Layer 3: IPSec Tunnel mode with original IP header preservation

In Layer 3 IP policies, a copy of the original IP header is used as the outer header and the original header
and payload are encrypted, as show in

Figure 68

Figure 68

IP packet encryption

Layer 4: IPSec Transport mode for Layer 4 payload encryption

ETEP PEPs have an option to encrypt only the Layer 4 payload. The TCP and UDP header information
remains in the clear, as shown in