3Com 3031 Installation Instructions
CHAPTER 60: IPSEC CONFIGURATION
IPSec policies and algorithms can also be configured manually, in which case IKE negotiation is not required. The two negotiation modes are compared later in this chapter.
IPSec Basic Concepts
Security association
IPSec provides secure communication between two endpoints, which are called IPSec peers.
IPSec allows systems, network users, or administrators to control the granularity of the security services applied between peers. For example, the IPSec policy of one group may require that data flow from a given subnet be protected by both AH and ESP and encrypted with Triple Data Encryption Standard (3DES), while data flow from another site is protected by ESP only and encrypted with DES only. IPSec provides these different levels of protection for different data streams by means of security associations (SAs).
The SA is fundamental to IPSec. It records the parameters the two peers have agreed on for a given data stream: which protocol is applied (AH, ESP, or both), the working mode (transport mode or tunnel mode), the cryptographic algorithm (DES or 3DES), the shared key that protects the stream, and the lifetime of that key. Note that DES is no longer considered secure; prefer 3DES or a stronger algorithm where the platform offers one.
An SA is unidirectional, so a bidirectional communication needs at least two SAs, one for each direction of the data flow. Moreover, if both AH and ESP are applied to the data flow between the peers, a separate SA is needed for AH and for ESP in each direction.
An SA is uniquely identified by a triplet: the Security Parameter Index (SPI), the destination IP address, and the security protocol identifier (AH or ESP). The SPI is a 32-bit number generated to uniquely identify the SA; it is carried in the AH/ESP header of every protected packet, which is how the receiver selects the SA to process an inbound packet.
An SA has a lifetime, which can be measured in either of two ways:
■
Time-based lifetime: the SA is renewed after a specified interval;
■
Traffic-based lifetime: the SA is renewed after a specified amount of data (in bytes) has been transmitted.
Working mode of IPSec protocol
The IPSec protocols operate in one of two working modes: transport mode and tunnel mode. The mode is specified in the SA.
In transport mode, the AH/ESP header is inserted after the IP header but before any transport-layer protocol header (or any other IPSec header). In tunnel mode, a new IP header is added and the AH/ESP header is inserted after the new IP header but before the original IP header, so the entire original packet is protected as payload. The data encapsulation format for the two modes (taking the transport protocol TCP as an example) is shown in the following figure:
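The following is an added example, not 3Com's code or part of the original manual. It builds IPv4 packets in transport mode (IP | AH/ESP | TCP) and tunnel mode (new IP | AH/ESP | original IP | TCP) with a minimal AH or ESP header, then recovers the (SPI, destination IP, protocol) triplet from the outer headers and uses it to look up the inbound SA, showing why each direction of a flow needs its own SA. Header layouts follow RFC 4302 (AH) and RFC 4303 (ESP); encryption and integrity checks are omitted, only the framing is shown. The addresses, SPIs, SA names and the TCP segment are constructed sample values.

```python
"""Added example: IPSec transport/tunnel framing and SA lookup by triplet.
Not 3Com's code; addresses, SPIs and SA names are constructed samples."""
import struct
import ipaddress

PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 (sample only)."""
    total = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def esp_header(spi, seq):
    """ESP header: SPI (32 bits) + sequence number. Trailer and ICV omitted;
    in real ESP the Next Header field lives in the (encrypted) trailer."""
    return struct.pack("!II", spi, seq)


def ah_header(next_hdr, spi, seq, icv=b"\x00" * 12):
    """AH header: next header, payload length (32-bit words minus 2),
    reserved, SPI, sequence number, ICV (a zeroed 96-bit placeholder here)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def transport_mode(src, dst, proto, spi, seq, tcp_segment):
    """Transport mode: IP | AH/ESP | TCP. The original IP header is kept
    and the security header sits between it and the transport header."""
    if proto == PROTO_ESP:
        sec = esp_header(spi, seq) + tcp_segment
    else:
        sec = ah_header(PROTO_TCP, spi, seq) + tcp_segment
    return ipv4_header(src, dst, proto, len(sec)) + sec


def tunnel_mode(gw_src, gw_dst, inner_pkt, proto, spi, seq):
    """Tunnel mode: new IP | AH/ESP | original IP | TCP. The whole original
    packet becomes the payload of the security header."""
    if proto == PROTO_ESP:
        sec = esp_header(spi, seq) + inner_pkt
    else:
        sec = ah_header(4, spi, seq) + inner_pkt  # next header 4 = IPv4-in-IPv4
    return ipv4_header(gw_src, gw_dst, proto, len(sec)) + sec


def sa_selector(packet):
    """Return the SA triplet (SPI, destination IP, protocol) that a receiver
    reads from the outer IP header and the AH/ESP header that follows it."""
    proto = packet[9]
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    ihl = (packet[0] & 0x0F) * 4
    if proto == PROTO_ESP:
        spi = struct.unpack("!I", packet[ihl:ihl + 4])[0]
    elif proto == PROTO_AH:
        spi = struct.unpack("!I", packet[ihl + 4:ihl + 8])[0]
    else:
        raise ValueError("not an IPSec packet")
    return spi, dst, proto


# Constructed sample SA database: one SA per direction and per protocol,
# keyed by the triplet, as the text requires.
SAD = {
    (0x1000, "203.0.113.2", PROTO_ESP): "esp-out-3des",   # A -> B, ESP
    (0x2000, "203.0.113.1", PROTO_ESP): "esp-in-3des",    # B -> A, ESP
    (0x1001, "203.0.113.2", PROTO_AH): "ah-out-sha1",     # A -> B, AH
}


def lookup_sa(packet):
    """Select the SA for an inbound packet; None means no matching SA (drop)."""
    return SAD.get(sa_selector(packet))


if __name__ == "__main__":
    tcp = b"\x04\xd2\x00\x50" + b"\x00" * 16          # constructed TCP segment
    p = transport_mode("203.0.113.1", "203.0.113.2", PROTO_ESP, 0x1000, 1, tcp)
    print("transport ESP ->", sa_selector(p), lookup_sa(p))
    inner = ipv4_header("10.1.1.10", "10.2.2.20", PROTO_TCP, len(tcp)) + tcp
    t = tunnel_mode("203.0.113.1", "203.0.113.2", inner, PROTO_AH, 0x1001, 1)
    print("tunnel AH    ->", sa_selector(t), lookup_sa(t))
    rev = transport_mode("203.0.113.2", "203.0.113.1", PROTO_ESP, 0x1000, 1, tcp)
    print("reverse dir  ->", sa_selector(rev), lookup_sa(rev))
```

Reusing the same SPI in the reverse direction yields a different triplet (the destination address changes), so no SA is found and the packet would be dropped: the SA for B -> A must be configured separately, as the text states.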