3com 3031 Installation Instructions
IPSec Overview
Figure 199 Data encapsulation format for security protocols
Tunnel mode is more secure than transport mode: it authenticates and encrypts the
original IP packet as a whole, header included, and it hides the original source
and destination addresses behind the IPSec peer addresses carried in the new outer
IP header, so a router on the path sees only the two gateways talking. On the other
hand, tunnel mode consumes more bandwidth than transport mode because every packet
carries an extra IP header. Select the mode according to the actual need for
security or performance: tunnel mode is the usual choice when the IPSec peers are
gateways protecting traffic on behalf of other hosts, transport mode when the
peers themselves are the endpoints of the traffic.
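The two encapsulations and their cost, as an added example that is not code from the 3Com manual: it lays out an ESP packet for the same TCP segment in transport mode and in tunnel mode, applies the ESP trailer padding rule for a 64-bit block cipher (DES or 3DES), and reports the bytes on the wire and the addresses a router on the path would see. The addresses, the authentication key, the zero IV and the fact that the CBC encryption step is left out (CBC does not change the length, so the counts stay exact) are all assumptions made here for illustration.

```python
import hashlib
import hmac
import socket
import struct

# Field sizes: RFC 2406 ESP with DES/3DES-CBC and HMAC-96 as used in this manual.
ESP_HDR_LEN = 8     # SPI (4 bytes) + sequence number (4 bytes)
IV_LEN = 8          # DES-CBC / 3DES-CBC initialisation vector
BLOCK = 8           # DES/3DES block size: ESP pads the payload to a multiple of it
ICV_LEN = 12        # HMAC-MD5-96 / HMAC-SHA-1-96 truncated digest
PROTO_TCP, PROTO_ESP, PROTO_IPIP = 6, 50, 4

# Constructed sample values: not real hosts, not a real key.
CLIENT = socket.inet_aton("192.168.1.10")   # original source (hidden in tunnel mode)
SERVER = socket.inet_aton("192.168.2.20")   # original destination
PEER_A = socket.inet_aton("203.0.113.1")    # IPSec gateway addresses (outer header)
PEER_B = socket.inet_aton("198.51.100.1")
AUTH_KEY = b"constructed-20-byte-sha1-key"


def ip_checksum(hdr):
    """Ones-complement sum of 16-bit words; returns 0 for a header whose checksum is valid."""
    s = sum(int.from_bytes(hdr[i:i + 2], "big") for i in range(0, len(hdr), 2))
    while s >> 16:
        s = (s >> 16) + (s & 0xFFFF)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header without options, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def esp_trailer(payload_len, next_header):
    """ESP trailer: pad so that payload + pad + 2 is a multiple of BLOCK, then the
    pad-length byte and the next-header byte (RFC 2406 section 2.4)."""
    pad_len = (-(payload_len + 2)) % BLOCK
    return bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def esp_encapsulate(spi, seq, payload, next_header, iv, key):
    """ESP header | IV | (payload | trailer) | ICV.
    Encryption is omitted here (assumption) so the layout stays readable.
    The ICV covers the ESP header, IV and body, not the outer IP header."""
    hdr = struct.pack("!II", spi, seq)
    body = payload + esp_trailer(len(payload), next_header)
    authenticated = hdr + iv + body
    icv = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def protect(mode, tcp_segment):
    """Wrap a TCP segment in ESP in 'transport' or 'tunnel' mode."""
    iv = bytes(IV_LEN)  # constructed; a real SA needs a fresh, unpredictable IV
    if mode == "transport":
        esp = esp_encapsulate(0x1000, 1, tcp_segment, PROTO_TCP, iv, AUTH_KEY)
        return ipv4_header(CLIENT, SERVER, PROTO_ESP, len(esp)) + esp
    # tunnel mode: the whole original packet, raw IP header included, is the payload
    inner = ipv4_header(CLIENT, SERVER, PROTO_TCP, len(tcp_segment)) + tcp_segment
    esp = esp_encapsulate(0x1000, 1, inner, PROTO_IPIP, iv, AUTH_KEY)
    return ipv4_header(PEER_A, PEER_B, PROTO_ESP, len(esp)) + esp


def outer_addresses(packet):
    """Source and destination that a router on the path can read."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


if __name__ == "__main__":
    segment = bytes(20) + b"A" * 100   # constructed: 20-byte TCP header + 100 bytes of data
    for mode in ("transport", "tunnel"):
        pkt = protect(mode, segment)
        print(f"{mode:9s} {len(pkt)} bytes on the wire, outer addresses {outer_addresses(pkt)}")
```

For the 120-byte segment the transport packet is 176 bytes and the tunnel packet 192 bytes: the extra 20-byte IP header is partly offset by the padding, which depends on the payload length modulo the cipher block size, so the real per-packet cost of tunnel mode varies between 13 and 27 bytes rather than being exactly 20.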
Authentication algorithm and encryption algorithm
■
Authentication algorithm
Both AH and ESP can check the integrity of an IP packet to determine whether it
was modified in transit. The authentication algorithm is implemented with a hash
function: an algorithm that accepts a message of any length and produces an
output of fixed length, called the message digest. In IPSec the hash is keyed
(HMAC) with the authentication key of the SA, so that only a peer holding the
key can produce a valid digest; an unkeyed digest could simply be recomputed by
whoever modified the packet. Both IPSec peers compute the digest over the
packet; if the digests are identical, the packet is intact and has not been
modified.
Generally speaking, there are two types of IPSec authentication algorithms.
■
MD5: Input a message of any length and generate a 128-bit message digest.
■
SHA-1: Input a message shorter than 2^64 bits and generate a 160-bit message
digest.
SHA-1 produces a longer digest than MD5 and is the stronger of the two, so
prefer it where both are offered. Note that collision attacks are known for
both functions as plain hashes; IPSec uses them in their HMAC form with the
digest truncated to 96 bits (HMAC-MD5-96 and HMAC-SHA-1-96).
■
Encryption algorithm
ESP can encrypt IP packets so that their contents are not disclosed during
transmission. The encryption algorithm is a symmetric-key cipher: the same key
encrypts and decrypts the data, so both peers must hold it. Generally, IPSec
uses two types of encryption algorithm.
■
DES: Encrypts data in 64-bit blocks with a 56-bit key.
■
3DES: Encrypts data in 64-bit blocks with three 56-bit keys (168-bit key in total).
3DES is much stronger than DES, whose 56-bit key can be exhaustively searched
with modern hardware; its effective strength is about 112 bits rather than 168
because of the meet-in-the-middle attack. It is correspondingly slower, since it
runs the DES operation three times on every block.
Negotiation mode
There are two ways to establish an SA: manual mode (manual) and IKE
auto-negotiation mode (isakmp). The former is more complex because all SA
information (keys, SPIs and algorithms) has to be configured by hand on both
peers. Moreover, it does not
Figure 199, layout recovered from the figure: packet format per mode and protocol, left to right

Mode       Protocol   Packet layout
transport  AH         IP Header | AH | TCP Header | data
transport  ESP        IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
transport  AH-ESP     IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data
tunnel     AH         new IP Header | AH | raw IP Header | TCP Header | data
tunnel     ESP        new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
tunnel     AH-ESP     new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data