Cisco IOS Software Release 12.4(23)

Security Target For Cisco IOS IPSec
Appendix A—IPSec Operation
IPSec Standards
IPSec combines trusted security technologies into a complete system that provides confidentiality, integrity, and authenticity of IP packets.
These technologies include:
Diffie-Hellman key exchange for deriving key material between SA peers
Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties and avoid man-in-the-middle attacks
Bulk encryption algorithms, such as 3DES or AES, for encrypting the data
Keyed hash algorithms, such as HMAC, combined with traditional hash algorithms such as MD5 or SHA, for providing packet authentication
Digital certificates signed by a certificate authority to act as digital ID cards
IPSec itself is broken into two parts:
The IP Security Protocol proper, which defines the information to add to an IP packet to enable confidentiality, integrity, and authenticity controls, as well as defining how to encrypt the packet data. The TOE uses the IPSec Encapsulating Security Payload (ESP) in IPSec Tunnel mode.
Internet Key Exchange (IKE), which negotiates the security association between two entities and exchanges key material. It is not necessary to use IKE, but manually configuring security associations is a difficult and labor-intensive process. IKE should be used in most real-world applications to enable large-scale secure communications.
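To show how two of the building blocks listed above fit together inside IKE, the following Python (an added example, not code from the Security Target or from Cisco IOS) runs a Diffie-Hellman exchange over IKE group 2 and derives the IKEv1 phase 1 keys from it with HMAC-SHA1 as RFC 2409 specifies; nonces, cookies and exponents are generated at run time, and the RSA signature that authenticates the exchange is not shown.

```python
import hashlib, hmac, secrets

# RFC 2409 section 6.2 "Second Oakley Group" (IKE group 2): 1024-bit MODP prime with
# generator 2, the smallest standard IKE group; deployments should prefer larger ones.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G, GROUP_LEN = 2, 128  # generator; g^xy enters the prf as a fixed 128-byte value

def dh_keypair():
    """Private exponent x in [2, p-2] and the public value g^x mod p for the KE payload."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def is_valid_ke(peer_ke):
    """Reject 0, 1 and p-1: a peer sending these would force a trivial shared secret."""
    return 1 < peer_ke < P - 1

def dh_shared(x, peer_ke):
    """g^xy mod p from our exponent and the peer's validated public value."""
    if not is_valid_ke(peer_ke):
        raise ValueError("invalid Diffie-Hellman public value from peer")
    return pow(peer_ke, x, P)

def prf(key, data):
    """IKEv1 prf: the keyed hash negotiated for the SA, HMAC-SHA1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()

def ike_phase1_keys(ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5 (signature authentication): SKEYID = prf(Ni_b | Nr_b, g^xy), then
    SKEYID_d (seeds IPSec SA keys), SKEYID_a (IKE integrity key), SKEYID_e (IKE cipher key)."""
    gxy_b = gxy.to_bytes(GROUP_LEN, "big")
    skeyid = prf(ni + nr, gxy_b)
    skeyid_d = prf(skeyid, gxy_b + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy_b + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy_b + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e

def demo():
    """Run both sides of the exchange; True when both derive identical key material."""
    xi, gxi = dh_keypair()                       # initiator exponent and KE value
    xr, gxr = dh_keypair()                       # responder exponent and KE value
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # constructed nonces
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # constructed cookies
    keys_i = ike_phase1_keys(ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    keys_r = ike_phase1_keys(ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    return keys_i == keys_r
```

A peer that skips the public-value check can be pushed into a trivial shared secret, which is why dh_shared refuses 0, 1 and p-1 before exponentiating.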
Figure 8 IPSec Tunnel Mode (figure: two trusted networks joined by an IPSec tunnel across an untrusted network)