Cisco IOS Software Release 12.4(23)
Security Target For Cisco IOS IPSec
Appendix A—IPSec Operation
IPSec Standards
IPSec combines trusted security technologies into a complete system that provides confidentiality,
integrity, and authenticity of IP packets.
These technologies include:
Diffie-Hellman key exchange for deriving key material between SA peers
Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two
parties and avoid man-in-the-middle attacks
Bulk encryption algorithms, such as 3DES or AES, for encrypting the data
Keyed hash algorithms, such as HMAC, combined with traditional hash algorithms such as MD5 or SHA
for providing packet authentication
Digital certificates signed by a certificate authority to act as digital ID cards
IPSec itself is broken into two parts:
The IP Security Protocol proper, which defines the information to add to an IP packet to enable
confidentiality, integrity, and authenticity controls as well as defining how to encrypt the packet data.
The TOE uses the IPSec Encapsulating Security Payload (ESP) in IPSec Tunnel mode.
Internet Key Exchange (IKE), which negotiates the security association between two entities and
exchanges key material. It is not necessary to use IKE, but manually configuring security associations is
a difficult and labor-intensive process. IKE should be used in most real-world applications to enable
large-scale secure communications.
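As an added example, not code from the Security Target or from Cisco IOS, the ESP tunnel-mode packet handling described above in Go: espEncap wraps an inner IP packet with AES-CBC encryption and an HMAC-SHA1-96 integrity check value in the RFC 4303 layout, and espDecap verifies the ICV and the sequence number before it decrypts. The function names, keys, IV and inner packet used here are constructed for illustration; in the TOE the keys come from IKE and the IV is fresh per packet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// espEncap builds an ESP tunnel-mode packet in the RFC 4303 layout:
// SPI | Seq | IV | AES-CBC(inner IP packet | padding | pad length | next header 4) | HMAC-SHA1-96 ICV.
// Keys and IV are caller-supplied here (IKE would derive the keys; the IV must be fresh per packet).
func espEncap(encKey, authKey []byte, spi, seq uint32, iv, innerIP []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil || len(iv) != aes.BlockSize { return nil, errors.New("esp: bad key or IV length") }
	padLen := (aes.BlockSize - (len(innerIP)+2)%aes.BlockSize) % aes.BlockSize // fill whole AES blocks
	plain := append([]byte{}, innerIP...)
	for i := 1; i <= padLen; i++ { plain = append(plain, byte(i)) } // default ESP padding bytes 1,2,3,...
	plain = append(plain, byte(padLen), 4) // ESP trailer: pad length, next header (4 = IP-in-IP, i.e. tunnel mode)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	pkt := make([]byte, 8)
	binary.BigEndian.PutUint32(pkt, spi); binary.BigEndian.PutUint32(pkt[4:], seq)
	pkt = append(append(pkt, iv...), ct...)
	mac := hmac.New(sha1.New, authKey)
	mac.Write(pkt) // ICV covers SPI, sequence number, IV and ciphertext
	return append(pkt, mac.Sum(nil)[:12]...), nil
}

// espDecap checks the ICV (constant time) and the sequence number before touching the ciphertext.
func espDecap(encKey, authKey []byte, pkt []byte, lastSeq uint32) ([]byte, uint32, error) {
	if len(pkt) < 8+2*aes.BlockSize+12 { return nil, 0, errors.New("esp: packet too short") }
	body, icv := pkt[:len(pkt)-12], pkt[len(pkt)-12:]
	mac := hmac.New(sha1.New, authKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:12], icv) { return nil, 0, errors.New("esp: ICV mismatch, packet dropped") }
	seq := binary.BigEndian.Uint32(body[4:8])
	if seq <= lastSeq { return nil, 0, errors.New("esp: replayed sequence number") } // minimal anti-replay check
	iv, ct := body[8:8+aes.BlockSize], body[8+aes.BlockSize:]
	block, err := aes.NewCipher(encKey)
	if err != nil || len(ct)%aes.BlockSize != 0 { return nil, 0, errors.New("esp: bad key or ciphertext length") }
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen, next := int(plain[len(plain)-2]), plain[len(plain)-1]
	if next != 4 || padLen+2 > len(plain) { return nil, 0, errors.New("esp: bad trailer") }
	return plain[:len(plain)-2-padLen], seq, nil // the recovered inner IP packet
}
```

A receiver that decrypted before checking the ICV would process attacker-controlled bytes; the order in espDecap is the point of the example.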
Figure 8 IPSec Tunnel Mode
[Figure: an IPSec tunnel carrying traffic between two trusted networks across an untrusted network]