Alcatel-Lucent 6850-48 Guida Di Rete
Configuring IPsec
IPsec Overview
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 27-7
IP Packet protected by ESP
ESP is identified by a value of 50 in the IP header. The ESP header is inserted after the IP header and
before the upper layer protocol header. The Security Parameter Index (SPI) in the ESP header is a 32-bit
value that, combined with the destination address and protocol in the preceding IP header, identifies the
security association (SA) to be used to process the packet. SPI helps distinguish multiple SA’s configured
for the same source and destination combination. The payload data field carries the data that is being
encrypted by ESP. The Authentication digest in the ESP header is used to verify data integrity. Authenti-
cation is always applied after encryption, so a check for validity of the data is done upon receipt of the
packet and before decryption.
before the upper layer protocol header. The Security Parameter Index (SPI) in the ESP header is a 32-bit
value that, combined with the destination address and protocol in the preceding IP header, identifies the
security association (SA) to be used to process the packet. SPI helps distinguish multiple SA’s configured
for the same source and destination combination. The payload data field carries the data that is being
encrypted by ESP. The Authentication digest in the ESP header is used to verify data integrity. Authenti-
cation is always applied after encryption, so a check for validity of the data is done upon receipt of the
packet and before decryption.
Encryption Algorithms
There are several different encryption algorithms that can be used in IPsec. However, the most commonly
used algorithms are “AES” and “3DES”. These algorithms are used for encrypting IP packets.
used algorithms are “AES” and “3DES”. These algorithms are used for encrypting IP packets.
• Advanced Encryption Standard - Cipher Block Chaining - (AES-CBC)
The AES-CBC mode comprises three different key lengths; AES-128, AES-192 and AES-256. Each block
of plaintext is XOR'd with the previous encrypted block before being encrypted again.
of plaintext is XOR'd with the previous encrypted block before being encrypted again.
• Advanced Encryption Standard Counter - (AES-CTR)
The AES-CTR mode comprises three different key lengths; AES-160, AES-224 and AES-288. AES-CTR
creates a stream cipher from the AES block cipher. It encrypts and decrypts by XORing key stream blocks
with plaintext blocks to produce the encrypted data.
creates a stream cipher from the AES block cipher. It encrypts and decrypts by XORing key stream blocks
with plaintext blocks to produce the encrypted data.
• Triple DES (3DES)
A mode of the DES encryption algorithm that encrypts data three times. Three 64-bit keys are used,
instead of one, for an overall key length of 192 bits (the first encryption is encrypted with second key, and
the resulting cipher text is again encrypted with a third key). 3DES is a more powerful version of DES.
instead of one, for an overall key length of 192 bits (the first encryption is encrypted with second key, and
the resulting cipher text is again encrypted with a third key). 3DES is a more powerful version of DES.
• Data Encryption Standard (DES)
DES is a cryptographic block algorithm with a 64-bit key. It is a popular symmetric-key encryption
method. DES uses a 56-bit key and uses the block cipher method, which breaks text into 64-bit blocks and
then encrypts them. DES is deprecated and only provided for backward compatibility.
method. DES uses a 56-bit key and uses the block cipher method, which breaks text into 64-bit blocks and
then encrypts them. DES is deprecated and only provided for backward compatibility.
16
24
32-bit
Security association identifier (SPI)
Sequence Number
Payload data (variable length)
Padding (0-255 bytes)
Pad Length
Next Header
Authentication Data (variable)