Справочник Пользователя для Ulterius Technologies LLC FDN40
Configuration User Manual
141
© Ulterius Technologies, LLC 2016. Confidential & Proprietary.
Chapter
7
IPSec
7.1 Protocol Description
IPSec provides security services at the IP layer. The security services include
access control, connectionless integrity, data origin authentication, rejection
of replayed packets, confidentiality and limited traffic flow confidentiality.
Since these services are provided at the IP layer, any higher layer protocol
above IP (for example, TCP (Transmission Control Protocol), UDP (User
Datagram Protocol) and the like) can make use of the offered security
services.
access control, connectionless integrity, data origin authentication, rejection
of replayed packets, confidentiality and limited traffic flow confidentiality.
Since these services are provided at the IP layer, any higher layer protocol
above IP (for example, TCP (Transmission Control Protocol), UDP (User
Datagram Protocol) and the like) can make use of the offered security
services.
The protection offered is based on the requirements defined by a SPD
(Security Policy Database). The packets are selected on the IP layer header
information that is matched against entries in the selectors database. Each
incoming and outgoing packet is secured, discarded or bypassed based on
the policy identified by the selectors. IPSec performs a SAD (Security
Association Database) lookup for both inbound and outbound datagram.
(Security Policy Database). The packets are selected on the IP layer header
information that is matched against entries in the selectors database. Each
incoming and outgoing packet is secured, discarded or bypassed based on
the policy identified by the selectors. IPSec performs a SAD (Security
Association Database) lookup for both inbound and outbound datagram.
A SAD contains parameters that identify the SA to be used for a particular
destination. SA identifies the statement of agreement between two peers. SA
defines the mode of operation (Tunnel), security protocol and its associated
transforms for a particular peer. The type of the traffic to be protected or
filtered is identified by the selectors, which have protocol and interface
specific information. The decision to apply or bypass security is based on the
configured policy for a particular set of traffic.
destination. SA identifies the statement of agreement between two peers. SA
defines the mode of operation (Tunnel), security protocol and its associated
transforms for a particular peer. The type of the traffic to be protected or
filtered is identified by the selectors, which have protocol and interface
specific information. The decision to apply or bypass security is based on the
configured policy for a particular set of traffic.
IPSec provides the above mentioned security services with the help of the
following infrastructure protocol.
following infrastructure protocol.
The ESP: Provides confidentiality, integrity, data origin authentication and
anti-replay service.
Security services are applied to traffic through ESP. Traffic is secured
between two hosts or between a host and a security gateway or between two
security gateways using two modes namely Tunnel mode or Transport mode.
between two hosts or between a host and a security gateway or between two
security gateways using two modes namely Tunnel mode or Transport mode.