Alcatel-Lucent 6850-48 Network Guide
IPsec Overview
Configuring IPsec
page 27-6
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
IPsec Overview
IPsec protects IP traffic by providing security services at the network layer. These services are access
control, connectionless integrity, data origin authentication, protection against replay, and confidentiality.
IPsec lets a system select the security protocols, the encryption and authentication algorithms, and the
cryptographic keys those algorithms require. IPsec uses the following two protocols to secure an IP
datagram:
• Encapsulating Security Payload (ESP) to provide confidentiality, data origin authentication,
connectionless integrity, and optional protection against replay attacks.
• Authentication Header (AH) to provide connectionless integrity and data origin authentication for IP
datagrams, with optional protection against replay attacks. Unlike ESP, AH does not provide
confidentiality; its integrity check also covers the fields of the IP header that do not change in transit.
IPsec on an OmniSwitch operates in Transport mode. In transport mode only the payload of the IP packet
is encapsulated, and an IPsec header (AH or ESP) is inserted between the original IP header and the upper-
layer protocol header. The figure below shows an IP packet protected by IPsec in transport mode.
IP Packet in IPsec Transport Mode
Note. The OmniSwitch currently supports the Transport Mode of operation.
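The transport-mode layout above, as an added Python example that is not part of the OmniSwitch guide and not AOS code: it builds an AH-protected IPv4 packet (HMAC-SHA1-96), parses the cleartext fields of AH and ESP packets to show what an on-path observer can read, and runs a sliding anti-replay window. The addresses, SPIs, key and payload are constructed test values, and every function here is the example's own, not an AOS command.

```python
# Added example (not from the OmniSwitch guide, not AOS code): IPv4 transport-mode
# IPsec packets built and parsed by hand. Key, addresses, SPIs and payload are
# constructed test values.
import hashlib
import hmac
import socket
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51
IPPROTO_UDP = 17
AH_ICV_LEN = 12  # HMAC-SHA1-96 truncates the tag to 96 bits


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement checksum over a 20-byte IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def immutable_ipv4(hdr: bytes) -> bytes:
    """Zero the fields that change in transit (TOS, flags/offset, TTL, checksum).
    AH's ICV covers everything else in the IP header, addresses included."""
    b = bytearray(hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """HMAC-SHA1-96 over immutable IP header + AH header (ICV zeroed) + payload."""
    msg = immutable_ipv4(ip_hdr) + ah_fixed + b"\x00" * AH_ICV_LEN + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:AH_ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, payload, next_header=IPPROTO_UDP, ttl=64):
    # AH fixed part: Next Header, Payload Len (AH length in 32-bit words minus 2),
    # Reserved, SPI, Sequence Number. 12 fixed + 12 ICV bytes = 6 words, so Payload Len = 4.
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, spi, seq)
    ip_hdr = build_ipv4_header(src, dst, IPPROTO_AH, 20 + 24 + len(payload), ttl)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def parse_transport_packet(pkt: bytes) -> dict:
    """Report what an on-path observer can read from a transport-mode packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == IPPROTO_AH:
        next_hdr, plen, _res, spi, seq = struct.unpack("!BBHII", body[:12])
        ah_len = (plen + 2) * 4
        return {"protocol": "AH", "spi": spi, "seq": seq, "next_header": next_hdr,
                "payload": body[ah_len:]}  # authenticated, but sent in the clear
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # Only SPI and sequence number are readable; the Next Header field sits in the
        # encrypted ESP trailer, so even the upper-layer protocol is hidden.
        return {"protocol": "ESP", "spi": spi, "seq": seq, "next_header": None,
                "ciphertext": body[8:]}
    return {"protocol": "plain", "ip_proto": proto}


def verify_ah(key: bytes, pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr, body = pkt[:ihl], pkt[ihl:]
    ah_len = (body[1] + 2) * 4
    if ah_len - 12 != AH_ICV_LEN:
        return False
    expected = ah_icv(key, ip_hdr, body[:12], body[ah_len:])
    return hmac.compare_digest(expected, body[12:ah_len])


class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 Appendix A."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0  # bit i set -> seq (top - i) seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # sequence number 0 is never valid
        if seq > self.top:  # newer than anything seen: slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False  # too old for the window, or already seen (replay)
        self.bitmap |= 1 << diff
        return True


def demo() -> dict:
    key = b"constructed-test-key-not-a-real-SA-key"
    payload = b"\x00\x35\x00\x35\x00\x10\x00\x00sample!!"  # constructed UDP header + data
    pkt = build_ah_packet(key, "10.0.0.1", "10.0.0.2", spi=0x1001, seq=1, payload=payload)
    ttl_hop = bytearray(pkt); ttl_hop[8] -= 1  # a router decremented TTL (mutable field)
    nat = bytearray(pkt); nat[16:20] = socket.inet_aton("10.0.0.9")  # a NAT rewrote dst
    esp = (build_ipv4_header("10.0.0.1", "10.0.0.2", IPPROTO_ESP, 20 + 8 + 24)
           + struct.pack("!II", 0x2002, 7) + b"\xAA" * 24)  # SPI, seq, opaque ciphertext
    win = ReplayWindow()
    return {"ah": parse_transport_packet(pkt),
            "ah_valid": verify_ah(key, pkt),
            "ah_valid_after_ttl_hop": verify_ah(key, bytes(ttl_hop)),
            "ah_valid_after_nat": verify_ah(key, bytes(nat)),
            "esp": parse_transport_packet(esp),
            "replay": [win.check_and_update(s) for s in (1, 1, 5, 3, 3, 100, 36, 37)]}
```

Two things the walk-through makes visible. With AH, the payload and the non-mutable IP header fields are authenticated, so a TTL decrement by a router leaves the ICV valid while an address rewrite by a NAT device fails it; this is why AH and NAT do not mix. With ESP, only the SPI and sequence number are readable on the wire, and even the Next Header value is inside the encrypted trailer.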
Encapsulating Security Payload (ESP)
The ESP protocol provides confidentiality (encryption), data origin authentication, and content integrity.
Encrypting the payload protects it against eavesdropping while the packet is in transit.
Unlike AH, which only authenticates the packet, ESP encrypts the payload and can optionally authenticate it
as well; at least one of the two services must be selected. Encryption without authentication is not
recommended, since an attacker can then alter the ciphertext undetected, so in practice ESP should always be
configured with an authentication algorithm. ESP provides these services by encrypting the original payload
and enclosing it between an ESP header and an ESP trailer, as shown in the figure below.