Alcatel-Lucent 6850-48 Network Guide

Configuring IPsec
IPsec Overview
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 27-9
IPsec on the OmniSwitch
IPsec allows the following three types of action to be performed on an IP datagram that matches the filters 
defined in the security policy:
• The IP datagram can be subjected to IPsec processing, i.e., encrypted and/or authenticated via the ESP and 
AH protocols.
• The IP datagram can be discarded.
• The IP datagram can be permitted to pass without being subjected to any IPsec processing.
The system decides which packets are processed and how they are processed by using the combination of 
the policy and the SA. The policy is used to specify which IPsec protocols are used, such as AH or ESP, 
while the SA specifies the algorithms, such as AES and HMAC-MD5.
Securing Traffic Using IPsec
Securing traffic using IPsec requires configuring the following main components:
• Master Security Key - Used to encrypt SA keys when stored on the switch.
• Policies - Determine which traffic should be processed using IPsec.
• Policy Rules - Determine whether AH, ESP, or a combination of both should be used.
• Security Associations (SAs) - Determine which algorithms should be used to secure the traffic.
• SA Keys - Determine the keys to be used with the SA to secure the traffic.
Master Security Key
The master security key is used to encrypt and decrypt the configured SA keys that are saved to permanent 
storage (e.g., the boot.cfg file). If no master security key is configured, SA keys are stored unencrypted. 
Therefore, configuring a master key is STRONGLY RECOMMENDED. A warning message will be logged if 
the config is saved without a Master Security Key being set.
IPsec Policy
IPsec Policies define which traffic requires IPsec processing. The policy requires the source and destination 
of the traffic to be specified as IPv6 addresses. The policy may cover all traffic from source to destination 
or may further restrict it by specifying an upper-layer protocol, source, and/or destination ports. 
Each policy is unidirectional, applying either to inbound or outbound traffic. Therefore, to cover all traffic 
between a source and destination, two policies would need to be defined. 
IPsec Policy Rules
Rules are created and applied to policies. Rules determine what type of encryption or authentication 
should be used for the associated policy. For example, for a security policy where an IPv6 payload should 
be protected by an ESP header, which should then be protected by an AH header, two rules would be 
applied to the policy, one for ESP and one for AH. 
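The following is an added illustration, not OmniSwitch code or CLI, of how the policy, rule and SA model described in this section fits together: a unidirectional policy selects the action for an IPv6 datagram, its ordered rules name the protocols (ESP, then AH), and an SA per direction and protocol supplies the algorithms. The addresses, policy names and the fail-closed check for a rule without an SA are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class SA:
    """Unidirectional agreement on the algorithms used for one protocol."""
    protocol: str                   # "esp" or "ah"
    auth_alg: str                   # e.g. "hmac-md5"
    enc_alg: Optional[str] = None   # ESP only; AH authenticates without encrypting
@dataclass
class Policy:
    """Unidirectional selector (IPv6 src/dst, optional proto/port) with one action."""
    name: str
    src: str                        # IPv6 address or prefix
    dst: str
    direction: str                  # "in" or "out": one policy per direction
    action: str                     # "ipsec", "discard" or "none" (pass untouched)
    protocol: Optional[int] = None  # upper-layer protocol number, e.g. 6 = TCP
    dport: Optional[int] = None
    rules: list = field(default_factory=list)  # applied in order, e.g. ["esp", "ah"]
    def matches(self, pkt: dict) -> bool:
        def in_net(addr, net):
            return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)
        return (pkt["direction"] == self.direction
                and in_net(pkt["src"], self.src) and in_net(pkt["dst"], self.dst)
                and (self.protocol is None or pkt.get("protocol") == self.protocol)
                and (self.dport is None or pkt.get("dport") == self.dport))
def evaluate(policies, sas, pkt):
    """First matching policy decides. For 'ipsec' the rules expand to the
    (protocol, SA) pairs in application order; None means no policy covers it."""
    for pol in policies:
        if not pol.matches(pkt):
            continue
        if pol.action != "ipsec":
            return pol.action, []
        missing = [r for r in pol.rules if (pol.direction, r) not in sas]
        if missing:  # a rule without an SA cannot be applied: fail closed
            raise ValueError(f"{pol.name}: no SA for {missing}")
        return "ipsec", [(r, sas[(pol.direction, r)]) for r in pol.rules]
    return None
def uncovered_directions(policies, local, peer):
    """Policies are unidirectional, so a pair needs an 'out' and an 'in' policy."""
    needed = {"out": (local, peer), "in": (peer, local)}
    return sorted(d for d, (s, t) in needed.items() if not any(
        p.direction == d and p.src == s and p.dst == t for p in policies))
# Constructed sample: outbound SAs, drop telnet to the peer, protect other TCP.
SAS = {("out", "esp"): SA("esp", "hmac-md5", "aes"), ("out", "ah"): SA("ah", "hmac-md5")}
POLICIES = [Policy("drop-telnet", "2001:db8::1", "2001:db8::2", "out", "discard", 6, 23),
            Policy("tcp-esp-ah", "2001:db8::1", "2001:db8::2", "out", "ipsec", 6,
                   rules=["esp", "ah"])]
```

Running `uncovered_directions(POLICIES, "2001:db8::1", "2001:db8::2")` reports that only the outbound direction is covered, which is the two-policies-per-pair point made above.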
Security Association (SA)
A Security Association, more commonly referred to as an SA, is a basic building block of IPsec. It specifies 
the actual IPsec algorithms to be employed. An SA is a unidirectional agreement between the participants 
regarding the methods and parameters to use in securing a communication channel. A Security Associa-
regarding the methods and parameters to use in securing a communication channel. A Security Associa-