Enterasys csx5500 用户指南
USER’S GUIDE
238 CyberSWITCH
On the CyberSWITCH, AH is added to a packet after ESP application. When a remote node receives
the encrypted packet, it first processes the authentication information in the AH. If the AH
information is valid, the node proceeds to decrypt the packet. If authentication fails, the packet is
dropped.
the encrypted packet, it first processes the authentication information in the AH. If the AH
information is valid, the node proceeds to decrypt the packet. If authentication fails, the packet is
dropped.
L
INK
L
AYER
E
NCRYPTION
Link layer encryption is available for WAN services using PPP (data-link layer) protocol. It
accommodates network layer protocols such as IP, IPX and AppleTalk protocols, and can also be
used for bridged data. Link layer encryption may use the DES algorithm along with configured
encryption keys, or it may use an automated key exchange. Link layer encryption (using either the
manual keys or the automated key exchange) is set up on a per-device basis. Device-level
authentication is required when using Link Layer encryption.
accommodates network layer protocols such as IP, IPX and AppleTalk protocols, and can also be
used for bridged data. Link layer encryption may use the DES algorithm along with configured
encryption keys, or it may use an automated key exchange. Link layer encryption (using either the
manual keys or the automated key exchange) is set up on a per-device basis. Device-level
authentication is required when using Link Layer encryption.
L
INK
L
AYER
E
NCRYPTION
: M
ANUALLY
-C
ONFIGURED
K
EYS
When using manually-configured keys, each device needs to have two keys - one for encrypting
outgoing data, and one for decrypting incoming data. These manually-configured keys need to
match the keys configured on the remote node. That is, the CyberSWITCH’s encryption key needs
to match the remote node’s decryption key, and vice versa.
outgoing data, and one for decrypting incoming data. These manually-configured keys need to
match the keys configured on the remote node. That is, the CyberSWITCH’s encryption key needs
to match the remote node’s decryption key, and vice versa.
The following graphic illustrates a CyberSWITCH encryption network using manually-configured
keys. The nodes are communicating via Point-to-Point Protocol over various types of WAN links:
•
keys. The nodes are communicating via Point-to-Point Protocol over various types of WAN links:
•
dedicated lines
•
ISDN
•
Frame Relay
The CyberSWITCH will provide privacy for all communications across each of the WAN links by
encrypting data using DES. Communications on the LAN will be in the clear.
encrypting data using DES. Communications on the LAN will be in the clear.
Frame Relay
ISDN
CSX5500
CSX5500
CSX5500
CSX100
PRI
DDS, SW56, T1, or FT1
BRI's
CSU
CSU
NT1
NT1
CSU
CSU
NT1
Bandwidth-on-Demand
Routing
Routing
Back-Up &
Overflow
Overflow
"Larry"
"Moe"
"Curly"
"Corp"
Corp Encrypt Key: 001122334455667788
Decrypt Key: 1212ABCD2121DCBA
Decrypt Key: 1212ABCD2121DCBA
Corp Encrypt Key: ABCDEFABCDEFABCD
Decrypt Key: 2222222222222222
Decrypt Key: 2222222222222222
Corp Encrypt Key: 4321432143214321
Decrypt Key: 1234567890987654
Decrypt Key: 1234567890987654
Device Table Menu
Larry: Encrypt Key: 1212ABCD2121DCBA
Decrypt Key: 001122334455667788
Moe: Encrypt Key: 2222222222222222
Decrypt Key: ABCDEFABCDEFABCD
Curly: Encrypt Key: 1234567890987654
Decrypt Key: 4321432143214321
Larry: Encrypt Key: 1212ABCD2121DCBA
Decrypt Key: 001122334455667788
Moe: Encrypt Key: 2222222222222222
Decrypt Key: ABCDEFABCDEFABCD
Curly: Encrypt Key: 1234567890987654
Decrypt Key: 4321432143214321
C A B L E T R O N S Y S T E M S