Enterasys csx5500 用户指南
USER’S GUIDE
36 CyberSWITCH
E
NCRYPTION
O
VERVIEW
Cabletron’s encryption options provide two popular approaches for encrypting WAN
communications, each with distinct advantages in certain applications. These options are: Network
Layer Encryption and Link Layer Encryption.
communications, each with distinct advantages in certain applications. These options are: Network
Layer Encryption and Link Layer Encryption.
N
ETWORK
L
AYER
Cabletron’s Network Layer Encryption is an IP Security-based form of encryption. IP Security
(IPSec) can potentially reside in many devices within the network. Since IPSec is specific to IP, data
must be contained in an IP datagram in order for encryption to take place. This also implies that an
IPSec-compliant switch or router must perform network-layer routing. A device which does not
perform network-layer processing (such as a pure bridge) will not be capable of IPSec-based
encryption. Non-IP protocols such as IPX and AppleTalk must be encapsulated within IP in order
to take advantage of IPSec.
(IPSec) can potentially reside in many devices within the network. Since IPSec is specific to IP, data
must be contained in an IP datagram in order for encryption to take place. This also implies that an
IPSec-compliant switch or router must perform network-layer routing. A device which does not
perform network-layer processing (such as a pure bridge) will not be capable of IPSec-based
encryption. Non-IP protocols such as IPX and AppleTalk must be encapsulated within IP in order
to take advantage of IPSec.
IPSec is primarily aimed at providing secure communications across IP networks such as the
Internet. Data can traverse multiple intermediate (untrusted) nodes (such as Internet backbone
routers) while still ensuring strong data security. But it can also be applied in point-to-point
networks where the layer-3 protocol is IP (for example, IP transported across the WAN using PPP).
Internet. Data can traverse multiple intermediate (untrusted) nodes (such as Internet backbone
routers) while still ensuring strong data security. But it can also be applied in point-to-point
networks where the layer-3 protocol is IP (for example, IP transported across the WAN using PPP).
Network-layer encryption works as follows:
IP datagrams transmitted from one LAN to another LAN funnel through a CyberSWITCH node
where they are encrypted and encapsulated. The destination address on the encapsulated
datagram is that of the CyberSWITCH node servicing the other trusted subnet.
IP datagrams transmitted from one LAN to another LAN funnel through a CyberSWITCH node
where they are encrypted and encapsulated. The destination address on the encapsulated
datagram is that of the CyberSWITCH node servicing the other trusted subnet.
When the IP datagram reaches the destination CyberSWITCH node, the Encapsulating Security
Payload (ESP) header is removed, the ESP payload is decrypted, and the original IP datagram is
forwarded to its original destination.
Payload (ESP) header is removed, the ESP payload is decrypted, and the original IP datagram is
forwarded to its original destination.
CyberSWITCH encryption requires additional Security Association information that can be supplied
through CFGEDIT. Each security association identifies a range of IP addresses, encryption
parameters to be used to encrypt communications to those IP addresses, and the IP address of the
peer CyberSWITCH (or other ESP node) responsible for decrypting the communications. The peer
will have knowledge of the same security association.
through CFGEDIT. Each security association identifies a range of IP addresses, encryption
parameters to be used to encrypt communications to those IP addresses, and the IP address of the
peer CyberSWITCH (or other ESP node) responsible for decrypting the communications. The peer
will have knowledge of the same security association.
Security associations between peer CyberSWITCH nodes are identified by a Security Parameter
Index (SPI), which is a 32-bit number. The SPI is transmitted in the ESP header and is used by the
peer CyberSWITCH node to identify the necessary information to decrypt the ESP payload.
Index (SPI), which is a 32-bit number. The SPI is transmitted in the ESP header and is used by the
peer CyberSWITCH node to identify the necessary information to decrypt the ESP payload.
IP datagrams to these IP destination addresses are encrypted and encapsulated with an ESP header.
The ESP header indicates a destination address of an intermediate CyberSWITCH node which will
be responsible for decrypting and decapsulating these packets before sending them on to their
intended destination.
The ESP header indicates a destination address of an intermediate CyberSWITCH node which will
be responsible for decrypting and decapsulating these packets before sending them on to their
intended destination.
L
INK
L
AYER
Link layer encryption occurs at layer 2 of the ISO networking model. In the case of a WAN, PPP
acts as a layer 2 protocol. Encryption Control Protocol (ECP) serves to handle encryption of a PPP
datagram.
acts as a layer 2 protocol. Encryption Control Protocol (ECP) serves to handle encryption of a PPP
datagram.