Table of Contents
Advertisement
Configuring IPsec
Unlike AH which only authenticates the data, ESP encrypts data and also optionally authenticates it. It
provides these services by encrypting the original payload and encapsulating the packet between a header
and a trailer, as shown in the figure below.
ESP is identified by a value of 50 in the IPv6 header. The ESP header is inserted after the IPv6 header and
before the upper layer protocol header. The Security Parameter Index (SPI) in the ESP header is a 32-bit
value that, combined with the destination address and protocol in the preceding IPv6 header, identifies the
security association (SA) to be used to process the packet. SPI helps distinguish multiple SA's configured
for the same source and destination combination. The payload data field carries the data that is being
encrypted by ESP. The Authentication digest in the ESP header is used to verify data integrity.
Authentication is always applied after encryption, so a check for validity of the data is done upon receipt
of the packet and before decryption.
Encryption Algorithms
There are several different encryption algorithms that can be used in IPsec. However, the most commonly
used algorithms are "AES" and "3DES". These algorithms are used for encrypting IPv6 packets.
•
Advanced Encryption Standard - Cipher Block Chaining - (AES-CBC)
The AES-CBC mode comprises three different key lengths; AES-128, AES-192 and AES-256. Each block
of plaintext is XOR'd with the previous encrypted block before being encrypted again.
•
Triple DES (3DES)
A mode of the DES encryption algorithm that encrypts data three times. Three 64-bit keys are used,
instead of one, for an overall key length of 192 bits (the first encryption is encrypted with second key, and
the resulting cipher text is again encrypted with a third key). 3DES is a more powerful version of DES.
Authentication Header (AH)
An Authentication Header (AH) provides connectionless integrity and data origin authentication. This
protocol permits communicating parties to verify that data was not modified in transit and that it was
genuinely transmitted from the apparent source. AH helps verify the authenticity/integrity of the content
and origin of a packet. It can optionally protect against replay attacks by using the sliding window
technique and discarding old packets. It authenticates the packet by calculating the checksum via hash-
based message authentication code (HMAC) using a secret key and either HMAC-MD-5 or HMAC-SHA1
hash functions.
OmniSwitch AOS Release 8 Network Configuration Guide
16
Security association identifier (SPI)
Sequence Number
Payload data (variable length)
Padding (0-255 bytes)
Authentication Data (variable)
IP Packet protected by ESP
24
Pad Length
December 2017
IPsec Overview
32-bit
Next Header
page 18-6
- Quick Links:
- Ethernet Port Defaults
Hide quick links:
Advertisement
Table of Contents
