IPsec on the OmniSwitch - Alcatel-Lucent OmniSwitch 9900 Series Network Configuration Manual

OmniSwitch AOS Release 8
Configuring IPsec
Authentication Algorithms
HMAC-MD5 - An algorithm that produces a 128-bit hash (also called a digital signature or message digest) from a message of arbitrary length and a 16-byte key. The resulting hash is used, like a fingerprint of the input, to verify the authenticity and integrity of the content and its source.

HMAC-SHA1 - An algorithm that produces a 160-bit hash from a message of arbitrary length and a 20-byte key. It is generally regarded as more secure than MD5 because of the larger hashes it produces.

AES-XCBC-MAC-96 - An algorithm that uses AES [AES] in CBC mode [MODES] with a set of extensions [XCBC-MAC-1] to overcome the limitations of the classic CBC-MAC algorithm. It uses the AES block cipher with an increased block size and key length (128 bits), which enables it to withstand continuing advances in cryptanalytic techniques and computational capability. Its goal is to ensure that the datagram is authentic and cannot be modified in transit.
Unlike ESP, AH does not encrypt the data. Therefore, it has a much simpler header than ESP. The figure
below shows an AH-protected IPv6 packet.
[Figure: IP packet protected by AH. AH header fields: Next Header (8 bits), Payload Length (8 bits), Reserved (16 bits), SPI (32 bits), Sequence Number (32 bits), Authentication Data (variable length; Integrity Check Value).]
AH is identified by a Next Header value of 51 in the IPv6 header. The Next Header field inside the AH header indicates the upper-layer protocol being protected (for example, UDP or TCP) in transport mode. The Payload Length field in the AH header indicates the length of the AH header. The SPI, in combination with the source and destination addresses, distinguishes multiple SAs configured for the same source and destination pair. The AH header provides a means to verify data integrity. It is similar to the integrity check provided by the ESP header, with one key difference: the ESP integrity check covers only the contents of the ESP payload, whereas the AH integrity check also covers portions of the packet header.
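As an added illustration of the header layout and integrity check described above (example code, not part of the OmniSwitch guide or its implementation), the following Python builds a transport-mode AH-protected IPv6 packet using HMAC-SHA1-96 with a constructed 20-byte key, parses the AH fields, and verifies the ICV; it also shows that mutable IPv6 fields such as Hop Limit are excluded from the check while the payload and SPI are covered. Addresses, SPI, key and payload are constructed values for the example.

```python
import hashlib, hmac, ipaddress, struct

AH = 51             # IPv6 Next Header value that identifies AH
ICV_LEN = 12        # HMAC-SHA1-96: the 160-bit HMAC-SHA1 output truncated to 96 bits
IPV6_HDR_LEN = 40

def parse_ah(ah_bytes: bytes) -> dict:
    """Split the AH header fields. Payload Length counts 32-bit words minus 2 (RFC 4302)."""
    if len(ah_bytes) < 12:
        raise ValueError("truncated AH header")
    nh, plen, _reserved, spi, seq = struct.unpack("!BBHII", ah_bytes[:12])
    total = (plen + 2) * 4
    if len(ah_bytes) < total:
        raise ValueError("AH header extends beyond the packet")
    return {"next_header": nh, "ah_len": total, "spi": spi, "seq": seq, "icv": ah_bytes[12:total]}

def icv_input(pkt: bytes, ah_len: int) -> bytes:
    """Bytes covered by the ICV: the IPv6 header with its mutable fields (Traffic Class,
    Flow Label, Hop Limit) zeroed, the AH header with the ICV field zeroed, and the payload."""
    ip = bytearray(pkt[:IPV6_HDR_LEN])
    ip[0] &= 0xF0                # keep Version, zero the high nibble of Traffic Class
    ip[1:4] = b"\x00\x00\x00"    # zero the rest of Traffic Class and the Flow Label
    ip[7] = 0                    # zero Hop Limit (changes in transit)
    ah = bytearray(pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + ah_len])
    ah[12:] = bytes(ah_len - 12)
    return bytes(ip) + bytes(ah) + pkt[IPV6_HDR_LEN + ah_len:]

def build_ah_packet(src: str, dst: str, upper: int, payload: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport-mode AH over an IPv6 header; the ICV is computed with its field zeroed first."""
    ah_len = 12 + ICV_LEN
    ip = struct.pack("!IHBB16s16s", 0x60000000, ah_len + len(payload), AH, 64,
                     ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    ah = struct.pack("!BBHII", upper, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    icv = hmac.new(key, icv_input(ip + ah + payload, ah_len), hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah[:12] + icv + payload

def verify_ah(pkt: bytes, key: bytes) -> bool:
    """True only if the packet carries AH and its ICV matches under this SA's key."""
    if len(pkt) < IPV6_HDR_LEN or pkt[6] != AH:
        return False
    try:
        ah = parse_ah(pkt[IPV6_HDR_LEN:])
    except ValueError:
        return False
    expected = hmac.new(key, icv_input(pkt, ah["ah_len"]), hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, ah["icv"])

# Constructed sample SA key (20 bytes, as HMAC-SHA1 expects), addresses, SPI and UDP payload
KEY = bytes(range(1, 21))
SAMPLE_PKT = build_ah_packet("2001:db8::1", "2001:db8::2", 17, b"constructed udp data", 0x1000, 1, KEY)
```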

IPsec on the OmniSwitch

IPsec allows the following 3 types of actions to be performed on an IPv6 datagram that matches the filters defined in the security policy:

1. The IPv6 datagram can be subjected to IPsec processing, i.e. encrypted and/or authenticated via the ESP and AH protocols.
2. The IPv6 datagram can be discarded.
3. The IPv6 datagram can be permitted to pass without being subjected to any IPsec processing.

The system decides which packets are processed, and how they are processed, by using the combination of the policy and the SA. The policy specifies which IPsec protocols are used, such as AH or ESP, while the SA specifies the algorithms, such as AES and HMAC-MD5.
OmniSwitch AOS Release 8 Network Configuration Guide, December 2017, IPsec Overview, page 18-7
