Encryption; Table 225 Comparing Encryption And Authentication Methods - Nortel BCM 3.7 Manual

IPSec

Encryption

All of the following encryption methods ensure that the packets have come from the original
source at the secure end of the tunnel. Note that some of the encryption types will not appear on
some non-US models that are restricted by US Domestic export laws.
The following table shows a comparison of the security provided by the available encryption and
authentication methods.

Table 225 Comparing Encryption and Authentication Methods

| Method (strongest to weakest) | Encryption of IP Packet Payload | Authentication of IP Packet Payload | Authentication of Entire IP Packet |
| --- | --- | --- | --- |
| ESP Triple DES SHA1 | Yes | Yes | No |
| ESP Triple DES MD5 | Yes | Yes | No |
| ESP 56-bit DES SHA1 | Yes | Yes | No |
| ESP 56-bit DES MD5 | Yes | Yes | No |
| ESP 40-bit DES SHA1 | Yes | Yes | No |
| ESP 40-bit DES MD5 | Yes | Yes | No |
| AH HMAC SHA1 | No | No | Yes |
| AH HMAC MD5 | No | No | Yes |

Note: Using higher-level encryption, such as Triple DES, requires more system resources and increases packet latency. You need to consider this when designing your overall network.

Note: If two devices have different encryption settings, the two devices will negotiate downward until they agree on a compatible encryption capability. For example, if Switch A attempts to negotiate Triple DES encryption with Switch B that is using 56-bit DES, then Switch B will reject Triple DES encryption in favor of 56-bit DES.

Each of the systems must have at least one encryption setting in common. If they do not, a tunnel will not be negotiated. In the example above, both systems must have 56-bit DES enabled.

The encryption level you choose is made up of three components:
- the protocol
- the encryption method
- the authentication method

N0008589 3.3
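The downward negotiation described in the notes above can be modelled to check planned tunnels before deployment. The following Python code is an added example, not code from the Nortel manual or the BCM software; it assumes the two ends settle on the strongest method enabled on both (in Table 225 order), and the tunnel names, `negotiate`, `audit` and the policy `floor` parameter are hypothetical.

```python
# Table 225 order, strongest first: (method, encrypts IP packet payload per the table)
METHODS = [
    ("ESP Triple DES SHA1", True),
    ("ESP Triple DES MD5", True),
    ("ESP 56-bit DES SHA1", True),
    ("ESP 56-bit DES MD5", True),
    ("ESP 40-bit DES SHA1", True),
    ("ESP 40-bit DES MD5", True),
    ("AH HMAC SHA1", False),
    ("AH HMAC MD5", False),
]
RANK = {name: i for i, (name, _) in enumerate(METHODS)}
ENCRYPTS = dict(METHODS)


def negotiate(enabled_a, enabled_b):
    """Assumed model of 'negotiate downward': strongest common method, or None."""
    for name in list(enabled_a) + list(enabled_b):
        if name not in RANK:
            raise ValueError(f"unknown method: {name!r}")
    common = set(enabled_a) & set(enabled_b)
    return min(common, key=RANK.__getitem__) if common else None


def audit(tunnels, floor):
    """List tunnels that fail to negotiate or settle below the policy floor.

    tunnels: {name: (methods enabled on end A, methods enabled on end B)}
    floor:   weakest method the administrator accepts (hypothetical policy input)
    """
    findings = []
    for name, (a, b) in sorted(tunnels.items()):
        result = negotiate(a, b)
        if result is None:
            findings.append((name, None, "no common method; tunnel will not be negotiated"))
        elif RANK[result] > RANK[floor]:
            note = "below floor" if ENCRYPTS[result] else "below floor; payload not encrypted"
            findings.append((name, result, note))
    return findings


# Constructed sample configurations (not from the manual).
TUNNELS = {
    "hq-branch1": (["ESP Triple DES SHA1", "ESP 56-bit DES SHA1"], ["ESP 56-bit DES SHA1"]),
    "hq-branch2": (["ESP Triple DES SHA1"], ["ESP Triple DES SHA1", "AH HMAC MD5"]),
    "hq-branch3": (["ESP Triple DES SHA1", "AH HMAC SHA1"], ["AH HMAC SHA1", "AH HMAC MD5"]),
    "hq-branch4": (["ESP Triple DES MD5"], ["ESP 40-bit DES MD5"]),
}

if __name__ == "__main__":
    for finding in audit(TUNNELS, floor="ESP Triple DES MD5"):
        print(finding)
```

Enabling only the methods at or above the floor on each end turns a silent downgrade into a tunnel that does not negotiate, which is easier to notice and correct.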
