3Com 3C13636 Configuration Manual page 1107

3Com Router 3000 Ethernet Family
Configuration Guide
In the transport mode, AH/ESP is inserted after the IP header but before all
transport-layer protocols or any other IPSec protocol. In the tunnel mode, AH/ESP is
inserted before the original IP header but after the new IP header. The data encapsulation
format for each security protocol (taking the transport protocol TCP as an example) in
the transport and tunnel modes is shown in the following figure:
Transport mode
  AH:     IP Header | AH Header | TCP Header | data
  ESP:    IP Header | ESP Header | TCP Header | data | ESP Tail | ESP Auth data
  AH-ESP: IP Header | AH Header | ESP Header | TCP Header | data | ESP Tail | ESP Auth data

Tunnel mode
  AH:     new IP Header | AH Header | raw IP Header | TCP Header | data
  ESP:    new IP Header | ESP Header | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
  AH-ESP: new IP Header | AH Header | ESP Header | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data

Figure 7-1 Data encapsulation format for security protocols
The tunnel mode is safer than the transport mode. It authenticates and encrypts the
original IP packet in its entirety. Moreover, it hides the client IP addresses behind the
IPSec peer IP addresses. On the other hand, the tunnel mode occupies more bandwidth
than the transport mode because it carries an extra IP header. Therefore, select the
mode that fits the practical need for security or performance.
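The layouts in Figure 7-1 can be checked by walking the protocol chain of a packet. The following Python example is added here and is not code from the 3Com manual; it builds constructed sample packets (the addresses, SPIs, and the zeroed ICV are made up, and the ESP payload is an opaque placeholder standing in for ciphertext, tail and auth data) and then walks their headers the way an inspecting device without the SA keys would. It also shows the 20-byte cost of the extra IP header in tunnel mode and that only the peer addresses are visible on the outer header.

```python
"""Walk the IPsec encapsulation chain of an IPv4 packet (added example)."""
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51

# --- builders for constructed sample packets (addresses and SPIs are made up) ---

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left as zero."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len,
                       0, 0, 64, proto, 0, src, dst)

def tcp_segment(payload=b"hello"):
    """Minimal 20-byte TCP header plus payload; checksum left as zero."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload

def ah_header(next_header, icv=b"\x00" * 12):
    """AH per RFC 4302: next header, payload length (32-bit words minus 2),
    reserved, SPI, sequence number, ICV. The ICV is a zero placeholder here."""
    total = 12 + len(icv)
    return struct.pack("!BBHII", next_header, total // 4 - 2, 0, 0x1000, 1) + icv

def esp_header(spi=0x2000, seq=1):
    """Only the clear-text part of ESP (RFC 4303): SPI and sequence number."""
    return struct.pack("!II", spi, seq)

PEER_A, PEER_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])            # IPsec peers
HOST_A, HOST_B = bytes([192, 168, 1, 10]), bytes([192, 168, 2, 20])    # protected hosts
OPAQUE = b"\xde\xad\xbe\xef" * 8   # stands in for ESP ciphertext + ESP tail + auth data

def transport_ah():
    inner = ah_header(IPPROTO_TCP) + tcp_segment()
    return ipv4_header(HOST_A, HOST_B, IPPROTO_AH, len(inner)) + inner

def tunnel_ah():
    raw_ip = ipv4_header(HOST_A, HOST_B, IPPROTO_TCP, len(tcp_segment())) + tcp_segment()
    inner = ah_header(IPPROTO_IPIP) + raw_ip
    return ipv4_header(PEER_A, PEER_B, IPPROTO_AH, len(inner)) + inner

def transport_esp():
    inner = esp_header() + OPAQUE
    return ipv4_header(HOST_A, HOST_B, IPPROTO_ESP, len(inner)) + inner

def tunnel_ah_esp():
    inner = ah_header(IPPROTO_ESP) + esp_header() + OPAQUE
    return ipv4_header(PEER_A, PEER_B, IPPROTO_AH, len(inner)) + inner

# --- the inspector: what a device without the SA keys can see ---

def walk(packet):
    """Return the header chain in wire order, e.g. ['IP', 'AH', 'IP', 'TCP']."""
    chain, off, proto = [], 0, IPPROTO_IPIP   # treat the buffer as an IP packet
    while True:
        if proto == IPPROTO_IPIP:             # outer IP header, or the raw IP header after AH
            ihl = (packet[off] & 0x0F) * 4
            proto = packet[off + 9]
            chain.append("IP")
            off += ihl
        elif proto == IPPROTO_AH:             # AH is in clear: read next header and length
            next_header, payload_len = packet[off], packet[off + 1]
            chain.append("AH")
            off += (payload_len + 2) * 4
            proto = next_header
        elif proto == IPPROTO_ESP:            # next header lives in the encrypted tail: stop
            chain.append("ESP")
            return chain
        elif proto == IPPROTO_TCP:
            chain.append("TCP")
            return chain
        else:
            chain.append("proto-%d" % proto)
            return chain

def mode_of(packet):
    """'tunnel' if an inner IP header is visible, 'transport' if the transport
    protocol follows directly, 'unknown' when ESP hides the answer."""
    chain = walk(packet)
    if chain.count("IP") >= 2:
        return "tunnel"
    if chain[-1] == "ESP":
        return "unknown"
    return "transport"

def outer_addresses(packet):
    """Source and destination of the outermost IP header, as dotted quads."""
    return ".".join(map(str, packet[12:16])), ".".join(map(str, packet[16:20]))

if __name__ == "__main__":
    for name, pkt in [("transport AH", transport_ah()), ("tunnel AH", tunnel_ah()),
                      ("transport ESP", transport_esp()), ("tunnel AH-ESP", tunnel_ah_esp())]:
        print(f"{name:14} {len(pkt):3} bytes  {' | '.join(walk(pkt))}"
              f"  mode={mode_of(pkt)}  outer={outer_addresses(pkt)}")
```

The AH chain can be followed to the end because AH carries its next-header field in the clear; once ESP is reached the walk stops, which is why a firewall or IDS cannot tell transport from tunnel mode for ESP traffic without the keys. The tunnel AH packet is exactly 20 bytes longer than the transport AH packet, the overhead the text refers to, and its outer header shows only the peer addresses.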
III. Authentication algorithm and encryption algorithm
1) Authentication algorithm
Both AH and ESP can authenticate the integrity of an IP packet so as to determine
whether the packet has been modified. The authentication algorithm is implemented with a
hash function. A hash function is an algorithm that accepts input messages of any
length and outputs a message of a fixed length. The output message is
called the message digest. The IPSec peers each compute the digest of the packet with the hash
function. If the digests are identical, the packet is intact and has not been modified.
Generally speaking, there are two types of IPSec authentication algorithms.
MD5: Input a message of any length and generate a 128-bit message digest.
SHA-1: Input a message shorter than 2^64 bits and generate a 160-bit message digest.
Because the SHA-1 digest is longer than that of MD5, SHA-1 is safer than MD5.
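The integrity check described above, as an added Python example that is not part of the 3Com manual: the sender computes a keyed digest (HMAC, which is how IPsec applies MD5 and SHA-1) over the authenticated bytes, the receiver recomputes it and compares, and a single flipped bit makes the comparison fail. The packet bytes and the shared key are constructed for the demonstration; the 96-bit truncation of the ICV follows RFC 2403 (HMAC-MD5-96) and RFC 2404 (HMAC-SHA-1-96).

```python
"""Keyed integrity check as used by AH and ESP (added example, constructed data)."""
import hashlib
import hmac

ICV_LEN = 12   # IPsec truncates the HMAC output to 96 bits (RFC 2403 / RFC 2404)

# Constructed sample: a 20-byte IPv4 header followed by some payload. Not a captured packet.
PACKET = bytes.fromhex("4500003c1c4640004006b1e6c0a8010ac0a80214") + b"payload-bytes-to-protect"
SHARED_KEY = b"constructed-demo-key-not-a-real-SA-key"

def full_digest_bits(algo):
    """Length of the raw hash output: 128 for md5, 160 for sha1."""
    return hashlib.new(algo).digest_size * 8

def compute_icv(key, authenticated_bytes, algo):
    """Sender side: keyed digest over the authenticated fields, truncated to 96 bits."""
    return hmac.new(key, authenticated_bytes, algo).digest()[:ICV_LEN]

def icv_matches(key, authenticated_bytes, received_icv, algo):
    """Receiver side: recompute and compare in constant time."""
    expected = compute_icv(key, authenticated_bytes, algo)
    return hmac.compare_digest(expected, received_icv)

def flip_bit(packet, byte_index):
    """Simulate in-transit corruption or modification of one bit."""
    buf = bytearray(packet)
    buf[byte_index] ^= 0x01
    return bytes(buf)

def demo(algo):
    """Run the check with one algorithm and report what the receiver concludes."""
    tag = compute_icv(SHARED_KEY, PACKET, algo)
    return {
        "digest_bits": full_digest_bits(algo),
        "icv_bits": len(tag) * 8,
        "intact": icv_matches(SHARED_KEY, PACKET, tag, algo),
        "modified": icv_matches(SHARED_KEY, flip_bit(PACKET, 30), tag, algo),
        "wrong_key": icv_matches(b"some-other-key", PACKET, tag, algo),
    }

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, demo(algo))
```

The key is what makes this an authentication rather than a plain checksum: without it, anyone who altered the packet could simply recompute the digest. Both MD5 and SHA-1 are now deprecated for new deployments; where the router offers a choice, prefer the stronger of the two that the peer supports.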
2) Encryption algorithm
ESP can encrypt IP packets so that their contents are not disclosed during
transmission. The encryption algorithm encrypts and decrypts the data with the
same key, that is, a symmetric key system. V 2.41 implements three types of
encryption algorithm.
3Com Corporation
7-3
Chapter 7 IPSec Configuration