Overview Of Encryption Card - 3Com 3C13636 Configuration Manual

Router 3000 ethernet family

3Com Router 3000 Ethernet Family
Configuration Guide
DES (Data Encryption Standard): Encrypts a 64-bit block of clear text with a 56-bit key.
3DES (Triple DES): Encrypts clear text with three 56-bit keys (a 168-bit key).
AES (Advanced Encryption Standard): The 128-bit/192-bit/256-bit AES algorithm can
be implemented on V 2.41.
IV. Negotiation mode
There are two negotiation modes for establishing an SA: manual mode (manual) and IKE
auto-negotiation mode (isakmp). Manual mode is somewhat complex because all SA
information has to be configured manually. Moreover, it does not support some advanced
IPSec features, such as the key update timer. Its advantage is that it can
implement IPSec independently of IKE. IKE auto-negotiation mode is much easier because
the SA is established and maintained by IKE auto-negotiation as long as the security
policies for IKE negotiation are configured.
Manual mode is feasible when there are few peer devices or in a small static
environment. For medium-sized or large dynamic environments, IKE auto-negotiation mode
is recommended.

7.1.3 Overview of Encryption Card

IPSec may use the ESP or AH protocol to process packets. For high security,
complicated encryption/decryption/authentication algorithms are often used.
IPSec on a router consumes many CPU resources for these algorithms, so
overall performance may be degraded. To solve this problem, you can insert an
encryption card into a modularized router so that IPSec operations are processed by
hardware. This improves IPSec processing efficiency as well as the overall
performance of the router.
1) Encryption/decryption process on the encryption card: The router sends data to be
encrypted or decrypted to the encryption card. The card runs
encryption/decryption operations, adds or deletes encryption headers to or from the data,
and then sends the processed data back to the router for forwarding.
2) The encryption card processes data flows: A modularized router can support up to
four encryption cards for concurrent data processing. The host software
distributes data with different security requirements to the encryption cards, which
are specified in the SA proposal, for processing. The same card can process data
flows defined with different security policies, but data flows of one type can only
be processed by the same card.
3) For an IPSec SA implemented by the encryption card, if the card is faulty, the backup
function is enabled on the card, and the selected encryption/authentication
algorithms for the SA are supported by the IPSec module on the V 2.41 platform,
IPSec is implemented by the IPSec module on the V 2.41 platform. However, you
cannot use one encryption card as the backup for another card.

3Com Corporation
Chapter 7 IPSec Configuration
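
One way to check which SAs keep a processing path when an encryption card fails, following items 2) and 3) above (an added example, not code from the manual or from 3Com). The SA names, slot numbers, the `card-only-alg` placeholder and the assumption that the software IPSec module supports exactly DES, 3DES and AES are constructed for illustration; the manual does not say what happens when the fallback conditions are not met, so that case is only flagged for review.

```python
from dataclasses import dataclass

MAX_CARDS = 4  # per the manual: a modularized router supports up to four cards

@dataclass(frozen=True)
class SA:
    name: str
    card: int              # slot of the card named in the SA proposal
    algorithms: frozenset  # encryption/authentication algorithms selected

def processing_path(sa, faulty_cards, backup_enabled, software_algs):
    """Return 'card', 'software' or 'no-fallback' for one SA."""
    if sa.card not in faulty_cards:
        return "card"
    # All conditions of item 3) must hold. A healthy sibling card is never
    # considered, because one card cannot act as backup for another.
    if backup_enabled.get(sa.card, False) and sa.algorithms <= software_algs:
        return "software"
    return "no-fallback"  # outcome not stated in the manual; flag for review

def audit(sas, cards, faulty_cards, backup_enabled, software_algs):
    """Map each SA name to its processing path for a given failure scenario."""
    if len(cards) > MAX_CARDS:
        raise ValueError("more than four encryption cards configured")
    missing = [sa.name for sa in sas if sa.card not in cards]
    if missing:
        raise ValueError(f"SAs reference cards that are not installed: {missing}")
    return {sa.name: processing_path(sa, faulty_cards, backup_enabled, software_algs)
            for sa in sas}

# Constructed sample data (hypothetical names and slots).
SOFTWARE_ALGS = frozenset({"des", "3des", "aes"})  # assumption, see lead-in
SAMPLE_SAS = [
    SA("branch-a", 1, frozenset({"3des"})),
    SA("branch-b", 1, frozenset({"card-only-alg"})),  # placeholder algorithm
    SA("branch-c", 2, frozenset({"aes"})),
    SA("branch-d", 3, frozenset({"des"})),
]

def sample_report():
    # Scenario: cards 1 and 3 are faulty; backup is disabled on card 3.
    return audit(SAMPLE_SAS, cards={1, 2, 3}, faulty_cards={1, 3},
                 backup_enabled={1: True, 2: True, 3: False},
                 software_algs=SOFTWARE_ALGS)

if __name__ == "__main__":
    for name, path in sample_report().items():
        print(f"{name}: {path}")
```
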
