10.0 VPN; IPSec - Apollo VioNet 3000 series User Manual and Instruction Manual

VioNet 3000 series mobile router

10.0 VPN

10.1 IPSec

10.1.1 Introduction
IPSec is a security platform at the network level developed by the IETF IPSec Working Group. It provides the ability to accommodate new encryption and authentication algorithms in a flexible and robust way.
IPSec addresses the following security problems:
Authentication of data sources: verifies that the received data was sent by the party that claims to have sent it.
Data integrity: verifies that the received data has not been modified en route. The term data authentication is usually used to cover both data integrity and source authentication.
Data confidentiality: conceals the data using an encryption algorithm.
Anti-replay protection: prevents an intruder from re-sending one of your messages without you being able to detect it.
Automatic management of cryptographic keys.
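Two of the properties listed above, data authentication and anti-replay protection, as an added example that is not part of the manual or of Apollo's code: the sender prepends a sequence number and appends a keyed integrity tag; the receiver verifies the tag first and only then checks the sequence number against a 64-entry sliding window of the kind RFC 4303 describes for ESP. The shared key, tag length, packet layout and the scenario in demo() are constructed for illustration; real ESP and AH also carry an SPI and obtain their keys through IKE, which is not modelled here.

```python
import hashlib
import hmac
import struct

# Constructed shared key for the example only (real IPsec keys come from IKE).
SHARED_KEY = b"example-shared-key-not-for-production"
TAG_LEN = 16        # truncated HMAC-SHA256 tag, like the 128-bit ICV of AH/ESP
WINDOW_SIZE = 64    # sliding-window width, as in RFC 4303 Appendix A


def protect(seq: int, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: sequence number + payload + integrity tag over both."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class ReplayWindow:
    """Receiver state: highest accepted sequence number plus a bitmap of the
    WINDOW_SIZE most recent sequence numbers that have already been accepted."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  =>  sequence number (top - i) was seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                     # sequence numbers start at 1
        if seq > self.top:                   # new high-water mark: slide the window
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            else:
                self.bitmap = 0              # jumped past the whole window
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                     # too old: left of the window
        if self.bitmap & (1 << offset):
            return False                     # already accepted: replay
        self.bitmap |= 1 << offset
        return True


def receive(packet: bytes, window: ReplayWindow, key: bytes = SHARED_KEY):
    """Receiver side. Returns (accepted, reason, payload)."""
    if len(packet) < 4 + TAG_LEN:
        return False, "truncated", b""
    header, body, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
    # Integrity / source authentication comes first: a packet whose tag does not
    # verify must not be allowed to move or fill the replay window.
    if not hmac.compare_digest(tag, expected):
        return False, "bad integrity tag", b""
    seq = struct.unpack("!I", header)[0]
    if not window.check_and_update(seq):
        return False, "replayed or too old", b""
    return True, "ok", body


def demo():
    """Constructed scenario: in-order packets, a replay, a late but unseen packet,
    a jump far ahead, a packet that is now too old, and a tampered packet."""
    window = ReplayWindow()
    results = []
    for seq in (1, 2, 5):
        results.append(receive(protect(seq, b"data"), window)[1])
    results.append(receive(protect(2, b"data"), window)[1])       # replay of seq 2
    results.append(receive(protect(3, b"data"), window)[1])       # late, never seen
    results.append(receive(protect(5 + WINDOW_SIZE, b"data"), window)[1])
    results.append(receive(protect(5, b"data"), window)[1])       # left of the window
    pkt = protect(70, b"data")
    forged = pkt[:-1] + bytes([pkt[-1] ^ 0x01])                   # flip a tag bit
    results.append(receive(forged, window)[1])
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of the two checks matters: because the tag is verified before the window is consulted, an attacker who cannot forge tags cannot push the window forward with bogus high sequence numbers and so cannot cause legitimate traffic to be dropped as "too old".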
In order to resolve these aspects, IPSec defines two distinct security services:
ESP "Encapsulating Security Payload": Provides confidentiality, source address authentication for each IP packet, integrity and protection against copies being made.
AH "Authentication Header": Provides source address authentication for each IP packet, integrity and protection against copies being made; however, it does not offer data confidentiality. This service is appropriate in cases where you only need to affirm the origin of the data.

10.1.2 IPSec Tunnels
The IPSec platform permits two operation modes. You can use either of the two security services, ESP or AH, in each of them:
1. Transport Mode: Permits secure communications, normally established between two hosts (e.g. communication between a workstation and a server, or between two servers). However, in neither case does this mask the source or destination address of the packet being sent. In transport mode, IPSec only acts on the internal data of the IP packet (e.g. a TCP or UDP segment or an ICMP packet), without modifying the packet header.
2. Tunnel Mode: Encapsulates the whole original IP packet in a new IP packet, thus hiding all of the original content. In this way the information is routed through a 'tunnel' from one point in the network to another without anyone being able to examine the content. This mode is the most appropriate one for communications between a router and an external host, or between two routers.

10.1.3 IPSec Architecture

10.1.3.1 Security Policy Database (SPD)
The IPSec platform must know which security policies to apply to an IP packet, depending on its header fields, also known as selectors. The security policies decide which encryption and authentication algorithms should be used in the secure connection.
The Security Policy Database (SPD) stores the entries that contain the selectors and the associated security policies.
After checking the security policies database, within the policies applicable to an IP packet, three

Page 144
Apollo Video Technology
24000-35th Avenue Southeast – Bothell, WA 98021-8990
Toll Free: 888-AVT-USA1; Tel: 425.483.7100; Fax: 425.483.7200
www.apollovideo.com
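The outbound path described in 10.1.2 and 10.1.3.1, as an added example that is not part of the manual or of Apollo's firmware: a small SPD whose entries pair a selector (source/destination network, protocol, port) with a policy, a first-match lookup over the ordered entries, and a stand-in encapsulation that shows which addresses an on-path observer still sees in transport mode versus tunnel mode. The addresses, SPI, the example SPD and the action names PROTECT, BYPASS and DISCARD (the terms RFC 4301 uses for the three possible outcomes of an SPD lookup) are assumptions of this example; the ESP/AH body here is only a placeholder of SPI, sequence number and the wrapped data, with no encryption or integrity tag modelled.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

ESP_PROTO = 50   # protocol number carried in the outer IP header for ESP
AH_PROTO = 51    # protocol number carried in the outer IP header for AH


@dataclass
class Packet:
    src: str
    dst: str
    proto: int               # 6 = TCP, 17 = UDP, 1 = ICMP
    dport: Optional[int]
    payload: bytes


@dataclass
class Selector:
    """Header fields an SPD entry matches on; None means 'any'."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Policy:
    selector: Selector
    action: str                    # "PROTECT", "BYPASS" or "DISCARD"
    service: str = "ESP"           # "ESP" or "AH" (only used for PROTECT)
    mode: str = "tunnel"           # "tunnel" or "transport"
    local_gw: Optional[str] = None     # outer addresses used in tunnel mode
    remote_gw: Optional[str] = None


def lookup(spd: List[Policy], pkt: Packet) -> Policy:
    """SPD entries are ordered: the first selector that matches decides."""
    for policy in spd:
        if policy.selector.matches(pkt):
            return policy
    raise LookupError("no SPD entry matched; the SPD should end in a catch-all")


def encapsulate(pkt: Packet, policy: Policy, spi: int, seq: int) -> Packet:
    """Placeholder for ESP/AH processing: wraps the data, models no cryptography."""
    proto = ESP_PROTO if policy.service == "ESP" else AH_PROTO
    header = struct.pack("!II", spi, seq)
    if policy.mode == "transport":
        # Original IP header is kept: src and dst stay visible, only the data is wrapped.
        inner = struct.pack("!B", pkt.proto) + pkt.payload
        return Packet(pkt.src, pkt.dst, proto, None, header + inner)
    # Tunnel mode: the whole original packet, addresses included, becomes the data
    # and the new outer header names only the two gateways.
    inner = f"{pkt.src}>{pkt.dst}:{pkt.proto}".encode() + b"|" + pkt.payload
    return Packet(policy.local_gw, policy.remote_gw, proto, None, header + inner)


def process_outbound(spd: List[Policy], pkt: Packet, spi: int = 0x1000, seq: int = 1):
    """Returns (action, packet that goes on the wire, or None when discarded)."""
    policy = lookup(spd, pkt)
    if policy.action == "DISCARD":
        return "DISCARD", None
    if policy.action == "BYPASS":
        return "BYPASS", pkt
    return "PROTECT", encapsulate(pkt, policy, spi, seq)


def observer_view(pkt: Optional[Packet]):
    """What a passive observer on the path learns from the outer header."""
    return None if pkt is None else (pkt.src, pkt.dst, pkt.proto)


# Constructed SPD for a mobile router: LAN 192.168.1.0/24 behind public address
# 203.0.113.10, peered with gateway 198.51.100.1 in front of remote LAN 10.0.0.0/8.
LOCAL_GW, REMOTE_GW = "203.0.113.10", "198.51.100.1"
EXAMPLE_SPD = [
    Policy(Selector("192.168.1.0/24", "192.168.1.0/24"), "BYPASS"),          # local LAN stays clear
    Policy(Selector("192.168.1.0/24", "10.0.0.0/8"), "PROTECT", "ESP", "tunnel", LOCAL_GW, REMOTE_GW),
    Policy(Selector(LOCAL_GW + "/32", REMOTE_GW + "/32", proto=17, dport=161), "PROTECT", "AH", "transport"),
    Policy(Selector(dst="10.0.0.0/8"), "DISCARD"),                            # nobody else may reach it
    Policy(Selector(), "BYPASS"),                                             # everything else: plain
]


def demo():
    cases = {
        "lan_to_remote_lan": Packet("192.168.1.20", "10.1.2.3", 6, 443, b"GET /"),
        "gw_to_gw_snmp": Packet(LOCAL_GW, REMOTE_GW, 17, 161, b"snmp"),
        "stranger_to_remote_lan": Packet("172.16.0.5", "10.1.2.3", 6, 22, b"ssh"),
        "lan_to_internet": Packet("192.168.1.20", "192.0.2.44", 6, 80, b"GET /"),
    }
    out = {}
    for name, p in cases.items():
        action, wire = process_outbound(EXAMPLE_SPD, p)
        out[name] = (action, observer_view(wire))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running demo() shows the difference the two modes make to an observer: the tunnel-mode packet leaves the router addressed gateway to gateway with protocol 50, so the LAN host and remote host are hidden, whereas the transport-mode AH packet keeps the real endpoints visible and only changes the protocol to 51. Entry order also matters: the DISCARD line for 10.0.0.0/8 must sit after the PROTECT entry that serves the LAN, or legitimate traffic would be dropped.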

This manual is also suitable for: VN-3001, VN-3011a, VN-3011b, VN-3021c