Additional Information - Vpn Overview - Ubee DDW2600 Subscriber User Manual

Ddw2600 wireless router (u10cc037) and ddc2700 commercial router (u10c038)

Ubee Interactive
4.4.6 Additional Information - VPN Overview
Internet Protocol Security (IPSec) is a standards-based VPN that offers flexible
solutions for secure data communications across a public network like the Internet.
IPSec is built around a number of standardized cryptographic techniques to provide
confidentiality, data integrity, and authentication at the IP layer. A VPN tunnel is
usually established in two phases. Each phase establishes a security association
(SA), a contract indicating what security parameters the cable modem and the remote
IPSec router will use.
• The first phase establishes an Internet Key Exchange (IKE) SA between the cable
modem and the remote IPSec router.
• The second phase uses the IKE SA to securely establish an IPSec SA through
which the cable modem and the remote IPSec router can send data between
computers on the local and remote networks.
Before configuring an IPSec VPN, you may need to understand the following terms:
• IPSec Algorithms—The ESP and AH protocols are necessary to create a Security
Association (SA), the foundation of an IPSec VPN. An SA is built from the
authentication provided by the AH and ESP protocols. The primary function of key
management is to establish and maintain the SA between systems. Once the SA is
established, the transport of data may commence.
• AH (Authentication Header) Protocol—The AH protocol (RFC 2402) was designed
for integrity, authentication, sequence integrity (replay resistance), and
non-repudiation, but not for confidentiality, for which ESP was designed. In
applications where confidentiality is not required or not sanctioned by government
encryption restrictions, AH can be employed to ensure integrity. This type of
implementation does not protect the information from dissemination but allows
for verification of the integrity of the information and authentication of the
originator.
• ESP (Encapsulating Security Payload) Protocol—The ESP protocol (RFC 2406)
provides encryption as well as the services offered by AH. ESP's authentication
properties are limited compared to AH's because the IP header information is not
included in the authentication process. However, ESP is sufficient if
only the upper-layer protocols need to be authenticated. An added feature of
ESP is payload padding, which further protects communications by concealing the
size of the packet being transmitted.
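The difference in authentication coverage between AH and ESP described above, as an added example that is not from the Ubee manual: a simplified Python model showing that a changed outer IP source address invalidates the AH integrity check value but not the ESP one. It omits encryption and the full AH/ESP header layouts; HMAC-SHA1-96, the key, the addresses and all function names are assumptions made for illustration.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"  # constructed sample key (assumption)

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header; checksum left at 0 in this model."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    """AH zeroes fields that routers may change in transit before hashing."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # type of service
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def icv(data):
    """Integrity check value: HMAC-SHA1 truncated to 96 bits (assumed algorithm)."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def ah_icv(ip_hdr, spi, seq, payload):
    # AH coverage: immutable IP header fields, SPI/sequence, upper-layer data
    return icv(zero_mutable(ip_hdr) + struct.pack("!II", spi, seq) + payload)

def esp_icv(ip_hdr, spi, seq, payload):
    # ESP coverage: SPI/sequence and payload only; ip_hdr is deliberately unused
    return icv(struct.pack("!II", spi, seq) + payload)

def compare_coverage():
    """Return which header changes each protocol's ICV detects."""
    data = b"constructed upper-layer data"
    # Protocol 51 = AH; esp_icv ignores the header, so one builder serves both
    sent = ipv4_header("192.0.2.10", "198.51.100.20", 51, len(data))
    new_src = ipv4_header("203.0.113.99", "198.51.100.20", 51, len(data))
    new_ttl = ipv4_header("192.0.2.10", "198.51.100.20", 51, len(data), ttl=60)
    same = hmac.compare_digest
    return {
        "ah_detects_src_change": not same(ah_icv(sent, 1, 1, data), ah_icv(new_src, 1, 1, data)),
        "esp_detects_src_change": not same(esp_icv(sent, 1, 1, data), esp_icv(new_src, 1, 1, data)),
        "ah_detects_ttl_change": not same(ah_icv(sent, 1, 1, data), ah_icv(new_ttl, 1, 1, data)),
    }

if __name__ == "__main__":
    for check, result in compare_coverage().items():
        print(f"{check}: {result}")
```

The TTL case shows why AH excludes mutable header fields: a router decrementing TTL must not break verification, while a changed address must.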
DDW2600 Wireless & DDC2700 Commercial Cable Modem/Router Subscriber User Guide • May, 2010
