Ipsec Protocols - Lenovo Flex System Fabric CN4093 Application Manual

IPsec Protocols

376
CN4093 Application Guide for N/OS 8.2
The Lenovo N/OS implementation of IPsec supports the following protocols:
 Authentication Header (AH)
AHs provide connectionless integrity outand data origin authentication for IP
packets, and provide protection against replay attacks. In IPv6, the AH protects
the AH itself, the Destination Options extension header after the AH, and the IP
payload. It also protects the fixed IPv6 header and all extension headers before
the AH, except for the mutable fields DSCP, ECN, Flow Label, and Hop Limit.
AH is defined in RFC 4302.
 Encapsulating Security Payload (ESP)
ESPs provide confidentiality, data origin authentication, integrity, an anti‐replay
service (a form of partial sequence integrity), and some traffic flow
confidentiality. ESPs may be applied alone or in combination with an AH. ESP is
defined in RFC 4303.
 Internet Key Exchange Version 2 (IKEv2)
IKEv2 is used for mutual authentication between two network elements. An IKE
establishes a security association (SA) that includes shared secret information to
efficiently establish SAs for ESPs and AHs, and a set of cryptographic
algorithms to be used by the SAs to protect the associated traffic. IKEv2 is
defined in RFC 4306.
Using IKEv2 as the foundation, IPsec supports ESP for encryption and/or
authentication, and/or AH for authentication of the remote partner.
Both ESP and AH rely on security associations. A security association (SA) is the
bundle of algorithms and parameters (such as keys) that encrypt and authenticate
a particular flow in one direction.