D-Link DI-1750 Reference Manual page 361


negotiates IPSec security associations, and establishes IPSec keys. For more information on IKE,
see the chapter "Configuring Internet Key Exchange Security Protocol."
The component technologies implemented for IPSec include:
♦ DES—The Data Encryption Standard (DES) is used to encrypt packet data. The D-Link router
implements the mandatory 56-bit DES-CBC with IV. Cipher Block Chaining (CBC) requires an
initialization vector (IV) to start encryption.
♦ 3DES—Triple DES (3DES) is a symmetric encryption algorithm that encrypts the packet data.
The D-Link router uses 168-bit 3DES in CBC mode, which is more secure than DES.
♦ MD5 (HMAC variant)—MD5 (Message Digest 5) is a hash algorithm. HMAC is a keyed hash
variant used to authenticate data.
♦ SHA (HMAC variant)—SHA (Secure Hash Algorithm) is a hash algorithm. HMAC is a keyed hash
variant used to authenticate data.
Router IPSec supports the following additional standards:
♦ AH—Authentication Header. A security protocol which provides data integrity, data origin
authentication and optional anti-replay services. AH is used to protect an upper-layer
protocol (transport mode) or a full IP datagram (tunnel mode). AH is defined in RFC2402. It
can be used on its own or combined with ESP.
♦ ESP—Encapsulating Security Payload. A security protocol which provides data privacy services
including data confidentiality, data origin authentication, anti-replay and data integrity. ESP is
used to protect an upper-layer protocol (transport mode) or a full IP datagram (tunnel mode).
ESP is defined in RFC2406.
2. Terms
♦ Security Parameter Index (SPI)
♦ Security Association
♦ Transform
♦ anti-replay
♦ Perfect Forward Secrecy (PFS)
♦ Data Flow
♦ Data Authentication
3. Restrictions
At this time, IPSec can be applied to unicast IP datagrams only. Because the IPSec Working Group has
not yet addressed the issue of group key distribution, IPSec does not currently work with multicast or
broadcast IP datagrams. If you use Network Address Translation (NAT), you should configure static NAT
translations so that IPSec will work properly. In general, NAT translation should occur before the router
performs IPSec encapsulation; in other words, IPSec should operate on global addresses.
4. Overview of How IPSec Works
IPSec provides secure tunnels between two peers, such as two routers. You define which packets are
considered sensitive and should be sent through these secure tunnels, and you define the parameters
which should be used to protect these sensitive packets, by specifying characteristics of these tunnels.
Then, when the IPSec peer sees such a sensitive packet, it sets up the appropriate secure tunnel and
sends the packet through the tunnel to the remote peer.
More accurately, these tunnels are sets of security associations that are established between two
IPSec peers. The security associations define which protocols and algorithms should be applied to
sensitive packets, and also specify the keying material to be used by the two peers. Security
associations are unidirectional and are established per security protocol (AH or ESP).
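The following Python model, added here as an illustration and not code from the D-Link manual or the DI-1750 firmware, ties together the component technologies listed above (HMAC-MD5 / HMAC-SHA as keyed-hash integrity checks, AH/ESP as the protected packet) with the security-association paragraph just given: SAs are unidirectional, looked up by SPI and protocol, and each inbound SA carries its own anti-replay window. Assumptions that are not on the page: the protected packet is laid out as SPI | sequence number | payload | ICV, the ICV is the HMAC truncated to 96 bits as in RFC 2403/2404, the anti-replay window follows the RFC 2402 Appendix C sliding-bitmap scheme, DES/3DES-CBC encryption of the payload is not modelled (the payload is passed through as opaque bytes), and all keys, SPIs and payloads are constructed sample values.

```python
"""Model of per-SA integrity (HMAC-96 ICV) and anti-replay processing for an IPSec-style packet."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

ICV_LEN = 12                                        # HMAC-MD5-96 / HMAC-SHA-1-96: MAC truncated to 96 bits
HASHES = {"hmac-md5": hashlib.md5, "hmac-sha": hashlib.sha1}
HDR = struct.Struct("!II")                          # SPI (32 bits) | sequence number (32 bits), network order


def compute_icv(alg: str, key: bytes, data: bytes) -> bytes:
    """Integrity Check Value: keyed hash (HMAC variant) over the protected bytes, truncated to 96 bits."""
    return hmac.new(key, data, HASHES[alg]).digest()[:ICV_LEN]


@dataclass
class OutboundSA:
    spi: int
    protocol: str       # "AH" or "ESP": an SA is unidirectional and bound to one security protocol
    auth_alg: str
    auth_key: bytes
    seq: int = 0        # last sequence number sent on this SA

    def protect(self, payload: bytes) -> bytes:
        """Emit SPI | seq | payload | ICV. Payload is opaque here (DES/3DES-CBC not modelled)."""
        self.seq += 1
        body = HDR.pack(self.spi, self.seq) + payload
        return body + compute_icv(self.auth_alg, self.auth_key, body)


@dataclass
class InboundSA:
    spi: int
    protocol: str
    auth_alg: str
    auth_key: bytes
    window_size: int = 64
    highest: int = 0    # highest sequence number that passed the ICV check so far
    bitmap: int = 0     # bit i set => sequence number (highest - i) already accepted

    def replay_check(self, seq: int) -> str:
        """Pre-authentication sliding-window check (RFC 2402 Appendix C style, an assumption here)."""
        if seq == 0:
            return "replay"                     # 0 is never a valid sequence number with anti-replay on
        if seq > self.highest:
            return "ok"                         # to the right of the window: new packet
        offset = self.highest - seq
        if offset >= self.window_size:
            return "stale"                      # fell off the left edge of the window
        if (self.bitmap >> offset) & 1:
            return "replay"                     # inside the window but already seen
        return "ok"

    def replay_update(self, seq: int) -> None:
        """Advance the window. Called only after the ICV verified, so forged packets cannot move it."""
        mask = (1 << self.window_size) - 1
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def receive(sadb: Dict[Tuple[int, str], InboundSA], protocol: str, packet: bytes) -> Tuple[str, bytes]:
    """Inbound processing: SA lookup by (SPI, protocol), anti-replay check, ICV verify, window update."""
    if len(packet) < HDR.size + ICV_LEN:
        return "malformed", b""
    spi, seq = HDR.unpack_from(packet)
    sa = sadb.get((spi, protocol))
    if sa is None:
        return "no_sa", b""
    verdict = sa.replay_check(seq)
    if verdict != "ok":
        return verdict, b""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, compute_icv(sa.auth_alg, sa.auth_key, body)):
        return "bad_icv", b""                  # window untouched: unauthenticated packets never advance it
    sa.replay_update(seq)
    return "accepted", body[HDR.size:]


def demo() -> List[str]:
    """Constructed scenario on one ESP SA pair with an 8-packet window; returns the verdict sequence."""
    key = b"constructed-sample-key-not-a-real-key"   # constructed, not a real SA key
    out = OutboundSA(spi=0x1000, protocol="ESP", auth_alg="hmac-sha", auth_key=key)
    sadb = {(0x1000, "ESP"): InboundSA(0x1000, "ESP", "hmac-sha", key, window_size=8)}
    verdicts = []
    first = [out.protect(b"payload-%d" % i) for i in range(1, 4)]          # seq 1, 2, 3
    verdicts += [receive(sadb, "ESP", p)[0] for p in first]                  # accepted x3
    verdicts.append(receive(sadb, "ESP", first[1])[0])                       # seq 2 again -> replay
    pkt4 = out.protect(b"payload-4")                                         # seq 4
    tampered = pkt4[:HDR.size] + bytes([pkt4[HDR.size] ^ 0xFF]) + pkt4[HDR.size + 1:]
    verdicts.append(receive(sadb, "ESP", tampered)[0])                       # bad_icv, window not advanced
    verdicts.append(receive(sadb, "ESP", pkt4)[0])                           # genuine seq 4 still accepted
    verdicts.append(receive(sadb, "AH", pkt4)[0])                            # wrong protocol -> no_sa
    mid = [out.protect(b"m") for _ in range(11)]                             # seq 5..15, not yet delivered
    verdicts.append(receive(sadb, "ESP", out.protect(b"y"))[0])              # seq 16 accepted, window slides
    verdicts.append(receive(sadb, "ESP", first[0])[0])                       # seq 1 now outside window -> stale
    verdicts.append(receive(sadb, "ESP", mid[-1])[0])                        # seq 15 late but in window -> accepted
    verdicts.append(receive(sadb, "ESP", mid[-1])[0])                        # seq 15 again -> replay
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The order of checks in `receive` is the point to notice: the cheap anti-replay test runs before the HMAC, but the window is only updated after the ICV verifies, so an attacker who cannot forge the keyed hash cannot push the window forward and starve legitimate traffic. Because each SA is unidirectional and keyed by (SPI, protocol), the same SPI under AH finds no state and is dropped.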
With IPSec you define what traffic should be protected between two IPSec peers by configuring access
lists and applying these access lists to interfaces by way of crypto map sets. Therefore, traffic may be
selected based on source and destination address and, optionally, Layer 4 protocol and port. (The
Model Name
- 359 -
