Switches - Dell PowerConnect J-EX4200-24T Software Manual

Dell PowerConnect J-Series Ethernet Switch Complete Software Guide for Junos OS
Understanding IPsec Authentication for OSPF Packets on J-EX Series Switches
Authentication Algorithms
IP Security (IPsec) provides a secure way to authenticate senders and encrypt IP version
4 (IPv4) traffic between network devices. IPsec offers network administrators for J-EX
Series Ethernet Switches and their users the benefits of data confidentiality, data integrity,
sender authentication, and anti-replay services.
IPsec is a framework for ensuring secure private communication over IP networks and is
based on standards developed by the Internet Engineering Task Force (IETF). IPsec
provides security services at the network layer of the Open Systems Interconnection
(OSI) model by enabling a system to select required security protocols, determine the
algorithms to use for the security services, and implement any cryptographic keys required
to provide the requested services. You can use IPsec to protect one or more paths between
a pair of hosts, between a pair of security gateways (such as switches), or between a
security gateway and a host.
OSPF version 3 (OSPFv3), unlike OSPF version 2 (OSPFv2), does not have a built-in
authentication method and relies on IPsec to provide this functionality. You can secure
specific OSPFv3 interfaces and protect OSPFv3 virtual links.
Authentication Algorithms
Encryption Algorithms
IPsec Protocols
Security Associations
IPsec Modes
Authentication is the process of verifying the identity of the sender. Authentication
algorithms use a shared key to verify the authenticity of the IPsec devices. The Junos
operating system (Junos OS) uses the following authentication algorithms:
Message Digest 5 (MD5) uses a one-way hash function to convert a message of arbitrary
length to a fixed-length message digest of 128 bits. Because of the conversion process,
it is mathematically infeasible to calculate the original message by computing it
backwards from the resulting message digest. Likewise, a change to a single character
in the message will cause it to generate a very different message digest number.
To verify that the message has not been tampered with, Junos OS compares the
calculated message digest against a message digest that is decrypted with a shared
key. Junos OS uses the MD5 hashed message authentication code (HMAC) variant
that provides an additional level of hashing. MD5 can be used with an authentication
header (AH) and Encapsulating Security Payload (ESP).
Secure Hash Algorithm 1 (SHA-1) uses a stronger algorithm than MD5. SHA-1 takes a
message of less than 2^64 bits in length and produces a 160-bit message digest. The
large message digest ensures that the data has not been changed and that it originates
from the correct source. Junos OS uses the SHA-1 HMAC variant that provides an
additional level of hashing. SHA-1 can be used with AH, ESP, and Internet Key Exchange
(IKE).
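The "additional level of hashing" in the HMAC variants, and the receiver-side check with the shared key, shown as an added Python example (not code from this manual or from Junos OS). It builds HMAC-MD5 and HMAC-SHA-1 from the RFC 2104 construction; the key and packet bytes are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # input block size in bytes for both MD5 and SHA-1


def hmac_digest(key: bytes, message: bytes, algorithm: str) -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || message))."""
    if len(key) > BLOCK_SIZE:  # over-long keys are hashed first
        key = hashlib.new(algorithm, key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner_pad = bytes(b ^ 0x36 for b in key)
    outer_pad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(algorithm, inner_pad + message).digest()
    # Second (outer) hash pass over the inner digest.
    return hashlib.new(algorithm, outer_pad + inner).digest()


def verify(key: bytes, message: bytes, received_tag: bytes, algorithm: str) -> bool:
    """Receiver side: recompute the tag with the shared key, compare in constant time."""
    return hmac.compare_digest(hmac_digest(key, message, algorithm), received_tag)


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Constructed sample values, not taken from any real device or capture.
SHARED_KEY = b"example-shared-key"
PACKET = b"constructed OSPFv3 hello payload, router-id 192.0.2.1"
TAMPERED = PACKET.replace(b"192.0.2.1", b"192.0.2.9")  # one character changed

if __name__ == "__main__":
    for algorithm in ("md5", "sha1"):
        tag = hmac_digest(SHARED_KEY, PACKET, algorithm)
        assert tag == hmac.new(SHARED_KEY, PACKET, algorithm).digest()  # matches stdlib
        print(algorithm, "digest bits:", len(tag) * 8)
        print("  genuine packet accepted: ", verify(SHARED_KEY, PACKET, tag, algorithm))
        print("  tampered packet accepted:", verify(SHARED_KEY, TAMPERED, tag, algorithm))
        print("  wrong key accepted:      ", verify(b"other-key", PACKET, tag, algorithm))
        changed = differing_bits(tag, hmac_digest(SHARED_KEY, TAMPERED, algorithm))
        print("  tag bits changed by the one-character edit:", changed)
```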
