Ipsec Protocols - Lenovo RackSwitch G8264CS Application Manual

IPsec Protocols

390
G8264CS Application Guide for ENOS 8.4
The Enterprise NOS implementation of IPsec supports the following protocols:
 Authentication Header (AH)
AHs provide connectionless integrity out and data origin authentication for IP
packets. They also provide protection against replay attacks. In IPv6, the AH
protects the AH itself, the Destination Options extension header after the AH,
and the IP payload. It also protects the fixed IPv6 header and all extension
headers before the AH, except for the mutable fields DSCP, ECN, Flow Label,
and Hop Limit. AH is defined in RFC 4302.
 Encapsulating Security Payload (ESP)
ESPs provide confidentiality, data origin authentication, integrity, an anti‐replay
service (a form of partial sequence integrity), and some traffic flow
confidentiality. ESPs may be applied alone or in combination with an AH. ESP is
defined in RFC 4303.
 Internet Key Exchange Version 2 (IKEv2)
IKEv2 is used for mutual authentication between two network elements. An IKE
establishes a security association (SA) that includes shared secret information to
efficiently establish SAs for ESPs and AHs, and a set of cryptographic
algorithms to be used by the SAs to protect the associated traffic. IKEv2 is
defined in RFC 4306.
Using IKEv2 as the foundation, IPsec supports ESP for encryption and/or
authentication, and/or AH for authentication of the remote partner.
Both ESP and AH rely on security associations. A security association (SA) is the
bundle of algorithms and parameters (such as keys) that encrypt and authenticate
a particular flow in one direction.