1880 CHAPTER 100: IPSEC CONFIGURATION
■ AES: Advanced Encryption Standard. Encrypts plaintext with a 128-bit, 192-bit, or 256-bit key.
AES, 3DES, and DES are in descending order in terms of security. Higher security
means more complex implementation and lower speed. DES is enough to meet
general requirements.
Negotiation modes
There are two negotiation modes for setting up an SA:
■ Manual mode: This mode requires that all information an SA needs to operate be configured manually. The configuration is relatively complex, and some advanced features, such as periodic key update, are not supported. However, this mode implements IPSec independently of IKE.
■ IKE negotiation mode (ISAKMP): In this mode, the configuration is much easier because SAs can be set up and maintained through IKE negotiation, as long as the information needed for IKE negotiation is configured properly.
Manual mode applies to scenarios with a small number of peer devices and few changes. For medium- to large-sized environments, IKE auto-negotiation mode is recommended.
IPSec tunnel
An IPSec tunnel is a bidirectional channel created between two peers. An IPSec
tunnel consists of one or more sets of SAs.
Encryption Card
IPSec can be implemented either in software or on an encryption card. When implemented in software, the encryption/decryption and authentication algorithms consume large amounts of CPU resources because of their complexity, degrading the overall operating efficiency of the device. With an encryption card, the complex algorithms are executed in hardware, so the processing efficiency of the device is improved.
With an encryption card, the device sends IPSec-protected data, or data to be IPSec protected, to the encryption card. Upon receipt of the data, the card performs the corresponding processing and returns the data to the device for forwarding.
Protocols and Standards
These protocols and standards are relevant to IPSec:
■ RFC2401: Security Architecture for the Internet Protocol
■ RFC2402: IP Authentication Header
■ RFC2406: IP Encapsulating Security Payload
IPSec Configuration Task List
At present, the device implements all the IPSec features mentioned above. The idea behind the implementation is as follows:
1 Provide different security services (authentication, encryption, or both) for different data flows, which are discriminated by ACLs;
2 Specify the security protocol, authentication and encryption algorithms, and encapsulation mode for security protection by configuring an IPSec proposal.
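The authentication-only service above is what AH (RFC2402) provides. The following added example, which is not part of the manual and not the device's own code, shows how an AH transport-mode receiver verifies the ICV: the HMAC is computed over the IP header with the mutable fields zeroed, the AH header with the ICV field zeroed, and the payload. It assumes HMAC-SHA1-96 (RFC 2404) as the authentication algorithm and uses a constructed key, addresses and payload.

```python
import hashlib
import hmac
import struct
AH_PROTO = 51   # IP protocol number for AH
ICV_LEN = 12    # HMAC-SHA1-96 (RFC 2404): 160-bit HMAC truncated to 96 bits


def ipv4_header(total_len, ttl, proto):
    """20-byte IPv4 header for constructed addresses 10.0.0.1 -> 10.0.0.2 (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def zero_mutable(ip_hdr):
    """RFC 2402: TOS, flags/fragment offset, TTL and checksum may change in transit; zero them."""
    h = bytearray(ip_hdr)
    h[1] = h[8] = 0
    h[6:8] = h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_header(next_proto, spi, seq, icv):
    """Next Header | Payload Len (32-bit words minus 2) | Reserved | SPI | Seq | ICV."""
    return struct.pack("!BBHII", next_proto, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def compute_icv(key, ip_hdr, next_proto, spi, seq, payload):
    """ICV over: IP header (mutable fields zeroed) || AH header (ICV zeroed) || payload."""
    data = zero_mutable(ip_hdr) + ah_header(next_proto, spi, seq, bytes(ICV_LEN)) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, spi, seq, next_proto, payload, ttl=64):
    """Sender side, AH transport mode: AH is inserted between the IP header and the payload."""
    ip_hdr = ipv4_header(20 + 12 + ICV_LEN + len(payload), ttl, AH_PROTO)
    icv = compute_icv(key, ip_hdr, next_proto, spi, seq, payload)
    return ip_hdr + ah_header(next_proto, spi, seq, icv) + payload

def ah_verify(key, packet):
    """Receiver side: recompute the ICV from the received packet and compare in constant time."""
    ip_hdr, ah, payload = packet[:20], packet[20:44], packet[44:]
    next_proto, _plen, _res, spi, seq = struct.unpack("!BBHII", ah[:12])
    return hmac.compare_digest(compute_icv(key, ip_hdr, next_proto, spi, seq, payload), ah[12:])

KEY = b"constructed-demo-key"  # static key as in manual mode; constructed, not a real key
PKT = ah_protect(KEY, spi=0x100, seq=1, next_proto=17, payload=b"constructed udp payload")

def demo():
    """Returns (intact packet verifies, TTL-decremented copy still verifies, tampered payload fails)."""
    hop = bytearray(PKT); hop[8] -= 1        # a router decrements TTL: mutable field, ICV still valid
    bad = bytearray(PKT); bad[-1] ^= 0x01    # one payload bit flipped: ICV mismatch
    return ah_verify(KEY, PKT), ah_verify(KEY, bytes(hop)), ah_verify(KEY, bytes(bad))
```

The TTL case shows why mutable fields must be excluded from the ICV: otherwise every hop would invalidate the packet, while any change to a protected field or the payload is still detected.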