Authentication Algorithms - Juniper JUNOS OS 10.3 - SOFTWARE Manual

For EX Series Ethernet Switches

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3

Understanding IPsec Authentication for OSPF Packets on EX Series Switches

IP Security (IPsec) provides a secure way to authenticate senders and encrypt IP version
4 (IPv4) traffic between network devices. IPsec offers network administrators for Juniper
Networks EX Series Ethernet Switches and their users the benefits of data confidentiality,
data integrity, sender authentication, and anti-replay services.

IPsec is a framework for ensuring secure private communication over IP networks and is
based on standards developed by the Internet Engineering Task Force (IETF). IPsec
provides security services at the network layer of the Open Systems Interconnection
(OSI) model by enabling a system to select required security protocols, determine the
algorithms to use for the security services, and implement any cryptographic keys required
to provide the requested services. You can use IPsec to protect one or more paths between
a pair of hosts, between a pair of security gateways (such as switches), or between a
security gateway and a host.

OSPF version 3 (OSPFv3), unlike OSPF version 2 (OSPFv2), does not have a built-in
authentication method and relies on IPsec to provide this functionality. You can secure
specific OSPFv3 interfaces and protect OSPFv3 virtual links.

Authentication Algorithms
Encryption Algorithms
IPsec Protocols
Security Associations
IPsec Modes

Authentication Algorithms

Authentication is the process of verifying the identity of the sender. Authentication
algorithms use a shared key to verify the authenticity of the IPsec devices. The Juniper
Networks Junos operating system (Junos OS) uses the following authentication
algorithms:

Message Digest 5 (MD5) uses a one-way hash function to convert a message of arbitrary
length to a fixed-length message digest of 128 bits. Because of the conversion process,
it is mathematically infeasible to calculate the original message by computing it
backwards from the resulting message digest. Likewise, a change to a single character
in the message will cause it to generate a very different message digest number.
To verify that the message has not been tampered with, Junos OS compares the
calculated message digest against a message digest that is decrypted with a shared
key. Junos OS uses the MD5 hashed message authentication code (HMAC) variant
that provides an additional level of hashing. MD5 can be used with an authentication
header (AH) and Encapsulating Security Payload (ESP).

Secure Hash Algorithm 1 (SHA-1) uses a stronger algorithm than MD5. SHA-1 takes a
message of less than 2^64 bits in length and produces a 160-bit message digest. The
large message digest ensures that the data has not been changed and that it originates
from the correct source. Junos OS uses the SHA-1 HMAC variant that provides an
Copyright © 2010, Juniper Networks, Inc.
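
The shared-key check described under Authentication Algorithms, as an added Python example (not code from the Juniper manual or from Junos OS): the receiver recomputes the HMAC over the packet with the shared key and compares it with the value it received. The key, the packet bytes, and the function names are constructed for illustration, and the 96-bit truncation of the value carried in AH/ESP comes from RFC 2403 and RFC 2404, which goes beyond what this page states.

```python
import hashlib
import hmac

# Hash functions named on the page: MD5 (128-bit digest), SHA-1 (160-bit digest).
ALGORITHMS = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1}
ICV_LEN = 12  # bytes; 96-bit truncation from RFC 2403/2404 (not stated on the page)

# Constructed sample data, not taken from a real device or capture.
SHARED_KEY = b"constructed-demo-key"
PACKET = b"OSPFv3 hello router-id 10.0.0.1 area 0.0.0.0"
TAMPERED = b"OSPFv3 hello router-id 10.0.0.2 area 0.0.0.0"


def full_mac(key: bytes, message: bytes, algorithm: str) -> bytes:
    """Keyed digest of the message; its length is the hash's output size."""
    return hmac.new(key, message, ALGORITHMS[algorithm]).digest()


def icv(key: bytes, message: bytes, algorithm: str) -> bytes:
    """Integrity check value as carried in AH/ESP: the first 96 bits of the HMAC."""
    return full_mac(key, message, algorithm)[:ICV_LEN]


def verify(key: bytes, message: bytes, received_icv: bytes, algorithm: str) -> bool:
    """Receiver side: recompute the ICV with the shared key, compare in constant time."""
    return hmac.compare_digest(icv(key, message, algorithm), received_icv)


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    for name in ALGORITHMS:
        sent = icv(SHARED_KEY, PACKET, name)
        original, changed = (full_mac(SHARED_KEY, m, name) for m in (PACKET, TAMPERED))
        print(name, "digest bits:", len(original) * 8, "ICV:", sent.hex())
        print("  intact packet accepted:  ", verify(SHARED_KEY, PACKET, sent, name))
        print("  tampered packet accepted:", verify(SHARED_KEY, TAMPERED, sent, name))
        print("  wrong key accepted:      ", verify(b"other-key", PACKET, sent, name))
        print("  bits changed by a one-character edit:", differing_bits(original, changed))
```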
