Encryption Algorithms; IPsec Protocols; Security Associations - Juniper Junos OS 10.3 - Software Manual

For EX Series Ethernet Switches
Encryption Algorithms

IPsec Protocols

Security Associations

Copyright © 2010, Juniper Networks, Inc.
additional level of hashing. SHA-1 can be used with AH, ESP, and Internet Key Exchange
(IKE).
SHA-256, SHA-384, and SHA-512 (collectively known as SHA-2) are successors to SHA-1
that produce longer message digests (256, 384, and 512 bits, compared with 160 bits for
SHA-1). Junos OS supports the SHA-256 member of the SHA-2 family; as an authentication
algorithm it can be combined with any of the supported encryption algorithms: Advanced
Encryption Standard (AES), Data Encryption Standard (DES), and Triple DES (3DES).
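The following is an added example, not code from the Junos manual, showing how SHA-1 and SHA-256 are actually applied in AH and ESP: not as a bare hash over the packet, but inside HMAC keyed with the SA's authentication key, with the output truncated (HMAC-SHA-1-96 per RFC 2404 keeps 96 bits, HMAC-SHA-256-128 per RFC 4868 keeps 128 bits). The key, payload and function names (compute_icv, verify_icv, demo) are constructed for illustration.

```python
"""Integrity check values (ICVs) for IPsec authentication.

Added example, not from the Junos manual. AH and ESP do not apply SHA-1 or
SHA-256 directly to a packet; they use the hash inside HMAC, keyed with the
SA's authentication key, and truncate the result: HMAC-SHA-1-96 (RFC 2404)
keeps the leftmost 96 bits, HMAC-SHA-256-128 (RFC 4868) keeps 128 bits.
"""
import hashlib
import hmac

# Truncated ICV lengths in bytes, per RFC 2404 and RFC 4868.
ICV_LEN = {"sha1": 12, "sha256": 16}


def compute_icv(auth_key: bytes, data: bytes, algo: str) -> bytes:
    """Return the truncated HMAC over the authenticated part of a packet."""
    if algo not in ICV_LEN:
        raise ValueError(f"unsupported authentication algorithm: {algo}")
    digest = hmac.new(auth_key, data, getattr(hashlib, algo)).digest()
    return digest[: ICV_LEN[algo]]


def verify_icv(auth_key: bytes, data: bytes, icv: bytes, algo: str) -> bool:
    """Recompute the ICV and compare in constant time (no early-exit byte compare)."""
    expected = compute_icv(auth_key, data, algo)
    return len(icv) == len(expected) and hmac.compare_digest(expected, icv)


def demo() -> dict:
    # Constructed sample values: a 20-byte SA authentication key and a payload
    # standing in for the authenticated portion of an IPsec packet.
    key = bytes(range(20))
    data = b"\x45\x00\x00\x3c" + b"authenticated IPsec payload"
    icv_sha1 = compute_icv(key, data, "sha1")
    icv_sha256 = compute_icv(key, data, "sha256")
    tampered = bytearray(data)
    tampered[5] ^= 0x01          # a single bit flipped in transit
    return {
        "sha1_icv_len": len(icv_sha1),
        "sha256_icv_len": len(icv_sha256),
        "sha1_ok": verify_icv(key, data, icv_sha1, "sha1"),
        "sha256_ok": verify_icv(key, data, icv_sha256, "sha256"),
        "tampered_rejected": not verify_icv(key, bytes(tampered), icv_sha1, "sha1"),
        "wrong_key_rejected": not verify_icv(b"\x00" * 20, data, icv_sha256, "sha256"),
    }


if __name__ == "__main__":
    print(demo())
```

The truncation is why an IPsec ICV is shorter than the digest size of the hash; the comparison uses hmac.compare_digest so that verification time does not leak how many leading bytes of a forged ICV were correct.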
Encryption transforms packet data so that it cannot be read by anyone who does not hold
the key. As with authentication algorithms, encryption algorithms use a key shared by the
two IPsec peers; the encryption key provides confidentiality, while proof that a packet
really came from the peer is the job of the authentication algorithm. Junos OS uses the
following encryption algorithms:
Data Encryption Standard cipher-block chaining (DES-CBC) is a symmetric secret-key
block algorithm. DES uses a 64-bit key, of which 8 bits are parity bits used for error
detection and the remaining 56 bits are the actual key; each 64-bit data block is
transformed by a series of permutations and substitutions driven by that key. CBC is the
mode in which the blocks are chained: the first 64-bit plaintext block is XORed with an
initialization vector (IV) before it is fed to DES, each subsequent plaintext block is
XORed with the ciphertext of the preceding block before it is encrypted, and this
continues for all remaining blocks, so that identical plaintext blocks do not produce
identical ciphertext. A 56-bit key is within reach of brute-force search on current
hardware, so DES-CBC should be treated as a legacy algorithm.
Triple DES-CBC (3DES-CBC) is similar to DES-CBC but provides much stronger encryption
because it applies DES three times with three independent 56-bit keys (3 x 56 = 168 key
bits). 3DES works in encrypt-decrypt-encrypt (EDE) order: the first key encrypts each
block, the second key decrypts the result, and the third key encrypts it again. The
decrypt step in the middle keeps 3DES compatible with single DES when all three keys are
identical. Because of meet-in-the-middle attacks the effective strength of 3DES is about
112 bits rather than 168, and its 64-bit block size limits how much data should be sent
under one key.
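The following is an added example, not Junos code, that makes the CBC chaining and the 3DES encrypt-decrypt-encrypt construction concrete. The Python standard library has no DES, so the 8-byte block primitive (toy_encrypt/toy_decrypt, XOR with the key followed by a 13-bit rotation) is an assumed stand-in that is not DES and offers no security; the DES key parity handling, the CBC chaining and the EDE composition are the real constructions, and the keys, IV and plaintext are constructed for illustration.

```python
"""CBC chaining and the 3DES encrypt-decrypt-encrypt construction.

Added example, not Junos code. The Python standard library has no DES, so the
8-byte block primitive below is a deliberately simple stand-in (XOR with the
key, then a 13-bit rotation) used only to make the chaining visible; the
parity handling, CBC chaining and EDE composition are the real constructions.
"""
MASK64 = (1 << 64) - 1
BLOCK = 8


def set_des_parity(key: bytes) -> bytes:
    """Force odd parity on each byte: 7 key bits plus 1 parity bit (the LSB)."""
    out = bytearray()
    for b in key:
        key_bits = b & 0xFE
        parity = 0 if bin(key_bits).count("1") % 2 else 1
        out.append(key_bits | parity)
    return bytes(out)


def des_key_has_odd_parity(key: bytes) -> bool:
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block encryption (NOT DES): XOR with key, rotate left 13."""
    x = int.from_bytes(block, "big") ^ int.from_bytes(key, "big")
    x = ((x << 13) | (x >> 51)) & MASK64
    return x.to_bytes(BLOCK, "big")


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt: rotate right 13, then XOR with key."""
    x = int.from_bytes(block, "big")
    x = ((x >> 13) | (x << 51)) & MASK64
    return (x ^ int.from_bytes(key, "big")).to_bytes(BLOCK, "big")


def xor_blocks(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(encrypt, key, iv: bytes, plaintext: bytes) -> bytes:
    """Each plaintext block is XORed with the previous ciphertext block (the IV
    for the first block) before encryption, so equal plaintext blocks do not
    yield equal ciphertext blocks."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of 8-byte blocks")
    prev, out = iv, bytearray()
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt(key, xor_blocks(plaintext[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(decrypt, key, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += xor_blocks(decrypt(key, cur), prev)
        prev = cur
    return bytes(out)


def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    """3DES order: encrypt with k1, decrypt with k2, encrypt with k3."""
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, block)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return toy_decrypt(k1, toy_encrypt(k2, toy_decrypt(k3, block)))


def demo() -> dict:
    # Constructed keys and IV; k1 is the classic DES test key, already odd-parity.
    k1 = set_des_parity(bytes.fromhex("0123456789abcdef"))
    k2 = set_des_parity(bytes.fromhex("fedcba9876543210"))
    k3 = set_des_parity(bytes.fromhex("1122334455667788"))
    iv = bytes.fromhex("a1b2c3d4e5f60718")
    pt = b"ATTACK AT DAWN!!" * 2            # blocks 0 and 2 are identical
    ecb = b"".join(toy_encrypt(k1, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))
    cbc = cbc_encrypt(toy_encrypt, k1, iv, pt)
    keys = (k1, k2, k3)
    tdes = cbc_encrypt(lambda ks, b: ede_encrypt(*ks, b), keys, iv, pt)
    return {
        "parity_ok": all(des_key_has_odd_parity(k) for k in keys),
        "ecb_repeats": ecb[0:8] == ecb[16:24],
        "cbc_repeats": cbc[0:8] == cbc[16:24],
        "cbc_roundtrip": cbc_decrypt(toy_decrypt, k1, iv, cbc) == pt,
        "tdes_roundtrip": cbc_decrypt(lambda ks, b: ede_decrypt(*ks, b), keys, iv, tdes) == pt,
        "ede_equal_keys_is_single": ede_encrypt(k1, k1, k1, pt[:8]) == toy_encrypt(k1, pt[:8]),
    }
```

Running demo() shows the two properties the text describes: in plain block-by-block (ECB) use the repeated plaintext block produces a repeated ciphertext block, while under CBC it does not; and EDE with three equal keys collapses to a single encryption, which is the backward-compatibility property of the decrypt-in-the-middle design.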
IPsec protocols determine the type of authentication and encryption applied to packets
that are secured by the switch. Junos OS supports the following IPsec protocols:
AH—Defined in RFC 2402, AH provides connectionless integrity and data origin
authentication for IPv4 datagrams. It also provides protection against replays. AH
authenticates as much of the IP header as possible, as well as the upper-level protocol
data. Some IP header fields, however, change in transit (for example, the TTL and the
header checksum); because the sender cannot predict their final values, they are excluded
from the AH integrity check. An AH packet is identified by the value 51 in the Protocol
field of the IPv4 header.
ESP—Defined in RFC 2406, ESP can provide encryption and limited traffic flow
confidentiality, connectionless integrity, data origin authentication, and an anti-replay
service, either confidentiality alone, integrity alone, or both together. Unlike AH, ESP
does not protect the outer IP header. An ESP packet is identified by the value 50 in the
Protocol field of the IPv4 header.
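The following is an added example, not Junos code, of the two receiver-side steps the AH and ESP descriptions imply: recognizing AH or ESP from the IP Protocol field (51 or 50) and reading the SPI and sequence number, then applying a sliding anti-replay window to the sequence number. The packets are constructed inline (IP checksum left as zero, ICVs as placeholder bytes, addresses 10.0.0.1 and 10.0.0.2), and the function and class names (parse_ipsec_packet, ReplayWindow, esp_packet, ah_packet, demo) are assumptions for this illustration.

```python
"""Identifying AH/ESP by IP protocol number and running the anti-replay check.

Added example, not Junos code. The packets are constructed inline (IP checksum
left as zero, ICVs as placeholders) so the parser and replay window can be
exercised offline. In a real receiver the replay window is updated only after
the ICV has verified, so a forged sequence number cannot poison the window.
"""
import struct

IPPROTO_ESP = 50   # RFC 2406
IPPROTO_AH = 51    # RFC 2402


def parse_ipsec_packet(pkt: bytes) -> dict:
    """Parse the IPv4 header and, for AH or ESP, the SPI and sequence number."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    payload = pkt[ihl:total_len]
    info = {"proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}
    if proto == IPPROTO_ESP:
        # ESP header: SPI (4 bytes), sequence number (4 bytes); the rest is encrypted.
        info["ipsec"] = "ESP"
        info["spi"], info["seq"] = struct.unpack("!II", payload[:8])
    elif proto == IPPROTO_AH:
        # AH header: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV.
        next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", payload[:12])
        info["ipsec"] = "AH"
        info["next_header"] = next_hdr
        info["icv_len"] = (payload_len + 2) * 4 - 12
        info["spi"], info["seq"] = spi, seq
    else:
        info["ipsec"] = None
    return info


class ReplayWindow:
    """Sliding anti-replay window as described for AH and ESP (default 64 wide)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0       # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False       # the first packet on an SA carries sequence number 1
        if seq > self.highest:
            shift = seq - self.highest      # slide the window forward
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False       # older than the window: drop
        if (self.bitmap >> offset) & 1:
            return False       # already seen: replay
        self.bitmap |= 1 << offset
        return True


def build_ipv4(proto: int, payload: bytes, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Constructed IPv4 header (checksum zero, not for the wire) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0, src, dst)
    return hdr + payload


def esp_packet(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    return build_ipv4(IPPROTO_ESP, struct.pack("!II", spi, seq) + body)


def ah_packet(spi: int, seq: int, icv: bytes = b"\x00" * 12) -> bytes:
    payload_len = (12 + len(icv)) // 4 - 2
    return build_ipv4(IPPROTO_AH, struct.pack("!BBHII", 6, payload_len, 0, spi, seq) + icv)


def demo() -> dict:
    window = ReplayWindow(64)
    # Constructed arrival order: 1, 2, a replayed 2, a jump to 70, a too-old 5, then 8 (inside window).
    decisions = [window.check_and_update(parse_ipsec_packet(esp_packet(0x1000, s))["seq"])
                 for s in (1, 2, 2, 70, 5, 8)]
    return {
        "esp": parse_ipsec_packet(esp_packet(0x1000, 1)),
        "ah": parse_ipsec_packet(ah_packet(0x2000, 9)),
        "replay_decisions": decisions,
    }
```

In demo() the replayed sequence number 2 and the stale number 5 (more than 64 behind the highest accepted value of 70) are rejected, while 8 is accepted because it is still inside the window and has not been seen; the AH parse also recovers the ICV length from the AH payload-length field, which a receiver needs in order to know where the next header starts.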
Another IPsec design decision is the type of security association (SA) to implement.
An SA is the set of IPsec parameters negotiated between the two devices that are
establishing an IPsec relationship: the authentication algorithm, the encryption
algorithm, and the IPsec protocol (AH or ESP) to be used for the connection. An SA can be
either unidirectional or bidirectional, depending on the choices
Chapter 70: Layer 3 Protocols—Overview
1675