IPSec Overview; Chapter 7 IPSec Configuration - 3Com 3C13636 Configuration Manual

3Com Router 3000 Ethernet Family
Configuration Guide

Chapter 7 IPSec Configuration

7.1 IPSec Overview

7.1.1 IPSec
The IP Security (IPSec) protocol family is a series of protocols defined by the IETF. It
provides high-quality, interoperable, cryptography-based security for IP data packets.
The two communicating parties perform encryption and data origin authentication at the
IP layer to assure confidentiality, data integrity, data origin authentication and
anti-replay for packets while they are transmitted over networks.
Note:
Confidentiality means encrypting client data and transmitting it as cipher text.
Data integrity means authenticating the received data to determine whether the
packet has been modified.
Data origin authentication means authenticating the data source to make sure that the
data was sent by the real sender.
Anti-replay prevents a malicious client from repeatedly sending a data packet.
In other words, the receiver denies old or repeated data packets.
IPSec achieves the above aims through the Authentication Header (AH) security protocol
and the Encapsulating Security Payload (ESP) security protocol. In addition, Internet
Key Exchange (IKE) provides automatic key negotiation and exchange, as well as Security
Association (SA) setup and maintenance services for IPSec, which simplifies the use and
management of IPSec.
AH mainly provides data origin authentication, data integrity authentication and
anti-replay. However, it cannot encrypt the packet.
ESP provides encryption in addition to the functions that AH provides.
However, its data integrity authentication does not cover the IP header.
Note:
AH and ESP can be used either independently or together. AH and ESP each have two
working modes, transport mode and tunnel mode, which will be
introduced later.
This manual is also suitable for:

3c13636-us - router 30363000 series