Ipsec Basic Concepts - 3Com 3C13636 Configuration Manual

Router 3000 ethernet family

3Com Router 3000 Ethernet Family
Configuration Guide
IKE negotiates the cryptographic algorithms that AH and ESP apply and supplies those
algorithms with the keys they need.
Note:
IPSec policies and algorithms can also be configured manually, in which case IKE
negotiation is not required. The two negotiation modes are compared later in this chapter.

7.1.2 IPSec Basic Concepts

I. Security association
IPSec provides secure communication between two endpoints, which are called IPSec
peers.
IPSec allows systems, network users or administrators to control the granularity of the
security services applied between peers. For instance, the IPSec policy of one group may
prescribe that data flows from a given subnet be protected with both AH and ESP and
encrypted with Triple Data Encryption Standard (3DES), while data flows from another
site be protected with ESP only and encrypted with DES only. IPSec provides these
different levels of protection for different data flows by means of the SA.
The SA is fundamental to IPSec: it is the agreement between communicating peers on the
elements of protection. For example, it determines which protocol is applied (AH, ESP or
both), the working mode (transport mode or tunnel mode), the encryption algorithm (DES
or 3DES), the shared key protecting a given stream, and the SA lifetime.
SAs are unidirectional, so bi-directional communication needs at least two SAs, one for
each direction. Moreover, if both AH and ESP protect the data flow between peers, a
separate SA is needed for each of AH and ESP.
An SA is uniquely identified by a triplet: the Security Parameter Index (SPI), the
destination IP address and the security protocol identifier (AH or ESP). The SPI is a
32-bit number generated to identify the SA uniquely; it is carried in the AH or ESP header.
An SA has a limited duration, measured in either of two ways:
Time-based duration: the SA is updated at a specific interval.
Traffic-based duration: the SA is updated after a certain amount of data (in bytes) has
been transmitted.
II. Working mode of IPSec protocol
The IPSec protocol has two working modes, transport mode and tunnel mode. The mode is
specified in the SA.
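The following toy Security Association Database puts the concepts from this section into running code: SAs are unidirectional, an SA is looked up by the triplet (SPI, destination IP address, security protocol), two SAs may share an SPI when the protocol differs, and an SA is retired when either its time-based or its traffic-based duration is exhausted. This is an added example and is not code from the 3Com manual or from the router firmware; the host addresses, SPIs, lifetimes, algorithm labels and key bytes are constructed values, and the AH protocol number 51 and ESP protocol number 50 are the standard IP protocol numbers rather than values taken from this page.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# IP protocol numbers identifying the two IPSec security protocols.
AH = 51
ESP = 50
SPI_MAX = 0xFFFFFFFF  # the SPI is a 32-bit value carried in the AH/ESP header

Triplet = Tuple[int, str, int]  # (SPI, destination IP, security protocol)


@dataclass
class SecurityAssociation:
    """One unidirectional SA holding the parameters listed in the text."""
    spi: int
    dst: str                # destination address of the protected traffic
    protocol: int           # AH or ESP
    mode: str               # "transport" or "tunnel"
    algorithm: str          # constructed label, e.g. "3des" for ESP, "auth" for AH
    key: bytes              # the shared protecting key (dummy bytes in this example)
    created_at: float       # seconds on the SA's clock
    lifetime_seconds: int   # time-based duration
    lifetime_bytes: int     # traffic-based duration
    bytes_processed: int = 0

    def __post_init__(self) -> None:
        if not 0 <= self.spi <= SPI_MAX:
            raise ValueError("SPI must be a 32-bit value")
        if self.protocol not in (AH, ESP):
            raise ValueError("protocol must be AH (51) or ESP (50)")
        if self.mode not in ("transport", "tunnel"):
            raise ValueError("mode must be 'transport' or 'tunnel'")

    @property
    def triplet(self) -> Triplet:
        return (self.spi, self.dst, self.protocol)

    def expiry_reason(self, now: float) -> Optional[str]:
        """Return 'time' or 'traffic' once that duration limit is reached, else None."""
        if now - self.created_at >= self.lifetime_seconds:
            return "time"
        if self.bytes_processed >= self.lifetime_bytes:
            return "traffic"
        return None


class SADB:
    """Security Association Database keyed by the identifying triplet."""

    def __init__(self) -> None:
        self._sas: Dict[Triplet, SecurityAssociation] = {}

    def __len__(self) -> int:
        return len(self._sas)

    def add(self, sa: SecurityAssociation) -> None:
        # Two SAs may share an SPI as long as destination or protocol differs.
        if sa.triplet in self._sas:
            raise ValueError(f"SA already exists for triplet {sa.triplet}")
        self._sas[sa.triplet] = sa

    def lookup(self, spi: int, dst: str, protocol: int) -> Optional[SecurityAssociation]:
        return self._sas.get((spi, dst, protocol))

    def process(self, spi: int, dst: str, protocol: int, nbytes: int, now: float) -> str:
        """Account one packet against its SA.

        Returns 'ok', 'no-sa', 'expired:time' (the SA may no longer be used) or
        'expired:traffic' (this packet used up the byte budget). An expired SA is
        removed and must be re-established, by IKE or by manual configuration.
        """
        sa = self.lookup(spi, dst, protocol)
        if sa is None:
            return "no-sa"
        reason = sa.expiry_reason(now)
        if reason is None:
            sa.bytes_processed += nbytes
            reason = sa.expiry_reason(now)
        if reason is not None:
            del self._sas[sa.triplet]
            return "expired:" + reason
        return "ok"


def build_example_sadb(now: float = 0.0) -> SADB:
    """Constructed scenario: hosts 10.0.0.1 and 10.0.0.2 protect traffic with both
    AH and ESP in tunnel mode, which needs four SAs (two protocols x two directions)."""
    db = SADB()
    key = b"\x00" * 24  # placeholder key material, not real key data
    common = dict(mode="tunnel", key=key, created_at=now, lifetime_seconds=3600)
    # 10.0.0.1 -> 10.0.0.2: ESP with 3DES plus AH; both SAs carry the same SPI.
    db.add(SecurityAssociation(0x1001, "10.0.0.2", ESP, algorithm="3des", lifetime_bytes=1000, **common))
    db.add(SecurityAssociation(0x1001, "10.0.0.2", AH, algorithm="auth", lifetime_bytes=10_000_000, **common))
    # 10.0.0.2 -> 10.0.0.1: the reverse direction needs its own pair of SAs.
    db.add(SecurityAssociation(0x2001, "10.0.0.1", ESP, algorithm="3des", lifetime_bytes=10_000_000, **common))
    db.add(SecurityAssociation(0x2002, "10.0.0.1", AH, algorithm="auth", lifetime_bytes=10_000_000, **common))
    return db


if __name__ == "__main__":
    db = build_example_sadb()
    print(len(db), "SAs installed")
    print(db.process(0x1001, "10.0.0.2", ESP, 500, now=10.0))   # ok
    print(db.process(0x1001, "10.0.0.2", ESP, 600, now=20.0))   # expired:traffic
    print(db.process(0x2001, "10.0.0.1", ESP, 10, now=3600.0))  # expired:time
```

Note that the same SPI 0x1001 selects two different SAs depending on whether the packet carries an AH or an ESP header, and that a lookup with the peers' addresses reversed finds nothing: the outbound SA says nothing about inbound traffic.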
3Com Corporation
7-2
Chapter 7 IPSec Configuration
