Table 11-1 AH and ESP; Key Management; Transport Mode - ZyXEL Communications Vantage CNM 2.0 User Manual

In applications where confidentiality is not required, or is not sanctioned by government encryption restrictions, AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination, but it allows verification of the integrity of the information and authentication of the originator.
ESP (Encapsulating Security Payload) Protocol

The ESP protocol (RFC 2406) provides encryption as well as some of the services offered by AH. ESP's authentication properties are more limited than AH's because the IP header is not included in the authentication process. However, ESP is sufficient if only the upper layer protocols need to be authenticated.

An added feature of ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.
ESP

DES (default)
Data Encryption Standard (DES) is a widely used method of data encryption using a secret key. DES applies a 56-bit key to each 64-bit block of data.

3DES
Triple DES (3DES) is a variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.

AES
Advanced Encryption Standard is a newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES.

Select DES for minimal security and 3DES or AES for maximum. Select NULL to set up a tunnel without encryption.

11.1.8 Key Management

Key management allows you to determine whether to use IKE (ISAKMP) or manual key configuration in order to set up a VPN.
11.1.9 Encapsulation
The two modes of operation for IPSec VPNs are Transport mode and Tunnel mode.

Transport Mode

Transport mode is used to protect upper layer protocols and only affects the data in the IP packet. In Transport mode, the IP packet contains the security protocol header (AH or ESP) located after the original IP header and options, but before any upper layer protocols contained in the packet (such as TCP and UDP).

With ESP, protection is applied only to the upper layer protocols contained in the packet. The IP header information and options are not used in the authentication process. Therefore, the originating IP address cannot be verified for integrity against the data.

With AH as the security protocol, protection is extended forward into the IP header: portions of the original IP header are included in the hashing process, so the integrity of the entire packet can be verified.
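As an added illustration (not code from the manual or from the Vantage CNM product), the following Python model shows which parts of a transport-mode packet the AH and ESP integrity check values cover. The packet fields, key and digest layout are constructed for the example and are not the RFC 2402/2406 wire format; the MD5/SHA1 choice mirrors Table 11-1.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed transport-mode packet: IP header fields plus upper-layer data."""
    src: str        # IP header: source address
    dst: str        # IP header: destination address
    ttl: int        # IP header: mutable in transit, so AH leaves it out of the hash
    payload: bytes  # upper-layer protocol data (e.g. a TCP segment)


# Table 11-1 authentication choices: MD5 (128-bit digest) or SHA1 (160-bit digest)
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def ah_icv(key: bytes, pkt: Packet, algorithm: str = "MD5") -> bytes:
    """AH: the check value covers the immutable IP header fields and the payload."""
    covered = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
    return hmac.new(key, covered, DIGESTS[algorithm]).digest()


def esp_icv(key: bytes, pkt: Packet, algorithm: str = "MD5") -> bytes:
    """ESP: the check value covers only the upper-layer data, not the IP header."""
    return hmac.new(key, pkt.payload, DIGESTS[algorithm]).digest()


def verify(key: bytes, pkt: Packet, icv: bytes, protocol: str, algorithm: str = "MD5") -> bool:
    """Recompute the check value for the received packet and compare in constant time."""
    compute = ah_icv if protocol == "AH" else esp_icv
    return hmac.compare_digest(compute(key, pkt, algorithm), icv)


def change_detected(protocol: str, field: str, algorithm: str = "MD5") -> bool:
    """True if a receiver using `protocol` rejects a packet whose `field` changed in transit."""
    key = b"constructed-shared-key"  # constructed; real keys come from IKE or manual keying
    sent = Packet("192.0.2.10", "198.51.100.5", 64, b"constructed TCP segment")
    icv = (ah_icv if protocol == "AH" else esp_icv)(key, sent, algorithm)
    # A router legitimately decrements TTL; any other change here is tampering.
    received = Packet(sent.src, sent.dst, sent.ttl - 1, sent.payload)
    if field == "src":
        received.src = "203.0.113.7"
    elif field == "payload":
        received.payload = b"constructed altered segment"
    return not verify(key, received, icv, protocol, algorithm)


if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        print(proto, "detects source-address change:", change_detected(proto, "src"))
        print(proto, "detects payload change:", change_detected(proto, "payload"))
```

Running it shows that both protocols reject a modified payload, but only AH rejects a modified source address, which is the limitation the section describes for ESP in transport mode.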

Table 11-1 AH and ESP

AH

MD5 (default)
MD5 (Message Digest 5) produces a 128-bit digest to authenticate packet data.

SHA1
SHA1 (Secure Hash Algorithm) produces a 160-bit digest to authenticate packet data.

Select MD5 for minimal security and SHA-1 for maximum security.