562 CHAPTER 40: CONFIGURING IPSEC
state by polling. Thus, crypto cards can synchronously process user data, which
improves the speed of data encryption and decryption.
For the IPSec applied at the crypto card side, the crypto cards will be unable to
implement the IPSec processing if all the crypto cards on the router are in
abnormal state. In this case, given that the host has been enabled to backup the
crypto cards, the IPSec module of the operating system will replace the crypto
cards to implement the IPSec processing, if the IPSec module supports the
encryption/authentication algorithm used by the crypto cards. Thus, the software
IPSec module fulfills the backup of crypto cards.
The processing mechanism of the crypto cards and that of the software IPSec
module is almost the same. The only difference is that the former implements the
encryption/decryption processing through the software and the latter through the
the main operating system.
IPSec Message
Processing IPSec can process messages as follows (with AH protocol as an example):
■Add authentication header to messages: IP messages sent by the module block
from IPSec queue are read, and an AH header is added according to the
configured protocol mode (transport or tunnel mode), then forward it by IP
layer.
■Cancel the authentication header after messages are authenticated: The IP
message received at the IP layer is analyzed as a local host address with
protocol number 51, then the corresponding protocol switch table item is
searched and the corresponding input processing function is called. This
processing function authenticates the message to make a comparison with the
original authentication value. If the values are the same, the added AH is
canceled, and the original IP message is restored. Then IP input flow is recalled
for processing. Otherwise, this message is discarded.
IPSec Related Terms
The following terms are important to an understanding of IPSec:
■Data stream: A combination of a group of traffic, which is prescribed by
source address/mask, destination address/mask, encapsulation upper-level
protocol number of IP message, source port number, destination port number,
etc. Generally, a data stream is defined by an access list, and all messages
permitted by access list are called a data stream logically. A data stream can be
a TCP connection between the endpoints, or all the data stream transferred
between two subnets. IPSec can implement different security protections for
different data streams. For example, it can use different security protocols for
different data flow, algorithm and ciphering.
■Security policy: The policy, which is configured manually by the user to define
what security measure to take for what data stream. The data stream is defined
by configuring multiple rules in an access list, and in security policy this access
list is quoted to determine to protect the data flow. Name and Sequence
number define a security policy uniquely.
■Security policy group: The set of the security policies with the same name. A
security policy group can be applied or cancelled on an interface, applying
multiple security polices in the same security policy group to this interface, to
implement different security protection for different data streams. The security