How IPsec Works

IPsec works with the existing Internet infrastructure using encapsulation. It secures a packet of data by encrypting it before sending it over the Internet. On the receiving end, an IPsec-compliant device decrypts the data.

On each end of the link (systems at both ends comprise a security association), IPsec is configured with the same key set and manual key information. The key set allows each system in the security association to encrypt, decrypt, or authenticate each other’s data.

The security protection can be selectively applied to various types of data traffic based on protocols, IP addresses, network addresses, applications (via TCP/UDP port addresses), and network interfaces. System-originated IP traffic (for example Telnet, OSPF, and RIP) can be protected by IPsec directly. SNA traffic can be protected by IPsec through the DLSw tunnel. Other multiprotocol traffic (for example IPX, AppleTalk, and DECnet) and forwarded IP traffic are protected by IPsec through the PPTP tunnel. See Chapter 12 for more information about PPTP/L2TP tunneling.

Policies: IPsec policies allow you to protect various types of traffic based on protocols, IP addresses, network addresses, network interfaces, and applications (via port addresses).

Encapsulation Security Payload (ESP): ESP is used to provide data confidentiality via encryption using the DES-CBC crypto algorithm. For outbound traffic, it encrypts the IP payload and inserts an ESP header between the IP header and the payload. For inbound traffic, it decrypts the IP payload and removes the ESP header.
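To make the outbound and inbound ESP processing concrete, here is an added example (not code from the 3Com manual or its software) that frames a constructed IPv4 packet the way the text describes: the original payload is encrypted, an ESP header (SPI and sequence number) is inserted between the IP header and the payload, and the outer header's protocol field, total length and checksum are updated; inbound processing checks the outer header, decrypts, strips the ESP header and restores the original packet. It follows the standard ESP layout, including the pad / pad-length / next-header trailer that the manual does not mention, and the "encryption" is a hash-derived keystream stand-in for DES-CBC, so the framing rather than the cipher is the point. The key, SPI, addresses and payload are constructed for this example.

```python
import hashlib
import struct

ESP_PROTO = 50   # IANA protocol number for ESP
BLOCK = 8        # DES-CBC block size; the ESP body is padded to a multiple of it


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement checksum over an IPv4 header (returns 0 for a header that verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Constructed sample packet: minimal 20-byte IPv4 header plus payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                0x1234, 0x4000, 64, proto, 0, src, dst))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def keystream_xor(key: bytes, spi: int, seq: int, data: bytes) -> bytes:
    """Stand-in for DES-CBC (NOT DES, not secure): hash-derived keystream bound to SPI and sequence."""
    nonce = struct.pack("!II", spi, seq)
    stream = b"".join(hashlib.sha256(key + nonce + struct.pack("!I", i)).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Outbound: encrypt the IP payload and insert the ESP header between IP header and payload."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, payload = bytearray(packet[:ihl]), packet[ihl:]
    next_header = ip_hdr[9]                      # original upper-layer protocol, kept in the trailer
    pad_len = (-(len(payload) + 2)) % BLOCK      # pad so payload + trailer fills whole blocks
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    body = keystream_xor(key, spi, seq, payload + trailer)
    esp_hdr = struct.pack("!II", spi, seq)       # SPI selects the SA; seq supports anti-replay
    ip_hdr[9] = ESP_PROTO
    struct.pack_into("!H", ip_hdr, 2, ihl + len(esp_hdr) + len(body))
    struct.pack_into("!H", ip_hdr, 10, 0)
    struct.pack_into("!H", ip_hdr, 10, ipv4_checksum(bytes(ip_hdr)))
    return bytes(ip_hdr) + esp_hdr + body


def esp_decapsulate(packet: bytes, key: bytes):
    """Inbound: check the outer header, decrypt, strip ESP header and trailer, restore the packet."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = bytearray(packet[:ihl])
    if ip_hdr[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    if ipv4_checksum(bytes(ip_hdr)) != 0:
        raise ValueError("bad IPv4 header checksum")
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    body = keystream_xor(key, spi, seq, packet[ihl + 8:])
    pad_len, next_header = body[-2], body[-1]
    payload = body[:len(body) - 2 - pad_len]
    pad = body[len(body) - 2 - pad_len:-2]
    if pad != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding (wrong key or corrupted packet)")
    ip_hdr[9] = next_header
    struct.pack_into("!H", ip_hdr, 2, ihl + len(payload))
    struct.pack_into("!H", ip_hdr, 10, 0)
    struct.pack_into("!H", ip_hdr, 10, ipv4_checksum(bytes(ip_hdr)))
    return spi, seq, bytes(ip_hdr) + payload


# Constructed sample: a TCP-marked packet between two private addresses.
SAMPLE = build_ipv4(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 6, b"hello, ipsec")

if __name__ == "__main__":
    outer = esp_encapsulate(SAMPLE, spi=0x1000, seq=1, key=b"demo-key")
    print("outer protocol:", outer[9], "outer length:", len(outer))
    print("restored original:", esp_decapsulate(outer, b"demo-key")[2] == SAMPLE)
```

Running it shows the outer packet carrying protocol 50 and a body that is a whole number of 8-byte blocks; on the inbound side a wrong key or a corrupted packet fails the trailer check rather than being silently forwarded.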

DES and RC5 encryption algorithms are supported in the xE packages. 3DES2key is supported only in xS packages.

DES is the Cipher Block Chaining (CBC) mode of the US Data Encryption Standard (DES). It requires an 8-byte key and operates on an 8-byte data block where the output of each block is fed into the next block to avoid repeating the same cipher output for those blocks with the same cleartext data.

RC5 is a block cipher, also used in CBC mode, that may provide slightly faster performance than DES. RC5 requires a minimum of 5 bytes for the encryption key. The key may be as long as 7 bytes in xE packages, and as long as 16 bytes in xS packages.

3DES2key is a three-stage block cipher encryption algorithm that uses an encrypt-decrypt-encrypt sequence for greater security than standard DES encryption. The operation is similar to the 3DES encryption algorithm except that instead of using unique keying information for each stage, 3DES2key uses the same keying information for both encryption stages. 3DES2key requires a 16-byte encryption key to be entered. It uses the first 8 bytes for both encryption phases, and the second 8 bytes for the decrypt phase.
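The CBC chaining described for DES above and the 3DES2key encrypt-decrypt-encrypt sequence can both be shown in one added example (not the manual's code, and not DES: the 8-byte block cipher here is a hash-based Feistel stand-in that only shares DES's 8-byte key and block sizes). It shows why chaining matters (three identical plaintext blocks give three identical ciphertext blocks without chaining and three different ones with it), implements the 3DES2key keying rule from the text (first 8 key bytes for both encrypt stages, second 8 bytes for the decrypt stage), and runs 3DES2key inside CBC as the router does. Keys, IV and plaintext are constructed values.

```python
import hashlib

BLOCK = 8    # DES works on 8-byte blocks, as the text describes
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    """Keyed round function of the stand-in cipher (hash-based, NOT the DES F function)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 8-byte block cipher, 8-byte key: an 8-round Feistel network (NOT DES, not secure)."""
    assert len(key) == BLOCK and len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(right, key, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: run the Feistel rounds backwards."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(left, key, rnd)), left
    return left + right


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """No chaining: identical plaintext blocks produce identical ciphertext blocks."""
    return b"".join(block_encrypt(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes, enc=block_encrypt) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (IV first)."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = enc(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes, dec=block_decrypt) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(dec(key, cur), prev))
        prev = cur
    return b"".join(out)


def tdes2key_encrypt(key16: bytes, block: bytes) -> bytes:
    """3DES2key EDE: first 8 key bytes for both encrypt stages, second 8 bytes for the decrypt stage."""
    assert len(key16) == 16
    k1, k2 = key16[:8], key16[8:]
    return block_encrypt(k1, block_decrypt(k2, block_encrypt(k1, block)))


def tdes2key_decrypt(key16: bytes, block: bytes) -> bytes:
    """Inverse sequence: decrypt with k1, encrypt with k2, decrypt with k1."""
    k1, k2 = key16[:8], key16[8:]
    return block_decrypt(k1, block_encrypt(k2, block_decrypt(k1, block)))


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


if __name__ == "__main__":
    key, iv = b"8bytekey", b"\x00" * BLOCK      # constructed 8-byte key and IV
    pt = b"SAMEDATA" * 3                        # three identical plaintext blocks
    print("distinct ciphertext blocks without chaining:", len(set(blocks(ecb_encrypt(key, pt)))))
    print("distinct ciphertext blocks with CBC:", len(set(blocks(cbc_encrypt(key, iv, pt)))))
    k16 = b"8bytekey" + b"otherkey"             # constructed 16-byte 3DES2key key
    ct = cbc_encrypt(k16, iv, pt, enc=tdes2key_encrypt)
    print("3DES2key-CBC round trip:", cbc_decrypt(k16, iv, ct, dec=tdes2key_decrypt) == pt)
```

One check worth knowing when keys are entered by hand: if the two 8-byte halves of a 3DES2key key are identical, the decrypt stage undoes the first encrypt stage and the result is plain single encryption under that 8-byte key, so the "greater security" the text promises depends on the halves being different.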

Key lengths are enforced when they are entered. Warning or error messages inform you when the entered key does not meet the requirements.

Entered keys longer than the supported maximum length for the chosen crypto algorithm and the package are truncated as necessary.

3Com 11.1 manual How IPsec Works