Policy Concepts
EncrypTight User Guide 185
Key Generation and ETKMSs
With multicast IP policies and Layer 2 Ethernet policies, you choose a single ETKMS to generate and
distribute the keys. With point-to-point, hub and spoke, and mesh IP policies there are two options for
specifying which ETKMSs generate and distribute keys.
●By Network Set - The default ETKMS within each network set generates and distributes the keys to
the PEPs included in those network sets.
●Global ETKMS - A single ETKMS, referred to as a global ETKMS, generates the keys and sends
them to the default ETKMSs in each network set for distribution to all of PEPs included in the policy.
Addressing Mode
When you create network sets in the network sets editor, you specify the IP address the PEPs will use in
the outer header of the encrypted packets. The options include the original IP address of the packets
received at the PEP’s local port (the default setting), the remote port IP address of the PEP, or a virtual IP
address that is configured as part of a network set. The second two options are used when the original
source IP address must be concealed or when traffic must be routed over the internet.
Even when you configure network sets to conceal the original source IP addresses, you might need to
preserve the original IP addresses for other traffic that is routed through the same network sets. For
example, you might need to transmit traffic that must comply with Service Level Agreements.
To handle these situations, you can create additional policies that use the same network sets, but override
the specified network addressing mode. In the policy editor, the network addressing mode can use one of
two options:
●Preserve only the original internal network addresses. The source and destination addresses in the IP
header are sent in the clear. The protocol and port, as well as the payload of the packet are encrypted.
This is referred to as a Layer 3 policy.
●Preserve the original internal network address, protocol, and port. The source and destination
addresses, protocol, and port in the IP header are sent in the clear. With this option, only the payload
of the packet is encrypted. This allows you to send the Layer 4 header information in the clear for
traffic engineering and Service Level Agreement management (for example, Quality of Service
controls or NetFlow statistics monitoring). This is referred to as a Layer 4 policy.
Related topics:
●“Network Addressing for IP Networks” on page 35
●“Adding a Network Set” on page 170
●“Encapsulation” on page 183
Using Encrypt All Policies with Exceptions
You can design your policies many different ways for the same results. If you design your policies based
on chunks of data such as which port or which source or destination address encrypts, drops, or passes in
the clear, a large number of policies can result. With a large number of policies, the policy management
overhead increases and keeping track of the priority of each policy can become difficult. You can
simplify this process by doing the following: