USER’S GUIDE

SECURITY PARAMETER INDEX (SPI)

A 32-bit number (eight hexadecimal digits) used to identify the security associations between CyberSWITCH nodes. The SPI must be greater than or equal to 00000100 (hexadecimal). The SPI is transmitted in the Encapsulating Security Payload (ESP) header and used by the peer CyberSWITCH node to identify the necessary information to decrypt the ESP payload.

The following element applies to Link Layer Encryption only:

PROPRIETARY KEY EXCHANGE

When using Link Layer Encryption, this feature supports an automated key exchange (for Cabletron products only). If you enable this feature, you do not need to manually specify encryption/decryption keys.

ENCRYPTION/DECRYPTION KEY

This key is used for PPP devices only, and must be 16 digits in length. You may use any combination of hexadecimal digits in the key. The encryption key you configure on one side of the connection (site “A”) must match the decryption key you configure on the other side of the connection (site “B”).

ENCRYPTION BACKGROUND INFORMATION

IP NETWORK LAYER ENCRYPTION

IP Network Layer Encryption consists of:

an Encapsulating Security Payload (ESP) implementation

Authentication Headers (AH)

The CyberSWITCH provides IP Security by using either ESP or AH, or a combination of the two.

ESP IMPLEMENTATION

The IP Encryption feature provides a connection between two or more trusted subnets through the Internet or any other IP network. IP datagrams transmitted from one trusted subnet to another trusted subnet funnel through a CyberSWITCH node where they are encrypted and encapsulated. The destination address on the encapsulated datagram is that of the CyberSWITCH node servicing the other trusted subnet.

IP datagrams addressed to the remote trusted subnet are encrypted and encapsulated with an Encapsulating Security Payload (ESP) header. The encapsulating datagram carries the destination address of an intermediate CyberSWITCH node, which is responsible for decrypting and decapsulating these packets before sending them on to their intended destination.

When the IP datagram reaches the destination CyberSWITCH node, the ESP header is removed, the ESP payload is decrypted, and the original IP datagram is forwarded to its original destination.

The CyberSWITCH requires Security Associations to identify:

range of IP addresses (i.e., one for source subnet and one for destination subnet)

encryption parameters to be used to encrypt communications to those IP addresses

IP address of the peer CyberSWITCH responsible for decrypting the communications
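The following is an added illustration, not code from the CyberSWITCH product or this guide, of how a node could model the Security Association just described: the SPI floor of 00000100 hex, the SPI carried at the front of the ESP data, and an SA table keyed by peer address and SPI that records the two subnet ranges, the encryption parameters and the decrypting peer. All addresses, the SPI value and the table layout are constructed assumptions.

```python
import ipaddress
import struct
from dataclasses import dataclass

MIN_SPI = 0x00000100  # lower bound for the SPI stated in the guide


@dataclass(frozen=True)
class SecurityAssociation:
    """The three things the guide says an SA must identify, plus its SPI."""
    spi: int
    peer: ipaddress.IPv4Address        # CyberSWITCH node that decrypts for the far subnet
    src_subnet: ipaddress.IPv4Network  # trusted subnet on this side
    dst_subnet: ipaddress.IPv4Network  # trusted subnet behind the peer
    cipher: str                        # encryption parameters (kept as an opaque label here)


def validate_spi(spi: int) -> bool:
    """A configured SPI must fit in 32 bits and be >= 00000100 hex."""
    return MIN_SPI <= spi <= 0xFFFFFFFF


def parse_esp_spi(esp_data: bytes) -> tuple:
    """Split ESP data into its leading 32-bit SPI and the remaining opaque bytes."""
    if len(esp_data) < 4:
        raise ValueError("ESP data shorter than the SPI field")
    (spi,) = struct.unpack("!I", esp_data[:4])
    return spi, esp_data[4:]


def lookup_inbound_sa(sa_table: dict, outer_src: str, spi: int):
    """Receiving side: find the SA for a packet from peer `outer_src` carrying `spi`."""
    if not validate_spi(spi):
        raise ValueError(f"SPI {spi:08x} is outside the permitted range")
    return sa_table.get((ipaddress.IPv4Address(outer_src), spi))


def select_outbound_sa(sa_table: dict, inner_src: str, inner_dst: str):
    """Sending side: pick the SA whose subnet ranges cover the original datagram."""
    src, dst = ipaddress.IPv4Address(inner_src), ipaddress.IPv4Address(inner_dst)
    for sa in sa_table.values():
        if src in sa.src_subnet and dst in sa.dst_subnet:
            return sa
    return None  # no SA covers this datagram

# Constructed sample table for one tunnel; addresses and SPI are illustrative only.
_SA = SecurityAssociation(
    spi=0x00001000, peer=ipaddress.IPv4Address("203.0.113.2"),
    src_subnet=ipaddress.IPv4Network("10.1.0.0/16"),
    dst_subnet=ipaddress.IPv4Network("10.2.0.0/16"),
    cipher="configured encryption parameters")
SA_TABLE = {(_SA.peer, _SA.spi): _SA}
```

A packet from an unknown peer, or one carrying an SPI below the floor, resolves to no SA and therefore cannot be decrypted, which is the behaviour the SPI requirement above is meant to enforce.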

Enterasys Networks CSX7000, CSX5500, CSX6000 manual Encryption Background Information, IP Network Layer Encryption