USER’S GUIDE

ENCRYPTION OVERVIEW

Cabletron’s encryption options provide two popular approaches for encrypting WAN communications, each with distinct advantages in certain applications. These options are: Network Layer Encryption and Link Layer Encryption.

NETWORK LAYER

Cabletron’s Network Layer Encryption is an IP Security-based form of encryption. IP Security (IPSec) can potentially reside in many devices within the network. Since IPSec is specific to IP, data must be contained in an IP datagram in order for encryption to take place. This also implies that an IPSec-compliant switch or router must perform network-layer routing. A device which does not perform network-layer processing (such as a pure bridge) will not be capable of IPSec-based encryption. Non-IP protocols such as IPX and AppleTalk must be encapsulated within IP in order to take advantage of IPSec.

IPSec is primarily aimed at providing secure communications across IP networks such as the Internet. Data can traverse multiple intermediate (untrusted) nodes (such as Internet backbone routers) while still ensuring strong data security. But it can also be applied in point-to-point networks where the layer-3 protocol is IP (for example, IP transported across the WAN using PPP).

Network-layer encryption works as follows:

IP datagrams transmitted from one LAN to another LAN funnel through a CyberSWITCH node where they are encrypted and encapsulated. The destination address on the encapsulated datagram is that of the CyberSWITCH node servicing the other trusted subnet.

When the IP datagram reaches the destination CyberSWITCH node, the Encapsulating Security Payload (ESP) header is removed, the ESP payload is decrypted, and the original IP datagram is forwarded to its original destination.

CyberSWITCH encryption requires additional Security Association information that can be supplied through CFGEDIT. Each security association identifies a range of IP addresses, encryption parameters to be used to encrypt communications to those IP addresses, and the IP address of the peer CyberSWITCH (or other ESP node) responsible for decrypting the communications. The peer will have knowledge of the same security association.

Security associations between peer CyberSWITCH nodes are identified by a Security Parameter Index (SPI), which is a 32-bit number. The SPI is transmitted in the ESP header and is used by the peer CyberSWITCH node to identify the necessary information to decrypt the ESP payload.

IP datagrams to these IP destination addresses are encrypted and encapsulated with an ESP header. The ESP header indicates a destination address of an intermediate CyberSWITCH node which will be responsible for decrypting and decapsulating these packets before sending them on to their intended destination.
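To make the SPI-driven lookup concrete, here is an added Python model (not Cabletron's code and not the CFGEDIT format) of both sides of the exchange: the sending CyberSWITCH matches the destination against its security associations, encrypts, and prepends an ESP header carrying the SPI; the peer reads that SPI to find the same association and decrypt. The SA table, addresses, key and the SHA-256 keystream are constructed stand-ins for the real encryption parameters.

```python
import hashlib
import ipaddress
import struct

# Constructed SA table keyed by SPI (hypothetical values, not a CFGEDIT export):
# protected address range, peer ESP node that decrypts, and the key in use.
SA_TABLE = {
    0x00001001: {
        "range": ipaddress.ip_network("10.2.0.0/16"),  # remote trusted subnet
        "peer": "192.0.2.2",  # peer CyberSWITCH that decapsulates
        "key": b"constructed-demo-key",
    },
}

def find_sa(dst_ip):
    """Return (spi, sa) for the SA whose range covers dst_ip, else None."""
    addr = ipaddress.ip_address(dst_ip)
    for spi, sa in SA_TABLE.items():
        if addr in sa["range"]:
            return spi, sa
    return None

def keystream(key, spi, seq, length):
    """Toy keystream (SHA-256 in counter mode) standing in for the real cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, block)).digest()
        block += 1
    return out[:length]

def protect(inner_datagram, dst_ip, seq=1):
    """Encrypt and ESP-encapsulate a datagram bound for a protected subnet.
    Returns (outer destination, ESP packet), or None when no SA matches."""
    match = find_sa(dst_ip)
    if match is None:
        return None  # no SA: the datagram would be forwarded in the clear
    spi, sa = match
    ks = keystream(sa["key"], spi, seq, len(inner_datagram))
    ciphertext = bytes(a ^ b for a, b in zip(inner_datagram, ks))
    # ESP header: 32-bit SPI then 32-bit sequence number, followed by the payload
    return sa["peer"], struct.pack("!II", spi, seq) + ciphertext

def unprotect(esp_packet):
    """Peer side: the SPI in the ESP header selects the SA used to decrypt."""
    spi, seq = struct.unpack("!II", esp_packet[:8])
    sa = SA_TABLE.get(spi)
    if sa is None:
        raise ValueError("no security association for SPI 0x%08x" % spi)
    ks = keystream(sa["key"], spi, seq, len(esp_packet) - 8)
    return bytes(a ^ b for a, b in zip(esp_packet[8:], ks))
```

A datagram whose destination falls outside every configured range returns None, which is the case the text describes where no encryption takes place.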

LINK LAYER

Link layer encryption occurs at layer 2 of the ISO networking model. In the case of a WAN, PPP acts as a layer 2 protocol. Encryption Control Protocol (ECP) serves to handle encryption of a PPP datagram.

Enterasys Networks CSX5500, CSX6000, CSX7000 manual Encryption Overview, Network Layer, Link Layer