9Installing and Configuring Data Encryption Offloads
Configuring IPSec in Windows 2003, Windows XP, and Windows 2000
The 3CR990B NIC accelerates IP security (IPSec) data encryption from supported operating systems that provide this offload capability. This feature is currently available in the Windows 2003, Windows XP, and Windows 2000 operating systems.
IPSec primarily consists of two parts:
•encryption/decryption
•authentication
To send or receive encrypted data with a 3CR990B NIC installed, you must first create a security policy, and then enable encryption on the NIC. The security policy establishes and defines how encrypted network traffic between your computer and a specified server occurs.
Authentication enables the receiver to verify the sender of a packet by adding key fields to a packet without altering the packet data content.
The following table shows the available levels of encryption:
Encryption | Encryption |
|
Type | Level | Description |
|
|
|
AH | Medium | Authentication only |
ESP | High | Authentication and encryption |
Custom | Varies | Provides encryption and an extra authentication that includes |
|
| the IP header. |
|
| Custom allows you to select options for both AH and ESP, such |
|
| as |
|
| which new keys are negotiated. |
|
| Microsoft uses IKE key exchange to renew keys every x seconds |
|
| or y bytes. However, this practice is computationally very high |
|
| in overhead. Some users may set these values low and have |
|
| frequent key updates. Users more concerned with |
|
| performance will set these values higher. |
|
| For more information, refer to the Microsoft documentation |
|
| about creating IPSec flows. |
|
|
|
The process you use to create and enable a security policy depends on your network environment requirements. The following is an example of one approach to creating a security policy.
NOTE: You must complete all of the sequences in this section to establish and enable a security policy for transmitting and receiving encrypted data over the network.
24