Cisco IOS XR User Manual

254 pages
Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Information About Implementing IKE Security Protocol Configurations for IPSec Networks
SC-21
Cisco IOS XR System Security Configuration Guide
• Call Admission Control, page SC-30
• Information About IP Security VPN Monitoring, page SC-31
Supported Standards
Cisco implements the following standards:
• IKE—Internet Key Exchange. A hybrid protocol that implements Oakley and Skeme key exchanges
inside the ISAKMP framework. IKE can be used with other protocols, but its initial implementation
is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys,
and negotiates IPSec security associations (SAs).
IKE is implemented following RFC 2409, The Internet Key Exchange.
• IPSec—IP Security Protocol. IPSec is a framework of open standards that provides data
confidentiality, data integrity, and data authentication between participating peers. IPSec provides
these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms
based on local policy and to generate the encryption and authentication keys to be used by IPSec.
IPSec is used to protect one or more data flows between a pair of hosts, a pair of security gateways,
or a security gateway and a host.
For more information on IPSec, see the Implementing IPSec Network Security on Cisco IOS XR
Software module of the Cisco IOS XR System Security Configuration Guide.
• ISAKMP—Internet Security Association and Key Management Protocol. A protocol framework
that defines payload formats, the mechanics of implementing a key exchange protocol, and the
negotiation of a security association.
ISAKMP is implemented following the latest version of the Internet Security Association and Key
Management Protocol (ISAKMP) Internet Draft (RFC 2408).
• Oakley—A key exchange protocol that defines how to derive authenticated keying material.
• Skeme—A key exchange protocol that defines how to derive authenticated keying material, with
rapid key refreshment.
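
The ISAKMP entry above says the framework defines payload formats. As an added example (not taken from the Cisco guide), this Python code decodes and sanity-checks the fixed 28-byte ISAKMP header from RFC 2408 that starts every IKE datagram on UDP port 500. The function name, dictionary keys and sample bytes are constructed for illustration.

```python
import struct

# Fixed 28-byte ISAKMP header (RFC 2408 section 3.1), network byte order:
# initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, total message length.
HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGES = {0: "None", 1: "Base", 2: "Identity Protection", 3: "Authentication Only",
             4: "Aggressive", 5: "Informational",
             32: "Quick Mode", 33: "New Group Mode"}  # 32 and 33 come from IKE (RFC 2409)
PAYLOADS = {0: "None", 1: "SA", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
            5: "Identification", 6: "Certificate", 7: "Certificate Request", 8: "Hash",
            9: "Signature", 10: "Nonce", 11: "Notification", 12: "Delete", 13: "Vendor ID"}
FLAGS = ((0x01, "Encryption"), (0x02, "Commit"), (0x04, "Authentication Only"))


def parse_isakmp_header(datagram: bytes) -> dict:
    """Decode and sanity-check the ISAKMP header of a UDP port 500 payload."""
    if len(datagram) < HEADER.size:
        raise ValueError(f"need {HEADER.size} header bytes, got {len(datagram)}")
    icookie, rcookie, nxt, ver, xchg, flags, msg_id, length = HEADER.unpack_from(datagram)
    # The length field covers header plus payloads; reject values that cannot be true.
    if not HEADER.size <= length <= len(datagram):
        raise ValueError(f"length field {length} does not fit a {len(datagram)}-byte datagram")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "first_message": rcookie == bytes(8),  # responder has not chosen a cookie yet
        "next_payload": PAYLOADS.get(nxt, f"unassigned ({nxt})"),
        "version": f"{ver >> 4}.{ver & 0x0F}",  # major nibble, minor nibble
        "exchange": EXCHANGES.get(xchg, f"unassigned ({xchg})"),
        "flags": [name for bit, name in FLAGS if flags & bit],
        "message_id": msg_id,
        "length": length,
        "trailing_bytes": len(datagram) - length,
    }


# Constructed sample (not a real capture): header of an initiator's first
# Identity Protection packet, with 24 zero bytes standing in for the SA payload.
SAMPLE = HEADER.pack(bytes.fromhex("0123456789abcdef"), bytes(8), 1, 0x10, 2, 0, 0, 52) + bytes(24)

if __name__ == "__main__":
    for field, value in parse_isakmp_header(SAMPLE).items():
        print(f"{field:17} {value}")
```
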
The component technologies implemented for use by IKE include the following:
• DES—Data Encryption Standard. An algorithm that is used to encrypt packet data. IKE implements
the 56-bit DES-CBC with Explicit IV standard. Cipher Block Chaining (CBC) requires an
initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet.
Cisco IOS XR software also implements Triple DES (168-bit) encryption, depending on the
software versions available for a specific platform. Triple DES (3DES) is a strong form of
encryption that allows sensitive information to be sent over untrusted networks. It enables
customers, particularly in the finance industry, to use network-layer encryption.
• AES—Advanced Encryption Standard. 128-bit, 192-bit, and 256-bit AES are supported.
Note: Cisco IOS XR images that have strong encryption (including, but not limited to, 56-bit data
encryption feature sets) are subject to U.S. government export controls, and have a limited
distribution. Images that are to be installed outside the United States require an export
license. Customer orders might be denied or subject to delay because of U.S. government
regulations. Contact your sales representative or distributor for more information, or send
e-mail to export@cisco.com.

Cisco IOS XR Specifications

General
Operating System: Cisco IOS XR
Architecture: Microkernel
High Availability: Yes
Type: Network operating system
Developed by: Cisco Systems
License: Proprietary
Programming Language: C, C++
Kernel: QNX
Supported Platforms: Cisco ASR9000, NCS series
Security Features: Role-Based Access Control (RBAC), Secure Boot, Encryption
Management Interface: CLI, SNMP, NETCONF, RESTCONF
Release Date: 2004
Target Devices: High-end core routers, service provider edge routers, data center interconnect (DCI) routers
Supported Hardware: Cisco routers and switches
Networking Protocols: BGP, OSPF, IS-IS, MPLS
Virtualization Support: Virtualization-ready, supports network function virtualization (NFV) and containerization technologies.
