
Huawei AR1200 Series Configuration Guide

Huawei AR1200 Series
392 pages
5.1 IPSec Overview
The IP Security (IPSec) protocol family is a series of protocols defined by the Internet
Engineering Task Force (IETF). This protocol family provides high-quality, interoperable, and
cryptography-based security for IP packets. Communicating parties encrypt data and authenticate
the data source at the IP layer to ensure data confidentiality and integrity and to prevent replay of
data packets.
IPSec uses two security protocols: Authentication Header (AH) and Encapsulating
Security Payload (ESP). Key exchange and SA establishment in IPSec are implemented by the
Internet Key Exchange (IKE) protocol, which simplifies the use and management of IPSec.
IPSec involves the following terms:
• Security association (SA)
  – An SA is a set of conventions adopted by the communicating parties. For example, it
    determines the security protocol (AH, ESP, or both), the encapsulation mode (transport
    mode or tunnel mode), the key algorithm (DES, 3DES, or AES), the shared key that protects
    a given flow, and the lifetime of the shared key.
  – An SA is unidirectional, so at least two SAs are required to protect data flows in
    bidirectional communication. If two peers need to communicate using both AH and
    ESP, each peer needs to establish two SAs, one for each protocol.
  – An SA is identified by three parameters: Security Parameter Index (SPI), destination IP
    address, and security protocol ID (AH or ESP).
• Encapsulation mode
  – Transport mode: AH or ESP is inserted behind the IP header but before all
    transport-layer protocols, as shown in Figure 5-1.
  – Tunnel mode: AH or ESP is inserted before the original IP header but behind a new IP
    header, as shown in Figure 5-2.
Figure 5-1 Packet format in transport mode
[Figure not reproduced. It shows the transport-mode packet layout for each protocol option (AH, ESP, and AH-ESP), built from the fields IP Header, AH, ESP, TCP Header, data, ESP Tail, and ESP Auth data.]
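The SA identification rule and the two encapsulation modes described above can be checked against packet bytes. The following is an added example, not part of the Huawei guide: it walks an IPv4 packet, derives the (SPI, destination IP address, security protocol) triple for each AH or ESP header, and reports the mode where the cleartext reveals it. It assumes IPv4, an AH header with a 96-bit ICV, and encrypted ESP; the function names, addresses, and SPI values are constructed for illustration.

```python
import ipaddress
import struct

AH, ESP, IPIP, TCP = 51, 50, 4, 6  # IANA IP protocol numbers

def sa_keys(packet: bytes) -> list:
    """Return one record per AH/ESP header, keyed by (SPI, destination IP, protocol)."""
    ihl = (packet[0] & 0x0F) * 4                      # outer IPv4 header length in bytes
    proto, offset = packet[9], ihl
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    found = []
    while proto in (AH, ESP):
        if proto == AH:
            # AH: next header, payload length, reserved, SPI, sequence number, ICV
            next_hdr, plen = packet[offset], packet[offset + 1]
            spi, seq = struct.unpack_from("!II", packet, offset + 4)
            mode = {IPIP: "tunnel", ESP: "hidden by ESP"}.get(next_hdr, "transport")
            found.append({"sa": (spi, dst, "AH"), "seq": seq, "mode": mode})
            offset += (plen + 2) * 4                  # AH length field is 32-bit words minus 2
            proto = next_hdr
        else:
            # ESP: only SPI and sequence number are cleartext; the next-header
            # field sits in the encrypted ESP tail, so the mode is not visible.
            spi, seq = struct.unpack_from("!II", packet, offset)
            found.append({"sa": (spi, dst, "ESP"), "seq": seq, "mode": "hidden by ESP"})
            break
    return found

# --- Constructed sample packets (checksums and ICVs zeroed, payloads are filler) ---
def ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def ah(next_hdr, spi, seq, payload):
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq) + bytes(12) + payload

def esp(spi, seq, ciphertext):
    return struct.pack("!II", spi, seq) + ciphertext

A, B = "192.0.2.1", "198.51.100.2"                    # documentation addresses
OUTBOUND = ipv4(AH, A, B, ah(ESP, 0x1001, 7, esp(0x2001, 7, bytes(32))))
INBOUND = ipv4(AH, B, A, ah(ESP, 0x1002, 3, esp(0x2002, 3, bytes(32))))
AH_TUNNEL = ipv4(AH, A, B, ah(IPIP, 0x3001, 1, ipv4(TCP, "10.1.1.1", "10.2.2.2", bytes(20))))

if __name__ == "__main__":
    for name, pkt in (("A->B", OUTBOUND), ("B->A", INBOUND), ("AH tunnel", AH_TUNNEL)):
        for rec in sa_keys(pkt):
            print(name, rec)
```

With AH and ESP both in use, the two directions of one conversation resolve to four distinct SA keys, which is the count implied by the unidirectional rule in the list above.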
Huawei AR1200 Series Enterprise Routers
Configuration Guide - VPN 5 IPSec Configuration
Issue 01 (2012-04-20) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.