InHand IR720 series - Page 74 (manual of 113 pages)
ESP (Encapsulating Security Payload) is a security encapsulation protocol with IP protocol number 50. Unlike AH, ESP encrypts the user data that is to be protected and then encapsulates it into IP packets, thereby guaranteeing the confidentiality of the data. Common encryption algorithms include DES, 3DES and AES. Optionally, users can select the MD5 or SHA-1 algorithm to ensure the integrity and authenticity of packets.
AH and ESP can be used either independently or in combination. The combined mode supported by the device is: first ESP-encapsulate the packet, then AH-encapsulate it. After encapsulation the packet consists, from inside to outside, of the original IP packet, the ESP header, the AH header and the outer IP header.
2. Basic Concept of IPSec
(1) SA
IPSec provides secure communication between two endpoints, which are called IPSec peers.
The SA is the basis and essence of IPSec. An SA is an agreement between peers on certain elements, e.g. which protocol to use (AH, ESP, or a combination of both), the protocol encapsulation mode (transport mode or tunnel mode), the encryption algorithm (DES, 3DES or AES), the shared key protecting the data of a particular stream, and the lifetime of that key.
An SA is unidirectional. For two-way communication between two peers, a minimum of two SAs is required, one to protect the data stream in each direction. If two peers want to use both AH and ESP for secure communication, each peer builds an independent SA for each protocol.
An SA is uniquely identified by a triple: the SPI (Security Parameter Index), the destination IP address and the security protocol number (AH or ESP).
The SPI is a 32-bit number generated to uniquely identify the SA; it is carried in the AH and ESP headers. When an SA is configured manually, the value of the SPI must be specified manually; when the SA is generated through IKE negotiation, the SPI is generated randomly.
An SA has a lifetime; this applies only to SAs established by way of IKE. When the lifetime reaches the specified time or the specified traffic volume, the SA expires. Before that happens, IKE negotiates a new IPSec SA, so that the new SA is ready before the old one expires. While negotiation of the new SA has started but is not yet finished, the old SA continues to protect communication. As soon as negotiation of the new SA is finished, the new SA is immediately applied to protect communication.
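As an added illustration of the rekeying rules above (example code written for this page, not InHand's firmware), the following Python models an IKE-negotiated SA with a time limit and a traffic limit, a soft threshold at which renegotiation is started, and the switch-over rule: the old SA keeps protecting traffic until the replacement is ready, and the replacement is used immediately once negotiation finishes. The 80 % soft ratio, the limit values and the SPIs are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class SALifetime:
    """Lifetime limits of an IKE-negotiated SA: seconds and bytes (the manual's
    'specified time or specified traffic volume')."""
    spi: int
    established_at: float
    time_limit: float
    byte_limit: int
    bytes_used: int = 0
    # Fraction of the hard limit at which IKE starts negotiating the replacement.
    # Constructed assumption; real implementations pick their own margin.
    soft_ratio: float = 0.8

    def account(self, nbytes):
        """Record protected traffic against the byte limit."""
        self.bytes_used += nbytes

    def expired(self, now):
        """Hard limit reached: the SA has lost efficacy."""
        return (now - self.established_at >= self.time_limit
                or self.bytes_used >= self.byte_limit)

    def needs_rekey(self, now):
        """Soft limit reached: IKE should start negotiating the new SA."""
        return (now - self.established_at >= self.soft_ratio * self.time_limit
                or self.bytes_used >= self.soft_ratio * self.byte_limit)


class SAPair:
    """The active SA plus an optional replacement whose negotiation is in progress."""

    def __init__(self, active):
        self.active = active
        self.pending = None
        self.pending_ready = False

    def start_rekey(self, new_sa):
        self.pending = new_sa
        self.pending_ready = False

    def finish_rekey(self):
        self.pending_ready = True

    def select(self, now):
        """Return the SA that protects traffic right now, or None if none is usable."""
        if self.pending is not None and self.pending_ready:
            # Negotiation finished: the new SA is applied immediately.
            self.active, self.pending, self.pending_ready = self.pending, None, False
            return self.active
        if self.active.expired(now):
            return None  # old SA lost efficacy and no replacement is ready
        return self.active  # old SA still protects traffic while negotiating


def simulate():
    """Constructed timeline: 3600 s / 1 MB limits, soft threshold at 80 %."""
    old = SALifetime(spi=0x1001, established_at=0.0, time_limit=3600, byte_limit=1_000_000)
    pair = SAPair(old)
    trace = [pair.select(now=100).spi]          # fresh SA in use
    trace.append(old.needs_rekey(100))          # False: well under both limits
    old.account(850_000)                        # traffic crosses the 80 % soft limit
    trace.append(old.needs_rekey(100))          # True: start negotiating
    new = SALifetime(spi=0x1002, established_at=100.0, time_limit=3600, byte_limit=1_000_000)
    pair.start_rekey(new)
    trace.append(pair.select(now=200).spi)      # still the old SPI while negotiating
    pair.finish_rekey()
    trace.append(pair.select(now=300).spi)      # new SPI applied immediately
    return trace


if __name__ == "__main__":
    print([hex(x) if isinstance(x, int) and not isinstance(x, bool) else x
           for x in simulate()])
```

The soft threshold is what makes "the new SA is ready before the old SA expires" possible: without it, negotiation would only start at the hard limit and traffic would be unprotected (here `select()` returns `None`) until the new SA is in place.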
(2) Authentication and Encryption Algorithms
Authentication algorithm:
The authentication algorithm is realized through a hash function. A hash function is an algorithm that accepts a message of arbitrary length as input and produces an output of fixed length; the output is referred to as a message digest. Each IPSec peer computes the digest; if the two digests are the same, the message is intact and has not been tampered with.
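To make the SA triple (SPI, destination IP, protocol) and the digest check concrete, here is an added Python example, not code from the manual or the device. It stores SAs keyed by that triple, reads the SPI and sequence number from the 8-byte ESP header, and verifies a 96-bit HMAC-MD5 or HMAC-SHA-1 integrity check value over the packet using a constant-time comparison. The key, SPIs and addresses are constructed sample values, and payload encryption is left out: the payload is treated as opaque bytes.

```python
import hmac
import struct
from dataclasses import dataclass

# IP protocol numbers as given in the manual: ESP = 50, AH = 51
ESP_PROTO = 50
AH_PROTO = 51

# HMAC-MD5-96 and HMAC-SHA1-96 truncate the digest to 96 bits (12 bytes)
ICV_LEN = 12


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int          # 32-bit Security Parameter Index carried in the ESP/AH header
    dst_ip: str       # destination IP address of the protected packets
    protocol: int     # ESP_PROTO or AH_PROTO
    auth_alg: str     # "md5" or "sha1" (hashlib digest names)
    auth_key: bytes   # shared authentication key agreed between the peers


class SADatabase:
    """SAs keyed by the identifying triple (SPI, destination IP, protocol)."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        key = (sa.spi, sa.dst_ip, sa.protocol)
        if key in self._sas:
            raise ValueError("duplicate SA triple %r" % (key,))
        self._sas[key] = sa

    def lookup(self, spi, dst_ip, protocol):
        return self._sas.get((spi, dst_ip, protocol))


def parse_esp_header(packet):
    """Return (SPI, sequence number) from the ESP header: two big-endian 32-bit fields."""
    if len(packet) < 8 + ICV_LEN:
        raise ValueError("packet too short for ESP header plus ICV")
    spi, seq = struct.unpack("!II", packet[:8])
    return spi, seq


def compute_icv(sa, authenticated):
    """Message digest over header and payload, truncated to 96 bits."""
    return hmac.new(sa.auth_key, authenticated, sa.auth_alg).digest()[:ICV_LEN]


def build_esp_packet(sa, seq, payload):
    """ESP header + payload + ICV. The payload is assumed to be already-encrypted bytes."""
    body = struct.pack("!II", sa.spi, seq) + payload
    return body + compute_icv(sa, body)


def verify_esp_packet(sadb, dst_ip, packet):
    """Look up the SA by (SPI, destination IP, ESP) and check the ICV.

    Returns (sa, seq) on success, None when no SA matches the triple, and raises
    ValueError when the recomputed digest differs (packet altered or wrong key)."""
    spi, seq = parse_esp_header(packet)
    sa = sadb.lookup(spi, dst_ip, ESP_PROTO)
    if sa is None:
        return None
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    # compare_digest avoids leaking the position of the first mismatching byte
    if not hmac.compare_digest(compute_icv(sa, authenticated), icv):
        raise ValueError("ICV mismatch: packet altered or authentication key differs")
    return sa, seq


def demo():
    """Two unidirectional SAs, one per direction; all values constructed for this example."""
    key = b"constructed-example-key"
    sa_a_to_b = SecurityAssociation(0x1001, "192.0.2.2", ESP_PROTO, "sha1", key)
    sa_b_to_a = SecurityAssociation(0x2002, "192.0.2.1", ESP_PROTO, "sha1", key)
    inbound_at_b = SADatabase()
    inbound_at_b.add(sa_a_to_b)
    inbound_at_a = SADatabase()
    inbound_at_a.add(sa_b_to_a)

    pkt = build_esp_packet(sa_a_to_b, 1, b"opaque payload bytes")
    accepted = verify_esp_packet(inbound_at_b, "192.0.2.2", pkt) is not None

    # Flipping one payload bit changes the digest, so the ICV check fails.
    tampered = pkt[:10] + bytes([pkt[10] ^ 0x01]) + pkt[11:]
    try:
        verify_esp_packet(inbound_at_b, "192.0.2.2", tampered)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    # Peer A's inbound SADB has no SA for SPI 0x1001 towards 192.0.2.1.
    unknown = verify_esp_packet(inbound_at_a, "192.0.2.1", pkt) is None
    return accepted, tampered_rejected, unknown


if __name__ == "__main__":
    print(demo())
```

The lookup is done before any cryptography because the SPI, destination address and protocol are the only fields a receiver can read before it knows which key applies; only after the SA is found can the digest be recomputed and compared.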
IPSec uses two authentication algorithms: