
Nortel Secure Router 8000 Series
Troubleshooting - VAS

2 IPSec and IKE troubleshooting

2.1 IPSec and IKE overview

The IP Security (IPSec) protocol suite is a series of protocols defined by the Internet
Engineering Task Force (IETF). It provides high-quality, interoperable, cryptography-based
security for IP packets.

IPSec consists of two protocols:

Authentication Header (AH) protocol

Encapsulating Security Payload (ESP) protocol

Internet Key Exchange (IKE) provides automatic key negotiation. It sets up and maintains the
Security Association (SA), which simplifies IPSec deployment and management.

The IKE protocol is based on the Internet Security Association and Key Management Protocol
(ISAKMP). It protects its own exchanges, so the following tasks can be performed over an
untrusted network:

distributing shared keys

authenticating the peers

setting up an IPSec SA

Security Association

IPSec provides secure communication between two ends, called IPSec peers. It allows users
or administrators to control the granularity of security services between peers.

An SA is an agreement between the communicating peers on a set of security parameters and is
the basis of IPSec. It determines the following:

which protocol to apply (AH, ESP or both)

which encapsulation mode to apply (transport mode or tunnel mode)

which cryptographic algorithm to apply (DES or 3DES)

the shared key used for the specified protected data flow, and the lifetime of that key

An SA is unidirectional, so you need at least two SAs to protect the data flow of a
bidirectional communication, one per direction, each with its own SPI and key material.

An SA is uniquely identified by the following three parameters:

Security Parameter Index (SPI)

The SPI is a 32-bit number generated to uniquely identify an SA. It is carried unencrypted in
the AH/ESP header so that the receiver can select the SA before authenticating or decrypting
the packet.

destination IP address

security protocol ID (AH or ESP)

The SA lifetime can be defined in either of two ways:

Time-based lifetime: the SA is renewed after a specific interval.

Traffic-based lifetime: the SA is renewed after a certain amount of data (in bytes) has been
transmitted under it.

Whichever type of lifetime is configured, the SA becomes invalid when it expires. Before this
occurs, IKE negotiates a new IPSec SA, so that the new SA is already available when the old SA
becomes invalid.
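The two ideas above, identifying an SA by the (SPI, destination address, protocol) triple taken from the AH/ESP header and retiring it by time-based or traffic-based lifetime, are illustrated by the following added example. It is not Nortel code and is not taken from this manual: it models a receiver's Security Association Database in Python. The packet bytes, addresses, SPIs, lifetimes, and the rule that a replacement SA is requested at 80% of either lifetime are all constructed assumptions for the example; the manual only states that IKE renegotiates before expiry, not when.

```python
"""Toy IPsec Security Association Database (SAD).

Looks up the SA for an inbound AH/ESP packet by its (SPI, destination,
protocol) triple and evaluates time- and traffic-based lifetimes.
Added example, not vendor code; all packet bytes and values are constructed.
"""
import struct
from dataclasses import dataclass

IPPROTO_ESP = 50
IPPROTO_AH = 51


def parse_spi(proto, payload):
    """Return (spi, sequence) from the start of an ESP or AH header.

    ESP: SPI(4) Seq(4) ...    AH: NextHdr(1) PayloadLen(1) Rsvd(2) SPI(4) Seq(4)
    The SPI is in cleartext in both: the receiver needs it to find the SA first.
    """
    if proto == IPPROTO_ESP:
        return struct.unpack_from("!II", payload, 0)
    if proto == IPPROTO_AH:
        _nh, _plen, _rsvd, spi, seq = struct.unpack_from("!BBHII", payload, 0)
        return spi, seq
    raise ValueError(f"protocol {proto} is not AH or ESP")


@dataclass
class SA:
    spi: int
    dst: str            # destination address of the protected traffic
    proto: int          # IPPROTO_AH or IPPROTO_ESP
    mode: str           # "tunnel" or "transport"
    cipher: str         # e.g. "3des-cbc" (label only in this toy)
    time_limit_s: int   # time-based lifetime, seconds
    byte_limit: int     # traffic-based lifetime, bytes
    created_at: float   # seconds since epoch when the SA was installed
    bytes_used: int = 0

    def expired(self, now):
        """Exhausting either lifetime makes the SA invalid."""
        return (now - self.created_at >= self.time_limit_s
                or self.bytes_used >= self.byte_limit)

    def rekey_due(self, now, fraction=0.8):
        """Assumption for this example: ask IKE for a replacement SA once 80%
        of either lifetime is consumed, so the new SA exists before expiry."""
        age = (now - self.created_at) / self.time_limit_s
        used = self.bytes_used / self.byte_limit
        return max(age, used) >= fraction


class SAD:
    """Security Association Database keyed by the identifying triple."""

    def __init__(self):
        self._table = {}

    def add(self, sa):
        key = (sa.spi, sa.dst, sa.proto)
        if key in self._table:
            raise ValueError(f"duplicate SA {key}")
        self._table[key] = sa

    def lookup(self, spi, dst, proto):
        return self._table.get((spi, dst, proto))

    def process_inbound(self, dst, proto, payload, now):
        """Classify an inbound IPsec packet addressed to dst: accept, signal rekey, or drop."""
        spi, _seq = parse_spi(proto, payload)
        sa = self.lookup(spi, dst, proto)
        if sa is None:
            return "drop: no SA"          # unknown triple: nothing to verify against
        if sa.expired(now):
            return "drop: SA expired"     # lifetime exhausted, keys must not be reused
        sa.bytes_used += len(payload)     # charge traffic-based lifetime
        return "rekey" if sa.rekey_due(now) else "accept"


# Constructed packets: a 32-byte ESP packet and a 24-byte AH header, both SPI 0x1234.
ESP_TO_B = struct.pack("!II", 0x1234, 1) + b"\x00" * 24
AH_TO_B = struct.pack("!BBHII", 6, 4, 0, 0x1234, 1) + b"\x00" * 12


def build_demo_sad(now):
    """Two unidirectional SAs for one tunnel between 192.0.2.1 (A) and 198.51.100.1 (B),
    plus an AH SA that reuses SPI 0x1234 toward B to show protocol is part of the key."""
    sad = SAD()
    sad.add(SA(0x1234, "198.51.100.1", IPPROTO_ESP, "tunnel", "3des-cbc", 3600, 1_000_000, now))
    sad.add(SA(0xABCD, "192.0.2.1", IPPROTO_ESP, "tunnel", "3des-cbc", 3600, 1_000_000, now))
    sad.add(SA(0x1234, "198.51.100.1", IPPROTO_AH, "transport", "none", 3600, 1_000_000, now))
    return sad


def demo():
    now = 1_000_000.0
    sad = build_demo_sad(now)
    return [
        sad.process_inbound("198.51.100.1", IPPROTO_ESP, ESP_TO_B, now),          # accept
        sad.process_inbound("192.0.2.1", IPPROTO_ESP, ESP_TO_B, now),             # wrong dst: no SA
        sad.process_inbound("198.51.100.1", IPPROTO_AH, AH_TO_B, now),            # AH SA, same SPI
        sad.process_inbound("198.51.100.1", IPPROTO_ESP, ESP_TO_B, now + 3000),   # 83% of time: rekey
        sad.process_inbound("198.51.100.1", IPPROTO_ESP, ESP_TO_B, now + 3600),   # expired
    ]


if __name__ == "__main__":
    print(demo())
```

Note that the same SPI value selects different SAs for AH and ESP, and that a packet carrying a valid SPI but arriving at the wrong destination matches nothing; the SPI alone is never a sufficient identifier. A real implementation would also verify the ICV, enforce the sequence number and anti-replay window, and decrypt; those steps are deliberately outside this toy.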

Issue 01.01 (30 March 2009)

Nortel Networks Inc.

2-3
