Enabling mac move, Ipsec implementation – H3C Technologies H3C S12500-X Series Switches User Manual
Page 143
131
Authentication Code (HMAC) based authentication algorithms, including HMAC-MD5 and
HMAC-SHA1. Compared with HMAC-SHA1, HMAC-MD5 is faster but less secure.
463B
Encryption algorithms
IPsec uses symmetric encryption algorithms, which encrypt and decrypt data by using the same keys. The
following encryption algorithms are available for IPsec on the device:
•
DES—Encrypts a 64-bit plaintext block with a 56-bit key. DES is the least secure but the fastest
algorithm.
•
3DES—Encrypts plaintext data with three 56-bit DES keys. The key length totals up to 168 bits. It
provides moderate security strength and is slower than DES.
•
AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest
security strength and is slower than 3DES.
464B
Crypto engine
The IPsec feature is resource intensive for its complex encryption/decryption and authentication
algorithms. To improve processing performance, you can use a crypto engine to offload IPsec tasks.
The crypto engine processes all IPsec protected packets and hands the processed packets back to the
device for forwarding.
For more information about crypto engines, see "
839H
Configuring crypto engines
."
234B
IPsec implementation
To implement IPsec protection for packets between two peers, complete the following tasks on each peer:
•
Configure an IPsec policy, which defines the range of packets to be protected by IPsec and the
security parameters used for the protection.
•
Apply the IPsec policy to an interface.
When you apply an IPsec policy to an interface, you implement IPsec based on the interface. Packets
received and sent by the interface are protected according to the IPsec policy.
IPsec protects packets as follows:
•
When an IPsec peer identifies the packets to be protected according to the IPsec policy, it sets up
an IPsec tunnel and sends the packet to the remote peer through the tunnel. The IPsec tunnel can be
manually configured beforehand, or it can be set up through IKE negotiation triggered by the
packet. The IPsec tunnels are actually the IPsec SAs. The inbound packets are protected by the
inbound SA, and the outbound packets are protected by the outbound SA.
•
When the remote IPsec peer receives the packet, it drops, de-encapsulates, or directly forwards the
packet according to the configured IPsec policy.
Interface-based IPsec supports setting up IPsec tunnels based on ACLs.
465B
ACL-based IPsec
To implement ACL-based IPsec, configure an ACL to define the data flows to be protected, reference the
ACL in an IPsec policy, and then apply the IPsec policy to an interface. When packets sent by the
interface match the permit rule of the ACL, the packets are protected by the outbound IPsec SA and
encapsulated with IPsec. When the interface receives an IPsec packet whose destination address is the
IP address of the local device, it searches for the inbound IPsec SA according to the SPI carried in the
IPsec packet header for de-encapsulation. If the de-encapsulated packet matches the permit rule of the
ACL, the device processes the packet. Otherwise, it drops the packet.