Configuring ipsec, Overview, Basic concepts – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Page 864: Security protocols
843
Configuring IPsec
Overview
IP Security (IPsec) is a security framework defined by IETF for securing IP communications. It is a Layer 3
VPN technology that transmits data in a secure tunnel established between two endpoints.
IPsec guarantees the confidentiality, integrity, and authenticity of data and provides anti-replay service at
the IP layer in an insecure network environment:
•
Confidentiality—The sender encrypts packets before transmitting them over the Internet.
•
Data integrity—The receiver verifies the packets received from the sender to ensure they are not
tampered with during transmission.
•
Data origin authentication—The receiver verifies the authenticity of the sender.
•
Anti-replay—The receiver examines packets, and drops outdated or repeated packets.
IPsec delivers these benefits:
•
Reduced key negotiation overheads and simplified maintenance by supporting the IKE protocol.
IKE provides automatic key negotiation and automatic IPsec security association (SA) setup and
maintenance.
•
Good compatibility. IPsec can be applied to all IP-based application systems and services without
any modification to them.
•
Encryption on a per-packet rather than per-flow basis. This allows for flexibility and greatly
enhances IP security.
IPsec comprises a set of protocols for IP data security, including AH, ESP, IKE, and algorithms for
authentication and encryption. AH and ESP provides security services and IKE performs key exchange.
For more information about IKE, see "
Basic concepts
Security protocols
IPsec comes with two security protocols:
•
AH (protocol 51)—Provides data origin authentication, data integrity, and anti-replay services. For
these purposes, an AH header is added to each IP packet. AH is suitable for transmitting
non-critical data because it cannot prevent eavesdropping even though it works fine in preventing
data tampering. AH supports authentication algorithms such as MD5 and SHA-1.
•
ESP (protocol 50)—Provides data encryption in addition to origin authentication, data integrity, and
anti-replay services. ESP works by inserting an ESP header and an ESP trailer in IP packets. Unlike
AH, ESP encrypts data before encapsulating the data to ensure data confidentiality. ESP supports
encryption algorithms such as DES, 3DES, and AES, and authentication algorithms such as MD5
and SHA-1. The authentication function is optional to ESP.
Both AH and ESP provide authentication services, but the authentication service provided by AH is
stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used,
an IP packet is encapsulated first by ESP and then by AH.