Managing ipsec proposals, Basic concepts, Security protocol – H3C Technologies H3C Intelligent Management Center User Manual
Managing IPsec proposals
Basic concepts
An IPsec proposal defines a set of security parameters for IPsec SA negotiation, including security
protocols, encryption/authentication algorithms, and encapsulation mode.
After an IPsec proposal is created, it can be referenced by IPsec security policies.
Security protocol
IVM supports the following security protocols:
• AH—Provides data origin authentication, data integrity, and anti-replay services by adding an AH header to each IP packet. AH does not encrypt, so it prevents tampering but not eavesdropping, and is therefore suitable only for traffic whose confidentiality does not matter. AH supports authentication algorithms such as MD5 and SHA-1, applied in keyed HMAC form.
• ESP—Provides data encryption as well as data origin authentication, data integrity, and anti-replay services by inserting an ESP header and an ESP trailer into IP packets. Unlike AH, ESP encrypts the data before encapsulating it, which guarantees confidentiality. ESP supports encryption algorithms such as DES, 3DES, and AES, and authentication algorithms such as MD5 and SHA-1. Authentication is optional in ESP, but an ESP SA without it provides confidentiality only: the ciphertext can be altered in transit without detection, so select an authentication algorithm unless a separate AH SA covers the packet.
Both AH and ESP provide authentication services, but the authentication service provided by AH is stronger. AH's integrity check value (ICV) also covers the IP header, except for fields that legitimately change in transit such as TTL and the header checksum, whereas ESP's ICV covers only the ESP header and its payload, so the outer IP header of an ESP packet can be rewritten undetected. In practice, you can choose either or both security protocols. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH, so the AH ICV also covers the ESP header and ciphertext.
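The following is an added worked example, written for this page and not code from IMC or the H3C devices it manages, showing what AH actually authenticates and why its protection of the IP header is the difference from ESP. It builds an AH header on a constructed IPv4 packet, computes an HMAC-SHA1-96 ICV over the header with the mutable fields zeroed, verifies it, and keeps a 64-packet sliding anti-replay window of the kind an IPsec receiver maintains per inbound SA. The key, SPI, addresses and payload are placeholders invented for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

const protoAH, icvLen, ahLen = 51, 12, 12 + 12 // AH protocol number; HMAC-SHA1-96 ICV is 96 bits; AH header = 12 fixed bytes + ICV

// Constructed sample input: a 20-byte IPv4 header (192.0.2.1 -> 198.51.100.1, UDP, TTL 64,
// checksum left zero) and a short payload. The key is a placeholder; a real SA gets it from IKE.
var (
	ahKey     = []byte("ah-hmac-sha1-demo-key")
	sampleHdr = []byte{0x45, 0, 0, 28, 0x12, 0x34, 0x40, 0, 64, 17, 0, 0, 192, 0, 2, 1, 198, 51, 100, 1}
	sampleUDP = []byte("UDP-data")
)

func hmacSHA1_96(key, data []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(data)
	return m.Sum(nil)[:icvLen]
}

// ahAuthData is what AH authenticates (RFC 4302): the IP header with the fields routers rewrite in
// transit zeroed (TOS, flags/fragment offset, TTL, checksum), the AH header with a zeroed ICV, and
// everything after it. Addresses and total length stay covered, which ESP's ICV never gives you.
func ahAuthData(ipHdr, ah, payload []byte) []byte {
	h := append([]byte{}, ipHdr...)
	h[1], h[6], h[7], h[8], h[10], h[11] = 0, 0, 0, 0, 0, 0
	a := append([]byte{}, ah...)
	for i := 12; i < len(a); i++ {
		a[i] = 0
	}
	return append(append(h, a...), payload...)
}

// ahEncap inserts an AH header after the IP header: next hdr | payload len | reserved | SPI | seq | ICV.
func ahEncap(ipHdr, payload []byte, spi, seq uint32) []byte {
	ah := make([]byte, ahLen)
	ah[0] = ipHdr[9]          // next header: the protocol the IP header carried before AH
	ah[1] = byte(ahLen/4 - 2) // AH length in 32-bit words, minus 2
	binary.BigEndian.PutUint32(ah[4:], spi)
	binary.BigEndian.PutUint32(ah[8:], seq)
	hdr := append([]byte{}, ipHdr...)
	hdr[9] = protoAH
	binary.BigEndian.PutUint16(hdr[2:], uint16(len(hdr)+ahLen+len(payload)))
	copy(ah[12:], hmacSHA1_96(ahKey, ahAuthData(hdr, ah, payload)))
	return append(append(hdr, ah...), payload...)
}

// replayWindow is the 64-packet sliding anti-replay window a receiver keeps per inbound SA.
type replayWindow struct {
	last uint32
	bits uint64
}

func (w *replayWindow) accept(seq uint32) bool {
	switch {
	case seq == 0:
		return false
	case seq > w.last: // newer than anything seen: slide the window forward
		if shift := seq - w.last; shift < 64 {
			w.bits <<= shift
		} else {
			w.bits = 0
		}
		w.bits, w.last = w.bits|1, seq
		return true
	case w.last-seq >= 64 || w.bits&(1<<(w.last-seq)) != 0:
		return false // outside the window, or already seen
	}
	w.bits |= 1 << (w.last - seq)
	return true
}

// ahVerify recomputes the ICV (constant-time compare) and then runs the anti-replay check.
func ahVerify(pkt []byte, win *replayWindow) bool {
	if len(pkt) < 20+ahLen || pkt[9] != protoAH {
		return false
	}
	ipHdr, ah, payload := pkt[:20], pkt[20:20+ahLen], pkt[20+ahLen:]
	if !hmac.Equal(ah[12:], hmacSHA1_96(ahKey, ahAuthData(ipHdr, ah, payload))) {
		return false
	}
	return win.accept(binary.BigEndian.Uint32(ah[8:12]))
}

func main() {
	pkt := ahEncap(sampleHdr, sampleUDP, 0x2001, 1)
	var win replayWindow
	fmt.Println("as sent:", ahVerify(pkt, &win), " replayed:", ahVerify(pkt, &win))
	hop := append([]byte{}, pkt...)
	hop[8]-- // a router decrements TTL: still valid, TTL is excluded from the ICV
	fmt.Println("after one hop:", ahVerify(hop, &replayWindow{}))
	hop[12] ^= 1 // source address is immutable and covered: ICV no longer matches
	fmt.Println("source address rewritten:", ahVerify(hop, &replayWindow{}))
}
```

The TTL decrement passing while the address change fails is the whole point of the mutable-field rule: AH binds the packet to its addresses, which is what makes its authentication stronger than ESP's, and it is also why AH does not survive NAT, since a translated address changes a covered field.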
Authentication algorithm
IVM supports the following hash algorithms for authentication:
• MD5—Takes a message of arbitrary length as input and produces a 128-bit message digest.
• SHA-1—Takes a message of fewer than 2^64 bits as input and produces a 160-bit message digest.
Compared with SHA-1, MD5 is faster but less secure; choose SHA-1 when both peers support it. In IPsec neither algorithm is applied to the packet directly: each is used as a keyed HMAC (HMAC-MD5-96 or HMAC-SHA1-96), and the ICV carried in the AH or ESP packet is the HMAC output truncated to 96 bits.
Encryption algorithm
IVM supports the following encryption algorithms:
• DES—Encrypts a 64-bit plaintext block with a 56-bit key. DES is the fastest but least secure algorithm: a 56-bit key can be recovered by brute force, so use DES only when the peer supports nothing else.
• 3DES—Encrypts a 64-bit plaintext block with three 56-bit DES keys. The key material totals 168 bits, but the effective strength is about 112 bits because of the meet-in-the-middle attack. It provides moderate security strength and is roughly three times slower than DES.
• AES—Encrypts 128-bit plaintext blocks with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and should be the default choice; on most platforms it is also faster than 3DES.
Encapsulation mode
IPsec supports the following IP packet encapsulation modes:
• Tunnel mode—IPsec protects the entire original IP packet, including both the IP header and the payload. The original packet is treated as the payload: with AH, the ICV is calculated over the whole original packet; with ESP, the whole original packet plus the ESP trailer is encrypted. The result, with its AH or ESP header, is then encapsulated with a new IP header whose addresses are those of the IPsec gateways, so with ESP an observer on the path sees only the gateway addresses, not the original source and destination. Tunnel mode is typically used for protecting gateway-to-gateway communications.
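The following is an added worked example of ESP in tunnel mode, written for this page and not code from the manual or the device: it wraps a constructed inner IPv4 packet, header and all, in an ESP packet using AES-128-CBC with HMAC-SHA1-96, places a new outer IP header with the two gateway addresses in front of it, and decapsulates it on the receiving side. Keys, SPI, addresses and payload are placeholders; the strictly-increasing sequence number check is a simplification standing in for the sliding anti-replay window a real stack keeps.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample SA (AES-128-CBC, HMAC-SHA1-96) between two gateways on documentation
// addresses; a real SA gets keys, SPI and endpoints from IKE negotiation.
var (
	encKey, authKey = []byte("0123456789abcdef"), []byte("esp-hmac-sha1-demo-key")
	gwA, gwB        = [4]byte{192, 0, 2, 1}, [4]byte{198, 51, 100, 1}
)

const (
	protoIPIP, protoESP = 4, 50 // next-header values: IP-in-IP (tunnel mode) and ESP
	icvLen              = 12    // HMAC-SHA1-96: the 160-bit HMAC-SHA1 output truncated to 96 bits
)

// ipv4Header builds a minimal 20-byte IPv4 header (checksum left zero for brevity).
func ipv4Header(src, dst [4]byte, proto, ttl byte, payloadLen int) []byte {
	h := []byte{0x45, 0, 0, 0, 0, 0, 0, 0, ttl, proto, 0, 0}
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	return append(append(h, src[:]...), dst[:]...)
}

func hmacSHA1_96(key, data []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(data)
	return m.Sum(nil)[:icvLen]
}

// espTunnelEncap wraps the whole inner IP packet, header included:
// outer IP hdr | ESP hdr (SPI, seq) | IV | AES-CBC(inner pkt | padding | pad len | next hdr) | ICV
// The ICV covers the ESP header, IV and ciphertext; the new outer IP header is not authenticated.
func espTunnelEncap(inner []byte, spi, seq uint32) []byte {
	padLen := (aes.BlockSize - (len(inner)+2)%aes.BlockSize) % aes.BlockSize
	plain := append([]byte{}, inner...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding 1, 2, 3, ...
	}
	plain = append(plain, byte(padLen), protoIPIP) // ESP trailer
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(encKey)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	esp := make([]byte, 8)
	binary.BigEndian.PutUint32(esp[0:], spi)
	binary.BigEndian.PutUint32(esp[4:], seq)
	esp = append(append(esp, iv...), ct...)
	esp = append(esp, hmacSHA1_96(authKey, esp)...)
	return append(ipv4Header(gwA, gwB, protoESP, 64, len(esp)), esp...)
}

// espTunnelDecap verifies the ICV, rejects a non-increasing sequence number (simplified
// anti-replay), decrypts, strips the trailer and returns the original inner packet.
func espTunnelDecap(pkt []byte, lastSeq *uint32) ([]byte, error) {
	if len(pkt) < 20+8+2*aes.BlockSize+icvLen || pkt[9] != protoESP {
		return nil, errors.New("not a well-formed ESP packet")
	}
	body, icv := pkt[20:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	if !hmac.Equal(icv, hmacSHA1_96(authKey, body)) { // authenticate before touching ciphertext
		return nil, errors.New("ESP ICV mismatch")
	}
	seq := binary.BigEndian.Uint32(body[4:8])
	if seq <= *lastSeq {
		return nil, errors.New("ESP sequence number replayed")
	}
	*lastSeq = seq
	iv, ct := body[8:8+aes.BlockSize], body[8+aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ESP ciphertext not block aligned")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	padLen, next := int(pt[len(pt)-2]), pt[len(pt)-1]
	if next != protoIPIP || padLen+2 > len(pt) {
		return nil, errors.New("bad ESP trailer")
	}
	return pt[:len(pt)-2-padLen], nil
}

func main() {
	inner := append(ipv4Header([4]byte{10, 1, 1, 1}, [4]byte{10, 2, 2, 2}, 17, 64, 5), "hello"...)
	pkt := espTunnelEncap(inner, 0x1001, 1)
	var lastSeq uint32
	got, err := espTunnelDecap(pkt, &lastSeq)
	fmt.Printf("%d-byte inner packet -> %d bytes on the wire; recovered: %v\n", len(inner), len(pkt), err == nil && string(got) == string(inner))
	_, err = espTunnelDecap(pkt, &lastSeq)
	fmt.Println("replayed copy:", err)
}
```

Two things worth observing on the wire: the inner header (10.1.1.1 to 10.2.2.2) never appears in clear, only the gateway addresses do, and a byte flipped anywhere from the ESP header through the ciphertext fails the ICV check, whereas the outer IP header can be rewritten without ESP noticing. That second gap is exactly what adding AH on the outside closes.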