1 ipsec concepts, Red and black network, Authentication header – Nortel Networks 608(WL) User Manual

Chapter 1

IPSec: Concept for secure IP connections

E-DOC-CTC-20051017-0169 v1.0

12

1.1 IPSec Concepts

Red and Black Network

Following nomenclature will be used throughout this document:



The SpeedTouch™
The IPSec capable DSL router



The Red network
Private or trusted side of the SpeedTouch™.



The Black network
Public or non-trusted side of the SpeedTouch™. The black network is
frequently referred to as the WAN side, being the connection towards the
Internet.

Authentication Header

The Authentication Header (AH) protocol allows to check the integrity of a data
packet. A digital signature (=hash) is computed over the entire packet, with the
exception of the mutable fields (fields that change during the transmission of the
packet - e.g. TTL counter).

Encapsulated Security

Payload

The Encapsulated Security Payload (ESP) protocol provides data confidentiality and
ensures data integrity (message authentication). ESP supports various encryption
algorithms, thus making the data unreadable for an eavesdropper. A Security
Association (SA) consists of a set of parameters, negotiated between two peers:



authentication type



compression, hashing or encryption algorithms



key size



key lifetime



...

Red network

node

SpeedTouch 620 [1]

Red network

node

SpeedTouch 620 [2]

Red LAN

Trusted network side

Red LAN

Trusted network side

Black network

Non-trusted network side

As the use of the Authentication Header is deprecated, the SpeedTouch™
from Release onwards only supports the ESP protocol. Authentication
without encryption can be achieved by selecting ESP with NULL encryption.