Netopia 6.3 User Manual


Appendix B

Security Association

From the IPSEC point of view, an SA is a data structure that describes
which transformation is to be applied to a datagram and how. The SA
specifies:
• The authentication algorithm for AH and ESP
• The encryption algorithm for ESP
• The encryption and authentication keys
• The lifetime of the encryption keys
• The lifetime of the SA
• The replay prevention sequence number and the replay bit table
An arbitrary 32-bit number called a Security Parameters Index (SPI),
together with the destination host's address and the IPSEC protocol
identifier, identifies each SA. An SPI is assigned to an SA when the SA
is negotiated. The SA can be referred to by using an SPI in AH and ESP
transformations. An SA is unidirectional. SAs are commonly set up as
bundles, because two SAs are typically required for communication. SA
management is always done on bundles (setup, delete, relay).

serial communication

Method of data transmission in which data bits are transmitted
sequentially over a communication channel

SHA-1

An implementation of the U.S. Government Secure Hash Algorithm; a
160-bit authentication algorithm.

SLIP

Serial Line Internet Protocol. Predecessor to PPP that allows
communication over serial point-to-point connections running TCP/IP.
Defined in RFC 1055.

Soft MBytes

Setting the Soft MBytes parameter forces the renegotiation of the IPSec
Security Associations (SAs) at the configured Soft MByte value. The
value can be configured between 1 and 1,000,000 MB and refers to data
traffic passed. If this value is not achieved, the Hard MBytes parameter
is enforced.

Soft Seconds

Setting the Soft Seconds parameter forces the renegotiation of the
IPSec Security Associations (SAs) at the configured Soft Seconds value.
The value can be configured between 60 and 1,000,000 seconds.

SPI

The Security Parameter Index is an identifier for the encryption and
authentication algorithm and key. The SPI indicates to the remote
firewall the algorithm and key being used to encrypt and authenticate a
packet. It should be a unique number greater than 255.
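The Security Association fields, the Soft MBytes/Soft Seconds renegotiation thresholds and the SPI rule above, pulled together in an added Python model that is not code from the manual or the Netopia firmware: a per-SA anti-replay check driven by the sequence number and replay bit table, and a lifetime check that reports when a soft limit calls for renegotiation and when a hard limit expires the SA. The class, its field names, the 64-packet window width, the hard-limit values and the meaning of MB as 10^6 bytes are assumptions; the manual states only the soft ranges and the SPI rule.

```python
from dataclasses import dataclass

MB = 1_000_000  # assumption: the manual does not say whether an MByte is 10^6 or 2^20 bytes

@dataclass
class SecurityAssociation:
    # Hypothetical model of one unidirectional IPsec SA with the fields the glossary lists
    spi: int
    soft_mbytes: int
    hard_mbytes: int
    soft_seconds: int
    hard_seconds: int
    window: int = 64        # replay window width in packets (assumed value)
    bytes_passed: int = 0   # data traffic passed on this SA, in bytes
    highest_seq: int = 0    # largest sequence number accepted so far
    replay_bits: int = 0    # bit i set => sequence number highest_seq - i already seen
    def __post_init__(self) -> None:
        # SPI is 32 bits and, per this manual, must be greater than 255
        if not 255 < self.spi <= 0xFFFFFFFF:
            raise ValueError("SPI must be a 32-bit number greater than 255")
        # Soft ranges are the manual's; requiring soft < hard is an assumption
        if not 1 <= self.soft_mbytes <= 1_000_000 or self.soft_mbytes >= self.hard_mbytes:
            raise ValueError("Soft MBytes must be 1..1,000,000 and below Hard MBytes")
        if not 60 <= self.soft_seconds <= 1_000_000 or self.soft_seconds >= self.hard_seconds:
            raise ValueError("Soft Seconds must be 60..1,000,000 and below Hard Seconds")

    def accept_sequence(self, seq: int) -> bool:
        """Anti-replay check: sliding bit window over received sequence numbers."""
        if seq == 0:                      # sequence numbers start at 1
            return False
        mask = (1 << self.window) - 1
        if seq > self.highest_seq:        # newer than anything seen: slide the window
            shift = seq - self.highest_seq
            self.replay_bits = ((self.replay_bits << shift) | 1) & mask
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window or (self.replay_bits >> diff) & 1:
            return False                  # too old, or already seen: drop as a replay
        self.replay_bits |= 1 << diff
        return True

    def lifetime_state(self, elapsed_seconds: int) -> str:
        """'ok', 'renegotiate' (soft limit reached) or 'expired' (hard limit reached)."""
        mbytes = self.bytes_passed / MB
        if mbytes >= self.hard_mbytes or elapsed_seconds >= self.hard_seconds:
            return "expired"
        if mbytes >= self.soft_mbytes or elapsed_seconds >= self.soft_seconds:
            return "renegotiate"
        return "ok"
```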

STATEFUL

The Cayman Gateway monitors and maintains the state of any network
transaction. In terms of network request-and-reply, state consists of
the source IP address, destination IP address, communication ports,
and data sequence. The Cayman Gateway processes the stream of a
network conversation, rather than just individual packets. It verifies
that packets are sent from and received by the proper IP addresses
along the proper communication ports in the correct order and that no
impostor packets interrupt the packet flow. Packet filtering monitors
only the ports involved, while the Cayman Gateway analyzes the
continuous conversation stream, preventing session hijacking and denial
of service attacks.

static route

Route entered manually in a routing table.

subnet mask

A 32-bit address mask that identifies which bits of an IP address
represent network address information and which bits represent node
identifier information.

synchronous communication

Method of data communication requiring the transmission of timing
signals to keep PPP peers synchronized in sending and receiving
blocks of data.
