Security association, Encapsulation modes – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Page 865
844
Security association
A security association is an agreement negotiated between two communicating parties called IPsec
peers. It comprises a set of parameters for data protection, including security protocols, encapsulation
mode, authentication and encryption algorithms, and privacy keys and their lifetime. SAs can be set up
manually or through IKE.
An SA is unidirectional. At least two SAs are needed to protect data flows in a bidirectional
communication. Moreover, if two peers want to use both AH and ESP to protect data flows between them,
they construct an independent SA for each protocol.
An SA is uniquely identified by a triplet, which consists of the security parameter index (SPI), destination
IP address, and security protocol (AH or ESP).
An SPI is a 32-bit number for uniquely identifying an SA. It is transmitted in the AH/ESP header. A
manually configured SA requires an SPI to be specified manually for it. An IKE created SA will have an
SPI generated at random.
A manually configured SA never ages out. An IKE created SA has a specified period of lifetime, which
comes in two types:
•
Time-based lifetime—Defines how long an SA can be valid after it is created.
•
Traffic-based lifetime—Defines the maximum traffic that an SA is allowed to process.
The SA becomes invalid when either of the lifetime timers expires. Before the SA expires, IKE negotiates
a new SA, which takes over immediately after its creation.
Encapsulation modes
IPsec supports the following IP packet encapsulation modes:
•
Tunnel mode—IPsec protects the entire IP packet (the IP header and the payload). It uses the entire
IP packet to calculate an AH or ESP header, and then encapsulates the original IP packet and the
AH or ESP header with a new IP header. If you use ESP, an ESP trailer is also encapsulated. Tunnel
mode typically is used for protecting gateway-to-gateway communications.
•
Transport mode—IPsec protects only the IP payload. It uses only the IP payload to calculate the AH
or ESP header, and inserts the calculated header between the original IP header and payload. If
you use ESP, an ESP trailer is also encapsulated. The transport mode typically is used for protecting
host-to-host or host-to-gateway communications.
shows how the security protocols encapsulate an IP packet in different encapsulation modes.
Figure 897 Encapsulation by security protocols in different modes
Authentication algorithms and encryption algorithms
•
Authentication algorithms