Cisco ISR 4000 Family Routers Administrator Guidance, Page 30 of 66
Data confidentiality--The IPsec sender can encrypt packets before transmitting them across a network.
Data integrity--The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that the data has not been altered during transmission.
Data origin authentication--The IPsec receiver can authenticate the source of the sent IPsec packets. This service is dependent upon the data integrity service.
Anti-replay--The IPsec receiver can detect and reject replayed packets.
IPsec provides secure tunnels between two peers, such as two routers. The privileged administrator
defines which packets are considered sensitive and should be sent through these secure tunnels
and specifies the parameters that should be used to protect these sensitive packets by specifying
the characteristics of these tunnels. When the IPsec peer recognizes a sensitive packet, the peer
sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.
More accurately, these tunnels are sets of security associations (SAs) that are established between
two IPsec peers. The SAs define the protocols and algorithms to be applied to sensitive packets
and specify the keying material to be used by the two peers. SAs are unidirectional and are
established per security protocol (AH or ESP).
With IPsec, privileged administrators can define the traffic that needs to be protected between two
IPsec peers by configuring access lists and applying these access lists to interfaces using crypto
map sets. Therefore, traffic may be selected on the basis of the source and destination address, and
optionally the Layer 4 protocol and port. (The access lists used for IPsec are only used to determine
the traffic that needs to be protected by IPsec, not the traffic that should be blocked or permitted
through the interface. Separate access lists define blocking and permitting at the interface.)
A crypto map set can contain multiple entries, each with a different access list. The crypto map
entries are searched in sequence; for each entry, the router attempts to match the packet to the
access list specified in that entry.
When a packet matches a permit entry in a particular access list, and the corresponding crypto map
entry is tagged as cisco, connections are established, if necessary. If the crypto map entry is tagged
as ipsec-isakmp, IPsec is triggered. If there is no SA that the IPsec can use to protect this traffic to
the peer, IPsec uses IKE to negotiate with the remote peer to set up the necessary IPsec SAs on
behalf of the data flow. The negotiation uses information specified in the crypto map entry as well
as the data flow information from the specific access list entry.
Once established, the set of SAs (outbound to the peer) is then applied to the triggering packet and
to subsequent applicable packets as those packets exit the router. "Applicable" packets are packets
that match the same access list criteria that the original packet matched. For example, all applicable
packets could be encrypted before being forwarded to the remote peer. The corresponding inbound
SAs are used when processing the incoming traffic from that peer.
Access lists associated with IPsec crypto map entries also represent the traffic that the router needs
protected by IPsec. Inbound traffic is processed against crypto map entries--if an unprotected
packet matches a permit entry in a particular access list associated with an IPsec crypto map entry,
that packet is dropped because it was not sent as an IPsec-protected packet.
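The configuration procedure described above (crypto access lists that select the traffic to protect, a crypto map set whose entries are searched in sequence, a separate interface access list that decides what is permitted or blocked, and the crypto map applied to an interface), as an added Cisco IOS configuration example that is not taken from this guidance document. The interface name, all addresses, the access-list, transform-set and crypto map names, and the pre-shared key placeholder are constructed assumptions; the two peers and their LAN ranges are illustrative.

```cisco
! Added example configuration (not from the Cisco guidance document).
! Peer addresses, LAN ranges, names and the key placeholder are constructed.
!
! IKE (ISAKMP) policy used to negotiate IPsec SAs on behalf of matched flows
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 203.0.113.2
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.2
!
! Transform set: ESP with AES-256 encryption and HMAC-SHA-256 integrity, tunnel mode
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto access lists: these select ONLY the traffic that must be protected
! (source/destination, optionally Layer 4 protocol and port). They neither
! permit nor block anything at the interface.
ip access-list extended CRYPTO-TO-SITE-B
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
ip access-list extended CRYPTO-TO-SITE-C
 permit tcp 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255 eq 443
!
! Crypto map set with two ipsec-isakmp entries. Entries are searched in
! sequence-number order (10, then 20) until the packet matches a permit
! statement in that entry's access list; the match triggers IKE negotiation
! with that entry's peer if no usable SA exists yet.
crypto map CMAP-OUTSIDE 10 ipsec-isakmp
 description Site B: all IP traffic between 10.1.0.0/16 and 10.2.0.0/16
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address CRYPTO-TO-SITE-B
crypto map CMAP-OUTSIDE 20 ipsec-isakmp
 description Site C: only HTTPS from 10.1.0.0/16 to 10.3.0.0/16
 set peer 198.51.100.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address CRYPTO-TO-SITE-C
!
! Separate interface access list: this one DOES decide what is permitted or
! blocked on the interface. It admits only the IKE (UDP 500/4500) and ESP
! exchanges with the two configured peers and logs everything else.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit udp host 198.51.100.2 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.2 host 203.0.113.1
 deny ip any any log
!
! Apply the interface access list and the crypto map set to the outside interface
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map CMAP-OUTSIDE
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! Verification from privileged EXEC mode:
!   show crypto map         - each entry, its peer, transform set and access list
!   show crypto isakmp sa   - IKE SAs negotiated on behalf of matched flows
!   show crypto ipsec sa    - inbound and outbound IPsec SAs per peer, with the
!                             local/remote identities taken from the crypto ACL
```

With this configuration, a packet from 10.1.5.10 to 10.2.7.20 matches entry 10 and is sent to 203.0.113.2 inside ESP; a packet from 10.1.5.10 to 10.3.0.4 on TCP port 443 falls through entry 10 and matches entry 20; traffic from 10.1.0.0/16 to 10.3.0.0/16 on any other port matches no crypto map entry and is forwarded in the clear, so the crypto access lists should be written as narrowly or as broadly as the protection policy requires. Conversely, an unprotected packet arriving on GigabitEthernet0/0/0 from 10.2.0.0/16 to 10.1.0.0/16 matches the permit statement of CRYPTO-TO-SITE-B and is dropped, as the inbound rule above describes.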