NB3700 User Manual 3.8
5.6.2. IPsec
IPsec is a protocol suite for securing IP communications by authenticating and encrypting each packet of a communication session and thus establishing a secure virtual private network.
IPsec includes various cryptographic protocols and ciphers for key exchange and data encryption and can be seen as one of the strongest VPN technologies in terms of security. It uses the following mechanisms:
| Mechanism | Description |
| --- | --- |
| AH | Authentication Headers (AH) provide connectionless integrity and data origin authentication for IP datagrams and ensure protection against replay attacks. |
| ESP | Encapsulating Security Payloads (ESP) provide confidentiality, data-origin authentication, connectionless integrity, an anti-replay service and limited traffic-flow confidentiality. |
| SA | Security Associations (SA) provide a secure channel and a bundle of algorithms that provide the parameters necessary to operate the AH and/or ESP operations. The Internet Security Association Key Management Protocol (ISAKMP) provides a framework for authenticated key exchange. |
Negotiating keys for encryption and authentication is generally done by the Internet Key Exchange protocol (IKE), which consists of two phases:
| Phase | Description |
| --- | --- |
| IKE phase 1 | IKE authenticates the peer during this phase for setting up an ISAKMP secure association. This can be carried out by either using main or aggressive mode. The main mode approach utilizes the Diffie-Hellman key exchange and authentication is always encrypted with the negotiated key. The aggressive mode just uses hashes of the pre-shared key and therefore represents a less-secure mechanism which should generally be avoided as it is prone to dictionary attacks. |
| IKE phase 2 | IKE finally negotiates IPsec SA parameters and keys and sets up matching IPsec SAs in the peers, which is required for AH/ESP later on. |
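To check which phase 1 mode peers actually negotiate, the exchange-type field of the ISAKMP header distinguishes main mode from aggressive mode. The following is an added example, not taken from the manual or the router's software: it classifies IKEv1 messages from UDP port 500 payloads and flags aggressive mode. The header layout and exchange-type numbers follow RFC 2408 and RFC 2409; the function names and the sample messages are constructed for illustration.

```python
import struct

# ISAKMP header (RFC 2408, section 3.1): 28 bytes, network byte order.
HDR = struct.Struct("!8s8sBBBBII")
# Exchange types: 2, 4, 5 from RFC 2408; 32 from RFC 2409.
EXCHANGES = {
    2: ("phase 1", "main mode (Identity Protection)"),
    4: ("phase 1", "aggressive mode"),
    5: ("n/a", "informational"),
    32: ("phase 2", "quick mode"),
}
FLAG_ENCRYPTED = 0x01  # lowest bit of the flags byte


def classify(payload: bytes) -> dict:
    """Classify one IKEv1 message taken from a UDP/500 payload."""
    if len(payload) < HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    _ic, rcookie, _np, version, xchg, flags, _mid, length = HDR.unpack_from(payload)
    if version >> 4 != 1:
        raise ValueError("not IKEv1 (major version %d)" % (version >> 4))
    if length < HDR.size or length > len(payload):
        raise ValueError("length field does not match the payload")
    phase, name = EXCHANGES.get(xchg, ("?", "exchange type %d" % xchg))
    return {
        "phase": phase,
        "exchange": name,
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "first_message": rcookie == bytes(8),  # responder cookie still zero
        "alert": xchg == 4,  # aggressive mode negotiated: review the tunnel
    }


def build(xchg, flags=0, rcookie=bytes(8), msg_id=0, body=b""):
    """Constructed sample message: valid header plus opaque body bytes."""
    return HDR.pack(b"\x11" * 8, rcookie, 1, 0x10, xchg, flags, msg_id,
                    HDR.size + len(body)) + body


SAMPLES = [  # constructed for this example, not captured traffic
    build(2),                                            # main mode, message 1
    build(2, flags=1, rcookie=b"\x22" * 8, body=b"\x00" * 8),  # main mode, encrypted
    build(4),                                            # aggressive mode, message 1
    build(32, flags=1, rcookie=b"\x22" * 8, msg_id=0x1234, body=b"\x00" * 8),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```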