3Com 11.1 Network Router User Manual

How IPsec Works 57
IPsec works with the existing Internet infrastructure using encapsulation. It secures
a packet of data by encrypting it before sending it over the Internet. On the
receiving end, an IPsec-compliant device decrypts the data.
On each end of the link (systems at both ends comprise a security association),
IPsec is configured with the same key set and manual key information. The key set
allows each system in the security association to encrypt, decrypt, or authenticate
each other’s data.
The security protection can be selectively applied to various types of data traffic
based on protocols, IP addresses, network addresses, applications (via TCP/UDP
port addresses), and network interfaces. System-originated IP traffic (Telnet, OSPF,
RIP for example) can be protected by IPsec directly. SNA traffic can be protected
by IPsec through the DLSw tunnel. Other multiprotocol traffic (IPX, AppleTalk,
DECnet for example) and forwarded IP traffic are protected by IPsec through the
PPTP tunnel. See Chapter 12 for more information about PPTP/L2TP tunneling.
Policies
IPsec policies allow you to protect various types of traffic based on protocols, IP
addresses, network addresses, network interfaces, and applications (via port
addresses).
Encapsulation Security Payload (ESP)
ESP is used to provide data confidentiality via encryption using the DES-CBC crypto
algorithm. For outbound traffic, it encrypts the IP payload and inserts an ESP
header between the IP header and the payload. For inbound traffic, it decrypts the
IP payload and removes the ESP header.
DES and RC5 encryption algorithms are supported in the xE packages. 3DES2key is
supported only in xS packages.
DES is the Cipher Block Chaining (CBC) mode of the US Data Encryption Standard
(DES). It requires an 8-byte key and operates on 8-byte data blocks, where the
cipher output of each block is fed into the encryption of the next block, so that
blocks with the same cleartext data do not produce the same cipher output.
RC5 is a block cipher, also run in cipher block chaining mode, that may provide
slightly faster performance than DES. RC5 requires a minimum of 5 bytes for the
encryption key. The key may be as long as 7 bytes in xE packages, and as long as
16 bytes in xS packages.
3DES2key is a three-stage block cipher encryption algorithm that uses an
encrypt-decrypt-encrypt sequence for greater security than standard DES
encryption. The operation is similar to the 3DES encryption algorithm except that
instead of using unique keying information for each stage, 3DES2key uses the
same keying information for both encryption stages. 3DES2key requires a 16-byte
encryption key to be entered. It uses the first 8 bytes for both encryption phases,
and the second 8 bytes for the decrypt phase.
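The following is an added example, not code from the 3Com manual or product, that shows the two mechanisms described above: CBC chaining (why identical cleartext blocks do not repeat in the cipher output) and the two-key encrypt-decrypt-encrypt construction of 3DES2key with the 16-byte key split exactly as the text states. It uses a constructed toy 8-byte block function as a stand-in, not DES, so that it runs offline; the key, IV and data values are constructed for illustration.

```python
# Added example: CBC chaining and the 3DES2key EDE construction on a TOY block
# function (NOT DES). Only the chaining and key-split logic are the point here.
BLOCK = 8


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy invertible 8-byte block function: XOR with key, then rotate bytes left by one."""
    x = bytes(a ^ b for a, b in zip(block, key))
    return x[1:] + x[:1]


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: rotate bytes right by one, then XOR with key."""
    x = block[-1:] + block[:-1]
    return bytes(a ^ b for a, b in zip(x, key))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(enc, key, iv: bytes, data: bytes) -> bytes:
    """CBC: each cleartext block is XORed with the previous cipher block before enc()."""
    assert len(data) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = enc(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(dec, key, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(xor(dec(key, c), prev))
        prev = c
    return b"".join(out)


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """No chaining: identical cleartext blocks give identical cipher blocks."""
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def duplicate_block_count(ct: bytes) -> int:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))


def split_3des2key(key16: bytes):
    """Manual's rule: first 8 bytes drive both encrypt phases, last 8 bytes the decrypt phase."""
    assert len(key16) == 16, "3DES2key requires a 16-byte key"
    return key16[:8], key16[8:]


def ede_encrypt(k1: bytes, k2: bytes, block: bytes) -> bytes:
    return toy_block_encrypt(k1, toy_block_decrypt(k2, toy_block_encrypt(k1, block)))


def ede_decrypt(k1: bytes, k2: bytes, block: bytes) -> bytes:
    return toy_block_decrypt(k1, toy_block_encrypt(k2, toy_block_decrypt(k1, block)))
```

Note that when both halves of the 16-byte key are equal, the EDE sequence collapses to a single encryption, so a 3DES2key configuration with a repeated half gives no more protection than single DES.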
Key lengths are enforced when they are entered. Warning or error messages
inform you when the entered key does not meet the requirements.
Entered keys longer than the supported maximum length for the chosen crypto
algorithm and the package are truncated as necessary.