Product specifications
Efficient Networks® Router family Technical Reference Guide
Chapter 5: System Security, page 5-52
If ESP encryption is selected, ESP automatically encrypts the data portion (payload)
of each packet using the chosen encryption method, DES (56-bit keys) or 3DES
(168-bit keys). Note that 56-bit DES can be brute-forced with modest resources and
should only be used where the peer supports nothing stronger; prefer 3DES.
CAUTION:
Restrictions may exist on the export of the DES and 3DES encryption options outside
the United States or Canada.
Although encryption cannot be specified for individual applications, the traffic to a
server can be partitioned by selector to achieve the same effect. Because packets are
matched to a security association (SA) by any combination of protocol, source port, and
destination port, you could specify that traffic to and from one database be encrypted
while allowing unencrypted traffic to pass freely to and from other databases on the
same server.
Both the ESP and AH protocols support authentication and replay detection. Replay
detection uses the sequence number carried in each packet, checked against a receive
window, to reject old or duplicate packets. The packet is authenticated with a keyed
message digest (HMAC) computed with either of two hash algorithms: SHA-1 (Secure Hash
Algorithm 1) or MD5 (Message Digest 5).
The ESP protocol authenticates the data origin and integrity of what it encapsulates;
it does not authenticate the entire packet, because the outer IP header lies outside
the digest. The message digest covers the ESP header, the payload, and the ESP trailer,
and is appended after the trailer rather than placed before the payload.
The AH protocol authenticates the whole packet. Its digest covers both the packet's
outer IP header (except the fields that legitimately change in transit, such as TTL
and the header checksum) and its payload. Unlike ESP authentication, the message digest
is carried in the AH header, in front of the payload.
Figure 5-5 shows the transformed IP packet after the ESP or AH protocol has been
applied in tunnel mode.
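The following is an added example, not code from the guide or from the router firmware. It builds the two tunnel-mode transforms described above with HMAC-SHA1-96 authentication (ESP with null encryption, so that the placement of the digest is visible) and runs the sequence-number replay window, to show concretely that ESP's digest does not cover the outer IP header while AH's does. The outer IPv4 header, key, SPI and inner packet are constructed values.

```python
import hmac
import hashlib
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte SHA-1 HMAC truncated to 96 bits (RFC 2404)
PROTO_ESP, PROTO_AH, PROTO_IPIP = 50, 51, 4

def ipv4_header(proto, src, dst, ttl=64):
    """Constructed 20-byte outer IPv4 header; total length and checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, ttl, proto, 0, src, dst)

def zero_mutable(hdr):
    """AH zeroes the fields a router may change in flight before hashing:
    TOS, flags/fragment offset, TTL and header checksum (RFC 2402 3.3.3.1)."""
    h = bytearray(hdr)
    for i in (1, 6, 7, 8, 10, 11):
        h[i] = 0
    return bytes(h)

def icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def esp_tunnel(outer, inner, spi, seq, key):
    """ESP (null encryption): [outer IP][SPI|seq][inner pkt][pad|padlen|next][ICV].
    The ICV covers ESP header, payload and trailer only: the outer IP header is
    not authenticated, and the ICV sits after the trailer, not before the payload."""
    hdr = struct.pack("!II", spi, seq)
    pad_len = (-(len(inner) + 2)) % 4                    # align the trailer to 32 bits
    trailer = bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, PROTO_IPIP)
    authed = hdr + inner + trailer
    return outer + authed + icv(key, authed)

def esp_verify(pkt, key, outer_len=20):
    body, tag = pkt[outer_len:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv(key, body), tag):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len = body[-2]
    return spi, seq, body[8:len(body) - 2 - pad_len]

def ah_tunnel(outer, inner, spi, seq, key):
    """AH: [outer IP][next|len|rsvd|SPI|seq|ICV][inner pkt]. The ICV covers the
    outer header (mutable fields zeroed), the AH header (ICV zeroed) and payload."""
    ah_words = (12 + ICV_LEN) // 4 - 2                    # payload-length field, 4 for HMAC-SHA1-96
    fixed = struct.pack("!BBHII", PROTO_IPIP, ah_words, 0, spi, seq)
    tag = icv(key, zero_mutable(outer) + fixed + bytes(ICV_LEN) + inner)
    return outer + fixed + tag + inner

def ah_verify(pkt, key, outer_len=20):
    outer, fixed = pkt[:outer_len], pkt[outer_len:outer_len + 12]
    tag = pkt[outer_len + 12:outer_len + 12 + ICV_LEN]
    inner = pkt[outer_len + 12 + ICV_LEN:]
    if not hmac.compare_digest(icv(key, zero_mutable(outer) + fixed + bytes(ICV_LEN) + inner), tag):
        return None
    _, _, _, spi, seq = struct.unpack("!BBHII", fixed)
    return spi, seq, inner

class ReplayWindow:
    """Anti-replay check shared by ESP and AH: a 64-packet sliding bitmap over
    the sequence number rejects duplicates and anything older than the window."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0
    def accept(self, seq):
        if seq == 0:
            return False
        if seq > self.top:                                # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        back = self.top - seq
        if back >= self.size or self.bitmap & (1 << back):
            return False                                  # too old, or already seen
        self.bitmap |= 1 << back
        return True

def set_byte(pkt, i, value):
    b = bytearray(pkt); b[i] = value; return bytes(b)

def demo():
    key = b"constructed-hmac-key"                         # assumed; a real SA gets this from IKE
    inner = b"\x45\x00" + b"inner packet bytes"            # constructed inner IP packet
    spi, seq = 0x1001, 1
    esp = esp_tunnel(ipv4_header(PROTO_ESP, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"), inner, spi, seq, key)
    ah = ah_tunnel(ipv4_header(PROTO_AH, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"), inner, spi, seq, key)
    return {
        "esp_ok": esp_verify(esp, key) == (spi, seq, inner),
        "esp_outer_dst_changed": esp_verify(set_byte(esp, 19, 9), key) is not None,  # ESP cannot detect this
        "esp_payload_changed": esp_verify(set_byte(esp, 30, 0), key),                 # ICV fails: None
        "ah_ok": ah_verify(ah, key) == (spi, seq, inner),
        "ah_outer_dst_changed": ah_verify(set_byte(ah, 19, 9), key),                 # AH detects it: None
        "ah_ttl_decremented": ah_verify(set_byte(ah, 8, 63), key) is not None,       # mutable field, accepted
    }
```

The `demo()` results make the difference concrete: rewriting the outer destination address of an ESP packet passes verification because the outer header is outside the ICV, while the same change to an AH packet fails; a TTL decrement by a transit router is accepted by AH because that field is zeroed before hashing.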
IKE Management
Internet Key Exchange (IKE) management makes encryption key exchange practical,
even in large networks where there are many unknown intermediate links between
sending and receiving nodes. Unlike protocols that allow only one key exchange per
session, IKE can negotiate and refresh multiple keys between peers during a single
tunnel session. Users may specify the lifetime for which each key is valid; when it
expires, IKE rekeys. This periodic, Diffie-Hellman-based rekeying limits the amount of
traffic protected under any one key and the window in which a recovered key is useful,
which greatly reduces the chances of a network attacker finding an entry into a tunnel.
If you wish, you may also select Perfect Forward Secrecy (PFS) to increase the
security of the key exchange. With PFS, every rekey performs a fresh Diffie-Hellman
exchange, so the keys of one period are not derivable from earlier keying material:
compromise of a single key, or of the IKE session secret it was negotiated under,
exposes only the data protected by that particular key. Without PFS, all rekeyed keys
are derived from the same IKE session secret, so compromising it exposes every key
negotiated under it. However, the extra Diffie-Hellman computation at each rekey adds
overhead and causes IKE rekeys to run more slowly. Thus, on a router with limited
processing capacity, PFS is a trade-off and is not always desirable.