
Authentication and encryption, Authentication algorithms, Encryption algorithms – H3C Technologies H3C S6300 Series Switches User Manual

Page 235: IPsec implementation



Traffic-based lifetime—Defines the maximum amount of traffic that the SA can process before it expires.

If both a time-based and a traffic-based lifetime are configured for an SA, the SA becomes invalid as soon as either limit is reached. Shortly before the SA expires, IKE negotiates a replacement SA, which takes over as soon as it is established, so protected traffic is not interrupted by the rekey.

Authentication and encryption

Authentication algorithms

IPsec uses hash algorithms to perform authentication. A hash algorithm produces a fixed-length digest for an arbitrary-length message. Each IPsec peer calculates a message digest for every packet, keyed with the shared authentication key, and the receiver compares the digest it computes locally with the one carried in the packet. If the digests are identical, the receiver considers the packet intact and accepts that it was produced by a peer holding the shared key; otherwise it drops the packet.

IPsec uses Hash-based Message Authentication Code (HMAC) authentication algorithms, including HMAC-MD5 and HMAC-SHA1. Compared with HMAC-SHA1, HMAC-MD5 is faster but less secure. MD5 itself is considered broken for collision resistance, so prefer HMAC-SHA1 unless interoperability with a legacy peer requires MD5.
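The digest-and-compare step described above, as an added example that is not code from the manual or from the H3C product: it computes the truncated 96-bit HMAC (the ICV that ESP and AH carry, per RFC 2403 for HMAC-MD5-96 and RFC 2404 for HMAC-SHA-1-96) on the sending side, verifies it on the receiving side with a constant-time comparison, and shows that a single flipped payload bit or a wrong key causes the packet to be dropped. The key and packet bytes are constructed sample data, not captured from any device.

```python
import hashlib
import hmac

# ESP and AH carry a truncated HMAC called the ICV; RFC 2403 (HMAC-MD5-96)
# and RFC 2404 (HMAC-SHA-1-96) keep the leftmost 96 bits (12 bytes).
ICV_LEN = 12

# The two HMAC variants the page lists, mapped to their underlying hash.
ALGORITHMS = {
    "hmac-md5": hashlib.md5,    # 128-bit digest; faster, weaker hash
    "hmac-sha1": hashlib.sha1,  # 160-bit digest
}


def compute_icv(algorithm, key, authenticated_bytes):
    """Sender side: HMAC over the authenticated part of the packet, truncated to 96 bits."""
    digest = hmac.new(key, authenticated_bytes, ALGORITHMS[algorithm]).digest()
    return digest[:ICV_LEN]


def verify_icv(algorithm, key, authenticated_bytes, received_icv):
    """Receiver side: recompute the ICV and compare in constant time.

    hmac.compare_digest avoids leaking, through timing, how many leading
    bytes of a forged ICV happened to be correct."""
    expected = compute_icv(algorithm, key, authenticated_bytes)
    return hmac.compare_digest(expected, received_icv)


def protect(algorithm, key, packet):
    """Append the ICV, as the sending peer does before transmission."""
    return packet + compute_icv(algorithm, key, packet)


def check(algorithm, key, protected):
    """Strip and verify the ICV; return the packet, or None if it must be dropped."""
    if len(protected) < ICV_LEN:
        return None
    body, icv = protected[:-ICV_LEN], protected[-ICV_LEN:]
    if not verify_icv(algorithm, key, body, icv):
        return None
    return body


# Constructed sample data: a 20-byte key and a fake ESP header (SPI + sequence
# number) followed by a short payload. Not captured from any device.
SAMPLE_KEY = bytes(range(0x10, 0x24))
SAMPLE_PACKET = bytes.fromhex("00001001" "00000001") + b"payload-of-protected-ip-datagram"


def demo():
    """Round trip, one flipped payload bit, and a wrong key, for each algorithm."""
    results = {}
    for alg in ALGORITHMS:
        wire = protect(alg, SAMPLE_KEY, SAMPLE_PACKET)
        tampered = bytearray(wire)
        tampered[8] ^= 0x01  # flip one bit inside the payload
        results[alg] = {
            "intact": check(alg, SAMPLE_KEY, wire) == SAMPLE_PACKET,
            "tampered_dropped": check(alg, SAMPLE_KEY, bytes(tampered)) is None,
            "wrong_key_dropped": check(alg, b"x" * 20, wire) is None,
        }
    return results


if __name__ == "__main__":
    for alg, outcome in demo().items():
        print(alg, outcome)
```

Both algorithms detect the tampered packet; the difference between them lies in the strength of the underlying hash, not in this mechanism. The same truncation means the receiver can never reconstruct the full digest from the wire, so an attacker learns only 96 bits of it.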

Encryption algorithms

IPsec uses symmetric encryption algorithms, which encrypt and decrypt data with the same key. The following encryption algorithms are available for IPsec on the device:

DES—Encrypts a 64-bit plaintext block with a 56-bit key. DES is the fastest but the least secure algorithm; a 56-bit key can be recovered by exhaustive search, so use it only where a legacy peer leaves no alternative.

3DES—Encrypts plaintext data with three 56-bit DES keys. The key material totals 168 bits, but the meet-in-the-middle attack reduces the effective strength to about 112 bits. It provides moderate security strength and is slower than DES.

AES—Encrypts plaintext data with a 128-bit, 192-bit, or 256-bit key. AES provides the highest security strength and is the recommended choice. The manual lists it as slower than 3DES on this platform; on general-purpose hardware AES is usually the faster of the two.

IPsec implementation

To implement IPsec protection for packets between two peers, complete the following tasks on each peer:

Configure an IPsec policy, which defines the range of packets to be protected by IPsec and the
security parameters used for the protection.

Apply the IPsec policy to an interface or an application.

When you apply an IPsec policy to an interface, you implement IPsec based on the interface. Packets received and sent by the interface are protected according to the IPsec policy. When you apply an IPsec policy to an application, you implement IPsec based on the application. Packets of the application are protected according to the IPsec policy, regardless of the receiving and sending interface of the packets.

IPsec protects packets as follows:

When an IPsec peer identifies packets to be protected according to the IPsec policy, it sets up an IPsec tunnel and sends the packets to the remote peer through the tunnel. The IPsec tunnel can be manually configured beforehand, or it can be set up through IKE negotiation triggered by the packet. An IPsec tunnel is realized as a pair of IPsec SAs, one for each direction: inbound packets are processed by the inbound SA, and outbound packets are protected by the outbound SA.

When the remote IPsec peer receives the packet, it drops, de-encapsulates, or directly forwards the packet according to the configured IPsec policy: a protected packet whose SA lookup or integrity check fails is dropped, a valid protected packet is de-encapsulated, and a cleartext packet that the policy does not cover is forwarded as is.

Interface-based IPsec supports setting up IPsec tunnels based on ACLs.
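The processing path described above (ACL selection, the inbound/outbound SA pair, the drop / de-encapsulate / forward decision, and the traffic-based SA lifetime from the start of this page), as an added model that is not the switch's implementation and not code from the manual. It reduces ESP to an SPI header plus a 96-bit HMAC-SHA1 ICV and omits encryption, sequence numbers and IKE; the prefixes, SPIs and keys in `make_peers` are constructed sample values. A real device would rekey through IKE before the lifetime is reached rather than report an expired SA.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ICV_LEN = 12  # 96-bit truncated HMAC-SHA1, as in the ESP authentication data


@dataclass
class AclRule:
    """One permit rule of the ACL referenced by the IPsec policy (source/destination prefixes)."""
    source: str
    destination: str

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination))


@dataclass
class Sa:
    """One unidirectional SA: SPI, authentication key, traffic-based lifetime in bytes."""
    spi: int
    auth_key: bytes
    traffic_lifetime: int
    processed: int = 0

    def expired(self) -> bool:
        return self.processed >= self.traffic_lifetime


@dataclass
class IpsecPolicy:
    """The policy applied to an interface: selector ACL plus the SA pair it resolved to."""
    acl: list[AclRule]
    outbound: Sa
    inbound: Sa

    def selects(self, src: str, dst: str) -> bool:
        return any(rule.matches(src, dst) for rule in self.acl)


def _icv(sa: Sa, data: bytes) -> bytes:
    return hmac.new(sa.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]


def send(policy: IpsecPolicy, src: str, dst: str, payload: bytes):
    """Outbound direction: packets the ACL selects go through the outbound SA."""
    if not policy.selects(src, dst):
        return ("clear", payload)          # flow not covered by the policy
    sa = policy.outbound
    if sa.expired():
        return ("expired", b"")            # lifetime exhausted; a new SA is required
    header = sa.spi.to_bytes(4, "big")     # SPI tells the receiver which SA to use
    sa.processed += len(payload)
    return ("esp", header + payload + _icv(sa, header + payload))


def receive(policy: IpsecPolicy, src: str, dst: str, kind: str, data: bytes):
    """Inbound direction: drop, de-encapsulate, or forward according to the policy."""
    if kind == "esp":
        sa = policy.inbound
        if len(data) < 4 + ICV_LEN or int.from_bytes(data[:4], "big") != sa.spi:
            return ("drop", "no inbound SA for this SPI")
        body, icv = data[:-ICV_LEN], data[-ICV_LEN:]
        if not hmac.compare_digest(_icv(sa, body), icv):
            return ("drop", "ICV mismatch")
        sa.processed += len(body) - 4
        return ("deencapsulate", body[4:])
    # A cleartext packet for a flow the policy protects is dropped; the inbound
    # check uses the mirror of the outbound selector (src and dst swapped).
    if policy.selects(dst, src):
        return ("drop", "policy requires IPsec for this flow")
    return ("forward", data)


def make_peers():
    """Constructed pair of peers with mirrored ACLs and manually configured SAs.
    Keys, SPIs and prefixes are sample values, not taken from any device."""
    k_ab, k_ba = b"A" * 20, b"B" * 20
    a = IpsecPolicy([AclRule("10.1.1.0/24", "10.2.2.0/24")],
                    outbound=Sa(0x1001, k_ab, traffic_lifetime=64),
                    inbound=Sa(0x2001, k_ba, traffic_lifetime=64))
    b = IpsecPolicy([AclRule("10.2.2.0/24", "10.1.1.0/24")],
                    outbound=Sa(0x2001, k_ba, traffic_lifetime=64),
                    inbound=Sa(0x1001, k_ab, traffic_lifetime=64))
    return a, b


if __name__ == "__main__":
    a, b = make_peers()
    kind, wire = send(a, "10.1.1.5", "10.2.2.7", b"hello")
    print(kind, receive(b, "10.1.1.5", "10.2.2.7", kind, wire))
```

The mirrored ACL on each side matters: peer B decides whether an unprotected packet from 10.1.1.0/24 should have arrived inside the tunnel by matching it against its own selector in reverse, which is why a cleartext packet for a protected flow is dropped rather than forwarded.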