Ipsec for ipv6 routing protocols, Protocols and standards, Configuring ipsec – H3C Technologies H3C SecPath F1000-E User Manual

policy to the IPsec tunnel interface; if you want to apply QoS to IPsec packets, apply the QoS to the
physical interface.
IPsec for IPv6 Routing Protocols
In IPv6, IPsec uses the AH or ESP protocol to encapsulate and de-encapsulate IPv6 routing protocol
packets to provide authentication and encryption services. At present, IPsec supports OSPFv3, IPv6 BGP,
and RIPng.
IPsec for IPv6 routing protocols is implemented on a per-protocol basis. With IPsec configured for an IPv6
routing protocol, a device uses IPsec to encapsulate the sent packets of that protocol and de-encapsulate
the received packets of that protocol. If a received protocol packet is not IPsec protected, or fails to be
de-encapsulated due to, for example, decryption or authentication failure, the device discards that
packet.
IPsec for IPv4 is implemented on a per-interface basis. Currently, an IPsec-configured interface can
implement IPsec protection for IPv4 packets that are either permitted by an ACL or routed to an IPsec
tunnel interface.
IPsec for IPv6 routing protocols does not need to use an ACL to match specific traffic on an interface or
to specify the start and end points of an IPsec tunnel. An IPsec security policy is bound to a specific IPv6
routing protocol. All the packets of that protocol will be protected by IPsec regardless of where they are
forwarded.
The key exchange mechanism of IPsec is applicable only for one-to-one communications. For
one-to-many communications on broadcast networks, IPsec cannot implement automatic key exchange.
In addition, devices on a broadcast network must use the same SA parameters (SPI and key) to process
received and sent packets. Currently, the device only supports using manually configured SA parameters
in a security policy to protect IPv6 routing protocol packets.
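The receive-side discard rules and the shared SA parameters described above, as an added Python model (not H3C code and not device configuration). The packet layout is simplified, and the class and function names, the SPI and key values, the choice of HMAC-SHA1-96, and the ipsec_protected flag are assumptions made for this example.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 truncates the digest to 96 bits (RFC 2404); algorithm is an assumption

class ManualSA:
    """Constructed model of a manually keyed SA: one SPI and one key for both directions."""
    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.auth_key = spi, auth_key

    def _icv(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]

    def protect(self, seq: int, routing_pdu: bytes) -> bytes:
        # Simplified layout: SPI | sequence number | payload | ICV
        body = struct.pack("!II", self.spi, seq) + routing_pdu
        return body + self._icv(body)

    def receive(self, packet: bytes, ipsec_protected: bool = True):
        """Return (payload, None) on success, or (None, reason) when the packet is discarded."""
        if not ipsec_protected:  # hypothetical flag: packet arrived without AH/ESP
            return None, "not IPsec protected"
        if len(packet) < 8 + ICV_LEN:
            return None, "truncated"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, _seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            return None, "unknown SPI"
        if not hmac.compare_digest(icv, self._icv(body)):
            return None, "authentication failure"
        return body[8:], None

def demo():
    key = b"constructed-sample-key"        # constructed value
    hello = b"OSPFv3 HELLO (constructed)"  # stands in for a routing protocol packet
    r1, r2, r3 = (ManualSA(0x3039, key) for _ in range(3))  # same SPI and key on every router
    pkt = r1.protect(1, hello)             # one multicast packet, received by all neighbors
    return {
        "r2": r2.receive(pkt),
        "r3": r3.receive(pkt),
        "plain": r2.receive(hello, ipsec_protected=False),
        "bad_key": ManualSA(0x3039, b"different-key").receive(pkt),
        "bad_spi": ManualSA(0x9999, key).receive(pkt),
        "tampered": r2.receive(pkt[:10] + b"X" + pkt[11:]),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A router whose SPI or key differs from its neighbors discards every protocol packet it receives, so a mismatch in the manual SA parameters shows up as adjacencies that never form.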
Protocols and Standards
These protocols and standards are relevant to IPsec:
• RFC2401: Security Architecture for the Internet Protocol
• RFC2402: IP Authentication Header
• RFC2406: IP Encapsulating Security Payload
• RFC4552: Authentication/Confidentiality for OSPFv3
Configuring IPsec
You can configure IPsec by using these methods:
• ACL-based: This method uses ACLs in IPsec policies to identify data flows to be protected. The use
  of ACLs adds flexibility to IPsec policies. IPsec policies can take effect only after they are applied to
  physical interfaces. For configuration details, refer to
• Routing-based: Also called IPsec tunnel interface-based. This method depends on the routing
  mechanism to select data flows to be protected. The use of IPsec profiles greatly simplifies
  configuration and management, and enhances the scalability of large VPN networks. IPsec profiles
  can take effect only after they are applied to IPsec tunnel interfaces. For configuration details, refer
  to Implementing Tunnel Interface-Based IPsec.
• Application-based: This method allows you to bind an IPsec policy to an application to protect the
  packets of that application. Currently, this method supports IPsec for IPv6 routing protocols. By