Basic concepts, Security association, Encapsulation modes – H3C Technologies H3C SecPath F1000-E User Manual
Page 164

152
IPsec is available with the following security protocols:
•
AH (protocol 51), which provides data origin authentication, data integrity, and anti-replay services.
For these purposes, an AH header is added to each IP packet. AH is suitable for transmitting
non-critical data because it cannot prevent eavesdropping, although it can prevent data tampering.
AH supports authentication algorithms such as Message Digest (MD5) and Secure Hash Algorithm
(SHA-1).
•
ESP (protocol 50), which provides data encryption as well as data origin authentication, data
integrity, and anti-replay services. ESP works by inserting an ESP header and an ESP trailer in IP
packets. Unlike AH, ESP encrypts data before encapsulating the data to ensure data confidentiality.
ESP supports encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced
Encryption Standard (AES), and authentication algorithms such as MD5 and SHA-1. The
authentication function is optional to ESP.
Both AH and ESP provide authentication services, but the authentication service provided by AH is
stronger. In practice, you can choose either or both security protocols. When both AH and ESP are used,
an IP packet is encapsulated first by ESP and then by AH.
shows the format of IPsec packets.
Basic concepts
Security association
A security association is an agreement negotiated between two communicating parties called IPsec
peers. It comprises a set of parameters for data protection, including security protocols, encapsulation
mode, authentication and encryption algorithms, and shared keys and their lifetime. SAs can be set up
manually or through IKE.
An SA is unidirectional. At least two SAs are needed to protect data flows in a bidirectional
communication. If two peers want to use both AH and ESP to protect data flows between them, they
construct an independent SA for each protocol.
An SA is uniquely identified by a triplet, which consists of the security parameter index (SPI), destination
IP address, and security protocol identifier (AH or ESP).
An SPI is a 32-bit number for uniquely identifying an SA. It is transmitted in the AH/ESP header. A
manually configured SA requires an SPI to be specified manually for it. An IKE created SA will have an
SPI generated at random.
A manually configured SA never ages out. An IKE created SA has a specified period of lifetime, which
comes in two types:
•
Time-based lifetime, which defines how long the SA can be valid after it is created.
•
Traffic-based lifetime, which defines the maximum traffic that the SA can process.
The SA becomes invalid when either of the lifetime timers expires. Before the SA expires, IKE negotiates
a new SA, which takes over immediately after its creation. In FIPS mode, IKE negotiates a new SA also
when an IPsec SA's traffic-based lifetime expires.
Encapsulation modes
IPsec supports the following IP packet encapsulation modes:
•
Tunnel mode—IPsec protects the entire IP packet, including both the IP header and the payload. It
uses the entire IP packet to calculate an AH or ESP header, and then encapsulates the original IP
packet and the AH or ESP header with a new IP header. If you use ESP, an ESP trailer is also
encapsulated. Tunnel mode is typically used for protecting gateway-to-gateway communications.
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS