Connection initialization phase, Registration phase – H3C Technologies H3C SecPath F1000-E User Manual
Page 416
404
Connection initialization phase
When a client accesses the server for the first time, connection initialization is performed first. During the
initialization procedure, the two parties negotiate whether VAM protocol packets should be secured. If so,
they negotiate the packet encryption and integrity validation algorithms, generate the keys, and
acknowledge the negotiated result. After the connection initialization process completes, the client
proceeds with the registration phase.
shows the initialization process.
Figure 297 Initialization process
1.
The client sends the server a connection request, which carries the supported encryption and
integrity validation algorithms.
2.
Upon reception of the connection request, the server and the client begin to negotiate the
algorithms to be used, with the server dominating the negotiation. When negotiating an algorithm
to be used, the VAM server first compares the algorithm of the highest priority on its own algorithm
list against the algorithm list of the client. If a match is found, the algorithm is used. If not, the server
compares its next-highest priority algorithm against the list. The operation continues until a match
is found or all the algorithms on the server’s algorithm list have been compared. If a match is found,
the server sends to the client a connection response, which carries the negotiation result, and at the
same time, the server and the client generate the encryption key and integrity validation key.
3.
The client and server respectively checks whether the algorithm negotiation and key negotiation
are successful through the negotiation acknowledge packets.
Registration phase
Figure 298 Registration process
shows the registration process:
1.
The client sends the server a registration request, which carries information about the client.
2.
Upon reception of the registration request, the server first determines whether to authenticate the
identity of the client. If identity authentication is not required, the server directly registers the client
and sends the client a registration acknowledgement. Otherwise, the server sends the client an
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS