Basic concepts of IPsec, Security association, Encapsulation modes – H3C Technologies H3C SecPath F1000-E User Manual


supports the encryption algorithms including Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES), and authentication algorithms such as MD5 and SHA-1.

Both AH and ESP provide authentication services. However, the authentication service provided by AH is stronger than that provided by ESP. In practice, you can choose either or both security protocols as required. When both AH and ESP are used, an IP packet is encapsulated first by ESP and then by AH.

Basic Concepts of IPsec

Security association

A security association is an agreement negotiated between communicating parties called IPsec peers. It comprises a set of parameters for data protection, including security protocols, encapsulation mode, authentication and encryption algorithms, and privacy keys and their lifetime. SAs can be set up manually or through IKE.

An SA is unidirectional. Therefore, at least two SAs are needed to protect data flows in a bidirectional communication. Moreover, if two peers want to use both AH and ESP to protect data flows between them, they will construct an independent SA for each protocol.

An SA is uniquely identified by a triplet, which consists of the security parameter index (SPI), destination IP address, and security protocol (AH or ESP).
An SPI is a 32-bit number that uniquely identifies an SA. It is transmitted in the AH/ESP header. For a manually configured SA, the SPI must be specified manually; for an IKE-created SA, the SPI is generated at random.
While a manually configured SA never ages out, an IKE-created SA has a specified lifetime, which comes in two types:

Time-based lifetime, which defines how long an SA can be valid after it is created.

Traffic-based lifetime, which defines the maximum traffic that an SA is allowed to process.

An SA becomes invalid when its lifetime expires. Before that, IKE negotiates a new SA and, once it is created, the new SA takes over immediately.
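As an added illustration (not code from the H3C manual), the following Python sketch of a minimal SA database shows the points above in working form: an SA is looked up by the (SPI, destination IP, protocol) triplet, a manual SA never ages out, and an IKE-created SA stops being usable once either its time-based or its traffic-based lifetime is reached. The class names, field names and sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class SecurityAssociation:
    """One unidirectional SA, identified by the (SPI, destination IP, protocol) triplet."""
    spi: int                  # 32-bit SPI carried in the AH or ESP header
    dst_ip: str               # destination IP address of the protected traffic
    protocol: str             # "AH" or "ESP"; using both means two separate SAs
    created_at: float         # seconds (epoch or monotonic, as long as it matches `now`)
    time_lifetime: float = 0  # seconds; 0 means no time-based lifetime (manual SA)
    traffic_lifetime: int = 0 # bytes; 0 means no traffic-based lifetime (manual SA)
    bytes_processed: int = 0  # traffic counted against the traffic-based lifetime

    @property
    def key(self):
        return (self.spi, self.dst_ip, self.protocol)

    def is_expired(self, now: float) -> bool:
        if self.time_lifetime and now - self.created_at >= self.time_lifetime:
            return True
        if self.traffic_lifetime and self.bytes_processed >= self.traffic_lifetime:
            return True
        return False  # manual SAs (both lifetimes 0) never reach this point as expired


class SADatabase:
    """Minimal SA database (constructed for this example): triplet lookup and lifetime checks."""
    def __init__(self):
        self._sas = {}

    def install(self, sa: SecurityAssociation) -> None:
        if not 0 <= sa.spi < 2 ** 32:  # the SPI must fit the 32-bit header field
            raise ValueError("SPI out of range")
        self._sas[sa.key] = sa

    def lookup(self, spi: int, dst_ip: str, protocol: str, now: float):
        """Return the matching SA, or None if there is none or it has expired."""
        sa = self._sas.get((spi, dst_ip, protocol))
        if sa is None or sa.is_expired(now):
            return None
        return sa

    def process(self, spi: int, dst_ip: str, protocol: str, length: int, now: float) -> bool:
        """Account `length` bytes of a packet to its SA; False means no usable SA (drop)."""
        sa = self.lookup(spi, dst_ip, protocol, now)
        if sa is None:
            return False
        sa.bytes_processed += length
        return True
```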

Encapsulation modes

IPsec supports two IP packet encapsulation modes:

Tunnel mode – IPsec protects the entire IP packet (the IP header and the payload). It uses the entire IP packet to calculate an AH or ESP header, and then encapsulates the original IP packet and the AH or ESP header with a new IP header. If you use ESP, an ESP tail is also encapsulated. Tunnel mode is typically used for protecting gateway-to-gateway communications.

Transport mode – IPsec protects only the IP payload. It uses only the IP payload to calculate the AH or ESP header, and inserts the calculated header between the original IP header and the payload. If you use ESP, an ESP tail is also encapsulated. Transport mode is typically used for protecting host-to-host or host-to-gateway communications.

Figure 1 illustrates how IPsec uses different security protocols to encapsulate an IP packet in different encapsulation modes.
