Encryption overview, Network layer, Link layer – Enterasys Networks CSX6000 User Manual

USER’S GUIDE

36 CyberSWITCH

ENCRYPTION OVERVIEW

Cabletron’s encryption options provide two popular approaches for encrypting WAN
communications, each with distinct advantages in certain applications. These options are: Network
Layer Encryption and Link Layer Encryption.

NETWORK LAYER

Cabletron’s Network Layer Encryption is an IP Security-based form of encryption. IP Security
(IPSec) can potentially reside in many devices within the network. Since IPSec is specific to IP, data
must be contained in an IP datagram in order for encryption to take place. This also implies that an
IPSec-compliant switch or router must perform network-layer routing. A device which does not
perform network-layer processing (such as a pure bridge) will not be capable of IPSec-based
encryption. Non-IP protocols such as IPX and AppleTalk must be encapsulated within IP in order
to take advantage of IPSec.

IPSec is primarily aimed at providing secure communications across IP networks such as the
Internet. Data can traverse multiple intermediate (untrusted) nodes (such as Internet backbone
routers) while still ensuring strong data security. But it can also be applied in point-to-point
networks where the layer-3 protocol is IP (for example, IP transported across the WAN using PPP).

Network-layer encryption works as follows:
IP datagrams transmitted from one LAN to another LAN funnel through a CyberSWITCH node
where they are encrypted and encapsulated. The destination address on the encapsulated
datagram is that of the CyberSWITCH node servicing the other trusted subnet.

When the IP datagram reaches the destination CyberSWITCH node, the Encapsulating Security
Payload (ESP) header is removed, the ESP payload is decrypted, and the original IP datagram is
forwarded to its original destination.

CyberSWITCH encryption requires additional Security Association information that can be supplied
through CFGEDIT. Each security association identifies a range of IP addresses, encryption
parameters to be used to encrypt communications to those IP addresses, and the IP address of the
peer CyberSWITCH (or other ESP node) responsible for decrypting the communications. The peer
will have knowledge of the same security association.

Security associations between peer CyberSWITCH nodes are identified by a Security Parameter
Index (SPI), which is a 32-bit number. The SPI is transmitted in the ESP header and is used by the
peer CyberSWITCH node to identify the necessary information to decrypt the ESP payload.

IP datagrams to these IP destination addresses are encrypted and encapsulated with an ESP header.
The ESP header indicates a destination address of an intermediate CyberSWITCH node which will
be responsible for decrypting and decapsulating these packets before sending them on to their
intended destination.
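The network-layer flow described above, as an added example that is not part of the manual: a small Python model in which outbound datagrams select a security association by destination address range and are encapsulated toward the peer node, and the peer recovers the SA from the SPI in the ESP header. The SA table, addresses, SPIs and keys are constructed, and the SHA-256 keystream is a stand-in for the real ESP transform.

```python
# Added example, not Cabletron/Enterasys code: a minimal model of the
# network-layer flow above. Addresses, SPIs and keys are constructed, and the
# SHA-256 keystream is a stand-in for the real ESP transform.
import hashlib
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityAssociation:
    spi: int                          # 32-bit Security Parameter Index
    protected: ipaddress.IPv4Network  # trusted subnet reached via the peer
    peer: ipaddress.IPv4Address       # CyberSWITCH/ESP node that decrypts
    key: bytes                        # encryption parameters (constructed)

def keystream_xor(key: bytes, spi: int, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with a SHA-256 counter keystream (symmetric)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + spi.to_bytes(4, "big") + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def encapsulate(sa_table, src, dst, payload):
    """Outbound: select the SA whose address range covers dst, encrypt the whole
    original datagram, and address the ESP packet to the peer CyberSWITCH."""
    sa = next((s for s in sa_table if ipaddress.IPv4Address(dst) in s.protected), None)
    if sa is None:
        return None  # no SA for this destination: not encrypted by this model
    inner = f"{src}>{dst}|".encode() + payload
    return {"dst": str(sa.peer), "spi": sa.spi, "esp": keystream_xor(sa.key, sa.spi, inner)}

def decapsulate(sa_table, packet):
    """Inbound: the SPI in the ESP header identifies the SA and key; strip the
    ESP header, decrypt, and return the original (src, dst, payload)."""
    sa = next((s for s in sa_table if s.spi == packet["spi"]), None)
    if sa is None:
        return None  # unknown SPI: nothing to decrypt with, drop the packet
    inner = keystream_xor(sa.key, sa.spi, packet["esp"])
    hdr, payload = inner.split(b"|", 1)
    src, dst = hdr.decode().split(">")
    return src, dst, payload

# Constructed SA table shared by both peer nodes (one SA per remote subnet).
SA_TABLE = [
    SecurityAssociation(0x1001, ipaddress.IPv4Network("10.2.0.0/16"),
                        ipaddress.IPv4Address("198.51.100.2"), b"site-b-key"),
]
```

A datagram from 10.1.0.5 to 10.2.5.7 is wrapped in an ESP packet addressed to 198.51.100.2 with SPI 0x1001; the peer looks that SPI up, decrypts, and forwards the original datagram.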

LINK LAYER

Link layer encryption occurs at layer 2 of the ISO networking model. In the case of a WAN, PPP
acts as a layer 2 protocol. Encryption Control Protocol (ECP) serves to handle encryption of a PPP
datagram.
