IPsec is a framework of open standards developed by the Internet Engineering Task Force (IETF). IPsec provides security for transmitting sensitive information over unprotected networks such as the Internet. IPsec works at the network layer, protecting and authenticating IP packets between participating IPsec devices (so-called peers, such as Cisco routers).
IPsec provides the following network security services. These services are optional; in general, local security policy dictates the use of one or more of them:
- Data confidentiality: the IPsec sender can encrypt packets before transmitting them across the network.
- Data integrity: the IPsec receiver can authenticate packets sent by the IPsec sender to ensure that the data has not been altered in transit.
- Data origin authentication: the IPsec receiver can authenticate the source of the IPsec packets it receives. This service depends on the data integrity service.
- Anti-replay: the IPsec receiver can detect and reject replayed packets.
Note: The term authentication is used here to cover both data integrity and data origin authentication.
With IPsec, data can be transmitted across a public network without fear of eavesdropping, tampering, or spoofing. This enables applications such as virtual private networks (VPNs), including intranets, extranets, and remote user access.
Supported standards:
Cisco implements the following standards and features:
- IPsec (IP Security): a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPsec provides these security services at the IP layer; it uses IKE to negotiate protocols and algorithms according to local policy and to generate the encryption and authentication keys that IPsec uses. IPsec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
Note: The term IPsec is sometimes used to describe the whole of the IPsec data services together with the IKE security protocols, and sometimes to describe only the data services.
IPsec is documented in a series of Internet Drafts, all available at ://.
Cisco IOS IPsec implements the Security Architecture for the Internet Protocol (RFC 2401). Cisco IOS IPsec also implements RFC 2402 (IP Authentication Header) and RFC 2410 (The NULL Encryption Algorithm and Its Use With IPsec).
- Internet Key Exchange (IKE): a hybrid protocol that implements the Oakley and SKEME key exchanges inside the ISAKMP framework. IKE can be used with other protocols, but its initial implementation is with the IPsec protocol. IKE provides authentication of IPsec peers, negotiates IPsec security associations, and establishes IPsec keys.
The component technologies implemented for IPsec include:
- DES: the Data Encryption Standard is used to encrypt packet data.
Cisco IOS implements the mandatory 56-bit DES-CBC with Explicit IV.
Cisco IOS can also implement Triple DES (168-bit) encryption, depending on the software versions available for the specific platform. 3DES is a stronger encryption mode that allows more sensitive data to be protected with network-layer encryption. Both are legacy algorithms today: 56-bit DES can be brute-forced, and NIST has since deprecated 3DES, so prefer AES wherever the platform supports it.
- MD5 (HMAC variant): MD5 (Message Digest 5) is a hash algorithm. HMAC is a keyed-hash variant used to authenticate data. MD5 is no longer collision-resistant; that weakness does not directly break HMAC-MD5, but the SHA-based HMACs should be preferred.
- SHA (HMAC variant): SHA (Secure Hash Algorithm) is a hash algorithm. HMAC is a keyed-hash variant used to authenticate data.
IPsec as implemented in Cisco IOS software supports the following additional standards:
- AH: Authentication Header. A security protocol that provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram).
- ESP: Encapsulating Security Payload. A security protocol that provides data privacy services and optional data authentication and anti-replay services. ESP encapsulates the data to be protected.
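The HMAC variants listed above and the AH entry here can be tied together with a worked example. The block below is an added example, not code from the original page or from Cisco IOS: it builds an IPv4 packet carrying an AH header in transport mode, computes the HMAC-SHA-1-96 integrity check value (ICV) the way RFC 2402 requires (mutable IP header fields zeroed, AH's own ICV field zeroed), and verifies it with a constant-time comparison. Only the Python standard library is used; the key, addresses, SPI and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

AH_PROTOCOL = 51   # IP protocol number for the Authentication Header
ICV_LEN = 12       # HMAC-SHA-1-96: 160-bit MAC truncated to 96 bits (RFC 2404)
AH_FIXED_LEN = 12  # Next Header, Payload Len, Reserved, SPI, Sequence Number


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, ident=0x1234):
    """Build a 20-byte IPv4 header. The header checksum is left zero here;
    it is a mutable field and is excluded from the AH ICV anyway."""
    ver_ihl = (4 << 4) | 5
    flags_frag = 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                       flags_frag, ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_hdr):
    """Zero the IPv4 fields routers may legitimately change in transit
    (TOS, flags/fragment offset, TTL, header checksum) before hashing,
    as RFC 2402 requires. Everything else (lengths, addresses, protocol,
    identification) is authenticated."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_fixed_part(next_hdr, spi, seq):
    """AH header without the ICV. Payload Len is the AH length in 32-bit
    words minus 2: (12 + 12) / 4 - 2 = 4 for HMAC-SHA-1-96."""
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq)


def compute_icv(key, ip_hdr, ah_fixed, upper):
    """ICV over: immutable IP header fields, AH with its ICV zeroed, payload."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    mac.update(zero_mutable_fields(ip_hdr))
    mac.update(ah_fixed + b"\x00" * ICV_LEN)
    mac.update(upper)
    return mac.digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, inner_proto, upper, spi, seq, ttl=64):
    """Transport-mode AH: IP(proto=51) | AH(next=inner_proto) | upper-layer data."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(upper)
    ip_hdr = ipv4_header(src, dst, AH_PROTOCOL, total_len, ttl=ttl)
    ah_fixed = ah_fixed_part(inner_proto, spi, seq)
    icv = compute_icv(key, ip_hdr, ah_fixed, upper)
    return ip_hdr + ah_fixed + icv + upper


def verify_ah_packet(key, packet):
    """Recompute the ICV and compare in constant time. True only if every
    authenticated field (headers and payload) is unchanged."""
    ip_hdr = packet[:20]
    ah_fixed = packet[20:20 + AH_FIXED_LEN]
    icv_start = 20 + AH_FIXED_LEN
    icv = packet[icv_start:icv_start + ICV_LEN]
    upper = packet[icv_start + ICV_LEN:]
    expected = compute_icv(key, ip_hdr, ah_fixed, upper)
    return hmac.compare_digest(icv, expected)


def decrement_ttl(packet):
    """What every router on the path does; must NOT break the ICV."""
    h = bytearray(packet)
    h[8] -= 1
    return bytes(h)


def flip_payload_byte(packet):
    """What an on-path attacker might do; MUST break the ICV."""
    h = bytearray(packet)
    h[-1] ^= 0x01
    return bytes(h)


if __name__ == "__main__":
    # Constructed sample values, not real traffic.
    key = b"constructed-sample-ah-key"
    pkt = build_ah_packet(key, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                          inner_proto=6, upper=b"hello", spi=0x100, seq=1)
    print("valid:", verify_ah_packet(key, pkt))
    print("after TTL decrement:", verify_ah_packet(key, decrement_ttl(pkt)))
    print("after payload tamper:", verify_ah_packet(key, flip_payload_byte(pkt)))
```

The two tamper helpers show the practical consequence of the RFC 2402 rule: a TTL decrement by an intermediate router leaves the ICV valid, whereas a single flipped payload bit (or the wrong key) does not. `hmac.compare_digest` is used rather than `==` so the verifier does not leak where the ICV first mismatches.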
List of terms
Anti-replay
Anti-replay is a security service in which the receiver can reject old or duplicate packets in order to protect itself against replay attacks. IPsec provides this optional service by combining data authentication with a sequence number. Cisco IOS IPsec provides anti-replay whenever it provides data authentication, except for manually established security associations, which do not support this service.
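The anti-replay service described here rests on a per-SA sliding window over the sequence number, the scheme given in RFC 2401 (Appendix C). The block below is an added example, not code from the original page or from Cisco IOS: it implements that window with a 64-entry bitmap, rejects duplicates and packets older than the window, slides the window forward on new high sequence numbers, and refuses sequence number 0 and any value past the 32-bit limit (the point at which the SA must be re-keyed). The window size and the sample sequence of packets are assumptions chosen for illustration.

```python
SEQ_MAX = 0xFFFFFFFF  # 32-bit sequence number; the SA must be re-keyed before it wraps


class AntiReplayWindow:
    """Receiver-side anti-replay state for one security association.

    last_seq is the highest sequence number accepted so far; bit i of
    bitmap is set when sequence number (last_seq - i) has been accepted.
    The window therefore covers last_seq - size + 1 .. last_seq.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 2401 requires a window of at least 32")
        self.size = size
        self.last_seq = 0
        self.bitmap = 0
        self.mask = (1 << size) - 1

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window.

        Must only be called AFTER the packet's ICV has verified: a forged
        packet with a large sequence number would otherwise slide the
        window forward and cause genuine in-flight packets to be dropped.
        """
        if seq == 0 or seq > SEQ_MAX:
            return False  # 0 is never valid; beyond SEQ_MAX means the SA is exhausted
        if seq > self.last_seq:
            # New high-water mark: slide the window right by the gap.
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1  # jumped past the whole window; only seq is marked
            self.last_seq = seq
            return True
        diff = self.last_seq - seq
        if diff >= self.size:
            return False  # older than the window: drop
        if (self.bitmap >> diff) & 1:
            return False  # already seen: replay
        self.bitmap |= 1 << diff  # late but legitimate (reordered) packet
        return True


def simulate(seqs, size=64):
    """Feed a constructed sequence of (already authenticated) packets
    through one window and return the accept/reject decision for each."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: a duplicate, a reordered packet, a replay of it,
    # a jump past the window, one late-but-valid packet, one too old,
    # and a replay of the current high-water mark.
    for seq, ok in zip([1, 1, 10, 5, 5, 100, 40, 36, 100],
                       simulate([1, 1, 10, 5, 5, 100, 40, 36, 100])):
        print(f"seq {seq:>3}: {'accept' if ok else 'reject'}")
```

The ordering constraint in the docstring is the reason the page ties anti-replay to data authentication: the sequence number is only trustworthy once the ICV has been checked, so a receiver that updated the window before verifying the MAC could be pushed into dropping valid traffic by an unauthenticated forgery.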
Data authentication
Data authentication includes the following two concepts:
- Data integrity: verifying that the data has not been altered.
- Data origin authentication: verifying that the data was actually sent by the claimed sender.
The term data authentication can refer to integrity alone or to both concepts together.
Data confidentiality
Data confidentiality is a security service that protects data in transit from being read by an eavesdropper.