Avaya Configuring IPsec Services Bedienungsanleitung PDF herunterladen (Seite 34)

Configuring IPsec Services

1-16

308630-15.1 Rev 00

ESP applies the following algorithms and transform identifiers to deliver its

services:

• DES (56-bit)

• 40-bit DES (manual keying only)

• Triple DES (3DES) (3DES IPsec option only)

• HMAC Message Digest 5 (MD5)

• HMAC SHA1

ESP uses the DES algorithm or the Triple DES (3DES) algorithm for encryption.

ESP uses Hashing Message Authentication Code Message Digest 5

(HMAC MD5) or HMAC SHA1 transform identifiers for authentication.

ESP uses the CBC mode of the DES encryption algorithm. CBC is considered the

most secure mode of DES. A 56-bit or 40-bit number, known as a key, controls

encryption and decryption. Key management is automated through IKE, or can be

controlled manually.

Both sides of an SA must use the same encryption service. Normally, you should

use the stronger 56-bit DES key for greater security, or triple DES if appropriate.

However, if you are communicating with a security gateway that is limited to a

40-bit DES key due to cryptography export restrictions, you must use the 40-bit

key.

When ESP protection is used in tunnel mode, an “outer” IP header specifies the

IPsec processing destination, and an “inner” IP header specifies the (actual) target

destination for the packet. The security protocol header appears after the outer IP

header and before the inner one. Only the tunneled packet is protected, not the

outer header.

Authentication Header (AH) Protocol

The AH protocol provides data integrity, data origin authentication, and optional

anti-replay services. It provides encryption services to the header only, not to the

entire IP packet.

The AH protocol uses HMAC MD5 and HMAC SHA1 transform identifiers. The

AH protocol is not used in the Nortel Networks implementation of IPsec.

1 2 ... 29 30 31 32 33 34 35 36 37 38 39 ... 121 122

Keine Kommentare

Avaya Configuring IPsec Services Bedienungsanleitung Seite 34