Terms and Definitions

The following table lists terms and definitions used in this IPsec configuration discussion.


IPsec Configuration Terms and Definitions

Term Definition
Encapsulating Security Payload (ESP) An IPsec protocol (IP protocol number 50, defined in RFC 4303) carried as a header in IPv4 and IPv6 packets. Depending on the algorithms negotiated for the SA, ESP provides a combination of confidentiality, data origin authentication, connectionless integrity and anti-replay protection.
Encryption The process of transforming information, usually referred to as plaintext, using an algorithm, called a cipher, to make it unreadable to anyone except those possessing the associated key.
ESP Authenticity An ESP feature (data origin authentication) that ensures a packet really came from the peer that claims to have sent it.
ESP Confidentiality An ESP feature that ensures that information is accessible only to those authorized to have access.
ESP Integrity An ESP feature, also referred to as data authentication, that ensures that the contents of the packet have not been tampered with.
Hash The Secure Hash Algorithm 1 (SHA1) hash algorithm, used during Phase 1 negotiation to authenticate the peers and protect the integrity of the IKE messages. SHA1 is no longer recommended for new deployments; select a SHA-2 family hash if the platform supports one.
IKE Diffie-Hellman Group The set of public parameters (a modular prime and generator, or an elliptic curve) used by the Diffie-Hellman key exchange, which lets two parties with no prior knowledge of each other establish a shared secret key over an insecure channel. The group number determines the key strength; larger groups are stronger but cost more computation.
IKE Map A bundling of all algorithms and parameters that make up the SA.
IKE Policy A combination of security parameters that exist both locally and on the peer, to be used during the IKE SA negotiation.
IKE Proposal A set of security parameters offered to the peer during the Phase 1 and Phase 2 IPsec negotiations. In Phase 1 the two peers establish the IKE SA, a secure channel over which they then negotiate the Phase 2 (IPsec SA) parameters.
Initial Contact A feature that, when enabled, sends an INITIAL_CONTACT notification to the peer after a reboot, instructing the peer to delete the stale SAs it still holds for this device.
Internet Key Exchange protocol (IKE) The protocol used to set up a Security Association (SA) in the IPsec protocol suite (IKEv1 is defined in RFC 2409, IKEv2 in RFC 7296).
IPsec The Internet Protocol Security Architecture, defined in RFC 4301, that provides a set of security services for traffic at the IP layer in both IPv4 and IPv6 environments.
Security Association (SA) A set of shared security attributes (protocol, algorithms, keys, lifetimes and SPI) agreed between two network entities to support secure communication within the IPsec protocol suite. An SA is one-directional, so a bidirectional ESP connection uses a pair of SAs.
Security Parameter Index (SPI) A 32-bit value carried in the ESP (or AH) header that, together with the destination address and security protocol, identifies the SA in the receiver's security association database. It lets the receiver distinguish between traffic streams for which different keys, encryption rules and algorithms are in use.
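The ESP, SA and SPI entries above describe how a receiver ties an incoming packet to the right SA and rejects replays. The following Python example is added here to show that mechanism in working code; it is not part of the original page or of any vendor implementation. The header layout (4-byte SPI followed by a 4-byte sequence number) and the sliding-window anti-replay logic follow RFC 4303; the sample packets, the security association database contents (SAD), the addresses and the algorithm names are constructed for the example, and no real encryption is performed.

```python
"""Added example: parse an ESP header, select the SA by SPI, check anti-replay.

Layout follows RFC 4303: SPI (32 bits), sequence number (32 bits), then the
normally-encrypted payload. Everything below is constructed sample data.
"""
import struct
from dataclasses import dataclass

ESP_HEADER = struct.Struct("!II")   # SPI, sequence number, network byte order
REPLAY_WINDOW = 32                  # RFC 4303 minimum window; 64 is the usual default


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    cipher: str        # constructed label, no real cipher is invoked
    integrity: str
    highest_seq: int = 0
    window: int = 0    # bit 0 = highest_seq, bit k = highest_seq - k

    def check_replay(self, seq: int) -> bool:
        """Sliding-window anti-replay check (RFC 4303 Appendix A).
        Returns True and records the packet if it is new, False if it is a
        replay or has fallen behind the window."""
        if seq == 0:
            return False                               # sequence 0 is never valid
        if seq > self.highest_seq:                     # advance the window
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= REPLAY_WINDOW:
            return False                               # too old, outside the window
        if self.window & (1 << diff):
            return False                               # already received
        self.window |= 1 << diff
        return True


def make_sad() -> dict:
    """Constructed SAD: inbound SAs keyed by (destination, SPI)."""
    sas = [
        SecurityAssociation(0x0000ABCD, "192.0.2.10", "AES-CBC-256", "HMAC-SHA-256"),
        SecurityAssociation(0x0000ABCE, "192.0.2.10", "AES-GCM-128", "(AEAD)"),
    ]
    return {(sa.dst, sa.spi): sa for sa in sas}


def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    return ESP_HEADER.pack(spi, seq) + payload


def parse_esp(packet: bytes):
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    spi, seq = ESP_HEADER.unpack_from(packet)
    return spi, seq, packet[ESP_HEADER.size:]


def inbound(sad: dict, dst: str, packet: bytes) -> str:
    """Inbound processing: SA lookup by (dst, SPI), then the replay check."""
    spi, seq, _payload = parse_esp(packet)
    sa = sad.get((dst, spi))
    if sa is None:
        return "drop: no SA for SPI 0x%08x" % spi
    if not sa.check_replay(seq):
        return "drop: replayed or stale seq %d on SPI 0x%08x" % (seq, spi)
    return "accept: SPI 0x%08x seq %d via %s/%s" % (spi, seq, sa.cipher, sa.integrity)


def run_demo() -> list:
    """Feed a constructed packet sequence through inbound processing."""
    sad = make_sad()
    dst = "192.0.2.10"
    stream = [
        (0xABCD, 1), (0xABCD, 2), (0xABCD, 2),      # third packet is a replay
        (0xABCD, 5), (0xABCD, 3),                   # 3 is late but inside the window
        (0x1234, 1),                                # unknown SPI
        (0xABCD, 100), (0xABCD, 60),                # 60 is 40 behind: outside window
    ]
    return [inbound(sad, dst, build_esp(spi, seq, b"ciphertext")) for spi, seq in stream]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The lookup key here is (destination address, SPI); RFC 4301 permits a receiver to select unicast SAs by SPI alone, by SPI plus protocol, or by SPI plus protocol plus destination, as long as the SPI assignment is consistent with the choice.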
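The IKE Diffie-Hellman Group entry above is easiest to follow with the exchange written out. The following Python example is added here and is not code from the original page or from any vendor product. It runs a Diffie-Hellman exchange over IKE group 14 (the 2048-bit MODP group from RFC 3526, generator 2) and performs the public-value validation described in RFC 6989: the range check that RFC requires, plus the stronger subgroup-order check. The private exponent size, the function names and the demonstration flow are the author's assumptions; a real IKE implementation passes the resulting shared secret through the negotiated PRF rather than using it directly.

```python
"""Added example: Diffie-Hellman over IKE group 14 with peer-value validation.

The prime and generator are the RFC 3526 2048-bit MODP group values.  The
exponent size and helper names are assumptions made for this example.
"""
import hashlib
import secrets

# RFC 3526 section 3: 2048-bit MODP group (IKE group 14), generator 2.
GROUP14_P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
GROUP14_G = 2
# p is a safe prime (p = 2q + 1), and g = 2 generates the subgroup of order q.
GROUP14_Q = (GROUP14_P - 1) // 2


def generate_keypair(p: int = GROUP14_P, g: int = GROUP14_G):
    """Return (private exponent, public value).  256 random bits comfortably
    exceeds the ~112-bit strength of group 14 (assumed sizing for the example)."""
    x = secrets.randbits(256) | (1 << 255)
    return x, pow(g, x, p)


def is_valid_public(y: int, p: int = GROUP14_P, q: int = GROUP14_Q) -> bool:
    """RFC 6989 checks on a received value: it must lie strictly between 1 and
    p-1 (required), and y^q mod p == 1 confirms it is in the order-q subgroup,
    which rules out small-subgroup values (the stronger, optional check)."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def shared_secret(x: int, peer_pub: int, p: int = GROUP14_P) -> int:
    """Derive the shared secret, refusing invalid peer values first."""
    if not is_valid_public(peer_pub, p):
        raise ValueError("invalid peer Diffie-Hellman public value")
    return pow(peer_pub, x, p)


def run_exchange():
    """Both sides of the exchange; returns the two secrets for comparison."""
    x_a, y_a = generate_keypair()           # initiator: keep x_a, send y_a
    x_b, y_b = generate_keypair()           # responder: keep x_b, send y_b
    k_a = shared_secret(x_a, y_b)           # initiator uses responder's value
    k_b = shared_secret(x_b, y_a)           # responder uses initiator's value
    return k_a, k_b


def key_fingerprint(k: int) -> str:
    """Illustrative only: IKE feeds the secret into its PRF, not a bare hash."""
    return hashlib.sha256(k.to_bytes(256, "big")).hexdigest()


if __name__ == "__main__":
    k_a, k_b = run_exchange()
    print("secrets match:", k_a == k_b)
    print("fingerprint:", key_fingerprint(k_a))
```

The subgroup-order check costs a full modular exponentiation per received value, which is why RFC 6989 leaves it optional for MODP groups; the range check alone already rejects the trivial values 0, 1 and p-1.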