Understanding the IPsec Protocol

IPsec is an end-to-end security protocol suite that secures IP communications by authenticating and encrypting each IP packet of a communication session. IPsec can be used to protect data flows on a host-to-host and host-to-network basis. Because it operates at the IP layer, IPsec protects any application traffic across an IP network; applications do not need to be specifically designed to use IPsec.

The S-, K-, and 7100-Series IPsec implementation uses the ESP and SA protocols from the IPsec protocol suite. ESP provides the following for each packet:

  • Authenticity – ensures that the sender of the packet is who it claims to be
  • Integrity – ensures that the contents of the packet have not been tampered with
  • Confidentiality – ensures that information is accessible only to those authorized to have access

ESP operates directly on top of IP, using IP protocol number 50.

The Security Association (SA) protocol provides the bundle of algorithms and data required for ESP operation that is the basis for IPsec. The algorithms and keys configured within an SA are used to encrypt and authenticate a particular flow in one direction. A standard bi-directional communication session therefore uses two SAs, one for each direction. Security associations are established using the Internet Security Association and Key Management Protocol (ISAKMP), which provides for manual configuration of pre-shared secrets (keys) using the Internet Key Exchange (IKE).

IPsec identifies the SA that determines the protection applied to an outgoing packet using the Security Parameter Index (SPI) together with the destination address in the packet header. The SPI is an index into the security association database.
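The SA selection and the two-SAs-per-session rule described above, as an added example (not code from the S-, K-, or 7100-Series implementation): a small Python model of an SA database keyed by (destination address, SPI), a parser that pulls the SPI out of an ESP packet (IP protocol 50), and one bidirectional session that needs one SA per direction. Addresses, SPIs and algorithm names are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ESP_PROTOCOL = 50  # IP protocol number carried in the IPv4 header for ESP

@dataclass(frozen=True)
class SecurityAssociation:
    spi: int      # Security Parameter Index, chosen by the receiving side
    src: str      # an SA protects traffic in one direction only: src -> dst
    dst: str
    cipher: str   # hypothetical algorithm names, not the switch's CLI keywords
    auth: str

SAD = Dict[Tuple[str, int], SecurityAssociation]  # keyed by (dst address, SPI), as the text describes

def install_sa(sad: SAD, sa: SecurityAssociation) -> None:
    key = (sa.dst, sa.spi)
    if key in sad:
        raise ValueError(f"SA already installed for dst={sa.dst} spi={sa.spi:#x}")
    sad[key] = sa

def build_ipv4_esp(src: str, dst: str, spi: int, seq: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet: IPv4 header (no options) + ESP header + payload."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0,
                         64, ESP_PROTOCOL, 0, ip(src), ip(dst))
    return ip_hdr + struct.pack("!II", spi, seq) + payload

def parse_ipv4_esp(packet: bytes) -> Tuple[str, str, int, int]:
    """Return (src, dst, spi, seq); raise if the IP protocol is not 50 (ESP)."""
    if packet[9] != ESP_PROTOCOL:
        raise ValueError(f"not ESP: IP protocol {packet[9]}")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    # ESP header follows the IPv4 header (IHL * 4 bytes): SPI, then sequence number
    spi, seq = struct.unpack_from("!II", packet, (packet[0] & 0x0F) * 4)
    return src, dst, spi, seq

def lookup_sa(sad: SAD, packet: bytes) -> Optional[SecurityAssociation]:
    """Select the SA for an ESP packet by (dst, SPI)."""
    _, dst, spi, _ = parse_ipv4_esp(packet)
    return sad.get((dst, spi))  # None: no SA covers this packet

def demo_bidirectional() -> Tuple[SecurityAssociation, SecurityAssociation]:
    """One session between two hosts needs two SAs, one per direction."""
    sad: SAD = {}
    a, b = "10.0.0.1", "10.0.0.2"  # constructed addresses
    install_sa(sad, SecurityAssociation(0x1001, a, b, "aes-128-cbc", "hmac-sha1-96"))
    install_sa(sad, SecurityAssociation(0x2002, b, a, "aes-128-cbc", "hmac-sha1-96"))
    return (lookup_sa(sad, build_ipv4_esp(a, b, 0x1001, 1)),
            lookup_sa(sad, build_ipv4_esp(b, a, 0x2002, 1)))
```

A packet whose (destination, SPI) pair has no SA resolves to None, which is the case a real implementation must drop rather than forward unprotected.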

The S-, K-, and 7100-Series IPsec implementation supports the configuration of a default SA. A default SA is configured by entering the IPsec default instance configuration mode and assigning an IKE map to the default SA.