IPsec Components and IPsec VPN Features参考.ppt

IPsec VPNs IPsec Components and IPsec VPN Features What Is IPsec? IPsec is an IETF standard that employs cryptographic mechanisms on the network layer:IPsec是IETF的标准,其在网络层使用加密机制实现: Authentication of every IP packet IP报文的认证 Verification of data integrity for each packet为每一个数据包提供数据完整性的保证 Confidentiality of packet payload对数据进行机密性的保护 What Is IPsec? (Cont.) Consists of open standards for securing private communicationsIPsec由一系列的开放标准组成，用于保护秘密的通信。 Scales from small to very large networks不管是小型的网络还是大型的网络都可以实施IPsec技术。 Is available in Cisco IOS software version 11.3(T) and later Is included in PIX Firewall version 5.0 and later IPsec Security Features IPsec is the only standard Layer 3 technology that provides: Confidentiality 机密性 Data integrity 数据完整性 Authentication 认证 Replay detection 反重放检测 IPsec Protocols IPsec uses three main protocols to create a security framework: Internet Key Exchange (IKE): Provides framework for negotiation of security parameters Establishment of authenticated keys Encapsulating Security Payload (ESP): Provides framework for encrypting, authenticating, and securing of data Authentication Header (AH): Provides framework for authenticating and securing of data IPsec Headers IPsec ESP provides the following: Authentication and data integrity (MD5 or SHA-1 HMAC) with AH and ESP Confidentiality (DES, 3DES, or AES) only with ESP Peer Authentication Peer authentication methods: Username and password OTP (Pin/Tan) (one time password) Biometric (生物特征) Preshared keys Digital certificates Internet Key Exchange IKE solves the problems of manual and unscalable implementation of IPsec by automating the entire key exchange process: Negotiation of SA characteristics Automatic key generation Automatic key refresh Manageable manual configuration IKE Phases Phase 1: Authenticate the peers Negotiate a bidirectional SA Main mode or aggressive mode Phase 1.5: Xauth Mode config Phase 2: IPsec SAs/SPIs Quick mode IKE Modes IKE: Other Functions Dead peer detection (D