Page 31 of 72
Data confidentiality--The IPsec sender can encrypt packets before transmitting them
across a network.
Data integrity--The IPsec receiver can authenticate packets sent by the IPsec sender to
ensure that the data has not been altered during transmission.
Data origin authentication--The IPsec receiver can authenticate the source of the sent
IPsec packets. This service is dependent upon the data integrity service.
Anti-replay--The IPsec receiver can detect and reject replayed packets.
IPsec provides secure tunnels between two peers, such as two routers. The privileged
administrator defines which packets are considered sensitive and should be sent through these
secure tunnels and specifies the parameters that should be used to protect these sensitive packets
by specifying the characteristics of these tunnels. When the IPsec peer recognizes a sensitive
packet, the peer sets up the appropriate secure tunnel and sends the packet through the tunnel to
the remote peer.
More accurately, these tunnels are sets of security associations (SAs) that are established
between two IPsec peers. The SAs define the protocols and algorithms to be applied to sensitive
packets and specify the keying material to be used by the two peers. SAs are unidirectional and
are established per security protocol (AH or ESP).
With IPsec, privileged administrators can define the traffic that needs to be protected between
two IPsec peers by configuring access lists and applying these access lists to interfaces using
crypto map sets. Therefore, traffic may be selected on the basis of the source and destination
address, and optionally the Layer 4 protocol and port. (The access lists used for IPsec are only
used to determine the traffic that needs to be protected by IPsec, not the traffic that should be
blocked or permitted through the interface. Separate access lists define blocking and permitting
at the interface.)
A crypto map set can contain multiple entries, each with a different access list. The crypto map
entries are searched in a sequence--the router attempts to match the packet to the access list
specified in that entry.
When a packet matches a permit entry in a particular access list, and the corresponding crypto
map entry is tagged as cisco, connections are established, if necessary. If the crypto map entry is
tagged as ipsec-isakmp, IPsec is triggered. If there is no SA that the IPsec can use to protect this
traffic to the peer, IPsec uses IKE to negotiate with the remote peer to set up the necessary IPsec
SAs on behalf of the data flow. The negotiation uses information specified in the crypto map
entry as well as the data flow information from the specific access list entry.
Once established, the set of SAs (outbound to the peer) is then applied to the triggering packet
and to subsequent applicable packets as those packets exit the router. "Applicable" packets are
packets that match the same access list criteria that the original packet matched. For example, all
applicable packets could be encrypted before being forwarded to the remote peer. The
corresponding inbound SAs are used when processing the incoming traffic from that peer.
Access lists associated with IPsec crypto map entries also represent the traffic that the router
needs protected by IPsec. Inbound traffic is processed against crypto map entries--if an
unprotected packet matches a permit entry in a particular access list associated with an IPsec
crypto map entry, that packet is dropped because it was not sent as an IPsec-protected packet.
To Next Page
Loading...
Need help?
General
