Cisco CRS-1 - Carrier Routing System Router Configuration Guide

Cisco CRS-1 - Carrier Routing System Router
232 pages
Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Information About Implementing IKE Security Protocol Configurations for IPSec Networks
SC-107
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
Supported Standards
Cisco implements the following standards:
• IKE—Internet Key Exchange. A hybrid protocol that implements Oakley and Skeme key
  exchanges inside the ISAKMP framework. IKE can be used with other protocols, but its initial
  implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers,
  negotiates IPSec keys, and negotiates IPSec security associations (SAs).
  IKE is implemented following RFC 2409, The Internet Key Exchange.
• IPSec—IP Network Security Protocol. IPSec is a framework of open standards that provides data
  confidentiality, data integrity, and data authentication between participating peers. IPSec provides
  these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms
  based on local policy and to generate the encryption and authentication keys to be used by IPSec.
  IPSec is used to protect one or more data flows between a pair of hosts, a pair of security gateways,
  or a security gateway and a host.
  For more information on IPSec, see the Implementing IPSec Network Security on Cisco IOS XR
  Software module of the Cisco IOS XR System Security Configuration Guide.
• ISAKMP—Internet Security Association and Key Management Protocol. A protocol framework
  that defines payload formats, the mechanics of implementing a key exchange protocol, and the
  negotiation of a security association.
  ISAKMP is implemented following the latest version of the Internet Security Association and Key
  Management Protocol (ISAKMP) Internet Draft (RFC 2408).
• Oakley—A key exchange protocol that defines how to derive authenticated keying material.
• Skeme—A key exchange protocol that defines how to derive authenticated keying material, with
  rapid key refreshment.
The component technologies implemented for use by IKE include the following:
• DES—Data Encryption Standard. An algorithm that is used to encrypt packet data. IKE implements
  the 56-bit DES-CBC with Explicit IV standard. Cipher Block Chaining (CBC) requires an
  initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet.
  Cisco IOS XR software also implements Triple DES (168-bit) encryption, depending on the
  software versions available for a specific platform. Triple DES (3DES) is a strong form of
  encryption that allows sensitive information to be sent over untrusted networks. It enables
  customers, particularly in the finance industry, to use network-layer encryption.
• AES—Advanced Encryption Standard. Standards of 128-bit, 192-bit, and 256-bit are supported.
  Note: Cisco IOS XR images that have strong encryption (including, but not limited to, 56-bit data
  encryption feature sets) are subject to U.S. government export controls, and have a limited
  distribution. Images that are to be installed outside the United States require an export
  license. Customer orders might be denied or subject to delay because of U.S. government
  regulations. Contact your sales representative or distributor for more information, or send
  e-mail to export@cisco.com.
• Diffie-Hellman—A public-key cryptography protocol that allows two parties to establish a shared
  secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish
  session keys. 768-bit, 1024-bit, and 1536-bit Diffie-Hellman groups are supported.
• MD5 (HMAC variant)—Message Digest 5. A hash algorithm used to authenticate packet data.
  HMAC is a variant that provides an additional level of hashing.
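
The "additional level of hashing" in the MD5 (HMAC variant) entry is a keyed, nested hash. The following is an added example, not taken from the Cisco guide: HMAC-MD5 built by hand from two MD5 passes, with a receiver-side check. The function names, key and packet bytes are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 processes input in 64-byte blocks


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 by hand: MD5((K ^ opad) || MD5((K ^ ipad) || msg))."""
    if len(key) > BLOCK:                  # over-long keys are hashed first
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK, b"\x00")       # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)   # inner pad
    opad = bytes(b ^ 0x5C for b in key)   # outer pad
    inner = hashlib.md5(ipad + msg).digest()    # first hash pass
    return hashlib.md5(opad + inner).digest()   # the additional hash pass


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_md5(key, msg), tag)


def demo() -> dict:
    key = b"constructed-shared-key"          # constructed sample key
    packet = b"constructed packet payload"   # constructed sample data
    tampered = b"constructed packet payl0ad" # one byte changed in transit
    tag = hmac_md5(key, packet)
    return {
        # The hand-built construction agrees with the standard library.
        "matches_stdlib": tag == hmac.new(key, packet, hashlib.md5).digest(),
        "accepts_original": verify(key, packet, tag),
        # Without the key, a modified packet cannot carry a valid tag.
        "rejects_tampered": verify(key, tampered, tag),
        "rejects_wrong_key": verify(b"other-key", packet, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
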