Overview
The IP security functionality covered in this chapter includes the following major areas:
- Encapsulating protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), which protect the packets selected by policy
- The Internet Security Association and Key Management Protocol/Internet Key Exchange (ISAKMP/IKE) protocol suite, which automatically negotiates security associations, including the session keys they use
IPsec Terms and Acronyms
Table 8 describes terms and abbreviations that are used in this discussion of IPsec.
Table 8: IPsec Terms and Abbreviations
Term or Abbreviation | Description |
|---|---|
3DES | Triple DES encryption/decryption algorithm |
AH | Authentication Header. Provides sender (data-origin) authentication and data integrity for the packet, including the non-mutable fields of the IP header, but no confidentiality. |
CA | Certificate authority |
DES | Data Encryption Standard encryption algorithm |
DPD | Dead peer detection, which enables a router to detect that a remote peer has become unreachable so that stale SAs can be torn down. Also known as IKE keepalive. |
DSS | Digital Signature Standard authentication algorithm |
ESP | Encapsulating Security Payload, which provides data confidentiality for the encapsulated payload and, optionally, data integrity and sender authentication. Unlike AH, ESP does not protect the outer IP header. |
FQDN | Fully qualified domain name, which consists of the hostname and domain name for a specific system |
HMAC | Hashed Message Authentication Code |
IKE | Internet Key Exchange |
IKE endpoint | IP address of the entity that is one of two endpoints in an IKE/ISAKMP SA. |
Inbound traffic | In the context of a secure interface, already secured traffic arriving on that interface (matched to its SA by the SPI in the AH or ESP header). This traffic is decrypted and decapsulated, then checked against the security parameters set for that interface. |
IPsec | Internet Protocol Security |
IPsec endpoint | IP address of the entity that is one of two endpoints in an IPsec SA |
ISAKMP | Internet Security Association and Key Management Protocol |
ISAKMP SA | Security associations used to secure control channels between security gateways. These are negotiated via IKE phase 1. |
MDx | Message Digest family of hash algorithms (for example, MD5) |
Nonce | A random value used to detect and protect against replay attacks |
Outbound traffic | In the context of a secure interface, the clear traffic forwarded to the interface (either by policy or by routing) that is typically secured according to security parameters set for that interface. |
PFS | Perfect forward secrecy |
RSA | Rivest-Shamir-Adleman public-key algorithm, used for digital signatures and encryption |
SA | Security association. The set of security parameters that dictate how IPsec processes a packet, including encapsulation protocol, algorithms, session keys and anti-replay state. An SA is unidirectional, so a single secure tunnel uses multiple SAs. |
Secure tunnel | A virtual connection between two security gateways used to exchange data packets in a secure way. A secure tunnel is made up of a local (outbound) SA and a remote (inbound) SA, one for each direction, where both are negotiated in the context of an ISAKMP SA. |
SHA | Secure Hash Algorithm |
SPI | Security parameter index. A 32-bit value carried in the AH or ESP header that, together with the destination address and protocol, identifies the SA a received packet belongs to. |
VPN | Virtual private network |
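To make the SA, SPI and inbound-traffic entries above concrete, the following is an added example (it is not code from this document or from any vendor's IPsec implementation). It models a toy security association database keyed by SPI, builds integrity-only ESP packets with an HMAC-SHA1-96 ICV, and runs inbound packets through the three checks a gateway performs: SA lookup by SPI, ICV verification with that SA's key, and the RFC 4303 sliding-window anti-replay check. The SPI value, key and payloads are constructed for illustration; a real SAD is also keyed on destination address and protocol, and real ESP would encrypt the payload before computing the ICV.

```python
import hashlib
import hmac
import struct

# Added example, not part of the original document. SPI values, keys and
# payloads are constructed for illustration only.

ESP_HDR = struct.Struct("!II")  # ESP header: 32-bit SPI, 32-bit sequence number (RFC 4303)
ICV_LEN = 12                    # HMAC-SHA1-96: first 96 bits of the HMAC-SHA1 tag
SPI_A = 0x1000ABCD              # constructed SPI for the single inbound SA in this example


def make_sad():
    """Return a toy security association database keyed by inbound SPI.

    Each SA holds the parameters the glossary describes: the algorithm key
    plus the anti-replay window state that the receiver maintains.
    """
    return {
        SPI_A: {
            "auth_key": bytes.fromhex("0b" * 20),  # constructed HMAC-SHA1 key
            "window_size": 64,
            "highest_seq": 0,   # highest sequence number accepted so far
            "bitmap": 0,        # bit i set => highest_seq - i already received
        },
    }


def build_esp(spi, seq, payload, auth_key):
    """Build an integrity-only ESP packet (no encryption) with an HMAC-SHA1-96 ICV.

    The ICV covers SPI, sequence number and payload, so neither the SPI nor
    the replay counter can be altered without invalidating the tag.
    """
    hdr = ESP_HDR.pack(spi, seq)
    icv = hmac.new(auth_key, hdr + payload, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + payload + icv


def check_and_update_replay_window(sa, seq):
    """Sliding-window anti-replay check (RFC 4303 section 3.4.3).

    Returns True and records seq if it is new and inside the window; returns
    False for duplicates, packets older than the window, and sequence number
    0, which a sender never uses.
    """
    w = sa["window_size"]
    mask = (1 << w) - 1
    if seq == 0:
        return False
    if seq > sa["highest_seq"]:
        # Advance the window so that bit 0 represents the new highest seq.
        shift = seq - sa["highest_seq"]
        sa["bitmap"] = ((sa["bitmap"] << shift) | 1) & mask
        sa["highest_seq"] = seq
        return True
    offset = sa["highest_seq"] - seq
    if offset >= w:
        return False          # too old: outside the window
    if sa["bitmap"] & (1 << offset):
        return False          # already seen: replay
    sa["bitmap"] |= 1 << offset
    return True


def inbound_esp(sad, packet):
    """Process one inbound ESP packet: SA lookup by SPI, ICV check, anti-replay.

    The window is only updated after the ICV verifies, so a forged packet
    cannot move it. Returns a (status, payload) tuple.
    """
    if len(packet) < ESP_HDR.size + ICV_LEN:
        return ("malformed", None)
    spi, seq = ESP_HDR.unpack_from(packet)
    sa = sad.get(spi)
    if sa is None:
        return ("no-sa", None)  # RFC 4303: discard and log; never process without an SA
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        return ("bad-icv", None)
    if not check_and_update_replay_window(sa, seq):
        return ("replay", None)
    return ("ok", body[ESP_HDR.size:])


def demo():
    """Run a fixed sequence of constructed packets and return their statuses."""
    sad = make_sad()
    key = sad[SPI_A]["auth_key"]
    p1 = build_esp(SPI_A, 1, b"hello", key)
    p2 = build_esp(SPI_A, 5, b"world", key)
    p3 = build_esp(SPI_A, 3, b"late", key)
    tampered = p2[:8] + b"WORLD" + p2[13:]            # payload altered, ICV left as-is
    unknown = build_esp(0xDEADBEEF, 1, b"x", key)     # SPI with no SA in the SAD
    return [
        inbound_esp(sad, p1)[0],        # ok
        inbound_esp(sad, p1)[0],        # replay: same sequence number again
        inbound_esp(sad, p2)[0],        # ok: window advances to 5
        inbound_esp(sad, p3)[0],        # ok: 3 is inside the window and unseen
        inbound_esp(sad, tampered)[0],  # bad-icv
        inbound_esp(sad, unknown)[0],   # no-sa
    ]


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: an unknown SPI is rejected before any cryptography runs, the ICV is verified in constant time before the replay window is touched, and only authentic packets advance the window. Dropping a packet whose SPI has no SA, rather than falling through to cleartext processing, is the behaviour the "inbound traffic" entry describes.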