Technical Documentation

IPSec Protocols

IPSec protocols determine the type of authentication and encryption applied to packets that are secured by the router. The JUNOS Software supports the following IPSec protocols:

  • AH—Defined in RFC 2402, AH provides connectionless integrity and data origin authentication for IPv4 and IPv6 packets. It also provides protection against replays. AH authenticates as much of the IP header as possible, as well as the upper-level protocol data. However, some IP header fields may change in transit. Because the value of these fields may not be predictable by the sender, they cannot be protected by AH. In an IP header, AH can be identified with a value of 51 in the Protocol field of an IPv4 packet and the Next Header field of an IPv6 packet. An example of the IPSec protection offered by AH is shown in Figure 1.

    Note: AH is not supported on the T Series, M120, and M320 routers.

Figure 1: AH Protocol

  • ESP—Defined in RFC 2406, ESP can provide encryption and limited traffic flow confidentiality, or connectionless integrity, data origin authentication, and an anti-replay service. In an IP header, ESP can be identified by a value of 50 in the Protocol field of an IPv4 packet and the Next Header field of an IPv6 packet. An example of the IPSec protection offered by ESP is shown in Figure 2.

Figure 2: ESP Protocol

  • Bundle—When you compare AH with ESP, there are some benefits and shortcomings in both protocols. ESP provides a decent level of authentication and encryption, but does so only for part of the IP packet. Conversely, although AH does not provide encryption, it does provide authentication for the entire IP packet. Because of this, the JUNOS Software offers a third form of IPSec protocol called a protocol bundle. The bundle option offers a hybrid combination of AH authentication with ESP encryption.
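The following script is an added worked example and is not part of this Juniper documentation or of the JUNOS Software. It ties together the AH and ESP descriptions above: it parses constructed IPv4 packets, identifies AH (Protocol 51) and ESP (Protocol 50) from the Protocol field, reads the SPI and Sequence Number from each IPsec header, zeroes the IPv4 fields that RFC 2402 lists as mutable in transit (Type of Service, Flags, Fragment Offset, TTL, Header Checksum) before computing AH's integrity check value, and implements the sliding anti-replay window that both protocols rely on. The packets, the key, the window size and all function names are constructed for the example; HMAC-SHA1-96 is used as the ICV algorithm here only because it is a common AH choice, not because the page specifies it, and the header helpers assume an IPv4 header without options.

```python
import hashlib
import hmac
import struct

AH = 51   # Protocol / Next Header value for AH (RFC 2402)
ESP = 50  # Protocol / Next Header value for ESP (RFC 2406)


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header and return the fields plus the payload after it."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return {"ihl": ihl, "protocol": proto, "ttl": ttl, "src": src, "dst": dst, "payload": pkt[ihl:]}


def classify_ipsec(pkt: bytes) -> str:
    """Name the IPsec protocol carried directly after the IPv4 header, if any."""
    return {AH: "AH", ESP: "ESP"}.get(parse_ipv4(pkt)["protocol"], "other")


def parse_ah(payload: bytes) -> dict:
    """AH header: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence, ICV."""
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", payload[:12])
    ah_len = (payload_len + 2) * 4
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": payload[12:ah_len], "inner": payload[ah_len:]}


def parse_esp(payload: bytes) -> dict:
    """ESP header: SPI and Sequence Number; everything after them is protected data."""
    spi, seq = struct.unpack("!II", payload[:8])
    return {"spi": spi, "seq": seq, "protected": payload[8:]}


def zero_mutable_ipv4_fields(hdr: bytes) -> bytes:
    """Zero the fields RFC 2402 calls mutable (they may change in transit, so AH cannot cover them).
    Assumes a 20-byte header without options (constructed example)."""
    h = bytearray(hdr)
    h[1] = 0               # Type of Service
    h[6:8] = b"\x00\x00"   # Flags and Fragment Offset
    h[8] = 0               # TTL
    h[10:12] = b"\x00\x00" # Header Checksum
    return bytes(h)


def ah_icv(key: bytes, pkt: bytes) -> bytes:
    """HMAC-SHA1-96 ICV over the immutable IP header, the AH header with its ICV zeroed, and the data."""
    ip = parse_ipv4(pkt)
    ah = parse_ah(ip["payload"])
    ah_zeroed = ip["payload"][:12] + b"\x00" * len(ah["icv"])
    authed = zero_mutable_ipv4_fields(pkt[:ip["ihl"]]) + ah_zeroed + ah["inner"]
    return hmac.new(key, authed, hashlib.sha1).digest()[:12]


class ReplayWindow:
    """Sliding anti-replay window over 32-bit sequence numbers (RFC 2402 Appendix C style)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window, else False."""
        mask = (1 << self.size) - 1
        if seq == 0:                      # the first packet on an SA carries sequence 1
            return False
        if seq > self.top:                # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & mask) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                  # too old, or a replay of an accepted packet
        self.bitmap |= 1 << diff
        return True


# Constructed sample packets (not captured traffic).
def build_ipv4(proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_ah(spi: int, seq: int, inner: bytes, next_header: int = 4, icv: bytes = b"\x00" * 12) -> bytes:
    return struct.pack("!BBHII", next_header, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv + inner


def build_esp(spi: int, seq: int, protected: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + protected


KEY = b"constructed-demo-key"
SAMPLE_AH_PACKET = build_ipv4(AH, build_ah(0x1001, 1, b"inner payload"))
SAMPLE_AH_TTL63 = build_ipv4(AH, build_ah(0x1001, 1, b"inner payload"), ttl=63)  # same packet after one hop
SAMPLE_AH_TAMPERED = build_ipv4(AH, build_ah(0x1001, 1, b"inner PAYLOAD"))
SAMPLE_ESP_PACKET = build_ipv4(ESP, build_esp(0x2002, 7, b"\x00" * 16))

if __name__ == "__main__":
    for pkt in (SAMPLE_AH_PACKET, SAMPLE_ESP_PACKET):
        print(classify_ipsec(pkt), parse_ipv4(pkt)["protocol"])
```

The two AH packets differing only in TTL yield the same ICV, which is exactly the point the text makes about mutable header fields: a decrement by a router must not invalidate the authentication, so those fields are excluded from it. Any change to the inner data changes the ICV. The replay window rejects a repeated sequence number and anything older than the window, while still accepting out-of-order packets that fall inside it.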

Published: 2010-04-15