1. Home
    2. /
  2. Manuals
    3. /
  3. ZTE
    4. /
  4. ZXDSL 931VII Netvigator
    5. /
  5. 26
Page 126 / 198 Scroll up to view Page 121 - 125
ZXDSL 931WII Operation manual
This page is intentionally blank.
120
Confidential and Proprietary Information of ZTE CORPORATION
Page 127 / 198
C
h
a
p
t
e
r
1
4
IPSec
Internet Protocol Security Associations (IPSec) allows creation of
secure tunnels in the Internet Protocol (IP) layer. Secure tunnels
are used to construct VPNs over the internet.
The IPSec proto-
col design includes Internet Security Association Key Management
Protocol (ISAKMP) framework.
The Internet Key Exchange (IKE)
protocol is the primary protocol to generate and maintain IPSec
Security Associations (SAs), which are the basic building blocks of
VPNs over the Internet. IKE uses cryptography extensively. How-
ever, cryptography can be regarded as a module to generate a key
and use it to encrypt or decrypt the payload.
Once the SAs are
established, the payload is transferred using IPSec Encapsulating
Security Payload (ESP) or Authentication Header (AH) protocols.
In the two payload transfer protocols, ESP and AH, the former is
most widely used and suitable for
NAT
operation.
IPSec supports two encryption modes:
Transport and Tunnel.
Transport mode encrypts only the data portion (payload) of each
packet, but leaves the header untouched. The more secure Tunnel
mode encrypts both the header and the payload. On the receiving
side, an IPSec-compliant device decrypts each packet.
For IPsec to work, the sending and receiving devices must share
a public key.
This is accomplished through a protocol known as
ISAKMP/Oakley, which allows the receiver to obtain a public key
and authenticate the sender using digital certificates.
Table of Contents
VPN
...............................................................................
121
ISAKMP
..........................................................................
122
IKE
................................................................................
123
VPN
A virtual private network (
VPN
) provides a secure connection be-
tween a sender and a receiver over a public non-secure network
such as the Internet. A secure connection is generally associated
with private networks.
(A private network is a network that is
owned, or at least controlled via leased lines, by an organization.)
Using the techniques discussed later in this chapter, a VPN can
transform the characteristics of a public non-secure network into
those of a private secure network.
VPNs reduce remote access
costs by using public network resources. Compared to other solu-
tions, including private networks, a VPN is inexpensive.
Confidential and Proprietary Information of ZTE CORPORATION
121
Page 128 / 198
ZXDSL 931WII Operation manual
VPNs are not new. In fact, they have been used in telephone net-
works for years and have become more prevalent since the devel-
opment of the intelligent network.
Frame relay networks, which
have been around for some time, are VPNs.
Virtual private net-
works are only new to IP networks such as the Internet. Therefore,
some authors use the terms Internet VPN and virtual private data
network to distinguish the VPN described in this chapter from other
VPNs. In this book, the term VPN refers to Internet VPN.
The goal of a VPN is to provide a secure passage for data of users
over the non-secure Internet.
It enables companies to use the
Internet as the virtual backbone for their corporate networks by
allowing them to create secure virtual links between their corpo-
rate office and branch or remote offices via the Internet. The cost
benefits of VPN service have prompted corporations to move more
of their data from private
WAN
s to Internet-based VPNs.
ISAKMP
ISAKMP is a definition of a high level abstract framework for point
to point, two party asymmetric key management protocols. Being
asymmetric one party assumes the role of initiator, which begins
the exchange of protocol messages by sending the first message.
The second is the responder which replies to the first message from
the initiator. ISAKMP makes a distinction between a key exchange
and key management (when the key is rolled to the next one).
Key exchange is mainly concerned with exchanging information to
generate secret keys shared between two parties. ISAKMP nego-
tiation is divided into two phases.
In the first phase ISAKMP SA
is established between two entities to protect further negotiation
traffic. The second phase SA is used for some security protocol.
The key exchange protocol must:
Generate a set of secret keys shared between the initiator and
the responder.
Authenticate the identity of the initiator and the responder.
Ensure independence of the sets of keys generated. This prop-
erty is also known as Perfect Forward Secrecy (PFS).
Key exchange protocol must be scalable.
Once the keys are generated and shared, there must be some
parameters agreed between the parties to use the keys. The fol-
lowing are the parameters to use the keys:
Cryptographic algorithms and parameters to the cryptographic
algorithms to be used with the keys.
How to apply the cryptographic algorithms and keys.
Key lifetime and refreshment policy.
122
Confidential and Proprietary Information of ZTE CORPORATION
Page 129 / 198
Chapter 14 IPSec
IKE
The Internet Key Exchange (IKE) protocol is a key management
protocol standard which is used in conjunction with the IPSec stan-
dard. IPSec is an IP security feature that provides robust authen-
tication and encryption of IP packets.
IPSec can be configured
without IKE, but IKE enhances IPSec by providing additional fea-
tures, flexibility, and ease of configuration for the IPSec standard.
IKE
is
a
hybrid
protocol
which
implements
the
OAKLEY
key
exchange and SKEME key exchange inside the Internet Security
Association and Key Management Protocol (ISAKMP) framework.
(ISAKMP, OAKLEY, and SKEME are security protocols implemented
by IKE.).
OAKLEY: Describes a specific mechanism for exchanging keys
through the definition of various key exchange “modes”. Most
of the IKE key exchange process is based on OAKLEY.
SKEME: Describes a different key exchange mechanism than
OAKLEY. IKE uses some features from SKEME, including its
method of public key encryption and its fast re-keying feature.
Confidential and Proprietary Information of ZTE CORPORATION
123
Page 130 / 198
ZXDSL 931WII Operation manual
This page is intentionally blank.
124
Confidential and Proprietary Information of ZTE CORPORATION

Rate

4 / 5 based on 1 vote.

Popular ZTE Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top