Avaya IP Security User Manual

Configuring IPsec Services

BayRS Version 13.20 Site Manager Software Version 7.20
Part No. 304111-B Rev 00 April 1999
Bay Networ ks, Inc.
4401 Great America Parkway
Santa Clara, CA 95054
Copyright © 1999 Bay Networks, Inc.
All rights reserved. Printed in the USA. April 1999. The information in this document is subject to change without notice. The statements, configurations, technical data,
and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility fo r th eir a pplic a tio ns of any products specified in this document. The information in this document is proprietary to Bay Networks, Inc.
The software described in this document is furnished under a license agreement and may only be used in accordance with the terms of that licen se. A summary of the Software License is included in this document.
Trademarks
AN, BN, and Bay Networks are registered trademarks and Advanced Remote Node, ARN, ASN, BayRS, BayStack, and System 5000 are trademarks of Bay Networks, Inc.
All other trademarks and registered trademarks are t he property of their respective owners.
Restricted Rights Legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer So ftware clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights cl ause at FAR 52.227-19.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, Bay Networks, Inc. reserves the right to make changes to the pr oducts described in this document without notice.
Bay Networks, Inc. does not assume any liability that may occur du e to the use or application of the product(s) or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided th at the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that su ch portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
304111-B Rev 00
Bay Networks, Inc. Software License Agreement
NOTICE: Please carefully read this license agre ement before copying or using the accompanying software or installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement). BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS UNDER WHICH BAY NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE. If you do not accept these terms and conditions, return the product, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
1. License Grant. Bay Networks, Inc. (“Bay Networks”) grants the end user of the Software (“Licensee”) a personal, nonexclusive, nontransferable license: a) to use the Software either on a single computer or, if applicable, on a single authorized device identified by host ID, for which it was originally acquired; b) to copy the Software solely for backup purposes in support of authorized use of the Software; and c) to use and copy the associated user manual solely i n support of authorized use of the Software by Licensee. This license applies to the Software only and does not extend to Bay Networks Agent software or other Bay Networks software pro ducts. Bay Networks Agent software or other Bay Networks software products are licensed for use under the terms of the applicable Bay Networks, Inc. Software License Agreement that accomp anies such software and upon payment by the end user of the applicable license fees for such software.
2. Restrictions on use; reservation of rights. The Software and user manuals are protected under copyright laws. Bay Networks and/or it s licensors retain all title and ownership in both the Software and user manuals, including any revisions made by Bay Networks or its licensors. The copyright notice must be reproduced and included with any copy of any portion of the Software or user manuals. Licensee may not modify, translate, decompile, disassemble, use for any competitiv e analysis, re v erse engineer , distrib ute, or create deriv ati ve works from the Softwa re or user manuals or any copy, in whole or in part. Except as expressly provided in thi s Agreement, Licensee may not copy or transfer the Software or user manuals, in whole or in part. The Soft ware and user manuals embody Bay Networks’ and its licensors’ confidential and proprietary intellectual property. Licensee shall not sublicense, assign, or otherwise disclose to any third party the Software, or any information about the operation, design, performance, or implementation of the Software and user manuals that is confidential to Bay Networks and its licensors; however, Licensee may grant permission to its consultants, subcontractors, a nd agents to use the Softw are at Licensee’s facility , provided they have agreed to use the Software only in accordance with the terms of this license.
3. Limited warranty. Bay Netw o r ks wa r ra nts ea c h item of So ft ware, as delivered by Bay Networks and properly installed and operated on Bay Networks hardware or other equipment it is originally licensed for, to function substantially as described in its accompanying user m anual during its warranty period , which begins on the date Software is first shipped to Licensee. If an y item of S oftware f ails to so function d uring its w arranty period, as the sole remedy Bay Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be included in a future Software release. Bay Network s fur ther w arra nts to Licen see that the medi a on which the Software is provided will be free from defec ts in materials and wo rkman ship under no rmal use for a peri od of 90 da ys from the date Software is first shipped to Licensee. Bay Networks will replace defective media at no cha rge if it is returned to Bay Netw orks during the warran ty perio d alon g with proof of the date of shipment . This war ranty do es not apply if the media has been dam aged as a resul t of acci dent, misuse , or ab use. The Licen see assumes all re sponsibilit y for selection of the Software to achieve Licensee’s intended results and for the installation, use, and results obtained from the Software. Bay Networks does not warrant a) that the functions contained in the software will meet the Licensee’ s requireme nts, b) that the Software will operate in the hardware or software combinations tha t the L icens ee may select, c) that the operation of the Softw a re will be uninterru pte d or error free, or d) that all defec ts in the operation of the Software will be corrected. Bay Networks is not obligated to remedy any Software defect that cannot be reproduced with the latest Software release. These warranties do not apply to the So ftw are if i t has been (i) altered, except by Bay Networks or in accordance with its instructions; (ii) used in conjunction with another vendor’s product, resulting in the defect; or (iii) damaged by improper environment, abuse, misuse, accident, or negligence. THE FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL OTHER WARRANTIES EXPRESS OR IMPLIED, INCLUDING W ITHOUT LIMITATION ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible for the security of
304111-B Rev 00 iii
its own data and information and for maintaining adequate procedures apart from the Software to reconstruct los t or altered files, data, or programs.
4. Limitation of liability. IN NO EVENT WILL BAY NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY COST OF SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN IF BAY NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL THE LIABILITY OF BAY NETWORKS RELATING TO THE SOFTWARE OR THIS AGREEMENT EXCEED THE PRICE PAID TO BAY NETWORKS FOR THE SOFTWARE LICENSE.
5. Government Licensees. This provision applies to a ll Softwa re and docum entation acquired d irectly or i ndirectly by or on behalf of the United States Government. The Software and documentation are commercial products, licensed on the open market at market prices, and were developed entirely at private expense and without th e use of any U.S. Government funds. The license to the U.S. Government is granted only with restricted rights, and use, duplication, or disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial Computer Software––Restricte d Rig hts cla u se o f FAR 52.227-19 and the limita tio ns set o ut in this license for civilian agencies, and subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS
252.227-7013, for agencies of t he Department of Defense or their successors, whichever is applicable.
6. Use of Software in the European Community. This provision applies to all Software acquired for use within the European Community. If Licensee uses the Software within a country in the European Community, the Software Directive enacted by the Council of European Communities Directive dated 14 Ma y, 1991, will apply to the examination of th e Software to facilitate interoperability. Licensee agrees to notify Ba y Networks of any such intended examination of the Software and may procure support and assistance from Bay Networks.
7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to Bay Networks’ copyright in the Software and user manuals will cease being effective at the date of expiration of the Bay Networks copyright; those restrictions relating to use and disclosure of Bay Networks’ confidential information shall continue in effect. Licensee may terminate this license at any time. The license will automatically terminate if Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any reason, Licensee will immediately destroy or return to Bay Networks the Software, user manuals, and all copies. Bay Networks is not liable to Licensee for damages in any form solely by reason of the termination of this license.
8. Export and Re-export. Licensee agrees not to export, directly or indirectly, t he S oft ware or re lated technical data or information without first obtaining any required export licenses or other governmental approvals. Without limiting the foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first obtaining all export licenses and approvals required by the U.S. Government: (i) export, re-export, transfer, or divert any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports are restricte d or em b argoed under United States ex po r t con t rol laws and re gulations, or to any national or resident of such restricted or embargoed countries; or (ii) provide the Software or related technical data or information to any military end user or for any military end use, including the design, development, or production of any chemical, nuclear, or biological weapons.
9. General. If any provision of this Agreement is held to be invalid or unenf orceable by a court of competent jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect. This Agreement will be governed by the laws of the state of California.
Should you have any questions concerning this Agreement, contact Bay Networks, Inc., 4401 Great America Parkway, P.O. Box 58185, Santa Clara, California 95054-8185.
LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN BAY NETWORKS AND LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST B AY NETWORKS UNLESS BAY NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT.
iv 304111-B Rev 00

Contents

Preface
Before You Begin .............................................................................................................xiii
Text Conventions .............................................................................................................xiv
Acronyms ........................... .......................... .......................... ......................... ................. xv
Bay Networks Technical Publications .............................................................................xvii
How to Get Help .............................................................................................................xvii
Chapter 1 Overview of IPsec
About IPsec .... ...... ...... ....... ...... ....................................... ....... ...... ...... ....... ...... ....... ...... ...1-2
IPsec Services ................................................................................................................1-2
Confidentiality ....... ....... ...... ....... ...... ....... ...... ....... ...... ....... ...... ...... ....... ...... ....... ...... ...1-2
Integrity ....................................................................................................................1-3
Authentication ..........................................................................................................1-3
Additional IPsec Services ........................................................................................1-3
How IPsec Works ...........................................................................................................1-3
IPsec Protection .......................................................................................................1-4
IPsec Tunnel Mode ...................................................................................................1-5
Elements of IPsec ...........................................................................................................1-5
Security Gateways ..........................................................................................................1-7
Security Policies .............................................................................................................1-8
Policy Templates ......................................................................................................1-8
Inbound Policies .......................................................................................................1-9
Outbound Policies ....................................................................................................1-9
Policy Criteria Specification ....................................................................................1-10
Security Associations ...................................................................................................1-11
Automated Security Associations Using Internet Key Exchange (IKE) ..................1-11
Manual Security Associations ................................................................................1-12
Security Associations for Bidirectional Traffic .........................................................1-12
304111-B Rev 00 v
How IKE Negotiates Security Associations ............................................................1-13
Security Parameter Index (SPI) ..............................................................................1-13
Summarizing Security Policies and SAs .......................................................................1-14
Security Protocols .........................................................................................................1-15
Encapsulating Security Payload .............................................................................1-15
Authentication Header ............................................................................................1-16
Internet Key Exchange (IKE) Protocol ..........................................................................1-17
Perfect Forward Secrecy ........................................................................................1-17
Network Requirements for Bay Networks Routers .......................................................1-18
Supported Routers .................................................................................................1-18
Supported WAN Protocols .....................................................................................1-18
Chapter 2 Getting Started With IPsec
Upgrading Router Software ............................................................................................2-2
Installing the IPsec Software ................................................. ...... ...... ....... ...... ....... ...... ...2-2
Completing the Installation Process ..................................................................2-3
Installing Triple DES Encryption ...............................................................................2-3
Securing Your Site ..........................................................................................................2-4
Securing Your Configuration ...........................................................................................2-4
Encryption Keys .......................................................................................................2-4
Random Number Generator (RNG) .........................................................................2-5
Creating a Node Protection Key (NPK) ..........................................................................2-5
Generating NPKs .....................................................................................................2-5
Entering an Initial NPK and a Seed for Encryption .........................................................2-6
Changing an NPK ....................................................................................................2-8
Monitoring NPKs ......................................................................................................2-8
Chapter 3 Configuring IPsec
Enabling IPsec and IKE ........... ....... ...... ....... ...... ....... ...... ....... ...... ...... ....... ......................3-1
Creating Policies .............................................................................................................3-2
Specifying Criteria ....................................................................................................3-2
Specifying an Action .................................................................................................3-3
Policy Considerations ...............................................................................................3-3
Creating an Outbound Policy ...................................................................................3-4
vi 304111-B Rev 00
Creating an Inbound Policy ......................................................................................3-6
Creating Security Associations .......................................................................................3-8
About Automated SA Creation ........................... ...... ....... ...................................... ...3-8
About Manual SA Creation .......................................................................................3-8
Creating a Protect SA Automatically Using IKE .......................................................3-9
Creating an Unprotect SA Automatically Using IKE ...............................................3-10
Creating a Protect SA Manually .............................................................................3-11
Creating an Unprotect SA Manually .......................................................................3-12
Disabling IPsec .................. ...... ....... ...... ....... ...... ....................................... ...... ....... ...... .3-13
Appendix A Site Manager Parameters
Node Protection Key Para meter .................................................................................... A-1
Enabling IPsec Parameters ........................................................................................... A-2
IPsec Policy Parameters ................................................................................................ A-3
Manual Security Association Parameters ...................................................................... A-4
Automated Security Association (IKE) Parameters ....................................................... A-9
Appendix B Definitions of k Commands
Appendix C Configuration Examples
Inbound and Outbound Policies .....................................................................................C-1
Automated SA (IKE) Policy Examples ..................................................................... C-2
Manual SA Policy Examples ...................................................................................C-5
Manual Protect and Unprotect SA Configuration ........................................................... C-9
Appendix D Protocol Numbers
Assigned Internet Proto co l Number by Name ....................................................... ...... .. D-2
Assigned Internet Protocol Numbers by Number .......................................................... D-6
Index
304111-B Rev 00 vii

Figures

Figure 1-1. IPsec Environment: Unique Security Associations (SAs)
Between Routers .....................................................................................1-4
Figure 1-2. IPsec Concepts: Security Gateways, Security Policies, and SAs ............1-6
Figure 1-3. IPsec Security Gateways and Security Policies .......................................1-7
Figure 1-4. Security Associations for Bidirectional Traffic .........................................1-12
Figure C-1. IPsec Automated Outbound Policies for RTR1, RTR2, and RTR3 ..........C-2
Figure C-2. IPsec Manual Outbound Policies for RTR1, RTR2, and RTR3 ...............C-5
Figure C-3. Single Protect/Unprotect SA Pair ............................................................ C-9
Figure C-4. Multiple Protect/Unprotect SA Pairs ...................................................... C-12
304111-B Rev 00 ix

Tables

Table 1-1. Security Policy Specifications ................................................................1-14
Table 1-2. Manual Security Association (SA) Configurations .................................1-15
Table D-1. Internet Protocol Numbers, Sorted by Acronym .................................... D-2
Table D-2. Internet Protocol Numbers, Sorted by Number ......................................D-6
304111-B Rev 00 xi
This guide describes the Bay Networks® implementation of IP Security and how to configure it on a Bay Networks router.

Before You Begin

Before using this guide, you must complete the following procedures. For a new router:
Install the router (see the installation guide that came w ith your router).
Connect the router to the network and create a pilot configuration file (see Quick-Starting Routers or Configuring BayStack Remote Access).

Preface

Make sure that you are running the latest version of Bay Networks BayRS Site Manager software. For information about upgrading BayRS and Site Manager, see the upgrading guide for your version of BayRS.
304111-B Rev 00 xiii
and
Configuring IPsec Services

Text Conventions

This guide uses the following text conventions:
angle brackets (< >) Indicate that you choose the text to enter based on the
description inside the brackets. Do not type the brackets when entering the command.
Example: If the command syntax is:
ping
<
ip_address
ping 192.32.10.12
>, you enter:
bold text
Indicates command names and options and text that you need to enter.
Example: Enter
show ip {alerts | routes
Example: Use the
dinfo
command.
}.
braces ({}) Indicate required elements in syntax descriptions
where there is more than one option. You must choose only one of the options. D o not type the braces when entering the command.
Example: If the command syntax is:
show ip {alerts | routes show ip alerts or show ip routes
}
, you must enter either:
, but not both.
brackets ([ ]) Indicate optional elements in syntax descriptions. Do
not type the brackets when entering the command. Example: If the command syntax is:
show ip interfaces [-alerts show ip interfaces
or
]
, you can enter either:
show ip interfaces -alerts
.
italic text Indicates file and directory names, new terms, book
titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore.
Example: If the command syntax is:
show at
valid_route
<
valid_route
>
is one variable and you substitute one value
for it.
xiv 304111-B Rev 00
Preface
screen text Indicates system output, for example, prompts and
system messages.

Acronyms

Example:
Set Bay Networks Trap Monitor Filters
separator ( > ) Shows menu paths.
Example: Protocols > I P ide nti fies the IP option on the Protocols menu.
vertical line (
) Separates choices for command keywords and
|
arguments. Enter only one of the choices. Do not type the vertical line when entering the command.
Example: If the command syntax is:
show ip {alerts | routes show ip alerts
or
This guide uses the following acronyms:
3DES Triple DES AH authentication header CBC cipher block chaining
}
, you enter either:
show ip routes
, but not both.
DES Data Encryption Standard ESP Encapsulating Security Payload HMAC Hashing Message Authentication Code IANA Internet Assigned Numbers Authority ICMP Internet Control Me ssage Protocol ICV integri ty check value IETF Internet Engineering Task Force IKE Internet Key Exchange protocol IP Internet P rotocol IPsec Internet Protocol Security
304111-B Rev 00 xv
Configuring IPsec Services
ISAKMP/Oakley Internet Security Association and Key Management
IV initialization vector MD5 Message Digest 5 MIB management information base NPK node protection key NVRAM nonvolatile random access memory PPP Point-to-Point Protocol RNG random number generator RSA RSA Data Security, Inc.’s public-key encryption
SA security association SAD security associations database SHA Secure Hash Algorithm SPD security policy database
Protocol (also known as IKE)
algorithm
SPI security parameter index VPN virtual private network WAN wide area network
xvi 304111-B Rev 00

Bay Networks Technical Publications

You can now print Bay Networks technical manuals and release notes free, directly from the Internet. Go to support.baynetwork s.com/libr ary/ tpubs/ . Fi nd the Bay Networks product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Using Adobe Acrobat Re ader, you can open the manuals an d rel ease n otes, searc h for the sections you need, and print them on most standard printers. You can download Acrobat Reader free from the Adobe Systems Web site, www.adobe.com.
You can purchase Bay N etworks documentation sets, CDs, and selected technical publications through the Bay Networks Collateral Catalog. The catalog is located on the World Wide Web at support.baynetworks.com/catalog.html and is divided into sections arranged alphabetically:
The “CD ROMs” section lists available CDs.
The “Guides/Books” section lists books on technical topics.
The “Technical Manuals” section lists available printed documentation sets.
Preface
Make a note of the part numbers and prices of the items that you want to order. Use the “Marketing Collateral Catalog description” link to place an order and to print the order form.

How to Get Help

For product assi stance, support contracts, information abo ut educational services, and the telephone numbers of our gl obal supp ort offices, go to the following URL:
http://www.baynetworks.com/corpor a te/co ntacts /
In the United States and Canada, you can dial 800-2LANWAN for assistance.
304111-B Rev 00 xvii
Chapter 1
Overview of IPsec
This chapter descr ibes the emer ging Inte rnet Engineer ing Task Force st andards fo r security services over public networks, commonly referred to a s IP Security or IPsec. The chapter also includes information specific to the Bay Networks implementation of IPsec and requirements for that implementation.
This chapter includes the following information:
Topic Page
304111-B Rev 00
About IPsec 1-2 IPsec Services 1-2 How IPsec Works 1-3 Elements of IPsec 1-5 Security Gateways 1-7 Security Policies 1-8 Security Associations 1-11 Summarizi ng Security Policies and SAs 1-14 Security Protocols 1-15 Internet Key Exchan ge (IKE) Protocol 1-17 Network Requirements for Bay Networks Routers 1-18
1-1
Configuring IPsec Services

About IPsec

IP Security (I Psec) is the Internet Engineering Task Force (IETF) set of emerging standards for security services for communications over public networks. The standards are documented in the IETF Requests for Comments (RFCs) 2401 through 2412. Additional RFCs may be relevant as well.
These standards were developed to ensure secure, private communications for the remote access, extranet, and intranet virtual pr ivate networks (VPNs) used in enterprise communications. They are the security architecture for the next generation of IP, called IP v6, but are available for the current IPv4 Internet as well.
The Bay Networks implementation of the IETF standards provides network (layer 3) security services for wide area network (WAN) communications on Bay Networks routers.

IPsec Ser vices

IPsec serv ices consist of confidentiality, integrity, and authentication services for data packets traveling between security gate ways.
Confidentiality ensures the privacy of communications.
The integrity service detects modification of data packets.
Authentication ser vices verify the origin of every data packet.

Confidentiality

Confidentiality is accomplished by encrypting and decrypting data packets. The Encapsulating Security Payload (ESP) protocol uses the Data Encryption Standard (DES) algorithm in cipher block chaining (CBC) mode to encrypt and decrypt data packets.
You set confidentiality with the cipher algorithm and cipher key parameters. The cipher algorithm and cipher key are specified in security associat ions (SAs). A security association is a relationship in which two peers share the necessary information to secur ely prote ct and unpr otect data. Th e algori thm and ke y must b e identical on both ends of an IPsec SA.
1-2
304111-B Rev 00

Integrity

Integrity determines whether the data has been altered during trans it. The ESP protocol ensures that data has not been modified as it passes between the security gateways . The ESP protoco l uses the HMAC MD5 (RFC 2403) or HMAC SHA-1 (RFC 2404) transform.
You set integrit y with the integrity algorithm a nd integrity key parameters. The integrity algorithm and integrity key must be identical on both e nds of an IPsec SA.

Authentication

Authentication ensures that data has been transmitted by the identified source.

Additional IPsec Services

Within the IPsec framework, additional security services are provided. An access control service ensures authorized use of the network, and an auditing service tracks all actions and events.
Overview of IPsec
IPsec services can be configured on an interface-by-interface basis. Up to 127 inbound and 127 outbound security policies (customized) are supported on each IPsec interface.

How IPsec Works

IPsec services are bundled as an Internet Protocol (IP) encryption packet. The packets resemble ordinary IP packets to Internet rout ing nodes; only the sending and receiving devices are involved in the encryption. IPsec packets are delivered over the Internet like ordinary IP packets to branch offices, corporate partners, or other remote organizations in a secure, encrypted, and private manner.
Sever al well-est ablished tech nologies pro vide enc ryption and aut henticatio n at the application laye r. IPsec adds security at the underlying network layer, providing a higher degree of secur ity fo r all a ppl icati ons, inc luding those wit hou t an y secur ity features of their own.
304111-B Rev 00
1-3
Configuring IPsec Services

IPsec Protection

To configure a router with IPsec, you first configure the router interface as an IP interface. Then you add the IPsec software to the IP interface, creating a security gateway. A security gateway is a router between a trusted network (for example, the enterprise intranet) and an untrusted network (the Internet) that provides a security service such as IPsec.
The router interface is secured with inbound and outbound security policies that filter traffic to and from the router module. The data packets themselves are protected by IPsec protocol processing specified by security associations (SAs).
Figure 1-1 sho ws ho w IPsec can prote ct data c ommunication s within a n enterpr ise and from external hosts.
Corporate
headquarters
Server
Router A
IP security
gateway
Security
associations
(SAs A,B)
Partner
Router B Router C
Host Host
IP security
gateway
IPsec
services
Public
network
Security associations
(SAs B,C)
IPsec
services
Security
associations
(SAs C,A)
Branch office
IP security
gateway
IPsec
services
IP0088A
Figure 1-1. IPsec Environment: Unique Security Associations (SAs)
Between Routers
1-4
304111-B Rev 00

IPsec Tunnel Mode

When there is a security gateway at each end of a communication, the security associations between the gateways are said to be in tunnel mode. The tunnel metaphor refers to data being visible only at the beginning and end points of the communication. The IP packets protected by IPsec have regular, “visible” IP headers, but the packet contents are encrypted, and thus hidden. All BayRS IPsec communications occur in tunnel mode. Tunnel mode is especially effective for isolating and prot ecting enterp rise traf f ic tra veli ng across a publ ic data net work, as shown in Figure 1-1.

Elements of IPsec

IPsec has three important constructs:
Security gateways
Security policies
Security associatio ns (SAs)
Overview of IPsec
304111-B Rev 00
In the IPsec context, hosts communicate across an untrusted network through security gateways (routers configured for IPsec interfaces). Security policies determine ho w the IPsec interfaces handle data packets for the hosts on both ends of a connection. Security associations apply IPsec services to data packets traveling between the security gateways.
Figure 1-2
associations.
shows the logical relationship between security policies and security
1-5
Configuring IPsec Services
Security associations
IPsec gateway WAN interface
Inbound process
Unprotect SAs Source/Dest Addr, SPI Cipher Algo/Key, Integrity Algo/Key
Protect SAs Source/Dest Addr, SPI Cipher Algo/Key, Integrity Algo/Key
Inbound policies
criteria & action
(bypass, drop, log)
Outbound policies
criteria & action
(bypass, drop, log,
protect)
Outbound process
Security
policy
database
Figure 1-2. IPsec Concepts: Security Gateways, Security Policies, and SAs
Untrusted
network
IP00087A
1-6
304111-B Rev 00

Security Gateways

A security gateway establishes SAs between router interfaces configured with IPsec software. A Bay Networks router becomes a security gateway when you enable IPsec on a WAN interface. In this way, a Bay Networks router operati ng as a security gateway provides IPsec services to its internal hosts and subnetworks.
Hosts or networks on th e e xte rnal si de of a sec urit y ga te w ay (typic ally, the overall Internet) are considered “untrusted.” Hosts or subnetworks on the internal side of a security gat e w ay (nodes on your l ocal i ntra net) are consi dered “trus te d” beca use they are controlled and securely managed by the same network administration (Figure 1-3
).
Overview of IPsec
Trusted network
Local host
Outbound policy
Security gateway
Inbound policy (clear text only)
IPsec interface
Untrusted
network
IPsec interface
Outbound policy
Security gateway
Inbound policy (clear text only)
Figure 1-3. IPsec Security Gateways and Security Policies
When you add IPsec services to a router to create a security gateway, its internal hosts and subnetworks can communicate with external hosts that directly operate IPsec services, or with a remote security gateway that provides IPsec services for its set of hosts and subnetworks.
Trusted network
Remote host
IP0078A
304111-B Rev 00
1-7
Configuring IPsec Services

Security Policies

When you create an IPsec policy, you control which packets a security gateway protects, how it handles packets to or from particular addresses or in a particular protocol, and whether it logs information about these actions.
There are two types of IPsec policies: inbound and outbound. An inbound policy is used for data packets arriving at a security gateway, and an outbound policy is used for data pa ck ets leaving a security gateway. Each IPsec interface can support up to 127 inbound and 127 outbound security policies (refer to Figure 1-3
page 1-7
The criteria (“selectors”) and action specifications used in your inbound and outbound policies are stored in the security policy database (SPD).
IPsec defaults i n fa v or of more securit y rather th an less. I f an outbou nd or inbou nd packet does not match the criteria of any configured outbound or inbound policy in the SPD, the packet is dropped.
IPsec discards an y out bound clear-text data packet unle ss you explicitly configure a policy to bypass or protect it.
).
on

Policy Templates

Every IPsec polic y is ba sed on a policy template. A policy template is a pr edef ined policy definition that you can use on any IP interface. The template specifies one or more criteria and an action to apply to incoming or outgoing data packets.
A policy template and every policy based on it must includ e at least one criterion, for example, an IP source address, and one action. For example, an outbound policy might specify a pr otect ac tion. A poli cy t emplate or po lic y may inc lude tw o actions if one of the actions is logging. The criterion specification determines whether a data pack et matches a pa rticula r securit y polic y, and the action speci fi es how the policy is applied to the packet.
The action specifications that you can include in inbound and outbound policies are listed in the two sections that follow.
1-8
304111-B Rev 00

Inbound Policies

An inbound policy determines how a security gateway processes data packets receiv ed from a n u ntrus ted ne tw ork. Ev ery pack e t ar ri v ing at a secu rity g ateway is compared with the criteria to determine whether it matches an IPsec policy for that router. If the incoming packet matches a bypass policy, the router accepts the packet and, if the policy is so configured, logs it.
If the packet d oes n ot mat ch an y poli cy o r matches a drop poli c y, the router rejects the packet. When a packet does not match any policy, IPsec’s default action is to drop it.
For an inbound security policy, the action may be:
•Drop
Bypass
•Log
Drop and bypass are mutua lly e xc lusive. The log action may be a dded t o eit her, or used alone.
Overview of IPsec

Outbound Policies

An outbound policy determines ho w a se curity gat e way proces ses data pac kets f or transmission across an untrust ed netwo rk. You must assign an outbound poli cy fo r all unicast traffic leaving an IPsec interface.
For an outbound policy, the action specification may be:
Protect
•Drop
Bypass
•Log
Any outbound policy with a protect action specification is mapped to a Protect SA. See information about Protect and Unprotect SAs.
Drop, protect, and bypass are mutually exclusive. The log action may be added to any of the three, or used alone.
304111-B Rev 00
Summarizing Security Policies and SAs” on page 1-14 for detailed
1-9
Configuring IPsec Services

Policy Criteria Specification

IPsec software inspects IP packet headers based on the specified criteria to determine whether a policy applies to a data packet.
You must include at least one of the following crit eria, and you may specify all three criteria in an IPsec policy:
IP source address
IP destination address
Protocol
To specify the protocol criterion, you must provide the numeric value assigned to the protocol for use o v er the I ntern et. You can specify only a sin gle pr otocol value for each policy. The protocol number is represented in the 1-byte protocol field in an IP packet header.
Refer to Appendix D
for a list of protocol numbers. To obtain the most recent list of the numeric values assigned to various protocols, see the Internet Assigned Numbers Authority (IANA) Web site at:
http://www.iana.org The direct path to the list of legal values tha t you can specify for an IP sec policy
protocol criterion as of this printing is:
http://www.isi.edu/in-notes/iana/assignments/protocol -numbers
1-10
304111-B Rev 00
Overview of IPsec

Security Associations

A security association (SA) is a relationship in which two peers share the necessary information to securely protect and unprotect data. An IPsec SA is uniquely identified by an IP destination addr ess, securit y parameter index (S PI), and security protocol identifier (for example, ESP in tunnel mode).
An IPsec policy deter mine s which pack et s will be hand le d. An IPsec SA spe cif i es which IPsec security service (for example, confidentiality) IPsec will apply to the packets. You can apply one or more IPsec security services.
SAs themselves must be created and shared in a secure manner. There are two ways of achieving this: by using the automated security negotiation process provided by the Internet Key Exchange (IKE) protocol; or by manually configuring the sending and receiving devices with a shared secret. A shared secret is a unique security identifier.

Automated Security Associations Using Internet Key Exchange (IKE)

Internet Key Exchange (IKE) is an automated protocol to establish security associations over the Internet. (IKE is also referred to as the Internet Security Association Key Management Protocol with Oakley Key Determination, or ISAKMP/Oakley.) IKE handles negot iating, esta blishing, modifying, and deleting security associations.
304111-B Rev 00
To set up these security associations, IKE itself must create a confidential, secure connection between the sender and receiver. Authentication is accomplished with one or more of the following:
Pre-shared keys: These are set up ahead of time at eac h node in a tr ansact ion.
Public key cryptography: Using the RSA public key algorithm, each
member of a transaction authenticates itself to the other using the other member’s public key to encrypt an authentication value.
Digital signature: Each member of a transaction sends a digital signature to
the other. The signatures are authenticated using the member’s public key, obtained via an X.509 digital certificate.
The BayRS implementation of IKE uses pre-shared keys only.
1-11
Configuring IPsec Services

Manual Security Associations

Manually configuring security associations is a more cumbersome and labor-intensive process than using IKE. If possible, IKE should be used to make large-scale secure communications practical.
Manually configured SAs often rely on static, symmetric keys on communicating hosts or security gate w ays. As such, you must coordina te wit hin your or ganizat ion and with outside parties to configure keys that will protect your information.

Security Associations for Bidirectional Traffic

An SA specifies the security services that are applied to data packets traveling in one direction between security gateways. To secure the traffic in both directions, the security gateway must have a Protect SA for data transmitted from the local IPsec interface and an Unprotect SA for data received by the local IPsec interface
(Figure 1-4)
.
Protect SA Source: 132.245.145.195
Security gateway Security gateway
132.245.145.195
Destination: 132.245.145.205
Unprotect SA Source: 132.245.145.205 Destination: 132.245.145.195
Unprotect SA Source: 132.245.145.195 Destination: 132.245.145.205
Network
Protect SA Source: 132.245.145.205 Destination: 132.245.145.195
Figure 1-4. Security Associations for Bidirectional Traffic
Under most circumstances, you will configure the Internet Key Exchange (IKE) protocol to negotiate SAs between security gateways automatically. You can also manually config ure SAs.
132.245.145.205
IP0079A
1-12
304111-B Rev 00
Loading...
+ 70 hidden pages