
Overview of IPsec
Internet Key Exchange Protocol
The IKE protocol negotiates and provides private and authenticated keying material for security associations. Before IKE can provide keying material, the IKE protocol itself must be authenticated; that is, some other mechanism must create an IKE security association between the security gateways that IKE is servicing.
BayRS software creates an IKE SA through a preshared authentication key. IKE creates and changes IPsec SAs dynamically, with no user intervention necessary.
To negotiate a security association, IKE peers form a security association (an IKE SA) between themselves. The IKE SA protects the negotiation of the IPsec SA parameters and key exchange.
The IKE protocol can change IPsec and IKE SA keys based on preconfigured criteria such as elapsed time or number of bytes sent.
Perfect Forward Secrecy
Perfect forward secrecy (PFS) disassociates each IPsec SA key from others in the same IKE-negotiated security association. To implement PFS, IKE uses the Diffie-Hellman algorithm to exchange keys for each SA. This means that as IKE and IPsec SAs are automatically rekeyed over the course of IPsec peer communication, old keys, if compromised, cannot be used to derive previous or future keys used for other SAs.
With PFS, if an intruder manages to break an encryption key, the intruder gains access to a limited amount of data (packets protected by a single SA).
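The following is an added example, not BayRS code or any IKE implementation, that models the two points above: an IKE SA seeded from a preshared key, and IPsec SA keys derived under that IKE SA either without PFS (the IKE SA secret is the only secret input) or with PFS (a fresh Diffie-Hellman exchange per IPsec SA). It then plays the role of a passive eavesdropper who later obtains the IKE SA secret and shows which IPsec SA keys that eavesdropper can reconstruct. The Diffie-Hellman group, the simplified SKEYID_d derivation, the HMAC-SHA256 PRF and all function names are assumptions of this example and are not the groups or derivations BayRS uses.

```python
import hashlib
import hmac
import secrets

# Demo-only Diffie-Hellman group (an assumption of this example, not a real IKE
# group; IKE uses the MODP groups of RFC 2409/3526). 2**255 - 19 is prime and
# small enough that pow() stays fast with only the standard library.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """Diffie-Hellman result g^xy mod p as 32 big-endian bytes."""
    return pow(peer_pub, priv, P).to_bytes(32, "big")


def prf(key, data):
    """Keyed pseudo-random function; IKE fills this role with an HMAC."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ike_sa_secret(psk, my_priv, peer_pub):
    """IKE SA key-derivation secret (a simplified stand-in for SKEYID_d): the
    preshared key authenticates the phase-1 Diffie-Hellman exchange, whose
    result seeds the secret."""
    return prf(psk, dh_shared(my_priv, peer_pub) + b"ike-sa")


def ipsec_keymat(skeyid_d, spi, nonces, pfs_secret=b""):
    """IPsec SA keying material. Without PFS its only secret input is the IKE
    SA secret; with PFS a fresh per-SA Diffie-Hellman result is mixed in."""
    return prf(skeyid_d, pfs_secret + spi + nonces)


def negotiate(psk, sa_count, pfs):
    """Simulate two gateways sharing `psk` that create `sa_count` IPsec SAs
    under one IKE SA. Returns (keys_a, keys_b, skeyid_d, transcript); the
    transcript is the public part of each exchange (SPI and nonces). Per-SA
    DH public values are omitted because they alone do not yield g^xy."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    skd_a = ike_sa_secret(psk, a_priv, b_pub)
    skd_b = ike_sa_secret(psk, b_priv, a_pub)
    assert skd_a == skd_b  # both sides derive the same IKE SA secret
    keys_a, keys_b, transcript = [], [], []
    for i in range(sa_count):
        spi = i.to_bytes(4, "big")          # constructed SPI
        nonces = secrets.token_bytes(16)    # constructed peer nonces
        sec_a = sec_b = b""
        if pfs:
            # PFS: a new Diffie-Hellman exchange for every IPsec SA
            qa_priv, qa_pub = dh_keypair()
            qb_priv, qb_pub = dh_keypair()
            sec_a = dh_shared(qa_priv, qb_pub)
            sec_b = dh_shared(qb_priv, qa_pub)
        keys_a.append(ipsec_keymat(skd_a, spi, nonces, sec_a))
        keys_b.append(ipsec_keymat(skd_b, spi, nonces, sec_b))
        transcript.append((spi, nonces))
    return keys_a, keys_b, skd_a, transcript


def keys_from_leaked_ike_secret(skeyid_d, transcript):
    """What an eavesdropper who later obtains the IKE SA secret can rebuild
    from the recorded transcript alone. Without PFS this reproduces every
    IPsec SA key; with PFS the per-SA DH results were never on the wire, so
    nothing computed here matches a real SA key."""
    return [ipsec_keymat(skeyid_d, spi, nonces) for spi, nonces in transcript]


def pfs_limits_compromise(psk=b"constructed-preshared-key", sa_count=3):
    """Run both modes; return (exposed_without_pfs, exposed_with_pfs), i.e.
    whether a leaked IKE SA secret reproduces the IPsec SA keys."""
    results = []
    for pfs in (False, True):
        keys_a, keys_b, skd, transcript = negotiate(psk, sa_count, pfs)
        assert keys_a == keys_b  # peers agree on every IPsec SA key
        recovered = keys_from_leaked_ike_secret(skd, transcript)
        results.append(recovered == keys_a)
    return tuple(results)


if __name__ == "__main__":
    no_pfs, with_pfs = pfs_limits_compromise()
    print("IPsec SA keys exposed by a leaked IKE SA secret:",
          "without PFS =", no_pfs, "| with PFS =", with_pfs)
```

Running the module prints that the leaked IKE SA secret exposes every IPsec SA key without PFS and none of them with PFS, which is the "limited amount of data" property the text describes: with PFS, breaking one SA's key costs the attacker the packets of that SA only, at the price of one extra Diffie-Hellman exponentiation per rekey on each gateway.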
Performance Considerations
IPsec performance can vary greatly and can affect overall router performance. Factors that affect performance include:
• Cryptographic algorithms used by IPsec
• Other protocols and features running on the slot that share the same CPU resources as IPsec
• Processing power of the BayRS router