
Configuring IP Security Services
3-2
304111-A Rev 00
Always configure your NPKs locally, not over a network. When you connect a PC
or a workstation to a router console port to configure encryption, use a machine
that is not connected to any other equipment.
Be sure to also protect the routers on which the NPKs reside.
Encryption Keys
IPsec uses a hierarchy of keys to protect and transmit data:
• Node protection key (NPK) -- encrypts the cipher and integrity keys
• Cipher key -- encrypts data that travels across the network in the ESP payload
• Integrity key -- calculates the integrity check value (ICV), which is used at the
data packet destination to detect any unauthorized modification of the data
Random Number Generator (RNG)
The router software uses the secure random number generator (RNG) in Site
Manager to generate the initialization vectors (IVs) used in the ESP DES
encryption transformation. The values it produces are statistically random.
The RNG is seeded with a value that you supply from the Technician Interface
secure shell; the quality of the IVs depends on that seed, so supply one that
an attacker cannot guess.
See “Entering an NPK and a Seed for Encryption” on page 3-4.
Node Protection Key (NPK)
The NPK encrypts the cipher and integrity keys for storage in the MIB. It
never encrypts, decrypts, or authenticates user data itself.
The NPK is stored in the router nonvolatile random access memory (NVRAM). Its
fingerprint, a 128-bit value computed from the NPK by a hash algorithm, is
stored in the management information base (MIB). Before the router performs
any encryption, it recomputes the fingerprint of the NPK in NVRAM and compares
it with the fingerprint in the MIB; the two must match, otherwise the stored
cipher and integrity keys cannot be used.
Caution:
The NPK is the most critical key in the hierarchy. If the NPK is
compromised, all encrypted data on the router can be compromised.
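The key hierarchy listed under "Encryption Keys", the seeded IV generation, and the NPK fingerprint check described above, shown end to end as an added Python example. This is illustrative code written for this page, not Bay Networks router software: DES-CBC and the router's hash algorithm are replaced by HMAC-SHA256 stand-ins so that it runs with the standard library only, and the key lengths, the ICV length, the IV derivation from the seed, and the MIB record layout are all assumptions. What it does show is the structure the page describes: the NPK wraps the working keys for MIB storage, the fingerprint gates their use, the cipher key protects the ESP payload, and the integrity key produces the ICV that lets the receiver detect modification.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Added illustration, not Bay Networks router code.  DES-CBC and the router's
# hash are replaced by HMAC-SHA256 stand-ins; lengths below are assumptions.

CIPHER_KEY_LEN = 8        # assumed: a single-DES key
INTEGRITY_KEY_LEN = 16    # assumed HMAC key length
IV_LEN = 8                # DES block size, the length of an ESP DES IV
FINGERPRINT_LEN = 16      # the page says the fingerprint is 128 bits
ICV_LEN = 12              # assumed truncated-HMAC ICV length


def fingerprint(npk: bytes) -> bytes:
    """128-bit fingerprint of the NPK for MIB storage (hash choice assumed)."""
    return hashlib.sha256(b"npk-fingerprint" + npk).digest()[:FINGERPRINT_LEN]


def make_iv(seed: bytes, counter: int) -> bytes:
    """IV derived from the operator-supplied seed, one counter value per use.
    Stand-in for the router's seeded RNG; the derivation is an assumption."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:IV_LEN]


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; stand-in for DES-CBC."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation).  Never reuse an IV under one key."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))


@dataclass
class MibRecord:
    """What the MIB holds: the NPK fingerprint and the NPK-wrapped keys."""
    npk_fingerprint: bytes
    wrap_iv: bytes
    wrapped_keys: bytes       # cipher key || integrity key, encrypted under NPK


def store_keys(npk: bytes, cipher_key: bytes, integrity_key: bytes,
               seed: bytes) -> MibRecord:
    """The NPK protects the cipher and integrity keys for MIB storage."""
    assert len(cipher_key) == CIPHER_KEY_LEN and len(integrity_key) == INTEGRITY_KEY_LEN
    iv = make_iv(seed, 0)
    wrapped = _xor_crypt(npk, iv, cipher_key + integrity_key)
    return MibRecord(fingerprint(npk), iv, wrapped)


def npk_matches_mib(npk: bytes, record: MibRecord) -> bool:
    """The check the router makes before it will encrypt at all."""
    return hmac.compare_digest(fingerprint(npk), record.npk_fingerprint)


def load_keys(npk: bytes, record: MibRecord):
    """Recover the working keys from the MIB; refuse if the NPK does not match."""
    if not npk_matches_mib(npk, record):
        raise ValueError("NPK in NVRAM does not match the fingerprint in the MIB")
    plain = _xor_crypt(npk, record.wrap_iv, record.wrapped_keys)
    return plain[:CIPHER_KEY_LEN], plain[CIPHER_KEY_LEN:]


def esp_protect(cipher_key: bytes, integrity_key: bytes, iv: bytes,
                payload: bytes) -> bytes:
    """Cipher key encrypts the payload; integrity key produces the ICV."""
    ciphertext = _xor_crypt(cipher_key, iv, payload)
    icv = hmac.new(integrity_key, iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return iv + ciphertext + icv


def esp_unprotect(cipher_key: bytes, integrity_key: bytes, packet: bytes):
    """Verify the ICV first; return the payload, or None if the packet was altered."""
    iv, ciphertext, icv = packet[:IV_LEN], packet[IV_LEN:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(integrity_key, iv + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None
    return _xor_crypt(cipher_key, iv, ciphertext)


if __name__ == "__main__":
    # Constructed sample values; never hard-code real keys.
    npk = bytes.fromhex("00112233445566778899aabbccddeeff")
    seed = b"constructed seed entered at the TI secure shell"
    record = store_keys(npk, bytes(range(8)), bytes(range(16)), seed)
    ck, ik = load_keys(npk, record)
    packet = esp_protect(ck, ik, make_iv(seed, 1), b"payload")
    print(esp_unprotect(ck, ik, packet))
```

Two points carry over to the real router. First, compromise of the NPK exposes everything below it in the hierarchy: whoever holds the NPK and a copy of the MIB record recovers both working keys, which is why the page tells you to enter the NPK only at the console. Second, the ICV check runs before decryption, so a modified packet is rejected without ever being decrypted, which is the property the integrity key exists to provide.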