Avaya Configuring IP Security Services Manual do Utilizador descarregar pdf (Página 35)

Overview of IPsec

304111-B Rev 00

1-17

Internet Key Exchange (IKE) Protocol

The Internet Key Exchange (IKE) protocol negotiates and provides private and

authenticated keying material for security associations. Before providing keying

material, the IKE protocol itself must be authenticated, that is, something must

create an IKE security association between the security gateways IKE is servicing.

BayRS software creates an IKE SA through a pre-shared authentication key. IKE

creates and changes IPsec SAs dynamically, with no user intervention necessary,

making them faster and more frequently than they might otherwise be made, for

greater security.

To negotiate a security association, IKE peers form a security association (an IKE

SA) between them. The IKE SA protects the negotiation of the IPsec SA

parameters and key exchange.

The IKE protocol can change IPsec and IKE SA keys based on preconfigured

criteria such as elapsed time or number of bytes sent.

Perfect Forward Secrecy

Perfect forward secrecy (PFS) disassociates each IPsec SA key from others in the

same IKE-negotiated security association. To obtain PFS, IKE uses the

Diffie-Hellman algorithm to exchange keys for each SA. This means that as IKE

and IPsec SAs are automatically re-keyed over the course of IPsec peer

communication, old keys, if compromised, cannot be used to derive previous or

future keys used for other SAs.

With PFS, if an intruder manages to break an encryption key, they gain access to a

limited amount of data (packets protected by a single SA).

1 2 ... 30 31 32 33 34 35 36 37 38 39 40 ... 99 100

Sem comentários

Avaya Configuring IP Security Services Manual do Utilizador Página 35