Enterasys Networks CSX7000 Manuel d'utilisateur télécharger pdf (Page 36)

100

101

USER’S GUIDE

36 CyberSWITCH

ENCRYPTION OVERVIEW

Cabletron’s encryption options provide two popular approaches for encrypting WAN

communications, each with distinct advantages in certain applications. These options are: Network

Layer Encryption and Link Layer Encryption.

NETWORK LAYER

Cabletron’s Network Layer Encryption is an IP Security-based form of encryption. IP Security

(IPSec) can potentially reside in many devices within the network. Since IPSec is specific to IP, data

must be contained in an IP datagram in order for encryption to take place. This also implies that an

IPSec-compliant switch or router must perform network-layer routing. A device which does not

perform network-layer processing (such as a pure bridge) will not be capable of IPSec-based

encryption. Non-IP protocols such as IPX and AppleTalk must be encapsulated within IP in order

to take advantage of IPSec.

IPSec is primarily aimed at providing secure communications across IP networks such as the

Internet. Data can traverse multiple intermediate (untrusted) nodes (such as Internet backbone

routers) while still ensuring strong data security. But it can also be applied in point-to-point

networks where the layer-3 protocol is IP (for example, IP transported across the WAN using PPP).

Network-layer encryption works as follows:

IP datagrams transmitted from one LAN to another LAN funnel through a CyberSWITCH node

where they are encrypted and encapsulated. The destination address on the encapsulated

datagram is that of the CyberSWITCH node servicing the other trusted subnet.

When the IP datagram reaches the destination CyberSWITCH node, the Encapsulating Security

Payload (ESP) header is removed, the ESP payload is decrypted, and the original IP datagram is

forwarded to its original destination.

CyberSWITCH encryption requires additional Security Association information that can be supplied

through CFGEDIT. Each security association identifies a range of IP addresses, encryption

parameters to be used to encrypt communications to those IP addresses, and the IP address of the

peer CyberSWITCH (or other ESP node) responsible for decrypting the communications. The peer

will have knowledge of the same security association.

Security associations between peer CyberSWITCH nodes are identified by a Security Parameter

Index (SPI), which is a 32-bit number. The SPI is transmitted in the ESP header and is used by the

peer CyberSWITCH node to identify the necessary information to decrypt the ESP payload.

IP datagrams to these IP destination addresses are encrypted and encapsulated with an ESP header.

The ESP header indicates a destination address of an intermediate CyberSWITCH node which will

be responsible for decrypting and decapsulating these packets before sending them on to their

intended destination.

LINK LAYER

Link layer encryption occurs at layer 2 of the ISO networking model. In the case of a WAN, PPP

acts as a layer 2 protocol. Encryption Control Protocol (ECP) serves to handle encryption of a PPP

datagram.

1 2 ... 31 32 33 34 35 36 37 38 39 40 41 ... 728 729

Commentaires sur ces manuels

Pas de commentaire

Enterasys Networks CSX7000 Manuel d'utilisateur Page 36

Commentaires sur ces manuels