Configuring IPSec Offloads
Offloading Encryption Processing
You can configure any two (or more) computers running Windows 2000 or Windows XP
to perform IPSec encryption by changing the Local Security Setting in the operating
system. With most non-3CR990-FX-97 NICs, all the IPSec processing is done by the host
central processing unit (CPU), which significantly diminishes CPU performance. The
3CR990-FX-97 NIC can offload all the encryption processing from the host CPU, thereby
freeing the CPU to work on other tasks. The data-encryption offload capability of the
3CR990-FX-97 NIC is enabled at the factory.
For any two or more computers running operating systems other than Windows 2000 or
Windows XP (that is, Windows 95/98/Me/NT), IPSec encryption is provided by third-party
applications. The 3CR990-FX-97 NIC does not provide IPSec encryption offloading for
those operating systems.
Auto-Selecting Basic or Strong Encryption Processing
The 3CR990-FX-97 NIC provides Data Encryption Standard (DES) 56-bit basic encryption
processing and Triple DES (3DES) 168-bit strong encryption processing. DES and 3DES are IPSec
bulk encryption algorithms for coding data. DES encrypts 64-bit data blocks using a 56-bit
key. DES can be applied in several modes. 3DES (Triple DES) achieves a higher level of
security by encrypting the data three times using DES with three different, unrelated keys.
3DES is also known as 168-bit data encryption.
There is no need to configure the 3CR990-FX-97 NIC to establish a particular encryption
setting: the NIC auto-selects the strongest encryption setting based on the data
encryption setting of the partner (receiving or sending) node. If the partner node has a
3DES encryption setting, the NIC automatically processes data encryption using the 3DES
standard; if the partner node has a DES encryption setting, the NIC automatically
processes data encryption using the DES standard; if the partner node has no encryption
setting, the NIC automatically processes data in unencrypted form.
Configuring IPSec for Windows 2000
The 3CR990-FX-97 NIC accelerates IP security (IPSec) data encryption from supported
operating systems that provide this offload capability. This feature is currently available in
the Windows 2000 and Windows XP operating systems.
IPSec primarily consists of two parts:
■ encryption/decryption
■ authentication
To send or receive encrypted data in a PC running Windows 2000 with a
3CR990-FX-97 NIC installed, you must first create a security policy, and then enable
encryption on the NIC. The security policy establishes and defines how encrypted network
traffic between your PC and a specified server occurs.
Authentication enables the receiver to verify the sender of a packet by adding key fields to
a packet without altering the packet data content.