USER’S GUIDE
236 CyberSWITCH
SECURITY PARAMETER INDEX (SPI)
A 32-bit number (eight hexadecimal digits) used to identify the security associations between
CyberSWITCH nodes. The SPI must be greater than or equal to 00000100 hex. The SPI is transmitted
in the Encapsulating Security Payload (ESP) header and is used by the peer CyberSWITCH node to
identify the information needed to decrypt the ESP payload.
The following element applies to Link Layer Encryption only:
PROPRIETARY KEY EXCHANGE
When using Link Layer Encryption, this feature supports an automated key exchange (for
Cabletron products only). If you enable this feature, you do not need to manually specify
encryption/decryption keys.
ENCRYPTION/DECRYPTION KEY
This key is used for PPP devices only, and must be 16 digits in length. You may use any
combination of hexadecimal digits in the key. The encryption key you configure on one side of the
connection (site “A”) must match the decryption key you configure on the other side of the
connection (site “B”).
ENCRYPTION BACKGROUND INFORMATION
IP NETWORK LAYER ENCRYPTION
IP Network Layer Encryption consists of:
• an Encapsulating Security Payload (ESP) implementation
• Authentication Headers (AH)
The CyberSWITCH provides IP Security by using either ESP or AH, or a combination of the two.
ESP IMPLEMENTATION
The IP Encryption feature provides a connection between two or more trusted subnets through the
Internet or any other IP network. IP datagrams transmitted from one trusted subnet to another
trusted subnet funnel through a CyberSWITCH node where they are encrypted and encapsulated.
The destination address on the encapsulated datagram is that of the CyberSWITCH node servicing
the other trusted subnet.
IP datagrams to these IP destination addresses are encrypted and encapsulated with an
Encapsulating Security Payload (ESP) header. The ESP header indicates a destination address of an
intermediate CyberSWITCH node which is responsible for decrypting and decapsulating these
packets before sending them on to their intended destination.
When the IP datagram reaches the destination CyberSWITCH node, the ESP header is removed,
the ESP payload is decrypted, and the original IP datagram is forwarded to its original destination.
The CyberSWITCH requires Security Associations to identify:
• range of IP addresses (i.e., one for the source subnet and one for the destination subnet)
• encryption parameters to be used to encrypt communications to those IP addresses
• IP address of the peer CyberSWITCH responsible for decrypting the communications
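The following is an added example, not CyberSWITCH code, that models the SPI rules from the Security Parameter Index element and the Security Association selection described above: the sender picks an SA from the source/destination subnet ranges, addresses the outer datagram to the peer node, and places the SPI in the ESP header; the receiver uses that SPI to find the SA it needs for decryption. All subnets, addresses and SPIs are constructed sample values, and the cipher step itself is left out because the page does not name the algorithm.

```python
import ipaddress
import struct
from dataclasses import dataclass

SPI_MIN = 0x00000100  # page: SPI must be >= 00000100 hex (32 bits, eight hex digits)

def parse_spi(text: str) -> int:
    """Accept exactly eight hexadecimal digits and enforce the minimum value."""
    if len(text) != 8 or any(c not in "0123456789abcdefABCDEF" for c in text):
        raise ValueError(f"SPI must be eight hexadecimal digits: {text!r}")
    spi = int(text, 16)
    if spi < SPI_MIN:
        raise ValueError(f"SPI {spi:08X} is below the minimum {SPI_MIN:08X}")
    return spi

@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    src_subnet: ipaddress.IPv4Network  # trusted source subnet
    dst_subnet: ipaddress.IPv4Network  # trusted destination subnet
    peer: ipaddress.IPv4Address        # CyberSWITCH node that decrypts

# Constructed sample SA database: traffic from 10.1.0.0/24 to 10.2.0.0/24 is
# tunnelled to the hypothetical peer node 192.0.2.2 under SPI 00001000.
SADB = [
    SecurityAssociation(parse_spi("00001000"),
                        ipaddress.ip_network("10.1.0.0/24"),
                        ipaddress.ip_network("10.2.0.0/24"),
                        ipaddress.ip_address("192.0.2.2")),
]

def select_sa(sadb, src: str, dst: str):
    """Sender side: the SA whose address ranges cover this datagram, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((sa for sa in sadb if s in sa.src_subnet and d in sa.dst_subnet), None)

def encapsulate(sa: SecurityAssociation, ciphertext: bytes):
    """Outer IP destination becomes the peer; the ESP header carries the SPI."""
    return str(sa.peer), struct.pack("!I", sa.spi) + ciphertext

def decapsulate(sadb, esp: bytes):
    """Receiver side: the SPI in the ESP header selects the SA used to decrypt."""
    (spi,) = struct.unpack("!I", esp[:4])
    sa = next((sa for sa in sadb if sa.spi == spi), None)
    if sa is None:
        raise LookupError(f"no security association for SPI {spi:08X}")
    return sa, esp[4:]
```

A datagram whose source or destination falls outside every configured range gets no SA and is therefore not tunnelled; an ESP header carrying an unknown SPI is rejected rather than decrypted with a guessed key.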