No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


NE40E V800R010C10SPC500 Feature Description - Security 01

This is NE40E V800R010C10SPC500 Feature Description - Security
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
IPsec SA

IPsec SA

IPsec provides secure communication between IPsec peers (two communication ends).

An SA functions as a convention for some elements of IPsec peers, and is used to protect protocol packets, providing IPsec with essential functions. It defines the security protocol to be applied, encapsulation mode, authentication mode, and shared key for protocol packets protection. The security protocol can be configured as either Authentication Header (AH) or Encapsulating Security Payload (ESP).

An SA is unidirectional, with incoming protocol packets and outgoing protocol packets being processed by different SAs. Therefore, if two hosts (Device A and Device B) are to communicate through ESP, two SAs must be set up on Device A, one of which processes the outgoing protocol packets and the other processes the incoming protocol packets. Similarly, two SAs must be set up on Device B, as shown in Figure 13-23.
Figure 13-23 Unidirectional logical connections of SAs

SAs are protocol-specific. If Device A and Device B use both AH and ESP for secure communication, four SAs are required on Device A. Two SAs (one for incoming protocol packets and one for outgoing protocol packets) are configured for AH and the other two SAs (one for incoming protocol packets and one for outgoing protocol packets) are configured for ESP. Similarly, four SAs with equivalent relationships are required on Device B.

An SA is uniquely identified by a 3-tuple, which comprises the Security Parameter Index (SPI), destination IP address, and security protocol (AH or ESP). The SPI is a 32-bit number generated to identify an SA and is carried in the AH or ESP header during transmission.

SA Establishment Modes

The SA can be established by means of manual configuration and automatic negotiation.
  • In manual configuration mode, you can set some parameters on both ends. After parameters on both ends match and the negotiation is successful, an IPsec SA is established. The manual configuration mode is complex, because all information required for establishing an IPsec SA needs to be manually configured. Specific advanced features (such as periodic key update) of IPsec are not supported. However, the advantage of the manual configuration mode is that IPsec functions can be implemented without relying on IKE. Currently, the manual configuration mode is mainly applicable to protocol packet authentication, for example, RIPng, OSPFv3, IGMP, MLD, PIM, and DHCPv6 Relay.

  • The automatic negotiation mode is initiated and maintained by IKE. Both parties establish an SA after matching and negotiation based on respective security policy library, without user intervention.

    IKE is a hybrid protocol. It is based on a framework defined by Internet Security Association and Key Management Protocol (ISAKMP). IKE provides services for IPsec such as key exchange for automatic negotiation and SA establishment, thereby simplifying IPsec use and management.

    IKE is classified as IKEv1 and IKEv2. IKEv1 and IKEv2 use similar SA establishment modes. For details, see IKEv1 SA Negotiation Process and IKEv2 SA Negotiation Process.

IKE Security Mechanism

  • DH key exchange

  • Perfect Forward Secrecy (PFS): If a key is cracked, security of other keys is not affected because these keys do not have a legacy relationship. PFS is ensured by the DH algorithm. This feature is implemented by adding the key exchange mechanism to IKE phase-2 negotiation.

  • Authentication: Authentication is used to verify identities of both communication parties. In the pre-shared key (PSK) method, an authenticator is used to generate a key for a party. If authenticators are different, the generated keys are different. The authenticator is a key factor used to verify identifies of both parties.

  • Identity protection: Identity data is encrypted for transmission after a key is generated, thereby protecting the identity data.

Updated: 2019-01-03

Document ID: EDOC1100055047

Views: 12705

Downloads: 31

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next