--aggressive mode. A mode during IKE negotiation. Compared to MM, AM eliminates several steps, making it faster but less secure
than MM. Cisco IOS XE software will respond in aggressive mode to an IKE peer that initiates aggressive mode.
--generic routing encapsulation. Tunnels that provide a specific pathway across the shared WAN and encapsulate traffic with
new packet headers to ensure delivery to specific destinations. The network is private because traffic can enter a tunnel
only at an endpoint. Tunnels do not provide true confidentiality (encryption does) but can carry encrypted traffic.
GRE tunneling can also be used to encapsulate non-IP traffic into IP and send it over the Internet or IP network. The Internet
Package Exchange (IPX) and AppleTalk protocols are examples of non-IP traffic.
--Internet Key Exchange. A hybrid protocol that implements Oakley key exchange and Skeme key exchange inside the ISAKMP framework.
Although IKE can be used with other protocols, its initial implementation is with IPsec. IKE provides authentication of the
IPsec peers, negotiates IPsec keys, and negotiates IPsec security associations.
--IP security. A framework of open standards developed by the Internet Engineering Task Force (IETF). IPsec provides security
for transmission of sensitive information over unprotected networks such as the Internet. IPsec acts at the network layer,
protecting and authenticating IP packets between participating IPsec devices (“peers”), such as Cisco routers.
ISAKMP--Internet Security Association Key Management Protocol. A protocol framework that defines payload formats, the mechanics
of implementing a key exchange protocol, and the negotiation of a security association.
MM--main mode. Mode that is slower than aggressive mode but more secure and more flexible than aggressive mode because it
can offer an IKE peer more security proposals. The default action for IKE authentication (rsa-sig, rsa-encr, or preshared)
is to initiate main mode.
--Next Hop Resolution Protocol. Routers, access servers, and hosts can use NHRP to discover the addresses of other routers
and hosts connected to an NBMA network.
The Cisco implementation of NHRP supports the IETF draft version 11 of NBMA Next Hop Resolution Protocol (NHRP).
The Cisco implementation of NHRP supports IP Version 4, Internet Packet Exchange (IPX) network layers, and, at the link layer,
ATM, FastEthernet, SMDS, and multipoint tunnel networks. Although NHRP is available on FastEthernet, NHRP need not be implemented
over FastEthernet media because FastEthernet is capable of broadcasting. FastEthernet support is unnecessary (and not provided)
PFS--perfect forward secrecy. A cryptographic characteristic associated with a derived shared secret value. With PFS, if one
key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous
SA--security association. Describes how two or more entities will utilize security services to communicate securely. For example,
an IPsec SA defines the encryption algorithm (if used), the authentication algorithm, and the shared session key to be used
during the IPsec connection.
Both IPsec and IKE require and use SAs to identify the parameters of their connections. IKE can negotiate and establish its
own SA. The IPsec SA is established either by IKE or by manual user configuration.
transform--The list of operations done on a data flow to provide data authentication, data confidentiality, and data compression.
For example, one transform is the ESP protocol with the HMAC-MD5 authentication algorithm; another transform is the AH protocol
with the 56-bit DES encryption algorithm and the ESP protocol with the HMAC-SHA authentication algorithm.
VPN--Virtual Private Network. A framework that consists of multiple peers transmitting private data securely to one another
over an otherwise public infrastructure. In this framework, inbound and outbound network traffic is protected using protocols
that tunnel and encrypt all data. This framework permits networks to extend beyond their local topology, while remote users
are provided with the appearance and functionality of a direct network connection.