anti-replay—Security service in which the receiver
can reject old or duplicate packets in order to defeat replay attacks.
IPsec provides this optional service by combining a per-SA sequence number
with data authentication: the sequence number is covered by the integrity
check, so an attacker cannot alter it, and the receiver tracks which numbers
it has already accepted. Cisco IOS XE IPsec provides this service whenever it
provides the data authentication service, except for manually established SAs
(that is, SAs established by configuration and not by IKE).
data authentication—Verification of the
integrity and origin of the data. Data authentication can refer either to
integrity alone or to both of these concepts (although data origin
authentication is dependent upon data integrity).
data confidentiality—Security service in which
the protected data cannot be observed.
data flow—Grouping of traffic, identified by a
combination of source address (with mask), destination address (with mask), IP
next-protocol field, and source and destination ports, where the protocol and
port fields can have the value any. IPsec protection is applied to data flows.
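The selector matching that decides which data flow a packet belongs to, written out as an added example (this is illustrative code, not Cisco's implementation). It assumes Cisco-style wildcard masks (a 1 bit means "do not care") and an ordered list of selectors where the first match wins; the policy and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    """Cleartext packet fields that selectors are matched against (constructed input)."""
    src: str
    dst: str
    protocol: int                 # IP next-protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    sport: Optional[int] = None   # None for protocols that carry no ports
    dport: Optional[int] = None

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard does not mask out."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass(frozen=True)
class DataFlow:
    """One data-flow selector: address/wildcard pairs plus protocol and ports.

    A protocol or port of None means 'any'. Wildcard masks follow the ACL
    convention: 0.0.0.255 covers a /24, 0.0.0.0 pins a single host.
    """
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    protocol: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if not wildcard_match(pkt.src, self.src, self.src_wild):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wild):
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        # A port selector can only match a packet that actually carries ports;
        # an ICMP packet (sport/dport None) never matches a port selector.
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

def select_flow(flows: List[DataFlow], pkt: Packet) -> Optional[int]:
    """Return the index of the first selector the packet matches, or None.

    Order matters, as in an ordered crypto ACL: the first match decides which
    IPsec policy (and therefore which SA) protects the packet. A packet that
    matches no selector gets no IPsec protection from this policy.
    """
    for i, flow in enumerate(flows):
        if flow.matches(pkt):
            return i
    return None

# Constructed policy: protect a site-to-site /24 pair for any protocol, and
# separately protect only TCP/443 from anywhere to one host.
FLOWS = [
    DataFlow("10.1.1.0", "0.0.0.255", "10.2.2.0", "0.0.0.255"),
    DataFlow("0.0.0.0", "255.255.255.255", "192.0.2.10", "0.0.0.0", protocol=6, dport=443),
]

if __name__ == "__main__":
    for pkt in (
        Packet("10.1.1.5", "10.2.2.7", 1),                   # ICMP inside the /24 pair
        Packet("172.16.0.1", "192.0.2.10", 6, 51000, 443),   # TCP/443 to the host
        Packet("172.16.0.1", "192.0.2.10", 6, 51001, 80),    # TCP/80: no selector
        Packet("172.16.0.1", "192.0.2.10", 17, 51002, 443),  # UDP/443: protocol mismatch
    ):
        print(pkt, "->", select_flow(FLOWS, pkt))
```

The protocol check is deliberately separate from the port check: a selector that names TCP port 443 must not be satisfied by a UDP datagram to port 443, which is a common mistake when selectors are matched on ports alone.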
IKE—Internet Key Exchange. A protocol that negotiates
a shared security policy and produces authenticated keying material for
services (such as IPsec) that require keys. Before any IPsec traffic can be
passed, each router, firewall, or host must verify the identity of its peer.
This can be done with preshared keys entered manually on both peers or with
certificates issued by a CA.
IPsec—IP Security. A framework of open
standards that provides data confidentiality, data integrity, and data
authentication between participating peers. IPsec provides these security
services at the IP layer. IPsec uses IKE to negotiate protocols and algorithms
based on local policy and to generate the encryption and authentication keys
that IPsec uses. IPsec can protect one or more data flows between a pair of
hosts, between a pair of security gateways, or between a security gateway and
a host.
peer—In the context of this module, a “peer” is
a router or other device that participates in IPsec.
PFS—perfect forward secrecy. Cryptographic
characteristic associated with a derived shared secret value. With PFS, the
compromise of one key does not compromise previous or subsequent keys, because
each key is derived from a fresh Diffie-Hellman exchange rather than from
earlier keys.
SA—security association. Description of how two
or more entities use security services in the context of a particular security
protocol (AH or ESP) to communicate securely on behalf of a particular data
flow. The transform and the shared secret keys are used for protecting the
SPI—security parameter index. A 32-bit number which,
together with a destination IP address and security protocol, uniquely
identifies a particular security association. The SPI is carried in the AH or
ESP header of every protected packet so that the receiver can find the
matching SA. Without IKE, the SPI is manually specified for each security
association.
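The inbound lookup and anti-replay check described under the anti-replay and SPI entries, as an added example that is generic RFC 4303 logic rather than Cisco IOS XE code. It assumes an ESP packet whose first eight bytes are the SPI and sequence number, a 64-bit sliding window, and a caller-supplied `icv_valid` flag standing in for real ICV verification; the SA table and packets are constructed for the example.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ESP = 50   # IP protocol numbers of the two IPsec security protocols
AH = 51

@dataclass
class ReplayWindow:
    """Sliding anti-replay window in the style of RFC 4303 section 3.4.3."""
    size: int = 64
    last: int = 0     # highest sequence number accepted so far
    bitmap: int = 0   # bit i set => sequence number (last - i) already accepted

    def check(self, seq: int) -> bool:
        """Preliminary check, done before the ICV is verified; changes no state."""
        if seq == 0:
            return False                      # senders start at 1; 0 is never valid
        if seq > self.last:
            return True                       # right of the window: new
        offset = self.last - seq
        if offset >= self.size:
            return False                      # left of the window: too old
        return not (self.bitmap >> offset) & 1   # inside the window: reject duplicates

    def update(self, seq: int) -> None:
        """Record an accepted packet; call only after the ICV has verified."""
        mask = (1 << self.size) - 1
        if seq > self.last:
            shift = seq - self.last
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.last = seq
        else:
            self.bitmap |= 1 << (self.last - seq)

@dataclass
class InboundSA:
    spi: int
    dst: str
    protocol: int                 # ESP or AH
    replay_enabled: bool = True   # False models a manually keyed SA
    replay: ReplayWindow = field(default_factory=ReplayWindow)

class InboundSADB:
    """Inbound SA table keyed by (destination address, security protocol, SPI)."""
    def __init__(self) -> None:
        self._sas: Dict[Tuple[str, int, int], InboundSA] = {}

    def add(self, sa: InboundSA) -> None:
        self._sas[(sa.dst, sa.protocol, sa.spi)] = sa

    def lookup(self, dst: str, protocol: int, spi: int) -> Optional[InboundSA]:
        return self._sas.get((dst, protocol, spi))

def make_esp(spi: int, seq: int, payload: bytes = b"\x00" * 16) -> bytes:
    """Constructed ESP packet: SPI, sequence number, then opaque ciphertext."""
    return struct.pack("!II", spi, seq) + payload

def parse_esp_header(pkt: bytes) -> Tuple[int, int]:
    """ESP begins with a 32-bit SPI followed by a 32-bit sequence number."""
    return struct.unpack("!II", pkt[:8])

def process_inbound(sadb: InboundSADB, dst: str, protocol: int,
                    pkt: bytes, icv_valid: bool = True) -> str:
    spi, seq = parse_esp_header(pkt)
    sa = sadb.lookup(dst, protocol, spi)        # (dst, protocol, SPI) selects the SA
    if sa is None:
        return "drop: no SA"
    if sa.replay_enabled and not sa.replay.check(seq):
        return "drop: replay"
    if not icv_valid:          # stand-in for HMAC/ICV verification (assumption)
        return "drop: bad ICV"
    if sa.replay_enabled:      # advance the window only for authenticated packets
        sa.replay.update(seq)
    return "accept"

if __name__ == "__main__":
    sadb = InboundSADB()
    sadb.add(InboundSA(spi=0x1000, dst="192.0.2.1", protocol=ESP))
    for seq in (1, 2, 3, 2, 100, 36, 37, 37):
        print(seq, process_inbound(sadb, "192.0.2.1", ESP, make_esp(0x1000, seq)))
```

The window is updated only after the ICV passes. If it were advanced on the preliminary check alone, an attacker who can forge the cleartext sequence number could push the window forward and cause the receiver to discard the legitimate packets that follow.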
transform—List of operations performed on a
data flow to provide data authentication, data confidentiality, and data
compression. For example, one transform is the ESP protocol with the HMAC-MD5
authentication algorithm; another transform is the AH protocol with the
HMAC-SHA authentication algorithm together with the ESP protocol with 56-bit
DES encryption. (AH provides authentication only; encryption is always an ESP
service. 56-bit DES and HMAC-MD5 are legacy algorithms and should not be
selected for new deployments.)
tunnel—In the context of this module, “tunnel”
is a secure communication path between two peers, such as two routers. It does
not refer to using IPsec in tunnel mode.