Overview of IPSec
IPSec provides IP-level security for packets sent between specified hosts by using both authentication and encryption:
- Authentication ensures data integrity and verifies the identity of the sender and receiver.
- Encryption ensures data confidentiality; only the sender and intended recipient can read the information.
IPSec uses cryptographic keys during authentication and encryption. For authentication, the key and the data form a checksum value; for encryption, a key encrypts data before it is sent and decrypts data when it is received.
Before IPSec-protected communication can be established, both sender and receiver share configuration information with each other. As a result, IPSec defines a security association (SA), the set of security parameters that dictate how IPSec processes a packet, for a sender and for a receiver. These parameters include addressing and key information, both of which must be common to both hosts. Typically, a security association includes parameters for packets transmitted in one direction. Another security association is needed for packets transmitted in the opposite direction.
Figure 17 shows Encapsulating Security Payload (ESP) encapsulated packets sent between SAE and a RADIUS server, and between SAE and a CMTS device.
![]()
The SAE uses the IPSec implementation available on the Solaris platform on which the SAE runs. The SAE provides a configuration interface to simplify IPSec configuration for the SAE. For information about the IPSec implementation on the Solaris operating system, see the Sun product documentation at
http://docs.sun.com/app/docs/prod/solaris#hic
Security Keys
For a sender and receiver to participate in IPSec-protected communication, both must use the same type of key that is based on the algorithms used.
Key Types
IPSec uses different key algorithms for authentication and encryption. The SAE supports use of the following algorithms for authentication:
- Hashed Message Authentication Code using a Message Digest 5 key (HMAC-MD5)
- Hashed Message Authentication Code using a Secure Hash Standard 1 key (HMAC-SHA-1)
The SAE supports use of the following algorithms for encryption:
- Data Encryption Standard (DES)
- Triple Data Encryption Standard (3DES)
- Advanced Encryption Standard (AES)
- Blowfish
Which encryption algorithms are available depends on whether the system has the Solaris Encryption Kit installed. See the Solaris documentation for more information.
Key Management
The implementation of IPSec for the SAE uses automatic key management through Internet Key Management (IKE). IKE is a protocol that provides key generation and secure distribution. It also secures negotiations to create security associations.
The SAE configuration uses a preshared key for IKE negotiations. A preshared key is one whose value is shared by the administrators of the systems that participate in IPSec-protected communication. You define a value for the key and communicate the value of the key out-of-band to the system administrator who is configuring the CMTS device or RADIUS server. When you communicate the key value, make sure that only trusted parties have access to the key information.
Although SDX Configuration Editor supports only configuration of preshared keys, the Solaris operating system also supports certificate authentication. We recommend that you use preshared keys; however, you can configure certificate authentication directly from Solaris if required by your environment.