[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]


Overview of IPSec

IPSec provides IP-level security for packets sent between specified hosts by using both authentication and encryption:

IPSec uses cryptographic keys during authentication and encryption. For authentication, the key and the data form a checksum value; for encryption, a key encrypts data before it is sent and decrypts data when it is received.

Before IPSec-protected communication can be established, both sender and receiver share configuration information with each other. As a result, IPSec defines a security association (SA), the set of security parameters that dictate how IPSec processes a packet, for a sender and for a receiver. These parameters include addressing and key information, both of which must be common to both hosts. Typically, a security association includes parameters for packets transmitted in one direction. Another security association is needed for packets transmitted in the opposite direction.

Figure 17 shows Encapsulating Security Payload (ESP) encapsulated packets sent between SAE and a RADIUS server, and between SAE and a CMTS device.


Figure 17: IPSec-Protected Communications

The SAE uses the IPSec implementation available on the Solaris platform on which the SAE runs. The SAE provides a configuration interface to simplify IPSec configuration for the SAE. For information about the IPSec implementation on the Solaris operating system, see the Sun product documentation at

http://docs.sun.com/app/docs/prod/solaris#hic

Security Keys

For a sender and receiver to participate in IPSec-protected communication, both must use the same type of key that is based on the algorithms used.

Key Types

IPSec uses different key algorithms for authentication and encryption. The SAE supports use of the following algorithms for authentication:

The SAE supports use of the following algorithms for encryption:

Which encryption algorithms are available depends on whether the system has the Solaris Encryption Kit installed. See the Solaris documentation for more information.

Key Management

The implementation of IPSec for the SAE uses automatic key management through Internet Key Management (IKE). IKE is a protocol that provides key generation and secure distribution. It also secures negotiations to create security associations.

The SAE configuration uses a preshared key for IKE negotiations. A preshared key is one whose value is shared by the administrators of the systems that participate in IPSec-protected communication. You define a value for the key and communicate the value of the key out-of-band to the system administrator who is configuring the CMTS device or RADIUS server. When you communicate the key value, make sure that only trusted parties have access to the key information.

NOTE: When you configure the value of this key for the SAE, you use SDX Configuration Editor. Anyone who can open SDX Configuration Editor can read the value for this key. The key value, however, is not stored in the LDAP directory.


Although SDX Configuration Editor supports only configuration of preshared keys, the Solaris operating system also supports certificate authentication. We recommend that you use preshared keys; however, you can configure certificate authentication directly from Solaris if required by your environment.


[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]