About Ipsec - Cisco MDS 9000 Series Configuration Manual

About IPsec
IP security (IPsec) protocol is a framework of open standards that provides data confidentiality, data integrity,
and data authentication between participating peers. It is developed by the Internet Engineering Task Force
(IETF). IPsec provides security services at the IP layer, including protecting one or more data flows between
a pair of hosts, between a pair of security gateways, or between a security gateway and a host. The overall
IPsec implementation is the latest version of RFC 2401. Cisco NX-OS IPsec implements RFC 2402 through
RFC 2410.
IPsec uses the Internet Key Exchange (IKE) protocol to handle protocol and algorithm negotiation and to
generate the encryption and authentication keys used by IPsec. While IKE can be used with other protocols,
its initial implementation is with the IPsec protocol. IKE provides authentication of the IPsec peers, negotiates
IPsec security associations, and establishes IPsec keys. IKE uses RFCs 2408, 2409, 2410, and 2412, and
additionally implements the draft-ietf-ipsec-ikev2-16.txt draft.
IPsec provides security for transmission of sensitive information over unprotected networks such as the
Internet. IPsec acts at the network layer, protecting and authenticating IP packets between participating IPsec
devices (peers).
Note
IPsec is not supported by the Cisco Fabric Switch for HP c-Class BladeSystem and the Cisco Fabric Switch
for IBM BladeCenter.
IPsec provides the following network security services. In general, the local security policy dictates the use
of one or more of these services between two participating IPsec devices:
• Data confidentiality—The IPsec sender can encrypt packets before transmitting them across a network.
• Data integrity—The IPsec receiver can authenticate packets sent by the IPsec sender to ensure that the
data has not been altered during transmission.
• Data origin authentication—The IPsec receiver can authenticate the source of the IPsec packets sent.
This service is dependent upon the data integrity service.
• Anti-replay protection—The IPsec receiver can detect and reject replayed packets.
Note
The term data authentication is generally used to mean data integrity and data origin authentication. Within
this chapter it also includes anti-replay services, unless otherwise specified.
With IPsec, data can be transmitted across a public network without fear of observation, modification, or
spoofing. This enables applications such as Virtual Private Networks (VPNs), including intranets, extranets,
and remote user access.
IPsec as implemented in Cisco NX-OS software supports the Encapsulating Security Payload (ESP) protocol.
This protocol encapsulates the data to be protected and provides data privacy services, optional data
authentication, and optional anti-replay services.
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
168
Configuring IPSec Network Security
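The anti-replay service listed among the IPsec services above is what an ESP receiver provides with a sliding window over packet sequence numbers. The following Python sketch is an added illustration of that check and is not Cisco NX-OS code; the 64-entry window size and the packet sequence it feeds in are constructed for the example.

```python
class AntiReplayWindow:
    """Sliding-window replay check of the kind an ESP receiver keeps per
    security association. Added illustration only, not Cisco NX-OS code."""

    def __init__(self, window_size: int = 64) -> None:
        # 64 is an assumed size for this example; RFC 2401 requires at least 32.
        if window_size < 32:
            raise ValueError("window must be at least 32 sequence numbers")
        self.size = window_size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if the packet is fresh; False if it is a
        replay or falls to the left of the window. A real receiver runs this
        only after the ESP integrity check succeeds, so forged sequence
        numbers cannot advance the window."""
        if seq == 0:
            return False               # ESP never uses sequence number 0
        if seq > self.top:
            # New high-water mark: slide the window right and mark seq as seen.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False               # too old: left of the window
        if self.bitmap & (1 << diff):
            return False               # already received: replay
        self.bitmap |= 1 << diff       # late but fresh: accept and record
        return True


def replay_verdicts(seqs, window_size: int = 64):
    """Feed a constructed list of ESP sequence numbers through one window and
    return the accept (True) / reject (False) verdict for each packet."""
    window = AntiReplayWindow(window_size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: 5 is replayed; 4 and 1 arrive after 70 has moved
    # the window past them, so all three are rejected.
    sample = [1, 3, 2, 5, 5, 70, 4, 1]
    print(replay_verdicts(sample))
```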