Security for IP-based communication is provided via many mechanisms. Central to these is the IP Security (IPsec) suite of protocols and algorithms. The IPsec suite is defined in many IETF RFCs. Each IPsec RFC falls into one of the following seven categories:
The primary IPsec RFCs include the following:
The IPsec suite provides the following services:
IPsec is implemented at the OSI Network Layer between two peer devices, so all IP-based ULPs can be protected. IPsec supports two modes of operation: transport and tunnel. In transport mode, a security association (SA) is established between two end nodes. In tunnel mode, an SA is established between two gateway devices or between an end node and a gateway device. A security association is a unidirectional tunnel identified by three values: a Security Parameter Index (SPI), the security protocol used (ESP), and the destination IP address. Because each SA carries traffic in only one direction, two SAs must be established (one in each direction) for successful communication to occur.
IP routers and switches also support Access Control Lists (ACLs). An ACL permits or denies protocol actions based on a highly granular permissions list applied to the ingress or egress traffic of a specified interface or group of interfaces. An ACL can be applied to inter-VLAN traffic or intra-VLAN traffic. Inter-VLAN traffic is filtered by applying an ACL to a router interface; such an ACL is sometimes called a Router ACL (RACL). Intra-VLAN traffic is filtered by applying an ACL to all non-ISL switch ports in a given VLAN; such an ACL is sometimes called a VLAN ACL (VACL).
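The following added example (not code from the text above or from any IPsec implementation) models the Security Association Database lookup just described: an inbound packet is matched on the full (SPI, protocol, destination IP) triple, so the SA installed for the opposite direction never matches, which is why a peer pair needs two SAs. The addresses, SPI values and packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Optional, Tuple

ESP = 50  # IANA protocol number for Encapsulating Security Payload


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int          # Security Parameter Index carried in the ESP header
    protocol: int     # security protocol (ESP = 50)
    dst: object       # destination IP address the SA terminates on
    mode: str         # "transport" or "tunnel"


class SADatabase:
    """Minimal SAD keyed by the (SPI, protocol, destination) triple."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, int, object], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        key = (sa.spi, sa.protocol, sa.dst)
        if key in self._sas:
            raise ValueError(f"duplicate SA for {key}")
        self._sas[key] = sa

    def lookup(self, spi: int, protocol: int, dst: str) -> Optional[SecurityAssociation]:
        # All three fields must match; the SPI alone is not a unique identifier.
        return self._sas.get((spi, protocol, ip_address(dst)))


def build_sa_pair(local: str, remote: str, spi_in: int, spi_out: int, mode: str) -> SADatabase:
    """Install the two unidirectional SAs one peer needs to talk to another."""
    sad = SADatabase()
    sad.add(SecurityAssociation(spi_in, ESP, ip_address(local), mode))    # remote -> local
    sad.add(SecurityAssociation(spi_out, ESP, ip_address(remote), mode))  # local -> remote
    return sad


def classify_inbound(sad: SADatabase, packet: dict) -> str:
    """Accept an inbound ESP packet only if an SA matches its full triple."""
    sa = sad.lookup(packet["spi"], packet["protocol"], packet["dst"])
    return "accept" if sa is not None else "drop"


# Constructed sample: host 10.0.0.1 talking to 10.0.0.2 in transport mode.
SAD = build_sa_pair("10.0.0.1", "10.0.0.2", spi_in=0x1001, spi_out=0x2002, mode="transport")
INBOUND = {"spi": 0x1001, "protocol": ESP, "dst": "10.0.0.1"}   # matches remote->local SA
WRONG_DIR = {"spi": 0x2002, "protocol": ESP, "dst": "10.0.0.1"}  # SPI belongs to the outbound SA
```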