Copyright 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.scr
What Is Cryptography
A way of keeping information private
Provides authentication and integrity
Nonrepudiation
Requires key management
A communications enabler
Communication with confidence
318 0944_05F9_c1
1999, Cisco Systems, Inc.
Agenda
Encryption Concepts and Terminology
The PKI and CEP
A Day In the Life of an IPSec Packet
IPSec Implementation Issues
Confidentiality
Confidentiality: communicating such that the intended recipients know what was sent but unintended parties cannot determine what was sent.
Keys
[Figure: Pub/Pri key pairs at each end of a WAN link, DES]
Key Sizes
Estimated Time for Brute-Force Attack (1995) on Symmetric Keys

Cost     40 bits       56 bits     64 bits    80 bits      112 bits    128 bits
100K     2 secs        35 hours    1 year     70,000 yrs   10^14 yrs   10^19 yrs
1M       .2 secs       3.5 hours   37 days    7000 years   10^13 yrs   10^18 yrs
10M      .02 secs      21 mins     4 days     700 years    10^12 yrs   10^17 yrs
100M     2 millisecs   2 mins      9 hours    70 years     10^11 yrs   10^16 yrs
1B       .2 millisec   13 secs     1 hour     7 years      10^10 yrs   10^15 yrs
[Figure: "Networkers" -> Encryption -> "&^$!@#l:{Q" -> Decryption -> "Networkers"]
Encryptor and decryptor use different mathematical functions
Encryptor and decryptor use different keys
Example: Public key algorithms (RSA, Diffie-Hellman)
Generate a secret key
A: YA = g^XA mod p
Bob: YB = g^XB mod p
Exchange YA and YB
YB^XA mod p = g^(XA XB) mod p = YA^XB mod p
Diffie-Hellman Example
Host A: prime p = 5, primitive g = 3
  Choose Xa such that 0 <= Xa < p: Xa = 2
  Ya = g^Xa mod p = 3^2 mod 5 = 4
  Exchange values p, g, Ya
Host B: prime p = 5, primitive g = 3
  Choose Xb such that 0 <= Xb < p: Xb = 4
  Yb = g^Xb mod p = 3^4 mod 5 = 1
  Exchange values p, g, Yb
Symmetric Encryption
[Figure: the same Secret Key at both ends; "Networkers" -> Encryption -> "&^$!@#l:{Q" -> Decryption -> "Networkers"]
Encryption and decryption use the same mathematical function
Encryption and decryption use the same key
Examples: Data Encryption Standard (DES), IDEA, RC2, RC4
DES Encryption
[Figure: original clear-text "Networkers" -> cipher-text -> clear-text]
Peer routers now have identical keys
DES encryption turns cleartext into ciphertext
Decryption restores cleartext from ciphertext
DES Transforms: CFB
[Figure: CFB block diagram with labels IV, Pi, Pi+1, EK, Ci-1, Ci, Ci+1]
DES Transforms: CBC
[Figure: CBC block diagram with labels IV, Pi, Pi+1, EK, Ci-1, Ci, Ci+1]
DES Explained
[Figure: DES round structure with labels: 64 bit block plain text; Initial Permutation into 32-bit L(i-1) and R(i-1); 56 bit Key split into two 28-bit halves with Shift; Compression Permutation (choose 48 bits); Expansion Permutation of R(i-1); XOR with the round key; S-Box Substitution; P-Box Permutation; XOR with L(i-1) giving Ri]
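The round structure on the DES Explained slide and the two chaining modes on the CFB and CBC slides, as an added example that is not part of the Cisco deck. The cipher is a toy 16-round Feistel network (DES also has 16 rounds) whose round function and key schedule are HMAC-SHA256 based, so it is not DES and not usable in practice; it exists only to make the L/R split, the per-round subkey, the XOR-and-swap, and the way CBC and CFB chain blocks concrete. All keys, IVs and plaintexts are constructed.

```python
# Added example, not from the Cisco deck: a toy 16-round Feistel cipher with the
# structure on the "DES Explained" slide (block split into L and R halves, a per-round
# subkey, a round function F, XOR into the other half, swap), and the CBC and CFB
# chaining modes from the "DES Transforms" slides built on top of it.  The round
# function is HMAC-SHA256 based, so this is NOT DES and not a usable cipher; it only
# makes the Feistel and chaining structure concrete.
import hashlib
import hmac

BLOCK = 8      # 64-bit block, as in DES
ROUNDS = 16    # DES also uses 16 rounds

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_keys(key):
    # Toy key schedule: a 4-byte subkey per round derived from the master key
    # (DES instead shifts two 28-bit halves and compresses to 48 bits per round).
    return [hmac.new(key, bytes([i]), hashlib.sha256).digest()[:4] for i in range(ROUNDS)]

def _f(half, subkey):
    # Round function F(R, K_i): keyed, non-linear, 32 bits in and out.
    return hmac.new(subkey, half, hashlib.sha256).digest()[:4]

def _feistel(block, subkeys):
    L, R = block[:4], block[4:]
    for k in subkeys:
        L, R = R, _xor(L, _f(R, k))   # L_i = R_{i-1};  R_i = L_{i-1} XOR F(R_{i-1}, K_i)
    return R + L                       # final swap, as in DES

def encrypt_block(key, block):
    assert len(block) == BLOCK
    return _feistel(block, _round_keys(key))

def decrypt_block(key, block):
    # The same network with the subkeys in reverse order undoes encryption.
    assert len(block) == BLOCK
    return _feistel(block, list(reversed(_round_keys(key))))

def split_blocks(data):
    assert len(data) % BLOCK == 0, "caller must pad to a whole number of blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, iv, plaintext):
    # C_i = E_K(P_i XOR C_{i-1}), with C_0 = IV
    out, prev = [], iv
    for p in split_blocks(plaintext):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    # P_i = D_K(C_i) XOR C_{i-1}: CBC decryption needs the cipher's decrypt direction
    out, prev = [], iv
    for c in split_blocks(ciphertext):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)

def cfb_encrypt(key, iv, plaintext):
    # C_i = P_i XOR E_K(C_{i-1}), with C_0 = IV  (full-block CFB)
    out, prev = [], iv
    for p in split_blocks(plaintext):
        prev = _xor(p, encrypt_block(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(key, iv, ciphertext):
    # P_i = C_i XOR E_K(C_{i-1}): only the ENCRYPT direction is used, which is why
    # the CFB slide shows E_K boxes on both the sending and the receiving side
    out, prev = [], iv
    for c in split_blocks(ciphertext):
        out.append(_xor(c, encrypt_block(key, prev)))
        prev = c
    return b"".join(out)

def ecb_leaks_repeats(key, plaintext):
    # Without chaining, equal plaintext blocks give equal ciphertext blocks.
    cts = [encrypt_block(key, p) for p in split_blocks(plaintext)]
    return len(set(cts)) < len(cts)
```

The two modes differ in which direction of the cipher the receiver needs: CBC decryption calls `decrypt_block`, while CFB never does, because in CFB the block cipher only generates the keystream that is XORed with the data. `ecb_leaks_repeats` shows why either chaining mode is used at all: with no IV and no chaining, identical plaintext blocks produce identical ciphertext blocks.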
Integrity
Integrity: ensuring that data is transmitted from source to destination without undetected alteration.
Message-Digest Algorithms
Secret key and message are hashed together
Recomputation of digest verifies that message originated with peer and that message was not altered in transit
Also used in digital signatures
Examples: HMAC-MD5, HMAC-SHA
[Figure: Secret Key and Message fed into the Hash Function, producing the Hash]
Hash Algorithms
MD5
  Produces a 128 bit hash value
  Input 512 bit block split as 16 x 32 bit blocks
  Output is 4 x 32 bit blocks concatenated
  4 chaining variables
  4 rounds of 16 operations with 4 functions per round
SHA
  Produces a 160 bit hash value
  Input 512 bit block split as 16 x 32 bit blocks, expanded to 80 x 32 bit blocks
  Output is 5 x 32 bit blocks concatenated
  5 chaining variables
  4 rounds of 20 ops
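The keyed digest from the Message-Digest Algorithms slide and the digest sizes from the Hash Algorithms slide, as an added example that is not part of the Cisco deck. It uses only the Python standard library: it reports the digest and block sizes, computes HMAC-MD5 and HMAC-SHA (SHA-1) tags, verifies them in constant time, and shows that a single flipped bit or a wrong key is detected. The 96-bit truncation is the one IPSec AH/ESP use for HMAC-MD5-96 and HMAC-SHA-1-96 (RFC 2403 and 2404); key and message values are constructed.

```python
# Added example, not from the Cisco deck: keyed message digests with the Python standard
# library.  It reports the digest and block sizes from the hash-algorithm slide, computes
# HMAC-MD5 / HMAC-SHA tags as on the message-digest slide, verifies them in constant time,
# and shows that a single flipped message bit or a wrong key is detected.  The 96-bit
# truncation is what IPSec AH/ESP use for HMAC-MD5-96 and HMAC-SHA-1-96 (RFC 2403/2404).
# Key and message below are constructed sample values.
import hashlib
import hmac

def digest_params(name):
    """Output size and internal block size, in bits, for a hashlib algorithm name."""
    h = hashlib.new(name)
    return {"digest_bits": h.digest_size * 8, "block_bits": h.block_size * 8}

def make_tag(key, message, name="sha1", tag_len=None):
    """HMAC(key, message) with the named hash, optionally truncated to tag_len bytes."""
    tag = hmac.new(key, message, name).digest()
    return tag if tag_len is None else tag[:tag_len]

def verify_tag(key, message, tag, name="sha1", tag_len=None):
    """Recompute the tag and compare in constant time.  tag_len comes from the
    security policy (e.g. 12 for the IPSec -96 variants), never from the received
    tag's length, or a short forged tag would be compared against a short prefix."""
    expected = make_tag(key, message, name, tag_len)
    return hmac.compare_digest(expected, tag)

def ipsec_icv(key, data, name):
    """Integrity Check Value as AH/ESP carry it: HMAC output truncated to 96 bits."""
    return make_tag(key, data, name, tag_len=12)

def flip_bit(message, bit):
    """Return message with one bit inverted (simulates in-transit alteration)."""
    b = bytearray(message)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)
```

`hmac.compare_digest` returns False for tags of different length without leaking timing, which is why `verify_tag` passes a policy-chosen `tag_len` rather than truncating to whatever arrived.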
Authentication
Authentication: knowing that the data received is the same as the data that was sent and that the claimed sender is in fact the actual sender.
Digital Signatures
One-way function: easy to produce a hash from a message, impossible to produce the message from the hash
[Figure: Alice passes the Message through the Hash Function to obtain the Hash of Message]
Signature Verification
[Figure: the received Message is passed through the Hash Function and the resulting Hash of Message is compared with the hash carried in the signature]
Digital Envelope
[Figure: Message + Secret Key]
Alice encrypts the message with a random secret key
Encrypt the secret key with Bob's public key
Bob decrypts the secret key with his private key, then decrypts the message
PKI Components
Registration and Certification Issuance
Key Recovery
Key Generation
Key Storage
Certificate Authority
Certificate Revocation
Certificate Distribution
Trusted Time Service
Revocation
Internet Certificate Authority (CA) verifies identity
CA signs digital certificate containing the device's public key
Verisign On-Site, Entrust PKI, Netscape CA, Microsoft CA
X.509v3 Certificate
Binds user identity (Subject Name) to a public key via signature
Issuer (CA) signs cert
Note cert has defined lifetime
Identifies which signature algorithm was used to sign cert
Extension fields allow other information to be bound to cert (e.g., subject's clearances)

Certificate ::= {
  Version (v3)
  Serial Number
  Sign Algorithm ID
  Issuer Name
  Validity Period
  Subject Name
  Subject Public Key
  Issuer Unique ID
  Subject Unique ID
  Extensions
  Signature
}
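The certificate structure above made concrete, as an added example that is not part of the Cisco deck: a minimal DER encoder builds a constructed X.509v3 certificate with the slide's fields, and a minimal DER decoder parses it back, pulling out version, serial, signature algorithm, issuer, subject, validity period and extension OIDs, and checking the "defined lifetime". The issuer name "Networkers CA", subject "router.cisco.com", dates and serial are constructed; the key and signature bytes are dummies, so nothing here verifies the CA's signature.

```python
# Added example, not from the Cisco deck: a minimal DER encoder/decoder that builds a
# constructed X.509v3 certificate with the slide's fields and parses it back (version,
# serial, signature algorithm, issuer, subject, validity, extensions) and checks the
# lifetime.  Key and signature bytes are dummies: no signature is verified here.
from datetime import datetime, timezone

SEQ, SET, INT, BITSTR, OCTSTR, NULL, OID, PRINTABLE, UTCTIME = 0x30, 0x31, 2, 3, 4, 5, 6, 0x13, 0x17
SHA1_RSA, RSA_KEY, CN, BASIC_CONSTRAINTS = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.1", "2.5.4.3", "2.5.29.19"

def der(tag, content):                       # TLV with short or long-form length
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def seq(*items):
    return der(SEQ, b"".join(items))

def integer(v):                              # extra byte keeps the sign bit clear
    return der(INT, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def oid(dotted):                             # base-128 sub-identifier encoding
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.insert(0, (p & 0x7F) | 0x80)
        body += bytes(chunk)
    return der(OID, bytes(body))

def name(cn):                                # Name ::= SEQUENCE OF SET OF {type, value}
    return seq(der(SET, seq(oid(CN), der(PRINTABLE, cn.encode()))))

def build_sample_certificate():
    alg = seq(oid(SHA1_RSA), der(NULL, b""))
    dummy_bits = der(BITSTR, b"\x00" + b"\x00" * 64)            # unused-bits byte + 512 zero bits
    tbs = seq(
        der(0xA0, integer(2)),                                   # [0] Version: 2 means v3
        integer(12345),                                          # Serial Number
        alg,                                                     # Sign Algorithm ID
        name("Networkers CA"),                                   # Issuer Name
        seq(der(UTCTIME, b"990101000000Z"), der(UTCTIME, b"000101000000Z")),  # Validity
        name("router.cisco.com"),                                # Subject Name
        seq(seq(oid(RSA_KEY), der(NULL, b"")), dummy_bits),     # Subject Public Key
        der(0xA3, seq(seq(oid(BASIC_CONSTRAINTS), der(OCTSTR, seq())))),  # [3] Extensions
    )
    return seq(tbs, alg, dummy_bits)                             # + Signature (dummy)

def read_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

def children(content):
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        items.append((tag, body))
    return items

def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def common_name(name_body):
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, t), (_, value) = children(atv)
            if decode_oid(t) == CN:
                return value.decode()

def parse_utctime(body):                     # YYMMDDHHMMSSZ; YY >= 50 means 19YY
    s = body.decode()
    year = (1900 if int(s[:2]) >= 50 else 2000) + int(s[:2])
    return datetime.strptime(str(year) + s[2:], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(cert_der):
    _, cert, _ = read_tlv(cert_der)
    (_, tbs), (_, _sig_alg), (_, sig) = children(cert)
    fields, version = children(tbs), 1
    if fields[0][0] == 0xA0:                 # explicit [0] Version present
        version = int.from_bytes(children(fields[0][1])[0][1], "big") + 1
        fields = fields[1:]
    serial, alg, issuer, validity, subject, _spki = fields[:6]
    not_before, not_after = children(validity[1])
    exts = [decode_oid(children(e)[0][1]) for t, body in fields[6:] if t == 0xA3
            for _, e in children(children(body)[0][1])]
    return {"version": version, "serial": int.from_bytes(serial[1], "big"),
            "signature_algorithm": decode_oid(children(alg[1])[0][1]),
            "issuer": common_name(issuer[1]), "subject": common_name(subject[1]),
            "not_before": parse_utctime(not_before[1]), "not_after": parse_utctime(not_after[1]),
            "extensions": exts, "signature_bits": (len(sig) - 1) * 8}

def within_validity(info, now):              # the slide's "defined lifetime" check
    return info["not_before"] <= now <= info["not_after"]
```

Validity is only one of the checks a relying party performs; the parsed `issuer` is what the next slides' CA chain and CRL lookups key on, and the signature (dummy here) is what binds the subject name to the public key.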
Generate public/private keys
Send certificate request to CA
CA signs certificate
Retrieve certificate from CA

[Figure: list of revoked certificates: Cert 12345, Cert 12241, Cert 22333]
[Figure: certificate hierarchy with several CAs and the users Alice, Bob and Carol; a Certificate points from issuer to subject; a Cross Certificate links two CAs. Legend: CA = Certificate Authority; Certificate User]
PKCS #7 for signing and enveloping
PKCS #10 for certificate request
HTTP and LDAP for transport
Requires manual authentication during enrollment
CRL distribution is manual
IPSec Overview
Interoperable authentication, integrity and encryption
[Figure: IP packet with its Data encrypted]
Authentication Header
[Figure: Firewall and Router]
Data integrity: no twiddling of bits
Origin authentication: definitely came from Router
Uses keyed-hash mechanism
Does NOT provide confidentiality
Replay protection
[Figure: AH header layout]
Next Payload
RESERVED
Header Length
Security Parameter Index (SPI)
Sequence Number Field
Authentication Data
[Figure: ESP packet layout with the Authenticated and Encrypted regions marked]
Security Parameter Index (SPI)
Sequence Number Field
Initialization Vector
Payload Data
Padding (If Any)
Pad Length
Next Header
Authentication Data
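The AH and ESP layouts above parsed from constructed packets, together with the anti-replay window behind the AH slide's "Replay protection" bullet, as an added example that is not part of the Cisco deck. Field order follows RFC 2402 (AH: Next Header, Payload Length, Reserved, SPI, Sequence Number, ICV) and RFC 2406 (ESP: SPI, Sequence Number, IV, encrypted payload and trailer, ICV); the sliding window follows RFC 2401 Appendix C, including the rule that the window is only updated after the ICV verifies. The ESP SPI is the one from the deck's debug output; ICVs are dummy bytes and the `icv_ok` callback stands in for the real HMAC check.

```python
# Added example, not from the Cisco deck: parsing the AH and ESP headers from the two
# slides out of constructed packets with struct (field layout per RFC 2402/2406), plus the
# anti-replay sliding window behind the AH slide's "Replay protection" bullet.  The ICVs
# are dummy bytes and are not verified; the ESP SPI is the one from the deck's debug output.
import struct

AH_FIXED = struct.Struct("!BBHII")    # Next Header, Payload Len, RESERVED, SPI, Sequence Number
ESP_FIXED = struct.Struct("!II")      # SPI, Sequence Number (rest is IV / payload / ICV)

def build_sample_ah(next_header=6, spi=0x1001, seq=1, icv=b"\xAA" * 12, payload=b"tcp-segment"):
    words = (AH_FIXED.size + len(icv)) // 4          # AH length in 32-bit words
    return AH_FIXED.pack(next_header, words - 2, 0, spi, seq) + icv + payload

def parse_ah(packet):
    next_header, payload_len, _reserved, spi, seq = AH_FIXED.unpack_from(packet)
    ah_len = (payload_len + 2) * 4                   # Payload Len counts words minus 2
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": packet[AH_FIXED.size:ah_len], "payload": packet[ah_len:]}

def build_sample_esp(spi=0x0F6120B5, seq=1, iv=bytes(8), encrypted=b"\x00" * 16, icv=b"\xBB" * 12):
    return ESP_FIXED.pack(spi, seq) + iv + encrypted + icv

def parse_esp(packet, iv_len=8, icv_len=12):
    # Pad Length and Next Header sit at the end of the encrypted part and are only
    # readable after decryption, so the encrypted region is returned opaque.
    spi, seq = ESP_FIXED.unpack_from(packet)
    body = packet[ESP_FIXED.size:]
    return {"spi": spi, "seq": seq, "iv": body[:iv_len],
            "encrypted": body[iv_len:len(body) - icv_len], "icv": body[len(body) - icv_len:]}

class ReplayWindow:
    """Sliding window per RFC 2401 Appendix C.  Bit k of the bitmap records whether
    sequence number (top - k) has been accepted; numbers left of the window are
    rejected as too old, numbers already marked are rejected as replays."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq):
        """True if seq is new; does not modify the window."""
        if seq == 0:                                  # the first valid sequence number is 1
            return False
        if seq > self.top:                            # right of the window: always new
            return True
        offset = self.top - seq
        return offset < self.size and not self.bitmap & (1 << offset)

    def update(self, seq):
        """Mark seq as seen.  Call only after the packet's ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

def accept_inbound(window, esp_packet, icv_ok):
    """Receiver order of checks: parse, replay window, ICV, then window update."""
    hdr = parse_esp(esp_packet)
    if not window.check(hdr["seq"]):
        return False                                  # duplicate or too old: drop before any crypto
    if not icv_ok(esp_packet, hdr["icv"]):
        return False                                  # forged or corrupted: window untouched
    window.update(hdr["seq"])
    return True
```

Checking the sequence number before the ICV is what makes the window useful against floods of replayed packets: a duplicate is dropped without any HMAC work. Not updating the window until the ICV has verified matters too, or an attacker could send forged packets with high sequence numbers to push the window past the legitimate ones.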
IPSec Modes
Original packet: IP HDR | DATA
Tunnel Mode: New IP HDR | IPSec HDR | IP HDR | DATA  (IP HDR and DATA encrypted)
Transport Mode: IP HDR | IPSec HDR | DATA  (DATA encrypted)
Agreement between two entities on a method to communicate securely
Unidirectional: two-way communication consists of two SAs
IKE
Negotiates policy to protect communication
Authenticated Diffie-Hellman key exchange
Negotiates (possibly multiple) security associations for IPSec
A flavor of ISAKMP/Oakley for IPSec
Provides PFS
IKE Authentication
Signatures (RSA or DSS)
  Diffie-Hellman secret, identity, hashed together and signed
  Nonrepudiable proof of communication
Preshared key
  Key is agreed upon out-of-band
  Key, Diffie-Hellman secret, identities hashed
  Limited applicability
crypto isakmp key 1234 address 192.168.0.6
crypto isakmp key fred address 192.168.0.20
! These are the transforms or algorithms to be proposed for use
! by IPSec. They may include both an AH and ESP mechanism or
! one of either mechanism. Tunnel Mode is the default.
crypto ipsec transform-set test2 esp-des
crypto ipsec transform-set router esp-des esp-sha-hmac
 mode transport
crypto map test1 10 ipsec-isakmp
 set peer 192.168.0.20
 set transform-set router test2
 match address 101
! Apply the crypto map to an interface
interface Ethernet0
 ip address 192.168.0.2 255.255.255.0
 crypto map test1
access-list 101 permit ip host 192.168.0.2 host 192.168.0.20
[Figure: traffic In the Clear versus Protected]
[Figure: Fred and Wilma, ISAKMP Phase 2 (Oakley Quick Mode), protected by the IKE SA:
  IPSec SA Offer: transform, mode, pfs, authentication, lifetime
  Policy Match: accept offer
  Fred: D-H exchange or refresh IKE key
  Wilma: D-H exchange or refresh IKE key
  IPSec Outbound SA Established
  IPSec Inbound SA Established]
A Day Debug
IKE with preshared keys. Fred proposes using esp-des to Wilma; access-list 101 triggers the IPSec requirement.
fred#telnet 192.168.0.2
Trying 192.168.0.2
A Day Debug
Traffic matching an ACL specification triggers a policy formulation by the sender. If more than one policy exists for a particular destination, then gather all relevant policies.
IPSEC(sa_request): , (key eng. msg.) src= 192.168.0.20, dest= 192.168.0.2,
  src_proxy= 192.168.0.20/255.255.255.255/0/0 (type=1),
  dest_proxy= 192.168.0.2/255.255.255.255/0/0 (type=1),
  protocol= ESP, transform= esp-des ,
  lifedur= 3600s and 4608000kb,
  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
A Day Debug
ISAKMP Phase One using Oakley Main Mode. Negotiate an ISAKMP security association (policy). This SA will protect any key and/or parameter negotiation required by other services such as IPSec.
ISAKMP (26): beginning Main Mode exchange
ISAKMP (26): processing SA payload. message ID = 0
ISAKMP (26): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP (26): atts are acceptable. Next payload is 0
A Day Debug
Exchange public/shared keys and nonces. This is the actual Diffie-Hellman shared secret calculation. Process KE, which is the pre-shared key information, then process the nonces and generate the shared key SKEYID, which will be used as the actual encryption key.
CRYPTO: DH gen phase 1 status for conn_id 26 slot 0:OK
ISAKMP (26): SA is doing pre-shared key authentication
ISAKMP (26): processing KE payload. message ID = 0
CRYPTO: DH gen phase 2 status for conn_id 26 slot 0:OK
ISAKMP (26): processing NONCE payload. message ID = 0
ISAKMP (26): SKEYID state generated
A Day Debug
Next, authenticate the Diffie-Hellman exchange using SHA as the hash algorithm to make sure the payload information has not been intercepted and tampered with.
ISAKMP (26): processing ID payload. message ID = 0
ISAKMP (26): processing HASH payload. message ID = 0
ISAKMP (26): SA has been authenticated
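The SKEYID generation and the HASH payload check from the two debug slides above, as an added example that is not part of the Cisco deck. It follows RFC 2409 section 5 for pre-shared key authentication, with HMAC-SHA-1 as the prf because the negotiated hash on these slides is SHA. In RFC 2409 the KE payload carries the Diffie-Hellman public value; the pre-shared key itself never goes on the wire and enters the exchange only as the key of the SKEYID prf, which is what makes HASH_I fail for a peer that holds a different key. The cookies, nonces, public values, g^xy, SA body and ID body below are constructed placeholders; the two pre-shared keys are the ones in the deck's configuration.

```python
# Added example, not from the Cisco deck: the IKE Phase 1 key derivation and the
# authentication hashes for pre-shared key mode, following RFC 2409 section 5, with
# HMAC-SHA-1 as the prf because the negotiated hash on these slides is SHA.  In RFC 2409
# the KE payload carries the Diffie-Hellman public value; the pre-shared key itself is
# never sent and enters only as the key of the SKEYID prf.  All cookie, nonce, public
# value, g^xy, SA and ID bytes below are constructed placeholders.
import hashlib
import hmac

def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_preshared(psk, ni_b, nr_b):
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni_b + nr_b)

def derive_skeyid_dae(skeyid, g_xy, cky_i, cky_r):
    # SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)            -> seeds IPSec SA keys
    # SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) -> ISAKMP integrity
    # SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) -> ISAKMP encryption
    d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + g_xy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + g_xy + cky_i + cky_r + b"\x02")
    return d, a, e

def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b):
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sai_b + idii_b)

def hash_r(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idir_b):
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)

# Constructed Main Mode transcript values (a real implementation takes them from the payloads)
TRANSCRIPT = {
    "cky_i": b"\x11" * 8, "cky_r": b"\x22" * 8,          # ISAKMP header cookies
    "ni_b": b"\x33" * 16, "nr_b": b"\x44" * 16,          # NONCE payload bodies
    "g_xi": b"\x55" * 96, "g_xr": b"\x66" * 96,          # KE payload bodies (DH public values)
    "g_xy": b"\x77" * 96,                                # DH shared secret (never on the wire)
    "sai_b": b"\x00\x01\x00\x01",                        # SA payload body as sent by the initiator
    "idii_b": b"\x01\x00\x00\x00" + bytes([192, 168, 0, 20]),   # ID payload body (IPv4 address)
}

def responder_authenticates(responder_psk, initiator_psk, t=TRANSCRIPT):
    """Responder recomputes HASH_I with its own pre-shared key and compares it with the
    HASH the initiator sent; this is the step behind 'SA has been authenticated'."""
    sent = hash_i(skeyid_preshared(initiator_psk, t["ni_b"], t["nr_b"]),
                  t["g_xi"], t["g_xr"], t["cky_i"], t["cky_r"], t["sai_b"], t["idii_b"])
    own_skeyid = skeyid_preshared(responder_psk, t["ni_b"], t["nr_b"])
    expected = hash_i(own_skeyid, t["g_xi"], t["g_xr"], t["cky_i"], t["cky_r"], t["sai_b"], t["idii_b"])
    return hmac.compare_digest(sent, expected)
```

Because SKEYID_e is derived from SKEYID, the two peers only end up with the same ISAKMP encryption key if they started from the same pre-shared key; the `hash_i` comparison is what turns that into an explicit authentication decision before any Phase 2 negotiation is accepted.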
A Day Debug
Now, negotiate an SA for IPSec. This is ISAKMP Phase 2 using Oakley Quick Mode.
ISAKMP (26): beginning Quick Mode exchange, M-ID of -652741699
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 258023605 for SA from 192.168.0.2 to 192.168.0.20 for prot 3
ISAKMP (26): processing SA payload. message ID = -652741699
ISAKMP (26): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
A Day Debug
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP (26): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 192.168.0.2, src= 192.168.0.20,
  dest_proxy= 192.168.0.2/255.255.255.255/0/0 (type=1),
  src_proxy= 192.168.0.20/255.255.255.255/0/0 (type=1),
  protocol= ESP, transform= esp-des ,
  lifedur= 0s and 0kb,
  spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
A Day Debug
Generate a shared key for encryption for IPSec. Generally the original D-H generated shared secret key is refreshed by combining it with a random value (another nonce), as shown below.
ISAKMP (26): processing NONCE payload. message ID = 652741699
ISAKMP (26): processing ID payload. message ID = -652741699
ISAKMP (26): processing ID payload. message ID = -652741699
A Day Debug
ISAKMP (26): Creating IPSec SAs
        inbound SA from 192.168.0.2 to 192.168.0.20 (proxy 192.168.0.2 to 192.168.0.20 )
        has spi 258023605 and conn_id 27 and flags 4
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 192.168.0.20 to 192.168.0.2 (proxy 192.168.0.20 to 192.168.0.2 )
        has spi 251200955 and conn_id 28 and flags 4
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
A Day Debug
IPSEC(initialize_sas): , (key eng. msg.) dest= 192.168.0.20, src= 192.168.0.2,
  dest_proxy= 192.168.0.20/255.255.255.255/0/0 (type=1),
  src_proxy= 192.168.0.2/255.255.255.255/0/0 (type=1),
  protocol= ESP, transform= esp-des ,
  lifedur= 3600s and 4608000kb,
  spi= 0xF6120B5(258023605), conn_id= 27, keysize= 0, flags= 0x4
IPSEC(initialize_sas): , (key eng. msg.) src= 192.168.0.20, dest= 192.168.0.2,
  src_proxy= 192.168.0.20/255.255.255.255/0/0 (type=1),
  dest_proxy= 192.168.0.2/255.255.255.255/0/0 (type=1),
  protocol= ESP, transform= esp-des ,
  lifedur= 3600s and 4608000kb,
  spi= 0xEF905BB(251200955), conn_id= 28, keysize= 0, flags= 0x4
A Day Debug
Each SA is unidirectional, so we need to see two SAs created on each participating peer, one outbound and one inbound:
IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.20, sa_prot= 50,
    sa_spi= 0xF6120B5(258023605),
    sa_trans= esp-des , sa_conn_id= 27
IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.2, sa_prot= 50,
    sa_spi= 0xEF905BB(251200955),
    sa_trans= esp-des , sa_conn_id= 28
ip domain-name cisco.com
crypto isakmp policy 4
crypto ca identity cisco.com
 enrollment mode ra
 enrollment url http://10.0.0.2/cgi-bin
 query url ldap://10.0.0.2
 crl optional
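A configuration audit over the IOS crypto configuration shown on this and the earlier configuration slides (pre-shared keys, transform sets, crypto map, CA identity), as an added example that is not part of the Cisco deck. It walks the config, tracks the current top-level block, and reports the settings a reviewer would question today: DES (the deck's own key-size table puts a 56-bit brute force at hours to days), MD5, Diffie-Hellman group 1 (the 768-bit MODP group of RFC 2409), transform sets with no authentication transform, pre-shared keys stored in clear text, and `crl optional`, which lets a peer's certificate be accepted when the CRL cannot be retrieved. The sample config is the deck's with indentation restored; the three sub-commands under `crypto isakmp policy 4` are constructed to match what the deck's certificate debug shows being negotiated (DES-CBC, MD5, group 1).

```python
# Added example, not from the Cisco deck: a small audit pass over the IOS crypto
# configuration shown on these slides.  It walks the config, tracks the current
# top-level block, and reports the settings a reviewer would question today: DES
# transforms and policies (the deck's own key-size table puts a 56-bit brute force at
# hours to days), MD5, Diffie-Hellman group 1, transform sets with no authentication
# transform, pre-shared keys in clear text, and "crl optional", which lets a peer's
# certificate be accepted when the CRL cannot be retrieved.  The sample config is the
# deck's, with indentation restored; the three "crypto isakmp policy 4" sub-commands are
# constructed to match what the deck's certificate debug shows being negotiated.
SAMPLE_CONFIG = """\
crypto isakmp key 1234 address 192.168.0.6
crypto isakmp key fred address 192.168.0.20
crypto isakmp policy 4
 encryption des
 hash md5
 group 1
crypto ipsec transform-set test2 esp-des
crypto ipsec transform-set router esp-des esp-sha-hmac
 mode transport
crypto map test1 10 ipsec-isakmp
 set peer 192.168.0.20
 set transform-set router test2
 match address 101
interface Ethernet0
 ip address 192.168.0.2 255.255.255.0
 crypto map test1
access-list 101 permit ip host 192.168.0.2 host 192.168.0.20
crypto ca identity cisco.com
 enrollment mode ra
 enrollment url http://10.0.0.2/cgi-bin
 query url ldap://10.0.0.2
 crl optional
"""

WEAK_CIPHERS = {"esp-des", "des"}
WEAK_HASHES = {"esp-md5-hmac", "ah-md5-hmac", "md5"}
AUTH_TRANSFORMS = {"esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}

def audit(config_text):
    """Return a list of findings: dicts with line, code and message."""
    findings, block = [], None

    def flag(line, code, message):
        findings.append({"line": line, "code": code, "message": message})

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        if not raw.strip() or raw.startswith("!"):
            continue
        words = raw.split()
        if not raw.startswith(" "):
            block = " ".join(words)           # new top-level command
        if words[:3] == ["crypto", "isakmp", "key"]:
            flag(lineno, "PSK_CLEARTEXT", "pre-shared key for %s stored in clear text" % " ".join(words[4:]))
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            name, transforms = words[3], set(words[4:])
            for t in transforms & WEAK_CIPHERS:
                flag(lineno, "WEAK_CIPHER", "transform-set %s uses %s" % (name, t))
            for t in transforms & WEAK_HASHES:
                flag(lineno, "WEAK_HASH", "transform-set %s uses %s" % (name, t))
            if not transforms & AUTH_TRANSFORMS:
                flag(lineno, "NO_INTEGRITY", "transform-set %s has no authentication transform" % name)
        elif block and block.startswith("crypto isakmp policy") and raw.startswith(" "):
            if words[0] == "encryption" and words[1] in WEAK_CIPHERS:
                flag(lineno, "WEAK_CIPHER", "%s: encryption %s" % (block, words[1]))
            elif words[0] == "hash" and words[1] in WEAK_HASHES:
                flag(lineno, "WEAK_HASH", "%s: hash %s" % (block, words[1]))
            elif words[0] == "group" and words[1] == "1":
                flag(lineno, "WEAK_DH_GROUP", "%s: Diffie-Hellman group 1 (768-bit MODP)" % block)
        elif words == ["crl", "optional"]:
            flag(lineno, "CRL_OPTIONAL", "%s: certificates accepted even if the CRL cannot be retrieved" % block)
    return findings

def summary(findings):
    """Count of findings per code, for a quick pass/fail view."""
    counts = {}
    for f in findings:
        counts[f["code"]] = counts.get(f["code"], 0) + 1
    return counts
```

The `NO_INTEGRITY` finding is the one most specific to these slides: `transform-set test2 esp-des` is encryption with no ESP authentication transform, so a packet protected by it has confidentiality but none of the integrity or origin authentication the AH and ESP slides list, and the crypto map offers it alongside the stronger `router` set.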
Certificate Debug
00:02:29: ISAKMP (2): Checking ISAKMP transform 1 against priority 5 policy
00:02:29: ISAKMP:      encryption DES-CBC
00:02:29: ISAKMP:      hash MD5
00:02:29: ISAKMP:      default group 1
00:02:29: ISAKMP:      auth RSA sig
00:02:29: ISAKMP (2): atts are acceptable. Next payload is 0
00:02:29: ISAKMP (2): SA is doing RSA signature authentication
00:02:29: ISAKMP (2): processing KE payload. message ID = 0
00:02:29: ISAKMP (2): processing NONCE payload. message ID = 0
00:02:29: ISAKMP (2): SKEYID state generated
00:02:30: ISAKMP (2): processing ID payload. message ID = 0
00:02:30: ISAKMP (2): processing CERT payload. message ID = 0
00:02:30: ISAKMP (2): processing a CT_X509_SIGNATURE cert
00:02:30: ISAKMP (2): cert approved with warning
00:02:30: ISAKMP (2): processing CERT_REQ payload. message ID = 0
00:02:30: ISAKMP (2): peer wants a CT_X509_SIGNATURE cert
00:02:30: ISAKMP (2): processing SIG payload. message ID = 0
00:02:30: ISAKMP (2): SA has been authenticated with 10.0.0.3
00:02:30: ISAKMP (2): processing SA payload. message ID = 1451572340
[Figure: IPSec between the HQ router (.1 on 192.168.100.0) and the Detective router (.2); networks 172.21.116.0 and 192.168.150.0]
crypto dynamic-map AcceptRemote 20
 set transform-set encrypt-des
crypto map dynamicHQ 10 ipsec-isakmp dynamic AcceptRemote
[Figure: network 192.168.0.0 255.255.255.0]
! ACL for NAT translation, any source IP from the
! 192.168.0.0 subnet will be translated
access-list 1 permit 192.168.0.0 0.0.0.255
!
! ACL triggers CBAC on traffic initiated on the inside of
! the firewall
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit icmp any any
[Figure: Internet, 201.168.2.1]
IPSec ACL must specify WAN endpoints/subnets to facilitate RTP, H.225
Port numbers used for VOIP may not be well-known and may be negotiated
RTP packets cannot be distinguished within an ESP encrypted flow, so interleaving between fragments is not possible
Increasing bandwidth for smaller packet sizes is good for IPSec and VOIP
Diff-serv: the entire TOS byte is copied to the IPSec header so precedence can be applied
The additional length may change the packet's service characteristics
QoS must be implemented before IPSec
Performance

Model   Suggested Bandwidth
1600    up to 64Kb - 128Kb
2500    up to 128Kb
2600    up to 512Kb
3640    up to 1.5Mb
4700    up to 2.0Mb
7206    up to 2.5Mb
7505    up to 6.0Mb

Throughput table (column headings not recovered; ranges shown as low-high):
(preceding row, partial)  0.2  0.3
3640   9.9+     2.0   4.0
4700   9.5-9.9  4.9   1.4-9.1  1.5-3.1  1.1-2.6  5.3
7206   9.9+     2.9   1.0-9.1  1.1-3.5  0.9-2.9  5.5
7505*  9.9+     9.2   2.9-9.4  3.6-9.1  2.6-7.9  9.9
* The processing of IPSec is done on the RSP.
Reference Material
Applied Cryptography (2nd Edition), Bruce Schneier, Addison-Wesley
Cryptography and Network Security, William Stallings, Prentice Hall
Web Security and Commerce, Garfinkel and Spafford, O'Reilly
Internet Cryptography, Richard E. Smith, Addison-Wesley
Internet Drafts and RFCs: www.ietf.org, Public-Key Infrastructure and IP Security Protocol Charters