
Alcatel-Lucent Service Router IPSec-ISA

IPSEC INTEGRATED SERVICE ADAPTER

The advanced security capabilities of the Alcatel-Lucent Service Router (SR) IPSec-Integrated Service Adapter (IPSec-ISA) provide comprehensive network-integrated Layer 3 IPSec virtual private network (VPN) deployment options, such as Remote Access Concentrator (RAC), site-to-site and network-to-network encrypted IPSec security. Up to four IPSec-ISAs can be virtualized in a single Alcatel-Lucent 7750 SR chassis, enabling up to 40 Gb/s of throughput with up to 64,000 concurrent IPSec VPN tunnels.

Integrated Service Adapters (ISA) extend the level of intelligence of the industry-leading Alcatel-Lucent 7750 SR platform by virtualizing advanced service capabilities into a single, unified IP/MPLS service edge. These adapters provide purpose-built, extended functionality to the Service Router, enabling deeper levels of service capabilities that otherwise would require external dedicated network-attached appliances.

The IPSec-ISA significantly extends the service depth and functionality of the 7750 SR by integrating and virtualizing advanced VPN services into an IP/MPLS network infrastructure. As a fully integrated VPN solution, any physical interface on the 7750 SR platform can operate as an encrypted IPSec VPN port, enabling support for a diverse range of network traffic types, interfaces and topologies. As a result, IPSec-ISA enables greater service scale and resiliency and reduced network latency, while enabling optimized VPN services for personalized, on-demand service deployments. IPSec-ISA reduces the number of network devices and helps control multivendor complexity, which helps to reduce operational complexity and significantly lower the total cost of ownership (TCO).

Features

Modular and highly scalable
The half-slot, hot-swappable IPSec-ISA is supported on the Input/Output Module-2 (IOM-2), enabling rapid service integration and service delivery. This is especially useful where rack space is at a premium. Up to four IPSec-ISAs can be deployed in a single chassis, along with any Media Dependent Adapter (MDA) or MDA-XP, and on the same or multiple IOMs for complete configuration flexibility.

Up to four 7750 SR IPSec-ISAs can be deployed in the same 7750 SR chassis, enabling service providers to scale VPN service capacity as required. Each IPSec-ISA can support up to 16,000 concurrent sessions per adapter, and can scale up to 64,000 concurrent sessions when multiple adapters are deployed. In addition, IPSec-ISA supports encryption or decryption of both Layer 2 and Layer 3 IPSec tunnel traffic at the rate of 10 Gb/s per ISA, for a total per-Service Router capacity of 40 Gb/s. For sessions requiring both encryption and decryption of traffic, IPSec-ISA can support bi-directional flows of up to 5 Gb/s per adapter, and up to 20 Gb/s per 7750 SR chassis.

Advanced network-based IPSec security
As a standards-based implementation, the IPSec-ISA supports multivendor interoperability for network devices, end-node software and other VPN systems. IPSec-ISA delivers a comprehensive range of interoperable and advanced VPN encryption and security services. Key elements of the IPSec-ISA's advanced IPSec VPN services include:
Network Address Translation Traversal (NAT-T), including RFC 3947, RFC 3948
DES, 3DES, AES-128, AES-192 and AES-256 encryption methods
HMAC-MD5 and HMAC-SHA1 authentication and hashing methods
Diffie-Hellman key generation algorithms
Pre-shared keys and Internet Key Exchange (IKE) shared secret with Perfect Forward Secrecy (PFS) key management authentication methods

Integrated resiliency
In addition to leveraging all of the High Availability mechanisms from the 7750 SR, redundant IPSec-ISAs can be configured in the 7750 SR chassis. In addition, primary and standby IPSec-ISA designations can be defined, enabling an IPSec-ISA to provide resiliency protection for all concurrent sessions across up to four primary IPSec-ISAs. Upon failure of a primary ISA, the standby IPSec-ISA assumes operations. The active and redundant ISAs can be deployed on any IOM in the same chassis. In addition, the IPSec-ISA supports a comprehensive range of resiliency capabilities including Dead Peer Detection, Multiple IPSec tunnels per Virtual Private Routed Network (VPRN), Dynamic Routing Protection and Bidirectional Forwarding Detection (BFD).

Comprehensive manageability and OSS integration
As a fully integrated VPN solution, the 7750 SR IPSec-ISA reduces operational complexity by providing unified network and VPN services from a single managed platform with consistent and simple operational provisioning and subscriber policy management. All functionality and services are tightly integrated and fully managed by the Alcatel-Lucent 5620 Service Aware Manager (SAM) including element, network and OSS management interfaces. As a result, the cost and complexity of managing stand-alone VPN appliances is greatly reduced and service providers can offer unified VPN services with end-to-end service continuity.

Comprehensive network-based IPSec security deployment options
The integrated and virtualized IPSec services on the SR allow service providers to blend service offerings by combining the capabilities of the IPSec-ISA with the comprehensive range of Layer 2 and Layer 3 IP/MPLS service capabilities of the SR. For example, service providers can simultaneously map traffic into different VPNs, such as IPSec VPN, Layer 3 VPN or Layer 2 VPN, on the SR. IPSec VPN security can be enabled on any SR port, to any subscriber, regardless of media type. Layer 2 traffic can be encrypted into an IPSec tunnel with generic routing encapsulation (GRE) service distribution point (SDP), using VSM. The different service deployment options are described in Table 1.

Table 1. IPSec-ISA flexible deployment options

Highly scalable IPSec-ISA deployment options, each followed by its description:

1. Remote-Access VPN Concentrator (RAC)
Integrated remote access VPNs are a significant source of revenue for many wireline and wireless service providers.
The IPSec-ISA allows businesses and users to add, remove and change sites quickly and easily, using integrated security-survival capabilities from their service providers.

2. Site-to-site secure and encrypted IPSec VPNs
Integrated site-to-site VPNs allow businesses to share secure and encrypted VPN traffic among multiple sites.

3. Network-to-network encrypted VPN security
With increasing demand for IP Multimedia Subsystem (IMS), triple play and premium business services, network-to-network security between partner carrier networks has become imperative, requiring scalable, high-performance IPSec VPNs for traffic or content encryption.

4. Mobile backhaul secure and encrypted traffic
Wireless backhaul traffic may need to traverse partner or vulnerable wireline metro networks. Network-based integrated IPSec security can be used to provide secure connectivity for wireless backhaul traffic.

Alcatel-Lucent Service Router IPSec-ISA | Data Sheet

Technical specifications
Dimensions
Height: 1.3 cm (0.5 in.)
Width: 17.1 cm (6.7 in.)
Depth: 17.8 cm (7.0 in.)
Weight: 0.45 kg (1.0 lb)

Environmental specifications
Operating temperature: 0°C to 40°C (32°F to 104°F)
Relative humidity: 15% to 85% (non-condensing)
Altitude: 3048 m (10,000 ft)

Regulatory agency standards
Safety: UL 60950-1; CAN 60950-1; EN 60950-1; CE Mark
EMC: EN 55022
EMI: FCC Part 15, Class A; EN 55022

Minimum platform requirements
IPSec-ISA requires IOM-2
Supported chassis: 7750 SR-7, 7750 SR-12
Minimum operating system:
For SR chassis: Service Router Operating System (SR OS) Release 6.1 or higher
For IPSec-ISA Adapter: SR OS Release 6.1 or higher

IPSec-ISA per ISA, per IOM and per chassis throughput
5 Gb/s full-duplex encryption and decryption, or 10 Gb/s of either encryption or decryption per ISA
10 Gb/s full-duplex encryption and decryption, or 20 Gb/s of either encryption or decryption per IOM
20 Gb/s full-duplex encryption and decryption, or 40 Gb/s of either encryption or decryption per supported 7750 SR

IPSec VPN concurrent session scalability per ISA, per IOM and per chassis
Hardware:
Up to 16,000 concurrent IPSec sessions per IPSec-ISA
Up to 32,000 concurrent IPSec sessions per IOM
Up to 64,000 concurrent IPSec sessions per 7750 SR chassis
Software (SR OS Release 6.1):
Up to 8000 concurrent IPSec sessions per IPSec-ISA
Up to 32,000 concurrent IPSec sessions per IOM
Up to 32,000 concurrent IPSec sessions per 7750 SR chassis

Key management authentication methods
Pre-shared keys

MIBs
Timetra MIB

IPSec VPN session setup rate
Up to 172 sessions per second per supported 7750 SR

OAM
Ping, trace-route, service mirroring, IPSec Dead Peer Detection, BFD

IPSec service resiliency
Dead Peer Detection for IPSec tunnel
Primary and backup IPSec-ISA on same line card IOM or different line card IOM
Multiple IPSec tunnels per VPRN
Dynamic routing
BFD for underlying IP path

Authentication and hashing methods
HMAC-MD5, HMAC-SHA1

Key distribution methods
IKE shared secret with PFS support
Manual exchange

IPSec encapsulation methods
ESP with authentication, in tunnel mode

Integrated services
IPSec VPN, GRE, VPRN, Internet Enhanced Services, Virtual Private LAN Service, Virtual Leased Line

Key IPSec RFC(s) supported
RFC 2401 Security Architecture for the Internet Protocol
RFC 3706 IKE Dead Peer Detection
RFC 3947 Negotiation of NAT-Traversal in the IKE
RFC 3948 UDP Encapsulation of IPSec ESP Packets

Statistics and accounting support
Interface-level IPSec tunnel cumulative statistics
Debugging stats for IKE and other systems

Encryption methods
DES, 3DES, AES-128, AES-192 and AES-256

End-user system or network elements verified
Multiple non Alcatel-Lucent network appliances supported
Full list available upon request

Network/element management
Fully supported and provisioned by 5620 SAM
Command line interface

Ordering information
3HE03080AA ISA 7750 SR IPSec ISA

Platform level redundancy and availability
4:1 redundant IPSec-ISAs per supported 7750 SR
In-service insertion and removal of IPSec-ISA

End-user clients verified
Windows 2000/XP, Linux, Forticlient

Key generation algorithms
Diffie-Hellman


www.alcatel-lucent.com

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright 2008 Alcatel-Lucent. All rights reserved.
CAR4688080911 (09)
