IPSec Transforms and Transform Sets
One set of decisions that must be made early in an IPSec implementation is whether to use AH or ESP, whether to use MD5 or SHA-1 for hashing, and whether to run in Transport or Tunnel mode. Each combination of these choices is called a transform.
An IPSec transform defines a single IPSec security protocol (AH or ESP) together with its associated security algorithms and mode. You can see the possible transform choices in Figure 9-13.
Two possible transform choices might include the following:
- AH protocol with the HMAC-MD5 authentication algorithm in Transport mode, where authentication and performance are important but encryption isn't required.
- ESP protocol with the 3DES encryption algorithm and the HMAC-SHA-1 authentication algorithm in Tunnel mode, where both data confidentiality and authentication are critical. Performance is traded away for improved security.
The transforms actually supported vary by device type: VPN devices support a slightly different group than the PIX Firewall does. The following are the transforms supported by IOS-based devices.
- AH Transforms: choose up to one
- ESP Encryption Transforms: choose up to one
- ESP Authentication Transform: choose up to one, and only if you also selected the esp-des or esp-3des transform (not esp-rfc1829)
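The "choose up to one" rules above, and the two transform choices described earlier, as an added Python example that is not from the book or from Cisco IOS: it validates a proposed transform set against those rules and renders the equivalent IOS `crypto ipsec transform-set` commands. It assumes the IOS transform keywords ah-md5-hmac, ah-sha-hmac, esp-md5-hmac and esp-sha-hmac, which this excerpt does not list by name.

```python
# Added example, not from the book or Cisco IOS itself: a small validator that
# encodes the transform-set selection rules the section states, then renders
# the equivalent IOS 'crypto ipsec transform-set' commands.
# Assumption: the transform keywords below are the IOS names as I know them;
# this excerpt itself names only esp-des, esp-3des and esp-rfc1829.

AH_TRANSFORMS = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_ENCRYPTION = {"esp-des", "esp-3des", "esp-rfc1829"}
ESP_AUTHENTICATION = {"esp-md5-hmac", "esp-sha-hmac"}
MODES = {"tunnel", "transport"}


def validate_transform_set(transforms):
    """Return the list of rule violations; an empty list means the set is legal."""
    chosen = set(transforms)
    ah = chosen & AH_TRANSFORMS
    enc = chosen & ESP_ENCRYPTION
    auth = chosen & ESP_AUTHENTICATION
    unknown = chosen - AH_TRANSFORMS - ESP_ENCRYPTION - ESP_AUTHENTICATION
    errors = []
    if unknown:
        errors.append("unknown transform(s): " + ", ".join(sorted(unknown)))
    if len(transforms) != len(chosen):
        errors.append("a transform may be listed only once")
    if not chosen:
        errors.append("a transform set needs at least one transform")
    # "Choose up to one" from each of the three groups
    if len(ah) > 1:
        errors.append("at most one AH transform")
    if len(enc) > 1:
        errors.append("at most one ESP encryption transform")
    if len(auth) > 1:
        errors.append("at most one ESP authentication transform")
    # ESP authentication only alongside esp-des or esp-3des, never esp-rfc1829
    if auth and not (enc & {"esp-des", "esp-3des"}):
        errors.append("ESP authentication requires esp-des or esp-3des")
    return errors


def render_transform_set(name, transforms, mode="tunnel"):
    """Render the IOS commands for a legal set, or raise ValueError listing the violations."""
    errors = validate_transform_set(transforms)
    if mode not in MODES:
        errors.append(f"mode must be tunnel or transport, not {mode!r}")
    if errors:
        raise ValueError("; ".join(errors))
    # IOS syntax: 'crypto ipsec transform-set NAME t1 [t2 [t3]]', then the
    # 'mode' sub-command (IOS defaults to tunnel when it is omitted)
    return [f"crypto ipsec transform-set {name} {' '.join(transforms)}",
            f" mode {mode}"]
```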