IPsec overview

Internet Protocol security (IPsec) is a suite of protocols that provide secure communication between devices at the network layer (Layer 3) across public and private networks.

Note: IPsec is only supported on the RUCKUS ICX 7450 switch. To enable IPsec functionality, an ICX7400-SERVICE-MOD module must be installed on the device or stack. For further information about the installation procedure, refer to the Ruckus ICX 7450 Switch Hardware Installation Guide.

ICX7400-SERVICE-MOD modules are not supported in RUCKUS ICX 7450 devices used as port extender (PE) units in a Campus Fabric network.

The ICX7400-SERVICE-MOD module supports, with pre-shared key authentication, the Suite-B-GCM-128 and Suite-B-GCM-256 user interface suites described in RFC 6379 (https://tools.ietf.org/html/rfc6379) and should interoperate with third-party equipment that supports Suite-B-GCM-128 and Suite-B-GCM-256.

IPsec provides end-to-end security for data traffic by using encryption and authentication techniques that ensure data privacy. Encrypted packets are routed in the same way as ordinary IP packets.

IPsec components include:
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Internet Key Exchange (IKE)

Authentication Header (AH) is a security protocol that provides source authentication and data integrity.

Encapsulating Security Payload (ESP) is a security protocol that provides data confidentiality in addition to the source authentication and data integrity that is also provided by AH. The RUCKUS implementation of IPsec uses ESP.

ESP supports two modes of use: transport mode and tunnel mode. In transport mode, an IPsec header is inserted into the IP packet, and only the packet payload is encrypted. In tunnel mode, the entire original IP packet is encrypted as an inner IP payload, and an IPsec header and an outer IP header are added, so that the IPsec header and the encrypted IP packet become the data component of a new, larger IP packet, as shown in the following figure.

The ICX 7450 supports ESP in tunnel mode.

Figure 1. IPsec tunnel mode versus transport mode
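The following Go program is an added illustration of the tunnel-mode encapsulation described above, using ESP with AES-GCM-128 as in Suite-B-GCM-128; it is example code, not RUCKUS code or the ICX implementation. A whole inner IP packet is encrypted and integrity-protected behind an ESP header (SPI, sequence number, IV), and the receiver verifies the ICV before unwrapping it. The SPI and the keying material are assumed inputs that IKEv2 would negotiate and derive in a real tunnel, and the outer IP header that the router prepends is omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// espGCM is one IPsec SA for Suite-B-GCM-128 (RFC 6379), i.e. ESP with AES-GCM-128 (RFC 4106).
// In a real tunnel IKEv2 negotiates the SPI and derives keymat = 16-byte AES key || 4-byte salt.
type espGCM struct {
	spi  uint32
	salt []byte // fixed part of the 12-byte GCM nonce; the other 8 bytes are the per-packet IV
	aead cipher.AEAD
}

func newESP(spi uint32, keymat [20]byte) *espGCM {
	block, _ := aes.NewCipher(keymat[:16]) // a 16-byte key is always valid, so no error path
	aead, _ := cipher.NewGCM(block)        // 16-byte ICV (tag), 12-byte nonce
	return &espGCM{spi: spi, salt: keymat[16:], aead: aead}
}

// encapsulate wraps a whole inner IP packet in ESP for tunnel mode (outer IP header omitted):
// SPI(4) | Seq(4) | IV(8) | AES-GCM( inner || pad || padLen(1) || nextHdr(1) ) | ICV(16).
func (e *espGCM) encapsulate(seq uint32, iv [8]byte, inner []byte) []byte {
	padLen := (4 - (len(inner)+2)%4) % 4 // ESP trailer must end on a 4-byte boundary
	pt := append(append(append([]byte{}, inner...), make([]byte, padLen)...), byte(padLen), 4)
	hdr := make([]byte, 8) // next header 4 above = IPv4-in-IP, which is what tunnel mode carries
	binary.BigEndian.PutUint32(hdr, e.spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	nonce := append(append([]byte{}, e.salt...), iv[:]...)
	return e.aead.Seal(append(hdr, iv[:]...), nonce, pt, hdr) // SPI+Seq are AAD: sent in clear, integrity-protected
}

// decapsulate checks the ICV and recovers the inner IP packet; any error means the packet is dropped.
func (e *espGCM) decapsulate(pkt []byte) ([]byte, uint32, error) {
	if len(pkt) < 34 || binary.BigEndian.Uint32(pkt) != e.spi { // 8 hdr + 8 IV + 2 trailer + 16 ICV
		return nil, 0, errors.New("short packet or unknown SPI")
	}
	nonce := append(append([]byte{}, e.salt...), pkt[8:16]...)
	pt, err := e.aead.Open(nil, nonce, pkt[16:], pkt[:8])
	if err != nil {
		return nil, 0, errors.New("ICV check failed: forged or corrupted packet")
	}
	if padLen, next := int(pt[len(pt)-2]), pt[len(pt)-1]; next == 4 && len(pt)-2-padLen >= 20 {
		return pt[:len(pt)-2-padLen], binary.BigEndian.Uint32(pkt[4:]), nil // strip the ESP trailer
	}
	return nil, 0, errors.New("bad ESP trailer")
}
```

Because the SPI and sequence number are authenticated but not encrypted, a receiver can select the SA and detect replay before decrypting, while a single flipped ciphertext bit makes the ICV check fail and the packet is discarded.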

Internet Key Exchange (IKE) is used to establish an IPsec tunnel. IKE performs mutual authentication of peer devices and establishes and maintains a secure channel for communication between the devices.

Note: The RUCKUS ICX 7450 supports Internet Key Exchange version 2 (IKEv2) only.

A security association (SA) is another important concept in IPsec. The SA is a logically secure relationship between peer devices. Both IKEv2 and IPsec SAs are used to establish an IPsec tunnel.

The RUCKUS ICX 7450 supports IPv4 and IPv6 IPsec tunnels.

Figure 2. Basic IPsec functionality

The preceding figure shows the secure transfer of IP data between two routers, R1 and R3, over an insecure or public network by using IPsec. First, the tunnel parameters, transform set, and crypto algorithms to be used for encryption and authentication along with associated policy filters are configured on both R1 and R3. IKE negotiations are used to establish the tunnel.

Once the tunnel is up, all packets going out over the tunnel are encrypted, and packets received on the tunnel interface are decrypted.