See: Instant IPsec Review
Partial excerpt as follows:
IPsec requires that participating devices establish a Security Association (SA) where they agree on how to go about encrypting data. This SA is set up when the initial packet(s) of a flow matches an access list (ACL) on one endpoint of the SA, triggering the endpoint to try to establish an SA with another IPsec endpoint.
In order to establish an SA, the two IPsec devices typically use an automatic technique called IKE (ISAKMP). IKE stands for Internet Key Exchange. IKE uses asymmetric public key cryptography to securely establish the SA between the two devices. The first stage of IKE, Phase 1, is for the devices to authenticate to each other. In the second stage of IKE, Phase 2, the devices then negotiate securely as to what form of encryption to use, and the other parameters of the SA (lifetime for example). The outcome of all this is the secure exchange of a single key. This key is subsequently used by both endpoints for encoding and decoding messages using the DES or 3DES symmetric encryption algorithm.
IPsec uses DES or 3DES because using public key cryptography to encrypt large data flows is still too processor intensive. Public key cryptography is only used during IKE to encode small amounts of data, namely the negotiation to agree upon rules for the security association and the symmetric key exchange. IKE is simply the preliminary asymmetric process used to get the two endpoints talking and agreeing on a symmetric key.
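As an added example (not from Instant IPsec Review or this post), here is a Cisco IOS-style configuration that maps the excerpt's pieces onto device settings: the Phase 1 (ISAKMP) policy for peer authentication, the Phase 2 transform set naming the symmetric algorithm, the crypto ACL whose first matching packet triggers SA setup, and the SA lifetime. All addresses, names and the pre-shared key are constructed placeholders; 3DES is used only because the text names it, and current deployments use AES.

```cisco
! --- IKE Phase 1: how the two peers authenticate and protect the negotiation ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
! Pre-shared key for the remote peer (placeholder value, constructed for this example)
crypto isakmp key EXAMPLE_PSK_REPLACE_ME address 203.0.113.2
!
! --- IKE Phase 2: the symmetric algorithms the IPsec SA will use for the data flow ---
crypto ipsec transform-set TS_3DES_SHA esp-3des esp-sha-hmac
 mode tunnel
!
! --- Crypto ACL: the first packet of a flow matching this line triggers SA establishment ---
! (constructed addresses: 10.1.1.0/24 behind this router, 10.2.2.0/24 behind the peer)
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! --- Crypto map: ties peer, transform set, SA lifetime and the triggering ACL together ---
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS_3DES_SHA
 set security-association lifetime seconds 3600
 match address 101
!
! Apply the crypto map to the outside interface so matching traffic is evaluated there
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN_MAP
!
! Checks after sending interesting traffic: Phase 1 SA state, then the Phase 2 SA counters
! show crypto isakmp sa
! show crypto ipsec sa
```

Until a packet matches access-list 101, `show crypto isakmp sa` shows no entry; the SA is negotiated on demand, exactly as the excerpt describes.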