Overlay
-
LISP Routing Architecture
In a traditional routing architecture, an endpoint's IP address represents both its identity and its location. If the location of the endpoint changes, its IP address also changes. LISP separates the IP address into endpoint identifiers (EIDs) and routing locators (RLOCs). Endpoints are able to roam from site to site, and the only thing that will…
-
Definitions for LISP Architecture
Endpoint Identifier: The Endpoint Identifier is the IP address of an endpoint within a LISP site, such as a laptop or other end-user device. LISP Site: The LISP site is the name of a site where LISP routers and endpoint identifiers reside. Ingress Tunnel Router (ITR): Ingress tunnel routers are the LISP routers…
-
Cisco Location/ID Separation Protocol (LISP)
The rapid growth of the default-free zone (DFZ), also known as the global internet routing table, led to the development of the Cisco Location/ID Separation Protocol. LISP is a routing architecture and a data-plane and control-plane protocol designed to address several problems on the internet: Aggregation Issues: provider-independent routes on the internet that cannot…
-
Site-to-Site IPSec Configuration
GRE over IPSec first encapsulates traffic within GRE and adds a new IP header. That new GRE packet is then encapsulated again using IPSec transport mode. VTI over IPSec encapsulates an IP packet without the need for an additional GRE header. Site-to-Site GRE over IPSec with Pre-Shared Key: There are two…
-
Cisco IPSec Virtual Private Network Types
Cisco offers many different types of IPSec VPN solutions. Site-to-Site IPSec VPN: A site-to-site IPSec virtual private network is the most flexible VPN, with support for multiple vendors. They can be difficult to scale and manage in larger networks. It has support for private IP addressing and stateless failover. The VPN…
-
Internet Key Exchange Version 2 – IKEv2
IKEv2 is the successor to IKEv1. It includes many changes to the protocol that make it more efficient and easier to set up. IKEv2 is not backwards compatible with IKEv1. A major change between IKEv1 and IKEv2 is the method by which security associations (SAs) are established. Communications in IKEv2 consist of request and response pairs called…
-
Internet Key Exchange Version 1 – IKEv1
IKEv1 is an implementation of ISAKMP (Internet Security Association and Key Management Protocol) using the Oakley and SKEME key exchange techniques. It is a framework for authentication and key exchange between two network devices to establish, modify, and remove IPSec security associations. IKEv1 utilises UDP port 500 for communication between peers. IKEv1 requires a minimum of…
-
Internet Key Exchange
IKE is a protocol that performs authentication between two endpoints to establish a security association. The security association established by the Internet Key Exchange is used to carry control-plane and data-plane traffic for IPSec. There are two versions of IKE: Internet Key Exchange Version 1, as defined in RFC2409, and Internet Key…
-
IPSec Transform Sets
In IPSec, a transform set is a combination of security protocols and algorithms. During the IPSec security association negotiation, peers agree to use a particular transform set for protecting data flows. Once a transform set is agreed upon, it is applied to the security association on both peers. Authentication Header Transform Sets…
-
IPSec Fundamentals
IPSec is an open standard framework for creating highly secure virtual private networks. IPSec provides a high-security virtual private network in four parts: Peer Authentication: IPSec uses peer authentication to verify the identity of the VPN peer. It can utilise a pre-shared key or a digital certificate to verify its peer. Diffie-Hellman (DH)…