|
and keying material applied to a data flow. Both IKE and IPSec use SAs, although the SAs of each are independent of one another. IPSec SAs are unidirectional, and they are unique in each security protocol. A set of SAs is needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports ESP between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPSec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).
IKE negotiates and establishes SAs on behalf of IPSec. A user can also establish IPSec SAs manually.
An IKE SA is used by IKE only. Unlike the IPSec SA, it is bi-directional.
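The SA lookup described above, as an added example that is not part of the original page: it extracts the (destination address, security protocol, SPI) triple from an IPv4 packet and looks it up in a table of SAs. The addresses, SPI values, table contents and function names are constructed for illustration.

```python
import ipaddress
import struct

ESP, AH = 50, 51  # IANA IP protocol numbers for ESP and AH

def sa_selector(packet: bytes):
    """Return the (destination, protocol, SPI) triple of an IPv4 IPSec packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    proto = packet[9]
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    body = packet[ihl:]
    if proto == ESP and len(body) >= 4:
        spi = struct.unpack("!I", body[:4])[0]   # ESP: SPI is the first field
    elif proto == AH and len(body) >= 8:
        spi = struct.unpack("!I", body[4:8])[0]  # AH: SPI follows next-header, length, reserved
    else:
        raise ValueError("not an ESP or AH packet")
    return dst, proto, spi

def lookup(sad: dict, packet: bytes):
    """Inbound lookup; None means no SA matches and the packet is discarded."""
    return sad.get(sa_selector(packet))

def ipv4(src: str, dst: str, proto: int, body: bytes) -> bytes:
    """Build a minimal IPv4 header (checksum left zero) for the constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + body

# Constructed SA table for one ESP pipe between two peers: one SA per direction.
SAD = {
    ("192.0.2.2", ESP, 0x1001): "ESP SA 192.0.2.1 -> 192.0.2.2",
    ("192.0.2.1", ESP, 0x2002): "ESP SA 192.0.2.2 -> 192.0.2.1",
}

# Constructed packets: ESP body is SPI + sequence number + opaque payload.
esp_body = struct.pack("!II", 0x1001, 1) + bytes(16)
FORWARD = ipv4("192.0.2.1", "192.0.2.2", ESP, esp_body)
# Same SPI sent the other way: no match, because SAs are unidirectional.
REVERSED = ipv4("192.0.2.2", "192.0.2.1", ESP, esp_body)
# Same SPI and destination under AH: no match, because the SPI is unique per protocol.
AH_SAME_SPI = ipv4("192.0.2.1", "192.0.2.2", AH,
                   struct.pack("!BBHII", 6, 4, 0, 0x1001, 1) + bytes(12))
```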
Secure Hash Algorithm (SHA): A one-way hash put forth by NIST. SHA is closely modeled after MD4 and produces a 160-bit digest. Because SHA produces a 160-bit digest, it is more resistant to brute-force attacks than 128-bit hashes (such as MD5), but it i |