8/18/2019 Ipsec Isa Ds
http://slidepdf.com/reader/full/ipsec-isa-ds 1/4
Alcatel-Lucent Service Router IPSec-ISA
IPSEC – INTEGRATED SERVICE ADAPTER
The advanced security capabilities of the Alcatel-Lucent Service Router (SR) IPSec-Integrated Service Adapter (IPSec-ISA) provide comprehensive network-integrated Layer 3 IPSec virtual private network (VPN) deployment options, such as Remote Access Concentrator (RAC), site-to-site and network-to-network encrypted IPSec security. Up to four IPSec-ISAs can be virtualized in a single Alcatel-Lucent 7750 SR chassis, enabling up to 40 Gb/s of throughput with up to 64,000 concurrent IPSec VPN tunnels.
Integrated Service Adapters (ISA) extend the level of intelligence of the industry-leading Alcatel-Lucent 7750 SR platform by virtualizing advanced service capabilities into a single, unified IP/MPLS service edge. These adapters provide purpose-built, extended functionality to the Service Router, enabling deeper levels of service capabilities that otherwise would require external dedicated network-attached appliances.
The IPSec-ISA significantly extends the service depth and functionality of the 7750 SR by integrating and virtualizing advanced VPN services into an IP/MPLS network infrastructure. As a fully integrated VPN solution, any physical interface on the 7750 SR platform can operate as an encrypted IPSec VPN port, enabling support for a diverse range of network traffic types, interfaces and topologies. As a result, IPSec-ISA enables greater service scale and resiliency and reduced network latency, while enabling optimized VPN services for personalized, on-demand service deployments. IPSec-ISA reduces the number of network devices and helps control multivendor complexity, which helps to reduce operational complexity and significantly lower the total cost of ownership (TCO).
Features
Modular and highly scalable
The half-slot, hot-swappable IPSec-ISA is supported on the Input/Output Module-2 (IOM-2), enabling rapid service integration and service delivery. This is especially useful where rack space is at a premium. Up to four IPSec-ISAs can be deployed in a single chassis, along with any Media Dependent Adapter (MDA) or MDA-XP, and on the same or multiple IOMs for complete configuration flexibility.
Up to four 7750 SR IPSec-ISAs can be deployed in the same 7750 SR chassis, enabling service providers to scale VPN service capacity as required. Each IPSec-ISA can support up to 16,000 concurrent sessions per adapter, and can scale up to 64,000 concurrent sessions when multiple adapters are deployed. In addition, IPSec-ISA supports encryption or decryption of both Layer 2 and Layer 3 IPSec tunnel traffic at the rate of 10 Gb/s per ISA, for a total per-Service Router capacity of 40 Gb/s. For sessions requiring both encryption and decryption of traffic, IPSec-ISA can support bi-directional flows of up to 5 Gb/s per adapter, and up to 20 Gb/s per 7750 SR chassis.
Advanced network-based IPSec security
As a standards-based implementation, the IPSec-ISA supports multivendor interoperability for network devices, end-node software and other VPN systems. IPSec-ISA delivers a comprehensive range of interoperable and advanced VPN encryption and security services. Key elements of the IPSec-ISA’s advanced IPSec VPN services include:
• Network Address Translation – Traversal (NAT-T), including RFC 3947, RFC 3948
• DES, 3DES, AES-128, AES-192 and AES-256 encryption methods
• HMAC-MD5 and HMAC-SHA1 authentication and hashing methods
• Diffie-Hellman key generation algorithms
• Pre-shared keys and Internet Key Exchange (IKE) shared secret with Perfect Forward Secrecy (PFS) key management authentication methods
Integrated resiliency
In addition to leveraging all of the High Availability mechanisms from the 7750 SR, redundant IPSec-ISAs can be configured in the 7750 SR chassis. In addition, primary and standby IPSec-ISA designations can be defined, enabling an IPSec-ISA to provide resiliency protection for all concurrent sessions across up to four primary IPSec-ISAs. Upon failure of a primary ISA, the standby IPSec-ISA assumes operations. The active and redundant ISAs can be deployed on any IOM in the same chassis. In addition, the IPSec-ISA supports a comprehensive range of resiliency capabilities including Dead Peer Detection, Multiple IPSec tunnels per Virtual Private Routed Network (VPRN), Dynamic Routing Protection and Bidirectional Forwarding Detection (BFD).
Comprehensive manageability and OSS integration
As a fully integrated VPN solution, the 7750 SR IPSec-ISA reduces operational complexity by providing unified network and VPN services from a single managed platform with consistent and simple operational provisioning and subscriber policy management. All functionality and services are tightly integrated and fully managed by the Alcatel-Lucent 5620 Service Aware Manager (SAM), including element, network and OSS management interfaces. As a result, the cost and complexity of managing stand-alone VPN appliances is greatly reduced and service providers can offer unified VPN services with end-to-end service continuity.
Comprehensive network-based IPSec security deployment options
The integrated and virtualized IPSec services on the SR allow service providers to blend service offerings by combining the capabilities of the IPSec-ISA with the comprehensive range of Layer 2 and Layer 3 IP/MPLS service capabilities of the SR. For example, service providers can simultaneously map traffic into different VPNs, such as IPSec VPN, Layer 3 VPN or Layer 2 VPN, on the SR. IPSec VPN security can be enabled on any SR port, to any subscriber, regardless of media type. Layer 2 traffic can be encrypted into an IPSec tunnel with generic routing encapsulation (GRE) service distribution point (SDP), using VSM. The different service deployment options are described in Table 1.
HIGHLY SCALABLE IPSEC-ISA DEPLOYMENT OPTIONS | DESCRIPTION
1. Remote-Access VPN Concentrator (RAC)
• Integrated remote access VPNs are a significant source of revenue for many wireline and wireless service providers
• The IPSec-ISA allows businesses and users to add, remove and change sites quickly and easily, using integrated security-survival capabilities from their service providers
2. Site-to-site secure and encrypted IPSec VPNs
• Integrated site-to-site VPNs allow businesses to share secure and encrypted VPN traffic among multiple sites
3. Network-to-network encrypted VPN security
• With increasing demand for IP Multimedia Subsystem (IMS), triple play and premium business services, network-to-network security between partner carrier networks has become imperative, requiring scalable, high-performance IPSec VPNs for traffic or content encryption
4. Mobile backhaul secure and encrypted traffic
• Wireless backhaul traffic may need to traverse partner or vulnerable wireline metro networks. Network-based integrated IPSec security can be used to provide secure connectivity for wireless backhaul traffic
Table 1. IPSec-ISA flexible deployment options
Alcatel-Lucent Service Router IPSec-ISA | Data Sheet
Technical specifications
Dimensions
• Height: 1.3 cm (0.5 in.)
• Width: 17.1 cm (6.7 in.)
• Depth: 17.8 cm (7.0 in.)
• Weight: 0.45 kg (1.0 lb)
Environmental specifications
• Operating temperature: 0°C to 40°C (32°F to 104°F)
• Relative humidity: 15% to 85% (non-condensing)
• Altitude: 3048 m (10,000 ft)
Regulatory agency standards
• Safety: UL 60950-1; CAN 60950-1; EN 60950-1; CE Mark
• EMC: EN 55022
• EMI: FCC Part 15, Class A; EN 55022
Minimum platform requirements
• IPSec-ISA requires IOM-2
• Supported chassis:
¬ 7750 SR-7, 7750 SR-12
• Minimum operating system:
¬ For SR chassis: Service Router Operating System (SR OS) Release 6.1 or higher
¬ For IPSec-ISA Adapter: SR OS Release 6.1 or higher
IPSec-ISA per ISA, per IOM and per chassis throughput
• 5 Gb/s full-duplex encryption and decryption, or 10 Gb/s of either encryption or decryption per ISA
• 10 Gb/s full-duplex encryption and decryption, or 20 Gb/s of either encryption or decryption per IOM
• 20 Gb/s full-duplex encryption and decryption, or 40 Gb/s of either encryption or decryption per supported 7750 SR
IPSec VPN concurrent session scalability per ISA, per IOM and per chassis
Hardware:
• Up to 16,000 concurrent IPSec sessions per IPSec-ISA
• Up to 32,000 concurrent IPSec sessions per IOM
• Up to 64,000 concurrent IPSec sessions per 7750 SR chassis
Software (SR OS Release 6.1):
• Up to 8000 concurrent IPSec sessions per IPSec-ISA
• Up to 32,000 concurrent IPSec sessions per IOM
• Up to 32,000 concurrent IPSec sessions per 7750 SR chassis
IPSec VPN session setup rate
• Up to 172 sessions per second per supported 7750 SR
Integrated services
• IPSec VPN, GRE, VPRN, Internet Enhanced Services, Virtual Private LAN Service, Virtual Leased Line
Encryption methods
• DES, 3DES, AES-128, AES-192 and AES-256
Authentication and hashing methods
• HMAC-MD5, HMAC-SHA1
Key distribution methods
• IKE shared secret with PFS support
• Manual exchange
IPSec encapsulation methods
• ESP with authentication, in tunnel mode
Key generation algorithms
• Diffie-Hellman
Key management authentication methods
• Pre-shared keys
Network/element management
• Fully supported and provisioned by 5620 SAM
• Command line interface
Statistics and accounting support
• Interface-level IPSec tunnel cumulative statistics
• Debugging stats for IKE and other systems
OAM
• Ping, trace-route, service mirroring, IPSec Dead Peer Detection, BFD
IPSec service resiliency
• Dead Peer Detection for IPSec tunnel
• Primary and backup IPSec-ISA on same line card IOM or different line card IOM
• Multiple IPSec tunnels per VPRN
• Dynamic routing
• BFD for underlying IP path
Platform level redundancy and availability
• 4:1 redundant IPSec-ISAs per supported 7750 SR
• In-service insertion and removal of IPSec-ISA
End-user clients verified
• Windows 2000/XP, Linux, Forticlient
MIBs
• Timetra MIB
End-user system or network elements verified
• Multiple non-Alcatel-Lucent network appliances supported
• Full list available upon request
Key IPSec RFC(s) supported
• RFC 2401 – Security Architecture for the Internet Protocol
• RFC 3706 – IKE Dead Peer Detection
• RFC 3947 – Negotiation of NAT-Traversal in the IKE
• RFC 3948 – UDP Encapsulation of IPSec ESP Packets
Ordering information
• 3HE03080AA ISA – 7750 SR IPSec – ISA
www.alcatel-lucent.com
Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright © 2008 Alcatel-Lucent. All rights reserved. CAR4688080911 (09)