
Alcatel-Lucent Service Router IPSec-ISA
IPSEC – INTEGRATED SERVICE ADAPTER

The advanced security capabilities of the Alcatel-Lucent Service Router (SR) IPSec-Integrated Service Adapter (IPSec-ISA) provide comprehensive network-integrated Layer 3 IPSec virtual private network (VPN) deployment options, such as Remote Access Concentrator (RAC), site-to-site and network-to-network encrypted IPSec security. Up to four IPSec-ISAs can be virtualized in a single Alcatel-Lucent 7750 SR chassis, enabling up to 40 Gb/s of throughput with up to 64,000 concurrent IPSec VPN tunnels.

Integrated Service Adapters (ISA) extend the level of intelligence of the industry-leading Alcatel-Lucent 7750 SR platform by virtualizing advanced service capabilities into a single, unified IP/MPLS service edge. These adapters provide purpose-built, extended functionality to the Service Router enabling deeper levels of service capabilities that otherwise would require external dedicated network-attached appliances.

The IPSec-ISA significantly extends the service depth and functionality of the 7750 SR by integrating and virtualizing advanced VPN services into an IP/MPLS network infrastructure. As a fully integrated VPN solution, any physical interface on the 7750 SR platform can operate as an encrypted IPSec VPN port, enabling support for a diverse range of network traffic types, interfaces and topologies. As a result, IPSec-ISA enables greater service scale and resiliency and reduced network latency, while enabling optimized VPN services for personalized, on-demand service deployments. IPSec-ISA reduces the number of network devices and helps control multivendor complexity, which helps to reduce operational complexity and significantly lower the total cost of ownership (TCO).

Features

Modular and highly scalable

The half-slot, hot-swappable IPSec-ISA is supported on the Input/Output Module-2 (IOM-2), enabling rapid service integration and service delivery. This is especially useful where rack space is at a premium. Up to four IPSec-ISAs can be deployed in a single chassis, along with any Media Dependent Adapter (MDA) or MDA-XP, and on the same or multiple IOMs for complete configuration flexibility.

Up to four 7750 SR IPSec-ISAs can be deployed in the same 7750 SR chassis, enabling service providers to scale VPN service capacity as required. Each IPSec-ISA can support up to 16,000 concurrent sessions per adapter, and can scale up to 64,000 concurrent sessions when multiple adapters are deployed. In addition, IPSec-ISA supports encryption or decryption of both Layer 2 and Layer 3 IPSec tunnel traffic at the rate of 10 Gb/s per ISA, for a total per-Service Router capacity of 40 Gb/s. For sessions requiring both encryption and decryption of traffic, IPSec-ISA can support bi-directional flows of up to 5 Gb/s per adapter, and up to 20 Gb/s per 7750 SR chassis.

Advanced network-based IPSec security

As a standards-based implementation, the IPSec-ISA supports multivendor interoperability for network devices, end-node software and other VPN systems. IPSec-ISA delivers a comprehensive range of interoperable and advanced VPN encryption and security services. Key elements of the IPSec-ISA’s advanced IPSec VPN services include:

• Network Address Translation – Traversal (NAT-T), including RFC 3947, RFC 3948
• DES, 3DES, AES-128, AES-192 and AES-256 encryption methods
• HMAC-MD5 and HMAC-SHA1 authentication and hashing methods
• Diffie-Hellman key generation algorithms
• Pre-shared keys and Internet Key Exchange (IKE) shared secret with Perfect Forward Secrecy (PFS) key management authentication methods

Integrated resiliency

In addition to leveraging all of the High Availability mechanisms from the 7750 SR, redundant IPSec-ISAs can be configured in the 7750 SR chassis. In addition, primary and standby IPSec-ISA designations can be defined, enabling an IPSec-ISA to provide resiliency protection for all concurrent sessions across up to four primary IPSec-ISAs. Upon failure of a primary ISA, the standby IPSec-ISA assumes operations. The active and redundant ISAs can be deployed on any IOM in the same chassis. In addition, the IPSec-ISA supports a comprehensive range of resiliency capabilities including Dead Peer Detection, Multiple IPSec tunnels per Virtual Private Routed Network (VPRN), Dynamic Routing Protection and Bidirectional Forwarding Detection (BFD).

Comprehensive manageability and OSS integration

As a fully integrated VPN solution, the 7750 SR IPSec-ISA reduces operational complexity by providing unified network and VPN services from a single managed platform with consistent and simple operational provisioning and subscriber policy management. All functionality and services are tightly integrated and fully managed by the Alcatel-Lucent 5620 Service Aware Manager (SAM) — including element, network and OSS management interfaces. As a result, the cost and complexity of managing stand-alone VPN appliances is greatly reduced and service providers can offer unified VPN services with end-to-end service continuity.

Comprehensive network-based IPSec security deployment options

The integrated and virtualized IPSec services on the SR allow service providers to blend service offerings by combining the capabilities of the IPSec-ISA with the comprehensive range of Layer 2 and Layer 3 IP/MPLS service capabilities of the SR. For example, service providers can simultaneously map traffic into different VPNs, such as IPSec VPN, Layer 3 VPN or Layer 2 VPN, on the SR. IPSec VPN security can be enabled on any SR port, to any subscriber, regardless of media type. Layer 2 traffic can be encrypted into an IPSec tunnel with generic routing encapsulation (GRE) service distribution point (SDP), using VSM. The different service deployment options are described in Table 1.

HIGHLY SCALABLE IPSEC-ISA DEPLOYMENT OPTIONS AND DESCRIPTION

1. Remote-Access VPN Concentrator (RAC)
• Integrated remote access VPNs are a significant source of revenue for many wireline and wireless service providers
• The IPSec-ISA allows businesses and users to add, remove and change sites quickly and easily, using integrated security-survival capabilities from their service providers

2. Site-to-site secure and encrypted IPSec VPNs
• Integrated site-to-site VPNs allow businesses to share secure and encrypted VPN traffic among multiple sites

3. Network-to-network encrypted VPN security
• With increasing demand for IP Multimedia Subsystem (IMS), triple play and premium business services, network-to-network security between partner carrier networks has become imperative, requiring scalable, high-performance IPSec VPNs for traffic or content encryption

4. Mobile backhaul secure and encrypted traffic
• Wireless backhaul traffic may need to traverse partner or vulnerable wireline metro networks. Network-based integrated IPSec security can be used to provide secure connectivity for wireless backhaul traffic

Table 1. IPSec-ISA flexible deployment options


Technical specifications

Dimensions
• Height: 1.3 cm (0.5 in.)
• Width: 17.1 cm (6.7 in.)
• Depth: 17.8 cm (7.0 in.)
• Weight: 0.45 kg (1.0 lb)

Environmental specifications
• Operating temperature: 0°C to 40°C (32°F to 104°F)
• Relative humidity: 15% to 85% (non-condensing)
• Altitude: 3048 m (10,000 ft)

Regulatory agency standards
• Safety: UL 60950-1; CAN 60950-1; EN 60950-1; CE Mark
• EMC: EN 55022
• EMI: FCC Part 15, Class A; EN 55022

Minimum platform requirements
• IPSec-ISA requires IOM-2
• Supported chassis:
  - 7750 SR-7, 7750 SR-12
• Minimum operating system:
  - For SR chassis: Service Router Operating System (SR OS) Release 6.1 or higher
  - For IPSec-ISA Adapter: SR OS Release 6.1 or higher

IPSec-ISA per ISA, per IOM and per chassis throughput
• 5 Gb/s full-duplex encryption and decryption, or 10 Gb/s of either encryption or decryption per ISA
• 10 Gb/s full-duplex encryption and decryption, or 20 Gb/s of either encryption or decryption per IOM
• 20 Gb/s full-duplex encryption and decryption, or 40 Gb/s of either encryption or decryption per supported 7750 SR

IPSec VPN concurrent session scalability per ISA, per IOM and per chassis

Hardware:
• Up to 16,000 concurrent IPSec sessions per IPSec-ISA
• Up to 32,000 concurrent IPSec sessions per IOM
• Up to 64,000 concurrent IPSec sessions per 7750 SR chassis

Software (SR OS Release 6.1):
• Up to 8000 concurrent IPSec sessions per IPSec-ISA
• Up to 32,000 concurrent IPSec sessions per IOM
• Up to 32,000 concurrent IPSec sessions per 7750 SR chassis

IPSec VPN session setup rate
• Up to 172 sessions per second per supported 7750 SR

Integrated services
• IPSec VPN, GRE, VPRN, Internet Enhanced Services, Virtual Private LAN Service, Virtual Leased Line

Encryption methods
• DES, 3DES, AES-128, AES-192 and AES-256

Authentication and hashing methods
• HMAC-MD5, HMAC-SHA1

Key distribution methods
• IKE shared secret with PFS support
• Manual exchange

IPSec encapsulation methods
• ESP with authentication, in tunnel mode

Key generation algorithms
• Diffie-Hellman

Key management authentication methods
• Pre-shared keys

Network/element management
• Fully supported and provisioned by 5620 SAM
• Command line interface

Statistics and accounting support
• Interface-level IPSec tunnel cumulative statistics
• Debugging stats for IKE and other systems

OAM
• Ping, trace-route, service mirroring, IPSec Dead Peer Detection, BFD

IPSec service resiliency
• Dead Peer Detection for IPSec tunnel
• Primary and backup IPSec-ISA on same line card IOM or different line card IOM
• Multiple IPSec tunnels per VPRN
• Dynamic routing
• BFD for underlying IP path

Platform level redundancy and availability
• 4:1 redundant IPSec-ISAs per supported 7750 SR
• In-service insertion and removal of IPSec-ISA

End-user clients verified
• Windows 2000/XP, Linux, Forticlient

MIBs
• Timetra MIB

End-user system or network elements verified
• Multiple non Alcatel-Lucent network appliances supported
• Full list available upon request

Key IPSec RFC(s) supported
• RFC 2401 – Security Architecture for the Internet Protocol
• RFC 3706 – IKE Dead Peer Detection
• RFC 3947 – Negotiation of NAT-Traversal in the IKE
• RFC 3948 – UDP Encapsulation of IPSec ESP Packets

Ordering information
• 3HE03080AA ISA – 7750 SR IPSec – ISA


www.alcatel-lucent.com

Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. Copyright © 2008 Alcatel-Lucent. All rights reserved. CAR4688080911 (09)