IP Security and Encryption Overview

This chapter briefly describes the following security features and how they relate to each other:

- Cisco Encryption Technology
- IPSec Network Security
- Internet Key Exchange Security Protocol
- Certification Authority Interoperability

Cisco Encryption Technology

Cisco Encryption Technology (CET) is a proprietary security solution introduced in Cisco IOS Release 11.2. It provides network data encryption at the IP packet level and implements the following standards:

For more information regarding CET, refer to the chapter "Configuring Cisco Encryption Technology."

IPSec Network Security

IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF) that provides security for transmission of sensitive information over unprotected networks such as the Internet. It acts at the network level and implements the following standards:

IPSec services are similar to those provided by CET. However, IPSec provides a more robust security solution and is standards-based. IPSec also provides data authentication and anti-replay services in addition to data confidentiality services, while CET provides only data confidentiality services.
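The anti-replay and data authentication services mentioned above are what an IPSec receiver performs on every inbound packet: the sequence number is checked against a sliding window, and the integrity check value (ICV) is verified before the window is updated. The following Python is an added illustration, not Cisco's code or any IPSec implementation: it models a 64-entry replay window in the style of RFC 2401, Appendix C, uses HMAC-MD5 truncated to 96 bits as the ICV, and feeds it a constructed sequence of packets (including a duplicate, a packet that has fallen behind the window, and a tampered packet). The key, SPI and packet bodies are constructed sample values.

```python
import hashlib
import hmac


class ReplayWindow:
    """Sliding anti-replay window (RFC 2401, Appendix C style).

    `highest` is the largest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (highest - i) has been seen.
    Assumption: a 64-entry window, the size IPSec implementations
    commonly default to.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # first valid sequence number on an SA is 1
        self.bitmap = 0

    def is_fresh(self, seq):
        """True if seq is neither already seen nor older than the window."""
        if seq == 0:
            return False
        if seq > self.highest:
            return True                       # right of the window: new
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # left of the window: too old
        return not (self.bitmap >> offset) & 1   # inside: reject duplicates

    def mark(self, seq):
        """Record seq as accepted. Call only after the ICV has verified,
        so that forged packets cannot advance the window."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def esp_icv(key, spi, seq, body):
    """HMAC-MD5-96 over SPI || sequence number || protected body."""
    mac = hmac.new(key, spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + body,
                   hashlib.md5).digest()
    return mac[:12]


def receive(key, spi, seq, body, icv, window):
    """Receiver-side processing order: cheap replay check first, then the
    ICV, then commit the sequence number. Returns 'ok', 'replay' or 'bad-icv'."""
    if not window.is_fresh(seq):
        return "replay"
    if not hmac.compare_digest(esp_icv(key, spi, seq, body), icv):
        return "bad-icv"
    window.mark(seq)
    return "ok"


def demo():
    """Constructed packet stream: 1, 2, 2 (replayed), 70, 5 (too old),
    then seq 71 whose body was altered after the ICV was computed."""
    key = b"constructed-demo-key"   # constructed value, not a real SA key
    spi = 0x1000                    # constructed SPI
    window = ReplayWindow()
    results = []
    for seq, body in [(1, b"a"), (2, b"b"), (2, b"b"), (70, b"c"), (5, b"d")]:
        results.append(receive(key, spi, seq, body,
                               esp_icv(key, spi, seq, body), window))
    forged = receive(key, spi, 71, b"tampered",
                     esp_icv(key, spi, 71, b"original"), window)
    results.append(forged)
    return results


if __name__ == "__main__":
    print(demo())   # ['ok', 'ok', 'replay', 'ok', 'replay', 'bad-icv']
```

Note the order in `receive`: the window is only advanced after the ICV verifies, which is why the tampered packet with sequence number 71 leaves `highest` at 70. CET, which offers confidentiality only, has no equivalent of either check.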

For more information regarding IPSec, refer to the chapter "Configuring IPSec Network Security."

Comparison of IPSec to Cisco Encryption Technology

IPSec shares the same benefits as CET: both technologies protect sensitive data that travels across unprotected networks, and, like CET, IPSec security services are provided at the network layer, so you do not have to configure individual workstations, PCs, or applications. This benefit can provide a great cost savings. You do not need to deploy and coordinate security on a per-application, per-computer basis; instead, you can simply change the network infrastructure to provide the needed security services.

IPSec also provides the following additional benefits not present in CET:

Cisco and its partners, including Microsoft, are planning to offer IPSec across a wide range of platforms, including Cisco IOS software, the Cisco PIX Firewall, Windows 95, and Windows NT. Cisco is working closely with the IETF to ensure that IPSec is quickly standardized. This support allows IPSec solutions to scale better than CET solutions, making IPSec preferable in many cases for use with medium-sized, large-sized, and growing networks, where secure connections between many devices are required.

These and other differences between IPSec and CET are described in the following sections.

Differences Between IPSec and Cisco Encryption Technology

Should you implement CET or IPSec network security in your network? The answer depends on your requirements.

If you require only Cisco router-to-Cisco router encryption, then you could run CET, which is a more mature, higher-speed solution.

If you require a standards-based solution that provides multivendor interoperability or remote client connections, then you should implement IPSec. Also, if you want to implement data authentication with or without privacy (encryption), then IPSec is the right choice.

If you want, you can configure both CET and IPSec simultaneously in your network, even simultaneously on the same device. A Cisco device can simultaneously have CET secure sessions and IPSec secure sessions, with multiple peers.

Table 20 compares Cisco Encryption Technology to IPSec.

Table 20: Cisco Encryption Technology vs. IPSec

Feature: Cisco IOS release
  Cisco Encryption Technology: Cisco IOS Release 11.2 and later
  IPSec: Cisco IOS Release 11.3(3)T and later

Feature: Standards
  Cisco Encryption Technology: Pre-IETF standards
  IPSec: IETF standard

Feature: Interoperability
  Cisco Encryption Technology: Cisco router to Cisco router
  IPSec: All IPSec-compliant implementations

Feature: Remote Access Solution
  Cisco Encryption Technology: -
  IPSec: Client encryption will be available

Feature: Device Authentication
  Cisco Encryption Technology: Manual between each peer at installation
  IPSec: IKE uses digital certificates as a type of "digital ID card" (when Certification Authority support is configured); also supports manually configured authentication shared secrets and manually configured public keys

Feature: Certificate Support
  Cisco Encryption Technology: -
  IPSec: X.509v3 support; will support the public key infrastructure standard when the standard is completed

Feature: Protected Traffic
  Cisco Encryption Technology: Selected IP traffic is encrypted, based on extended access lists you define
  IPSec: Selected IP traffic is encrypted and/or authenticated, based on extended access lists; additionally, different traffic can be protected with different keys or different algorithms

Feature: Hardware Support
  Cisco Encryption Technology: Encryption Service Adapter (ESA) for the Cisco 7200/7500
  IPSec: Support planned for later

Feature: Packet Expansion
  Cisco Encryption Technology: -
  IPSec: Tunnel mode adds a new IP header and an IPSec header to the packet; transport mode adds a new IPSec header

Feature: Scope of Encryption
  Cisco Encryption Technology: IP and ULP (upper-layer protocol) headers remain in the clear
  IPSec: In tunnel mode, both the IP and ULP headers are encrypted (the inner IP header is encrypted and a new outer IP header is added); in transport mode, IP headers remain in the clear but ULP headers are encrypted

Feature: Data authentication with or without encryption
  Cisco Encryption Technology: Encryption only
  IPSec: Can configure data authentication and encryption to both occur, or can use the AH header to provide data authentication without encryption

Feature: Internet Key Exchange (IKE) support
  Cisco Encryption Technology: -
  IPSec: -

Feature: Redundant topologies
  Cisco Encryption Technology: Concurrent redundant Cisco Encryption Technology peers not supported
  IPSec: Concurrent redundant IPSec peers supported
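The "Packet Expansion" and "Scope of Encryption" rows above are easiest to reason about by counting bytes and listing which headers an on-path observer can still read. The following Python is an added worked example, not Cisco's code: it computes the on-the-wire size of an IPv4 packet protected by ESP in transport versus tunnel mode, and reports the header fields that remain in the clear in each mode. Sizes assume ESP (RFC 2406) with DES-CBC (8-byte IV, 8-byte cipher block) and HMAC-MD5-96 (12-byte ICV), IPv4 headers without options, and a constructed sample packet; those are assumptions of this example, not values from the page.

```python
IPV4_HDR = 20           # IPv4 header without options, outer or inner
ESP_SPI_SEQ = 8         # ESP header: SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_FIXED = 2   # ESP trailer: pad length (1) + next header (1)
ESP_PROTO = 50          # IP protocol number carried in the header left in the clear


def esp_padding(protected_len, block=8):
    """Padding so that protected data + padding + 2-byte trailer is a
    multiple of the cipher block size (RFC 2406, section 2.4)."""
    return (-(protected_len + ESP_TRAILER_FIXED)) % block


def esp_packet_len(ulp_len, mode, iv=8, block=8, icv=12):
    """On-the-wire length of an IPv4 packet after ESP protection.

    ulp_len: upper-layer header plus payload (e.g. TCP header + data).
    transport mode encrypts only the ULP part; tunnel mode encrypts the
    whole original IP packet and prepends a new outer IP header.
    """
    if mode == "transport":
        protected = ulp_len
    elif mode == "tunnel":
        protected = IPV4_HDR + ulp_len
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    pad = esp_padding(protected, block)
    return IPV4_HDR + ESP_SPI_SEQ + iv + protected + pad + ESP_TRAILER_FIXED + icv


def esp_expansion(ulp_len, mode):
    """Bytes added compared with the unprotected packet (IPv4 header + ULP)."""
    return esp_packet_len(ulp_len, mode) - (IPV4_HDR + ulp_len)


def observer_view(pkt, mode, gw_src=None, gw_dst=None):
    """Header fields an eavesdropper on the unprotected network can read.

    pkt is a dict with src, dst, proto, sport, dport. In transport mode the
    original IP header stays visible (its protocol field now says ESP) but
    the ULP header, and therefore the ports, is encrypted. In tunnel mode
    only the new outer header, addressed between the gateways, is visible.
    """
    if mode == "transport":
        return {"src": pkt["src"], "dst": pkt["dst"], "proto": ESP_PROTO}
    if mode == "tunnel":
        return {"src": gw_src, "dst": gw_dst, "proto": ESP_PROTO}
    raise ValueError("mode must be 'transport' or 'tunnel'")


# Constructed sample: a TCP segment (20-byte header + 80 bytes of data) between
# two hosts, protected between two gateways with documentation addresses.
SAMPLE_PKT = {"src": "10.1.1.10", "dst": "10.2.2.20", "proto": 6,
              "sport": 40000, "dport": 23}
SAMPLE_ULP_LEN = 20 + 80
GW_A, GW_B = "192.0.2.1", "198.51.100.1"

if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, esp_packet_len(SAMPLE_ULP_LEN, mode),
              "+%d bytes" % esp_expansion(SAMPLE_ULP_LEN, mode),
              observer_view(SAMPLE_PKT, mode, GW_A, GW_B))
```

For the 120-byte sample packet the transport-mode result is 152 bytes (32 bytes of ESP overhead) and the tunnel-mode result is 176 bytes (20-byte outer header plus 36 bytes of ESP overhead, the extra padding coming from the encrypted inner header). The `observer_view` output is the practical reading of the "Scope of Encryption" row: transport mode still exposes which two hosts are talking, tunnel mode exposes only the gateway pair.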

IPSec Performance Impacts

IPSec packet processing is slower than Cisco Encryption Technology packet processing for these reasons:

IPSec Interoperability with Other Cisco IOS Software Features

You can use Cisco Encryption Technology and IPSec together; the two encryption technologies can coexist in your network. Each router may support concurrent encryption links using either IPSec or Cisco Encryption Technology. A single interface can even support the use of IPSec or CET for protecting different data flows.

Internet Key Exchange Security Protocol

Internet Key Exchange (IKE) security protocol is a key management protocol standard that is used in conjunction with the IPSec standard. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.

For more information regarding IKE, refer to the chapter "Configuring Internet Key Exchange Security Protocol."

Certification Authority Interoperability

Certification Authority (CA) interoperability is provided in support of the IPSec standard. It permits Cisco IOS devices and CAs to communicate so that your Cisco IOS device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.

For more information regarding CA interoperability, refer to the chapter "Configuring Certification Authority Interoperability."

Copyright 1989-1998 © Cisco Systems Inc.