
The nps IKEv2 engine is a full-featured implementation of the Internet Key Exchange (IKE) protocol as defined by the IETF, which is used to provide key negotiation and management services on behalf of IPSec.
nps IKEv2 has been designed for use in VPN clients and servers, high-performance routers and other network devices requiring security. Because the design was built from the ground up without assuming a particular operating system, the porting process is greatly simplified.
Features Include:
- Client and server support for VPN applications.
- Support for peer-to-peer applications.
- Extensible security algorithms and parameters.
- Authentication using pre-shared keys, RSA signatures and DSA signatures.
- PKIX certificate support.
- Flexible identity mapping.
- Flexible Security Policy Database semantics.
- NAT traversal.
- Configuration request/response.
- EAP functionality.
- Rekey and simultaneous rekey support.
Product Overview
The nps IKEv2 engine is a full-featured implementation of the IKE protocol as specified in draft-ietf-ipsec-ikev2-08. With the ability to peer with many IKE peers as both initiator and responder, the engine is suitable for use in both client/server and peer-to-peer applications.
Security Associations are negotiated on behalf of one or more external entities, normally instances of IPSec. SA parameters are negotiated based on flexible policy semantics which can map identity, traffic selectors or peer addresses to policy instances. Authentication can use pre-shared keys, EAP or signatures on a per-peer basis, with multiple options for mapping identities to public keys. Public keys can be used for authentication with or without certificates.
For VPN applications requiring dynamic address allocation, configuration request/response is supported along with multiple attribute types. NAT detection notify payloads are also supported to allow creation of UDP-encapsulated SAs for NAT traversal.
The engine also makes use of an externally provided certificate library. The defined certificate API makes no assumption about how chains are processed, thus allowing the use of any style of PKI (or none) required by an implementation.
To support legacy authentication, the engine parses the relevant PDU fields and passes requests, via outcall, to external entities providing EAP services. These services can be provided locally or, more commonly, remotely.
Implementation
The nps IKE v2 engine is implemented as a set of "C" modules and a porting "h" file. Unlike other products, it is not designed for a specific operating system. Instead, only a limited set of system functionality is required. A wide variety of scheduling, memory management and buffer management policies can be easily accommodated.
For high-performance systems, the engine makes no assumption about the locality of crypto processing. These CPU-intensive operations can reside locally or on dedicated hardware. When signing an authentication payload with a private key, the key can be resident within the engine or can be referenced via token for maximum security.
The module and other components of the nps IKEv2 engine have been ported to big- and little-endian, CISC and RISC processors and a number of operating systems. The environment can be compiled using a variety of compilers.
The Porting Process
Porting the nps IKE v2 engine is a straightforward process. The main porting file contains definitions related to compiler and target processor issues such as byte ordering and function prototype usage. Maximum resource usage by type and allocation calls is also defined here. The porting file also allows customization of debug information and event tracing, which can be enabled or disabled dynamically.
Porting requires that the environment provides mapping of input/output functions and periodic execution of a tick routine. During initialization, a module initialization function is called, the environment loads all initial operating parameters, and a router enable function is called. Subsequently, all management action can occur dynamically, without restarting the module.
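The following is an added sketch, written for this page and not taken from the nps engine or its porting file, of the kind of porting layer the two paragraphs above describe: byte-order handling that works on any host, resource ceilings fixed at port time, a run-time trace switch, and a periodic tick routine the environment calls. All names (port_get32, PORT_MAX_HALF_OPEN, engine_tick, and so on) and the sample header bytes are hypothetical; the IKEv2 header layout itself follows RFC 7296.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ---- what a porting "h" file supplies: byte ordering, resource limits, tracing ---- */

/* IKEv2 wire fields are big-endian (RFC 7296). Assembling them byte by byte gives the
 * same result on big- and little-endian hosts, so the engine never needs to know or
 * test the host byte order. (Hypothetical helper names.) */
static uint32_t port_get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t port_get64(const uint8_t *p)
{
    return ((uint64_t)port_get32(p) << 32) | port_get32(p + 4);
}

#define PORT_MAX_HALF_OPEN   4   /* hypothetical resource ceiling, fixed at port time */
#define PORT_HALF_OPEN_TICKS 3   /* ticks an unanswered exchange may stay around */

static int port_trace_on = 0;    /* event tracing, switchable at run time */
#define PORT_TRACE(...) do { if (port_trace_on) fprintf(stderr, __VA_ARGS__); } while (0)

/* ---- engine side: fixed-size IKEv2 header decode using only the porting helpers ---- */

#define IKEV2_HDR_LEN 28

typedef struct {
    uint64_t spi_i, spi_r;
    uint8_t  next_payload, major, minor, exchange, flags;
    uint32_t message_id, length;
} ikev2_hdr;

/* Returns 0 on success, -1 if the datagram is shorter than a header, and -2 if the
 * major version is not 2 or the length field disagrees with the datagram length. */
int ikev2_hdr_decode(const uint8_t *buf, size_t len, ikev2_hdr *h)
{
    if (len < IKEV2_HDR_LEN) return -1;
    h->spi_i        = port_get64(buf);
    h->spi_r        = port_get64(buf + 8);
    h->next_payload = buf[16];
    h->major        = buf[17] >> 4;
    h->minor        = buf[17] & 0x0f;
    h->exchange     = buf[18];
    h->flags        = buf[19];
    h->message_id   = port_get32(buf + 20);
    h->length       = port_get32(buf + 24);
    if (h->major != 2 || h->length < IKEV2_HDR_LEN || h->length > len) return -2;
    PORT_TRACE("ikev2 hdr: exchange=%u msgid=%u len=%u\n",
               h->exchange, h->message_id, h->length);
    return 0;
}

/* ---- periodic tick: ages half-open exchanges without OS timers ---- */

typedef struct { uint64_t spi_i; int ticks_left; int in_use; } half_open_slot;
static half_open_slot half_open[PORT_MAX_HALF_OPEN];

/* Records an unanswered initiator SPI; returns the slot index, or -1 when the
 * port-time ceiling is reached (the engine refuses rather than allocating more). */
int engine_track_half_open(uint64_t spi_i)
{
    for (int i = 0; i < PORT_MAX_HALF_OPEN; i++) {
        if (!half_open[i].in_use) {
            half_open[i].in_use = 1;
            half_open[i].spi_i = spi_i;
            half_open[i].ticks_left = PORT_HALF_OPEN_TICKS;
            return i;
        }
    }
    return -1;
}

/* Called by the environment once per tick; returns how many slots expired. */
int engine_tick(void)
{
    int expired = 0;
    for (int i = 0; i < PORT_MAX_HALF_OPEN; i++) {
        if (half_open[i].in_use && --half_open[i].ticks_left <= 0) {
            half_open[i].in_use = 0;
            expired++;
            PORT_TRACE("ikev2: dropped half-open SPI %llx\n",
                       (unsigned long long)half_open[i].spi_i);
        }
    }
    return expired;
}

int engine_half_open_count(void)
{
    int n = 0;
    for (int i = 0; i < PORT_MAX_HALF_OPEN; i++) n += half_open[i].in_use;
    return n;
}

/* Constructed sample: an IKE_SA_INIT request header (exchange type 34, Initiator flag,
 * next payload SA = 33, length 28) with initiator SPI 0x0102030405060708. */
const uint8_t sample_ike_sa_init[IKEV2_HDR_LEN] = {
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,   /* initiator SPI */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,   /* responder SPI (zero in a request) */
    0x21, 0x20, 0x22, 0x08,                    /* next payload, version 2.0, exchange, flags */
    0x00,0x00,0x00,0x00,                       /* message ID 0 */
    0x00,0x00,0x00,0x1c                        /* length 28 */
};
```

The point of reading multi-byte fields one octet at a time is that the same object code is correct on either byte order, which is what lets the porting file avoid per-target byte-swapping macros. The fixed half-open table and the tick routine show how an engine with no assumptions about the host scheduler or timers can still bound its resource usage: when the table is full, new unanswered exchanges are refused rather than allocated, and stale entries are reclaimed by the environment's periodic call.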
License
CreekSide Networks' IKE is sold under a one-time, product-specific, royalty-free license. For a price quote please contact our Sales office at the number or email address below.