
Using and Configuring Features Version 3.3


Using and Configuring Encryption Protocols

Note: Encryption support is optional and must be added to your software load using the load add command. See the CONFIG process load command in Access Integration Services Software User's Guide.

The use of multiple encryption (using encryption at both the IP Security Layer and at the Frame Relay or PPP data-Link Layer) within the router is restricted by U.S.A. Government export regulations. It is only supported in software loads that are under strict export control (software loads that support RC4 with 128 bit keys and Triple DES).

The objective of encryption is to transform data into an unreadable form to ensure privacy. The encrypted data needs to be decrypted to get the original data.

The 2212 supports:


PPP Encryption Using Encryption Control Protocol

The Encryption Control Protocol (ECP) is used in the router to negotiate the use of encryption on the point-to-point links communicating using PPP protocol. The Encryption Control Protocol provides a generalized mechanism to negotiate which encryption and decryption algorithms will be used over a PPP link. Different encryption algorithms can be negotiated in each direction of the PPP link.

A method of encryption and decryption is called an encryption algorithm. Encryption algorithms use a key to control encryption and decryption. Unlike compression, the router encrypts in both directions of the link, because encrypting in only one direction is a security risk. The link will be terminated whenever ECP cannot negotiate encryption algorithms in both directions.
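A small Python model of the two-direction ECP negotiation just described, added here as an illustration and not part of the IBM manual or its software; the message names follow RFC 1968, and the algorithm names and preference lists are constructed sample data.

```python
# Added example (not IBM's code): a model of the ECP behaviour the text
# describes. In ECP (RFC 1968) a Configure-Request names the algorithm its
# sender wants to *receive*, so each direction is negotiated by its decryptor,
# and the two directions may end up with different algorithms.
# Algorithm names and preference lists are constructed sample data.

def negotiate_direction(decryptor_prefs, encryptor_prefs):
    """Negotiate one direction of the link.

    The decryptor sends Configure-Requests in order of preference; the
    encryptor Acks the first one it also supports. Returns the agreed
    algorithm, or None when every request is rejected."""
    for proposal in decryptor_prefs:           # one Configure-Request each
        if proposal in encryptor_prefs:
            return proposal                    # Configure-Ack
    return None                                # Configure-Reject on every try


def bring_up_link(router_prefs, peer_prefs, require_both_directions=True):
    """Negotiate both directions and apply the router's termination rule.

    With require_both_directions=True (ECP encryption) the link is torn down
    unless both directions agree; with False (the compression-style policy
    the text contrasts it with) a direction that fails simply stays plain."""
    # Traffic router -> peer is decrypted by the peer, so the peer proposes.
    to_peer = negotiate_direction(peer_prefs, router_prefs)
    # Traffic peer -> router is decrypted by the router, so the router proposes.
    to_router = negotiate_direction(router_prefs, peer_prefs)
    failed = to_peer is None or to_router is None
    state = "terminated" if (failed and require_both_directions) else "up"
    return {"state": state, "to_peer": to_peer, "to_router": to_router}


if __name__ == "__main__":
    router = ["3DES", "DES"]       # constructed: router prefers Triple DES
    peer = ["DES", "3DES"]         # constructed: peer prefers single DES
    # Each side gets its own first choice for the traffic it decrypts:
    # {'state': 'up', 'to_peer': 'DES', 'to_router': '3DES'}
    print(bring_up_link(router, peer))
    # Nothing in common in either direction -> the link is terminated.
    print(bring_up_link(router, ["RC4-128"]))
```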

Configuring ECP Encryption for PPP

To configure the device to use encryption at the data link layer, you should:

  1. Set the encryption keys for remote devices and local PPP interfaces.

    Set the encryption key for the remote device using the add ppp-user command at the Config> prompt. See the Add command in the chapter "Configuring the CONFIG Process" in Access Integration Services Software User's Guide for a description of the command syntax and options.

    Set the encryption key for the local PPP interface using the enable ecp command (see the talk 6 PPP Config> enable command in the Access Integration Services Software User's Guide).

  2. Configure individual PPP links to use Encryption Control Protocol (ECP) by using the enable ecp command at the PPP Config> prompt.

  3. Enable PAP, CHAP, or SPAP.

You can also disable encryption, change the encryption key for a user, list the status of encryption, or set the name that the device uses when requesting encryption. For information about:

Monitoring ECP Encryption for PPP

You can monitor the various encryption settings on the interfaces by:

  1. Accessing the monitoring prompt using the talk 5 command.
  2. Selecting the interface you want to monitor using the network command. This command puts you at the PPP n> prompt, in which n represents the network number. Refer to "Configuring and Monitoring Point-to-Point Protocol Interfaces" in the Access Integration Services Software User's Guide for instructions about using the network command.

From this prompt, you can:


Microsoft Point-to-Point Encryption (MPPE)

Microsoft Point-to-Point Encryption (MPPE) provides a way for remotely-attached Windows workstations known as Microsoft Dial-Up Networking (DUN) clients to encrypt data that is transmitted over a PPP link between themselves and the 2212. MPPE can also be used to encrypt data being transmitted over a PPP link from router to router. MPPE is always negotiated in both directions.

MPPE uses secret key algorithms to perform encryption. In secret key algorithms, the same key is used for encryption and decryption. This key is not configured by the user, but is generated in the process of the negotiation of MPPE between the sending and the receiving workstations. To use MPPE, you must configure the authentication protocol Microsoft Challenge/Handshake Authentication Protocol (MS-CHAP).

If the PPP interface is authenticated with MS-CHAP, the router goes into a "Microsoft mode", in which it will negotiate only MPPC if compression is enabled and negotiate only MPPE if encryption is enabled. In "Microsoft mode", the router ignores the priority list of compression algorithms and disables ECP negotiation.

Configuring MPPE

To configure MPPE, you should perform these steps for each interface:

  1. Configure MS-CHAP. In the Access Integration Services Software User's Guide, see "Microsoft PPP CHAP Authentication (MS-CHAP)" and "Configuring and Monitoring Point-to-Point Protocol Interfaces" for information about using and configuring MS-CHAP.

  2. If you are configuring a router-to-router connection, set the name for the local PPP interface using the set name command (see the PPP Config> set name command in the Access Integration Services Software User's Guide).

  3. If you want data compression, enable MPPC using the talk 6 enable ccp command at the PPP Config> prompt. MPPE does not require data compression.

  4. Enable MPPE. Use the enable mppe command at the PPP Config> prompt (see the PPP Config> enable command in the Access Integration Services Software User's Guide).

  5. Restart the router to activate the configuration.

You can also disable MPPE and list the MPPE options.

Monitoring MPPE

Bring up the PPP> prompt as described in Monitoring ECP Encryption for PPP. Use the list mppe command to see the MPPE data statistics and the list control ccp command to see the MPPE status. Examples of the outputs of these commands are displayed in "Configuring and Monitoring Point-to-Point Protocol Interfaces" in the Access Integration Services Software User's Guide.


Configuring Encryption on Frame Relay Interfaces

Note: Frame relay uses a proprietary encryption scheme.

Data encryption is supported on all interfaces on which you have enabled encryption. You can configure individual circuits on an encryption-enabled interface to perform or not perform encryption as desired.

To configure the device to use encryption on frame relay links:

  1. Access the frame relay configuration prompt using the talk 6 command.

  2. Select the frame relay interface that you want to be encryption-capable using the net # command.

  3. Enable encryption on the frame relay interface using the enable encryption command. See the Frame Relay configuration commands in the Access Integration Services Software User's Guide.

  4. Add encryption-capable permanent virtual circuits and define the encryption key for each of the PVCs using the add permanent-virtual-circuit command. See the Frame Relay configuration commands in the Access Integration Services Software User's Guide.

  5. Repeat steps 1 through 4 for each encryption-capable interface you are configuring.

Note: If encryption is enabled for an FR permanent virtual circuit, data will not flow over the circuit unless encryption is successfully negotiated with the device at the other end of the virtual circuit. Encryption is not supported for orphan circuits, since you must configure the PVC in order to enter the encryption key.

You can also disable encryption for an interface, change the encryption settings for a PVC or list the status of encryption. For information about


Monitoring Encryption on Frame Relay Interfaces

You can monitor the various encryption settings on the interfaces by:

  1. Accessing the monitoring prompt using the talk 5 command.
  2. Selecting the interface you want to monitor using the network # command. This command puts you at the FR x> prompt.

From this prompt, you can list the current encryption state for an interface, a PVC, or a circuit. See the Frame Relay Monitoring list command in the Access Integration Services Software User's Guide.

