
==Examples==
* L2 VPNs: Ethernet VLANs, VPLS
* L3 VPNs: GRE, MPLS, IPsec

==IPsec==
* IPsec needs no service-provider provisioning, unlike MPLS VPNs
* Only requirement: IPv4/IPv6 reachability between the two peers
* IPsec deployment: site-to-site (LAN-to-LAN)

===IPsec Overview===
Services IPsec provides:
# Data origin authentication (proves which peer sent the packet)
# Integrity (packet was not modified in transit)
# Confidentiality (encryption)
# Anti-replay (sequence numbers plus a sliding window on the receiver)

PDNTSPA = the 7 OSI layers (Physical, Data link, Network, Transport, Session, Presentation, Application)
* IPsec is a Layer 3 protocol (by contrast, SSH encryption is application layer)
* Encrypts and authenticates IP packets: symmetric cipher for encryption, keyed hashing (HMAC) for authentication; PKI/RSA is asymmetric and is used only to authenticate the peers during key negotiation
* Creates point-to-point security associations between peers

====IPsec Tunnels====
* Tunnels are dynamically negotiated with IKEv1/IKEv2 (the alternative, manual keying, needs no IKE but never rekeys and does not scale)
* IPsec uses two data structures: the Security Association (SA), which holds the negotiated keys, algorithms and lifetimes for one direction, and the Security Parameter Index (SPI), the 32-bit value carried in each packet that selects the SA on the receiver


====ISAKMP & IKEv1====
* Negotiation protocol used to form SAs (runs over UDP 500)
* ISAKMP is the framework (header and payload formats, phases); IKEv1 is the implementation that fills it with Diffie-Hellman, peer authentication and proposals

====Tunnel Negotiation====
* Phase 1: ISAKMP SA (main or aggressive mode); protects the rest of the negotiation
* Phase 2: IPsec SA (quick mode); negotiates the ESP/AH transform set (encryption and hashing methods) for the data traffic

====ISAKMP SA form====
Parameters both peers must agree on to form the ISAKMP SA:
# Authentication method (PSK, RSA-Sig, RSA-Enc)
# Encryption type (DES, 3DES, AES)
# Hash algorithm (MD5, SHA-1)
# Diffie-Hellman group (1, 2, 5 ...)
* Caveat: DES, 3DES, MD5, SHA-1 and DH groups 1, 2 and 5 are weak by today's standards; current deployments use AES, SHA-2 and DH group 14 or higher (or the ECP groups)


====ESP/AH====
ESP and AH are the protocols that carry the protected data. Both ride directly on IP and are identified by IP protocol number, not by a port.
Encapsulating Security Payload (ESP) and Authentication Header (AH):
* AH: IP protocol number 51 (authentication, integrity, anti-replay; no encryption; also authenticates the immutable fields of the IP header, so it fails through NAT)
* ESP: IP protocol number 50 (authentication, integrity, encryption, anti-replay)
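Added example (not from the original notes): how an ESP receiver uses the SPI to look up the inbound SA and then runs the anti-replay sliding window from RFC 4303 Appendix A over the 32-bit sequence number. The SPIs, packets and the small window size are constructed for the demo; the encrypted payload is omitted since only the header matters here.

```python
"""Added example, not from the original notes: ESP SA lookup by SPI plus the
anti-replay sliding window (RFC 4303 Appendix A). All packets and SPIs below
are constructed for the demo; the ciphertext is a placeholder."""
from __future__ import annotations
import struct
from dataclasses import dataclass

ESP_PROTO = 50  # IP protocol number for ESP
AH_PROTO = 51   # IP protocol number for AH


@dataclass
class InboundSA:
    """One inbound Security Association, identified by its SPI."""
    spi: int
    window_size: int = 64   # RFC 4303 requires at least 32; 64 is a common default
    highest_seq: int = 0    # highest sequence number accepted so far
    window: int = 0         # bitmap: bit n set means (highest_seq - n) was received
    accepted: int = 0
    replays: int = 0

    def check_replay(self, seq: int) -> bool:
        """Accept seq if it is new and inside the window; slide the window as needed."""
        if seq == 0:
            return False                      # seq 0 is never sent; the first packet is 1
        if seq > self.highest_seq:
            shift = seq - self.highest_seq    # slide right; old bits fall off the left edge
            self.window = ((self.window << shift) | 1) & ((1 << self.window_size) - 1)
            self.highest_seq = seq
            self.accepted += 1
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size or self.window & (1 << offset):
            self.replays += 1                 # too old, or already seen
            return False
        self.window |= 1 << offset
        self.accepted += 1
        return True


def parse_esp_header(payload: bytes) -> tuple[int, int]:
    """ESP begins with a 32-bit SPI followed by a 32-bit sequence number."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", payload[:8])


class InboundSAD:
    """Inbound Security Association Database: SPI -> SA."""

    def __init__(self) -> None:
        self.sas: dict[int, InboundSA] = {}

    def add(self, sa: InboundSA) -> None:
        self.sas[sa.spi] = sa

    def receive(self, ip_proto: int, payload: bytes) -> str:
        """Classify one inbound packet: accept, replay, no-sa or not-esp."""
        if ip_proto != ESP_PROTO:
            return "not-esp"                  # AH (51) would need its own parser
        spi, seq = parse_esp_header(payload)
        sa = self.sas.get(spi)
        if sa is None:
            return "no-sa"                    # unknown SPI: drop and audit
        return "accept" if sa.check_replay(seq) else "replay"


def esp_packet(spi: int, seq: int) -> bytes:
    """Constructed ESP datagram: header plus 16 placeholder bytes for the ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


def demo() -> list[str]:
    """In-order run, a replay, a jump past the window, a late-but-valid packet,
    two packets that are now too old, then an unknown SPI and a non-ESP packet."""
    sad = InboundSAD()
    sad.add(InboundSA(spi=0xC0FFEE01, window_size=8))   # tiny window keeps the demo short
    results = [sad.receive(ESP_PROTO, esp_packet(0xC0FFEE01, s))
               for s in (1, 2, 3, 2, 12, 5, 3, 13, 4)]
    results.append(sad.receive(ESP_PROTO, esp_packet(0xDEADBEEF, 1)))
    results.append(sad.receive(AH_PROTO, b"\x00" * 24))
    return results


if __name__ == "__main__":
    for seq, verdict in zip((1, 2, 3, 2, 12, 5, 3, 13, 4, "bad SPI", "AH"), demo()):
        print(seq, verdict)
```

The window is what makes anti-replay work without requiring strict ordering: packet 5 arriving after 12 is still accepted because it is inside the window, while 3 and 4 are rejected once 12 and 13 have pushed them out. The sequence number is authenticated as part of the ESP integrity check, so an attacker cannot simply renumber a captured packet.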


====SA refreshing====
* SA lifetimes are negotiated; when the peers propose different values, the lower one is picked
* Rekeying derives fresh keys before the lifetime expires; with PFS enabled a new Diffie-Hellman exchange is run so the new keys are independent of the old ones


===Control Plane vs Data Plane===
* Control plane (IKE): UDP 500 when there is no NAT device in the path
* UDP 4500 (NAT-T) when a NAT device is detected; IKE packets on 4500 are prefixed with a 4-byte zero "non-ESP marker" and ESP is also encapsulated in UDP 4500 so the NAT can translate it
* or a custom TCP port (vendor-specific encapsulation for networks that block UDP)
* Data plane: ESP (IP protocol 50) or AH (IP protocol 51) directly on IP, or ESP-in-UDP 4500 behind NAT
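Added example (not from the original notes) for the control-plane ports: a receiver on UDP 500/4500 has to tell IKE apart from ESP-in-UDP and NAT keepalives (RFC 3948) before it can parse the 28-byte ISAKMP/IKE fixed header shared by IKEv1 and IKEv2 (RFC 2408, RFC 7296). Every datagram here is constructed for the demo; the IKE_SA_INIT body is a placeholder, not a real SA proposal.

```python
"""Added example, not from the original notes: demultiplexing IKE from ESP-in-UDP
on port 4500 (RFC 3948 non-ESP marker) and parsing the fixed ISAKMP/IKE header
(RFC 2408 / RFC 7296). Every datagram here is constructed for the demo."""
from __future__ import annotations
import struct

IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE on UDP 4500; an ESP SPI is never zero
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive that holds the NAT binding open

# Initiator SPI (8), responder SPI (8), next payload, version, exchange type,
# flags, message ID, total length: 28 bytes, same layout in IKEv1 and IKEv2.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
FLAG_INITIATOR = 0x08                  # IKEv2 'I' bit in the flags octet

EXCHANGE_TYPES = {
    2: "IKEv1 identity protection (main mode)", 4: "IKEv1 aggressive mode",
    5: "IKEv1 informational", 32: "IKEv1 quick mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}


def classify_udp(dport: int, payload: bytes) -> str:
    """What an inbound UDP datagram on the IPsec ports carries."""
    if dport == IKE_PORT:
        return "ike"                   # no NAT in the path: plain IKE
    if dport == NATT_PORT:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive"
        if payload[:4] == NON_ESP_MARKER:
            return "ike-natt"          # IKE behind NAT; strip the marker before parsing
        return "esp-udp"               # first four bytes are a non-zero ESP SPI
    return "other"


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the 28-byte fixed header; raises on truncation or a bad length field."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, nxt, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"length field {length} != datagram length {len(data)}")
    return {
        "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
        "next_payload": nxt, "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "initiator": bool(flags & FLAG_INITIATOR), "message_id": msg_id, "length": length,
    }


def ike_from_udp(dport: int, payload: bytes) -> dict | None:
    """Parsed IKE header for IKE datagrams (non-ESP marker removed), else None."""
    kind = classify_udp(dport, payload)
    if kind == "ike":
        return parse_isakmp_header(payload)
    if kind == "ike-natt":
        return parse_isakmp_header(payload[4:])
    return None


def build_ike_sa_init(initiator_spi: bytes, body: bytes) -> bytes:
    """Constructed IKEv2 IKE_SA_INIT request: responder SPI zero, I flag set, msg ID 0."""
    next_payload_sa = 33               # first payload of IKE_SA_INIT is the SA proposal
    hdr = ISAKMP_HDR.pack(initiator_spi, b"\x00" * 8, next_payload_sa, 0x20, 34,
                          FLAG_INITIATOR, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


def demo() -> dict:
    msg = build_ike_sa_init(bytes.fromhex("0102030405060708"), b"\xaa" * 12)  # placeholder body
    esp = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16                      # constructed ESP
    return {
        "udp500": classify_udp(IKE_PORT, msg),
        "udp4500_ike": classify_udp(NATT_PORT, NON_ESP_MARKER + msg),
        "udp4500_esp": classify_udp(NATT_PORT, esp),
        "udp4500_keepalive": classify_udp(NATT_PORT, NAT_KEEPALIVE),
        "natt_header": ike_from_udp(NATT_PORT, NON_ESP_MARKER + msg),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The zero responder SPI and the I flag are what a capture of the first IKE_SA_INIT looks like; once the responder answers, both SPIs are non-zero and together identify the IKE SA for the rest of the conversation. The length check matters in practice: a forged length field is the classic way to make a naive parser read past the datagram.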