HP-UX IPSec vA.02.00 Performance and Sizing White Paper

Security Association Measurements
You can use HP-UX IPSec with static, manually configured cryptography keys to encrypt and
authenticate data. However, most installations use HP-UX IPSec with the Internet Key Exchange (IKE)
protocol, which generates and manages dynamic keys for data encryption and authentication.
When using IKE for dynamic keys, HP-UX IPSec must negotiate the following security sessions, or
Security Associations (SAs) with the remote system before it can transmit user data:
1. One Internet Security Association and Key Management Protocol (ISAKMP) Main Mode SA (ISAKMP/MM SA)
2. One pair of IPsec Quick Mode SAs (IPsec/QM SAs)
ISAKMP/MM SA
The ISAKMP/MM SA is the initial (“bootstrap”) or master SA. The systems use the ISAKMP/MM SA to
verify system identities and to establish initial values for shared cryptography keys using a
Diffie-Hellman exchange. A Diffie-Hellman exchange allows two parties to publicly exchange values based
on prime numbers and then calculate the same, shared, secret value. IPsec then uses this value to
generate cryptographic keys to encrypt the remainder of the IKE dialogue, and the systems use the
ISAKMP/MM SA as a secure channel to negotiate IPsec/QM SAs.
IPsec/QM SAs
IPsec/QM SAs are used to securely transmit user data. Because one IPsec/QM SA is required for
each direction of data traffic (inbound and outbound), IPsec/QM SAs are used and negotiated in
pairs. IPsec can derive the cryptography keys it uses to encrypt and authenticate the data from the
initial key values established in the ISAKMP/MM SA.
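The two-stage key setup described above (a Diffie-Hellman exchange feeding ISAKMP/MM key material, from which one key per direction is derived for the IPsec/QM SA pair) is modelled in the following added example. It is illustrative code, not HP-UX IPSec's implementation: the group is a deliberately small constructed prime, and the derivation functions are simplified HMAC-based stand-ins rather than the exact IKE formulas.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for illustration only: 2**127 - 1 is prime, but it is
# far too small for real use. IKE negotiates one of its standardized MODP groups.
TOY_P = 2**127 - 1
TOY_G = 3

def dh_public(private: int, p: int = TOY_P, g: int = TOY_G) -> int:
    """The value a party publishes: g^x mod p. The private x never leaves the host."""
    return pow(g, private, p)

def dh_shared(private: int, peer_public: int, p: int = TOY_P) -> int:
    """(g^y)^x mod p == (g^x)^y mod p, so both sides reach the same secret."""
    return pow(peer_public, private, p)

def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the pseudo-random function IKE negotiates."""
    return hmac.new(key, data, hashlib.sha256).digest()

def mm_keying_material(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Simplified stand-in for ISAKMP/MM key derivation (not RFC 2409's exact
    SKEYID formulas): mix the DH secret with both parties' nonces."""
    return prf(nonce_i + nonce_r, shared.to_bytes(16, "big"))

def qm_pair_keys(mm_key: bytes, spi_in: int, spi_out: int) -> dict:
    """One IPsec/QM SA per direction. Each SA's key is bound to its own SPI, so
    the inbound and outbound SAs of a pair never share a key."""
    return {
        "inbound": prf(mm_key, b"qm" + spi_in.to_bytes(4, "big")),
        "outbound": prf(mm_key, b"qm" + spi_out.to_bytes(4, "big")),
    }

def negotiate(priv_i: int, priv_r: int, nonce_i: bytes, nonce_r: bytes):
    """Run both sides of the exchange locally and return each side's MM key
    material. Only g^i, g^r and the nonces would cross the wire."""
    pub_i, pub_r = dh_public(priv_i), dh_public(priv_r)
    key_i = mm_keying_material(dh_shared(priv_i, pub_r), nonce_i, nonce_r)
    key_r = mm_keying_material(dh_shared(priv_r, pub_i), nonce_i, nonce_r)
    return key_i, key_r

if __name__ == "__main__":
    ki, kr = negotiate(secrets.randbelow(TOY_P - 2) + 1,
                       secrets.randbelow(TOY_P - 2) + 1,
                       secrets.token_bytes(16), secrets.token_bytes(16))
    print("MM key material agrees:", ki == kr)
    print(qm_pair_keys(ki, 0x1000, 0x2000))
```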
Test Configuration
The data in this section was derived from tests performed on a system with the following
configuration:
A-Class
1-way (one CPU)
550MHz processors
512MB memory
100Base-T cards
HP-UX IPSec Version J4256AA A.01.05
OS Version HPUXEng64RT B.11.11 (HP-UX 11i)
netperf version 2.1
IKE authentication method: preshared keys
SA Negotiation Times
The time required for HP-UX IPSec to negotiate ISAKMP/MM SAs and IPsec/QM SAs is shown in the
table below:
SA Type            Negotiation Time (seconds)
ISAKMP/MM          0.509
IPsec/QM (pair)    0.004