Manualshelf

HP-UX IPSec vA.03.00 Performance and Sizing White Paper

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
12345678910
Table Of Contents
8
When using IKE (IKEv1 or IKEv2) for dynamic keys, HP-UX IPSec must negotiate the following security
sessions, or Security Associations (SAs), with the remote system before it can transmit user data:
1. Internet Key Exchange (IKE) SA.
2. IPsec SAs.
IKE SAs
The IKE SA is the initial (“bootstrap”) or master SA. The systems use the IKE SA to verify system
identities and to establish initial values for shared cryptography keys using a Diffie-Hellman
exchange. A Diffie-Hellman exchange allows two parties to publicly exchange values based on prime
numbers and then calculate the same, shared, secret value. IPsec then uses this value to generate
cryptographic keys to encrypt the remainder of the IKE dialogue, and the systems use the IKE SA as a
secure channel to negotiate IPsec SAs.
IPsec SAs
IPsec SAs are used to securely transmit user data. Because one IPsec SA is required for each direction
of data traffic (inbound and outbound), IPsec SAs are used and negotiated in pairs. IPsec can derive
the cryptography keys it uses to encrypt and authenticate the data from the initial key values
established in the IKE SA.
Comparison of SA Negotiation Time of IKEv1 and IKEv2
IKEv2 is the new version of the IKE protocol. Compared to IKEv1, the IKEv2 is lighter and more
efficient in the IKE SA negotiation.
The time required for HP-UX IPSec to negotiate IKE SAs and a pair of IPsec SAs between two HP-UX
IPSec hosts using IKEv1 and IKEv2 is shown in the following table:
IKE SA type Negotiation time (seconds)
IKEv1 1.027
IKEv2 0.017
The time required to negotiate a pair of SAs using IKEv1 is mostly at the expense of the IKE SA
negotiation. After the first pair of IPSec SAs, the subsequent IPSec SA negotiation is very efficient as
shown in Figure 7. Figure 7 shows the time to set up various numbers of SAs between two HP-UX
IPSec ho
sts using IKEv1 and IKEv2.
With Perfect Forward Secrecy (PFS), the exposure of one key permits access only to data protected by
that key. In other words, the exposure of the Diffie-Hellman value negotiated in the IKE SA cannot be
used by an intruder to determine the cryptography keys used for the IPSec. The feature of PFS does
not increase the number of messages exchanged but there is more information in the payload of the
IKE messages. Enabling the PFS will result in more calculation. Figure 7 also presents the case when
PFS is enabled for both IKEv1 and IKEv2.