HP-UX IPSec version A.02.01 Administrator's Guide

HP-UX IPSec Overview
IPsec Protocol Suite
Chapter 1 53
The IKE protocol provides dynamic keying for ESP and AH. The alternative to IKE is to use manual keys for ESP and AH. You must configure preshared keys or certificates for IKE authentication.
Manual Keys
Manual keys are an alternative to IKE, but they require more administrative overhead to configure than IKE does. Manual keys also expose the encryption keys for long periods of time, which increases the opportunity for third parties to determine the keys.
Security Association (SA)
An SA is a secure communications channel and its operating parameters. An IPsec SA must exist to use ESP or AH, and an IKE SA must exist to establish IPsec SAs. IKE supports two methods for establishing IKE SAs: Aggressive Mode and Main Mode.
Key Types
HP-UX uses four types of cryptography keys:

Preshared keys. IKE uses the preshared key to authenticate the identity of the remote system for IKE. HP-UX supports ASCII keys for preshared keys. The system administrators must distribute the keys using a secure, out-of-band communications channel, such as a face-to-face meeting, phone call, or secure mail.

Public/private keys. As an alternative to IKE preshared key authentication, IKE can use RSA signatures from a public/private key pair to authenticate the identity of the remote system. The public keys are distributed using certificates.

Dynamic keys. IKE generates dynamic keys for the AES, 3DES, DES, MD5 and SHA1 algorithms used by the ESP and AH protocols. IKE also generates dynamic keys to authenticate and encrypt IKE packets. See Table 4-2 on page 109 for algorithm key lengths.

Manual keys. As an alternative to IKE, you can manually configure the AES, DES, 3DES, MD5 and SHA1 keys used for ESP and AH. The system administrators must distribute the keys using a secure, out-of-band communications channel.
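Because an IKE preshared key is an ASCII string that the administrators choose and distribute out of band, its strength rests entirely on how it was generated. The following is an added example, not code from the guide or from HP-UX: it generates a preshared key with a cryptographic random source and checks a candidate key for the weaknesses a reviewer would look for. The accepted alphabet and the 128-bit minimum are assumptions; adjust them to the local policy and to what the peer's IKE implementation accepts.

```python
import math
import secrets
import string

# Assumed printable-ASCII alphabet for preshared keys (letters, digits and a
# few punctuation characters); the guide only says ASCII keys are supported.
PSK_ALPHABET = string.ascii_letters + string.digits + "!#%+-.:=@_"


def generate_ascii_psk(length=32):
    """Return a preshared key drawn uniformly from PSK_ALPHABET with a CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def effective_alphabet_size(psk):
    """Estimate the pool a key was drawn from by the character classes it uses."""
    size = 0
    if any(c.islower() for c in psk):
        size += 26
    if any(c.isupper() for c in psk):
        size += 26
    if any(c.isdigit() for c in psk):
        size += 10
    if any(not c.isalnum() for c in psk):
        size += 32  # printable ASCII punctuation
    return size


def psk_entropy_bits(psk):
    """Upper bound on entropy: length * log2(pool size) for a uniformly drawn key."""
    pool = effective_alphabet_size(psk)
    return len(psk) * math.log2(pool) if pool else 0.0


def check_psk(psk, min_bits=128.0):
    """Return a list of findings; an empty list means the key passed every check."""
    findings = []
    if not psk.isascii() or not psk.isprintable():
        findings.append("key must be printable ASCII")
    if any(c.isspace() for c in psk):
        findings.append("key must not contain whitespace")
    if psk_entropy_bits(psk) < min_bits:
        findings.append("estimated entropy below %d bits" % min_bits)
    if len(set(psk)) < min(8, len(psk)):
        findings.append("too few distinct characters")
    return findings
```

Run `check_psk` on the key each side is about to configure; any finding means the key should be regenerated before it is distributed.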