HP-UX IPSec Version A.03.00 Administrator's Guide
ESP The ESP (Encapsulating Security Payload) protocol provides confidentiality (encryption), data
authentication, and an anti-replay service for IP packets. When used in tunnel mode, ESP also
provides limited traffic flow confidentiality.
filter The parameters in an IPsec policy that HP-UX IPSec uses to select the policy applied to an IP
packet. The parameters are the source and destination IP addresses, protocol, and source and
destination port numbers.
HMAC Hashed Message Authentication Code. See also MAC.
IKE The Internet Key Exchange (IKE) protocol is used before the ESP or AH protocol exchanges to
determine which encryption and/or authentication services will be used. IKE also manages the
distribution and update of the symmetric (shared) encryption keys used by ESP and AH.
The IKE protocol is a hybrid of three other protocols: ISAKMP (Internet Security Association
and Key Management Protocol), Oakley, and Versatile Secure Key Exchange Mechanism for
Internet protocol (SKEME) . ISAKMP provides a framework for authentication and key exchange,
but does not define the actual key exchange. (ISAKMP) defines most of the message format,
with non-specific key-exchange information fields). The Oakley Key Determination protocol
and SKEME protocol define key exchange techniques.
IKE SA A security association (SA), or security session, for IKE. An IKE SA is a secure, encrypted
security session primarily used to negotiate IPsec SAs. An IKE SA must exist before IPsec SAs
can be negotiated.
IKE SA IKE Security Association. An IKE SA is a bidirectional, secure communication channel that IKE
uses to negotiate IPsec SAs.
IKEv1 can establish IKE SAs using either Main Mode or Aggressive Mode negotiations.
Also referred to as IKE Phase One SA, ISAKMP SA, ISAKMP/MM SA, Aggressive Mode SA,
Main Mode SA.
IKEv1 Version 1 of the IKE protocol. IKEv1 is defined in RFCs 2407, 2408, and 2409.
IKEv2 Version 2 of the IKE protocol. IKEv2 is defined in RFC 4306.
IPsec policy IPsec policies specify the rules according to which data is transferred securely. IPsec policies
generally contain packet filter information and an action. The packet filter is used to select a
policy for a packet and the action is applied to the packets using the policy.
IPsec SA A security association (SA), or security session, for IPsec. An IPsec SA also specifies encryption
and authentication methods, encryption keys and lifetimes. Also referred to as IPsec/QM SA,
Phase 2 SA, Quick Mode SA, QM SA.
IPsec SA IPsec Security Association. An IPsec SA is a uni-directional, secure communication channel.
The IPsec SA operating parameters include the IPsec protocol used (ESP or AH), the mode
(transport or tunnel), the cryptographic algorithms (such as AES and SHA-1), the cryptographic
keys, the SA lifetime, and the endpoints (IP addresses, protocol and port numbers). IKE
establishes IPsec SAs using Quick Mode negotiations. Also referred to as IKE Phase Two SA,
IPsec SA, Quick Mode SA.
IPsec/QM SA See IPsec SA..
ISAKMP HP supports the Internet Security Association and Key Management Protocol (ISAKMP) in
conjunction with the Oakley Key Exchange Protocol to establish an authenticated key exchange.
ISAKMP defines procedures and packet formats to establish a security association between
two negotiating entities.
ISAKMP SA See IKE SA..
MAC A message authentication code (MAC) is an authentication tag, also called a checksum, derived
by application of an authentication scheme, together with a secret key, to a message. MACs are
computed and verified with the same key so they can only be verified by the intended receiver,
unlike digital signatures.
Hash function-based MACs (HMACS) use a key or keys in conjunction with a hash function
to produce a checksum that is appended to the message. An example is the keyed-MD5 method
of message authentication.
MACs can also be derived from block ciphers.
250 Glossary