HP-UX IPSec Version A.03.00 Administrator's Guide
1 HP-UX IPSec Overview
This chapter describes HP-UX IPSec features and topologies. It contains the following sections:
• “Features” (page 29)
• “IPsec Protocol Suite” (page 32)
• “HP-UX IPSec Topologies” (page 43)
Features
The IP security (IPsec) protocol suite was defined by the Internet Engineering Task Force (IETF)
to provide security for IP networks. HP-UX IPSec is the HP implementation of IPsec. HP-UX
IPSec provides the following security services for IP networks:
• Data integrity and authentication
The IPsec Authentication Header (AH) provides data integrity and authentication to prevent unauthorized creation, modification, or deletion of transmitted data. The AH header also includes a sequence number for replay protection. HP-UX IPSec can also verify that the claimed sender is the actual sender. The AH does not provide privacy—the IP data is not encrypted.
• Data Privacy
The IPsec Encapsulating Security Payload (ESP) encrypts IP data to provide data privacy. ESP also provides data authentication and integrity. The ESP header also includes a sequence number for replay protection. On gateways, IPsec can also be used to encapsulate and encrypt the original IP packet to protect the identity of the end source and destination IP addresses.
• Application-transparent security
You do not need to rewrite or reconfigure applications to use HP-UX IPSec. IPsec security headers are inserted between the standard IP protocol header and the upper-layer data (such as a TCP packet). Any network service that uses IP (such as telnet, FTP, sendmail, or IGMP) or user applications that use IP (BSD Socket or XTI Streams applications) can use IPsec without modification.
IPsec traffic can also pass transparently through existing IP routers.
• High-speed encryption
HP-UX IPSec uses assembly-language implementations of encryption algorithms that are optimized specifically for PA-RISC and Intel Itanium® 2 processors. For example, throughput for ESP encryption using 128-bit Advanced Encryption Standard (AES) can be as high as 91.95 Mb/s in a 100 Mb/s network topology. In addition, all HP-UX IPSec data processing (data encryption and decryption, and data authentication) is performed by kernel components.
For more information about HP-UX IPSec performance, refer to the HP-UX IPSec Performance and Sizing White Paper, available at the following URL:
http://docs.hp.com/en/internet.html#HP-UX%20IPsec
• Dynamic encryption key management
HP-UX IPSec supports the Internet Key Exchange (IKE) protocol, part of the IPsec protocol suite, to establish and manage dynamic cryptographic keys. Using dynamic keys (keys that change) to encrypt and authenticate data provides additional security.
There are two versions of the IKE protocol (IKE version 1 and IKE version 2). HP-UX IPSec
supports both versions. For more information, see “Internet Key Exchange (IKE)” (page 38).
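The following Python program is an added illustration for this chapter and is not HP-UX IPSec code or part of this guide. It shows two of the points made above in working form: where the AH or ESP header sits (directly after the IPv4 header, in front of the upper-layer data, identified by IP protocol 51 or 50), and how the sequence number carried in that header is used for replay protection with a sliding window of the kind the IPsec RFCs describe. It assumes the standard AH and ESP header layouts (RFC 4302 and RFC 4303), a 64-entry window, and sample packets constructed by hand with placeholder checksums, a placeholder ICV and RFC 5737 documentation addresses; the function and class names are the example's own.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_AH = 51

# Constructed addresses for the sample packets (RFC 5737 documentation range).
SRC = bytes([192, 0, 2, 10])
DST = bytes([198, 51, 100, 20])


def build_ipsec_packet(proto: int, spi: int, seq: int) -> bytes:
    """Constructed IPv4 packet whose IPsec header sits between the IP header and a
    dummy TCP segment. The IP checksum and the AH ICV are zero placeholders."""
    upper = b"\x00" * 20                      # placeholder TCP segment (upper-layer data)
    if proto == IPPROTO_AH:
        icv = b"\x00" * 12                    # placeholder 96-bit integrity check value
        # AH: next header, payload length (32-bit words minus 2), reserved, SPI, sequence number
        ah = struct.pack("!BBHII", IPPROTO_TCP, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv
        body = ah + upper
    elif proto == IPPROTO_ESP:
        # ESP: SPI, sequence number, then the payload (left unencrypted in this illustration)
        body = struct.pack("!II", spi, seq) + upper
    else:
        body = upper                          # plain IP packet with no IPsec header
    total_len = 20 + len(body)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, proto, 0, SRC, DST)
    return ip + body


def parse_ipsec_header(packet: bytes):
    """Return protocol name, SPI and sequence number of the IPsec header that follows
    the IPv4 header, or None if the packet carries neither AH nor ESP."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4             # IPv4 header length in bytes
    proto = packet[9]
    hdr = packet[ihl:]
    if proto == IPPROTO_AH:
        if len(hdr) < 12:
            raise ValueError("truncated AH header")
        next_hdr, _plen, _res, spi, seq = struct.unpack("!BBHII", hdr[:12])
        return {"proto": "AH", "spi": spi, "seq": seq, "next_header": next_hdr}
    if proto == IPPROTO_ESP:
        if len(hdr) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", hdr[:8])
        # ESP's next-header field lives inside the encrypted trailer, so it is not visible here.
        return {"proto": "ESP", "spi": spi, "seq": seq, "next_header": None}
    return None


class ReplayWindow:
    """Anti-replay sliding window. Bit i of the bitmap means sequence number
    (top - i) has already been accepted. A number newer than top slides the window;
    a number inside the window is accepted once; anything older or already seen is rejected."""

    def __init__(self, size: int = 64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0                          # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                      # sequence number 0 is never valid on a fresh SA
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = 0 if shift >= self.size else (self.bitmap << shift) & self.mask
            self.bitmap |= 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                      # too old: fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return False                      # replay: this sequence number was already accepted
        self.bitmap |= 1 << diff
        return True


def filter_replays(packets, window_size: int = 64):
    """Run packets through one replay window per (protocol, SPI) pair and return
    a list of (spi, seq, accepted) decisions, one per packet."""
    windows = {}
    decisions = []
    for pkt in packets:
        info = parse_ipsec_header(pkt)
        if info is None:
            decisions.append((None, None, False))   # not IPsec traffic: no window applies
            continue
        win = windows.setdefault((info["proto"], info["spi"]), ReplayWindow(window_size))
        decisions.append((info["spi"], info["seq"], win.check_and_update(info["seq"])))
    return decisions


# Constructed sample stream: in-order packets, a replayed one, a jump far ahead,
# a packet that is now too old, another replay, and one still inside the window.
SAMPLE_SEQS = [1, 2, 3, 2, 70, 5, 70, 7]
SAMPLE_PACKETS = [build_ipsec_packet(IPPROTO_AH, 0x1000, s) for s in SAMPLE_SEQS]
SAMPLE_PACKETS.append(build_ipsec_packet(IPPROTO_ESP, 0x2000, 1))   # different SA, own window
SAMPLE_PACKETS.append(build_ipsec_packet(IPPROTO_TCP, 0, 0))         # plain TCP, no IPsec header

if __name__ == "__main__":
    for spi, seq, ok in filter_replays(SAMPLE_PACKETS):
        print(f"spi={spi} seq={seq} {'accepted' if ok else 'rejected'}")
```

Each security association (here keyed by protocol and SPI) keeps its own window, which is why the ESP packet with sequence number 1 is accepted even though the AH window has long moved past 1. The jump to 70 empties the window, so the late packet with sequence number 5 is rejected as too old while 7, which is still within 64 of the top, is accepted once and would be rejected on any repeat.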
Features 29