Manualshelf

HP-UX IPSec Version A.03.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
31323334353637383940
Phase 1
During Phase 1, the IKE peers establish the IKE SA.
Phase 2
During Phase 2, the IKE peers establish the IPsec SAs.
IKEv1 can use one of two methods, or exchange modes, to establish the IKE SA:
Main Mode
Aggressive Mode
In Main Mode negotiations, the IKE peers select IKE parameters (configured in IKE policies)
based on the remote system’s IP address in the IP packet header. The IKE peers exchange ID
information after they establish a secure, encrypted communication channel.
In Aggressive Mode negotiations, the IKE initiator sends ID information in the first packet. This
enables the IKE responder to select IKE parameters, such as the encryption information, based
on ID information instead of the IKE peers IP address extracted from the IP packet header.
Aggressive Mode is quicker and requires the peers to exchange fewer packets, but is less secure
because the peers exchange identity information in clear text.
The IKEv1 protocol specification requires Main Mode support; Aggressive Mode support is
optional. Aggressive Mode is required when IKE is used with autoconfiguration clients because
these clients do not have fixed IP addresses. Aggressive Mode enables IKE to select IKE parameters
without using the remote address in the IP packet header.
TIP: Most IPsec IKEv1 implementations, including HP-UX IPSec, use Main Mode by default.
The IKEv1 Phase 1 negotiation is also referred to as a Main Mode (MM ) or an Aggressive Mode
(AM ) negotiation, depending on the exchange type used.
Generating Shared Keys: Diffie-Hellman
IKE and IPsec SAs use shared keys to encrypt and authenticate communication. To be effective,
a shared key must be kept private, so other parties cannot decrypt the data or generate a valid
authentication code for modified data. This creates a challenge: How do the two parties agree
on the same shared key? How can you distribute the same key to both parties without exposing
it to other parties listening on the network?
One method for distributing shared keys is to use the Diffie-Hellman algorithm to dynamically
generate shared keys. The Diffie-Hellman algorithm enables two parties to establish a shared,
secret value while exchanging information over a nonsecure channel.
The Diffie-Hellman algorithm is based on the principle that (x^a)^b and (x^b)^a are both equivalent
to x^(a*b). With Diffie-Hellman key generation, each party generates two numbers: one public
and one private. These values are based on a selected, well-known numeric base, or
Diffie-Hellman group. The two parties first select the same Diffie-Hellman group (Step 1 in
Figure 1-12). The two parties each select a public value and generate a mathematically related
private value (Step 2 in Figure 1-12). The two parties exchange public values (Step 3 in Figure 1-12).
This exchange can occur via a nonsecure channel. Each party then uses its private value and the
other party’s public value to generate a new value (Step 4 in Figure 1-12). Because of the
mathematical properties of the numbers, each party generates the same value, which can then
be used as a shared key or use as a base value to generate multiple shared keys.
IPsec Protocol Suite 39