HP-UX IPSec Version A.03.00 Administrator's Guide

Perfect Forward Secrecy
For efficiency, IKEv1 and IKEv2 can reuse an IKE SA to negotiate multiple IPsec SA pairs.
Without PFS, the keys for every IPsec SA pair are derived from the keying material of that
IKE SA, so compromise of the IKE SA keying material exposes all of the IPsec SAs negotiated
under it. For additional security, you can enable the Perfect Forward Secrecy (PFS) feature.
When PFS is enabled, the IKE peers perform a new Diffie-Hellman exchange and generate
fresh keying material for each IPsec SA pair, so the compromise (exposure) of one key
exposes only the data protected by that key.
IPsec Re-keying
The IPsec protocol suite also enables IKE to dynamically negotiate new IPsec keys rather than
using the same key for long periods. You can configure key lifetimes based on elapsed time or
on the number of bytes sent; when a lifetime expires, IKE negotiates a new IPsec SA pair.
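The two preceding paragraphs (PFS and re-keying) describe how IPsec SA keys are derived from the IKE SA and what a fresh Diffie-Hellman exchange changes. The following is an added example, not code from the HP-UX guide: it models the IKEv2 CHILD_SA key derivation of RFC 7296 (prf+ over SK_d, the nonces and, with PFS, the new g^ir) in Python. The PRF (HMAC-SHA-256), the toy Diffie-Hellman group, the constructed SK_d and nonces, and the function names (`child_sa_keymat`, `negotiate_child_sa`, `rekey_gives_fresh_keys`) are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy Diffie-Hellman group, used only so the arithmetic is real. 2**61 - 1 is
# prime but far too small for production; real IKE uses the MODP groups of
# RFC 3526 (for example group 14, 2048 bits). Assumption of this example, not
# an HP-UX setting.
P = 2**61 - 1
G = 5


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated IKEv2 PRF; HMAC-SHA-256 is assumed here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, nbytes: int) -> bytes:
    """RFC 7296 section 2.13 prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, prev, counter = b"", b"", 1
    while len(out) < nbytes:
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:nbytes]


def dh_keypair() -> Tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= P-2
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, P).to_bytes(8, "big")


def child_sa_keymat(sk_d: bytes, ni: bytes, nr: bytes,
                    pfs_secret: Optional[bytes] = None, nbytes: int = 64) -> bytes:
    """KEYMAT for one IPsec (CHILD) SA pair, RFC 7296 section 2.17:
       without PFS: prf+(SK_d, Ni | Nr)
       with PFS:    prf+(SK_d, g^ir (new) | Ni | Nr)
    The bytes are then split into the ESP/AH keys for each direction."""
    seed = (pfs_secret or b"") + ni + nr
    return prf_plus(sk_d, seed, nbytes)


# Constructed IKE SA state: SK_d is the derivation key both peers hold once
# the IKE SA is up. An attacker who has compromised the IKE SA knows it too.
SK_D = hashlib.sha256(b"constructed SK_d for the example").digest()


def negotiate_child_sa(pfs: bool) -> Tuple[bool, bool]:
    """Returns (peers derived the same KEYMAT, an attacker holding SK_d and
    everything seen on the wire could reproduce it)."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        i_priv, i_pub = dh_keypair()
        r_priv, r_pub = dh_keypair()
        keymat_i = child_sa_keymat(SK_D, ni, nr, dh_shared(i_priv, r_pub))
        keymat_r = child_sa_keymat(SK_D, ni, nr, dh_shared(r_priv, i_pub))
    else:
        keymat_i = keymat_r = child_sa_keymat(SK_D, ni, nr)
    # The attacker sees Ni, Nr and (with PFS) the public values i_pub and
    # r_pub, but not the private exponents, so it cannot supply g^ir.
    attacker = child_sa_keymat(SK_D, ni, nr)
    return keymat_i == keymat_r, attacker == keymat_i


def rekey_gives_fresh_keys() -> bool:
    """Re-keying under the same IKE SA: new nonces give new KEYMAT even without PFS."""
    first = child_sa_keymat(SK_D, secrets.token_bytes(16), secrets.token_bytes(16))
    second = child_sa_keymat(SK_D, secrets.token_bytes(16), secrets.token_bytes(16))
    return first != second


if __name__ == "__main__":
    print("no PFS (peers agree, attacker recovers):", negotiate_child_sa(False))
    print("PFS    (peers agree, attacker recovers):", negotiate_child_sa(True))
    print("re-key yields different keys:", rekey_gives_fresh_keys())
```

Run without PFS, an attacker who holds SK_d reproduces the IPsec SA keys from nothing more than the nonces on the wire; with PFS the same attacker cannot, because the fresh g^ir never leaves the two peers. Re-keying on its own limits how much traffic one key protects, but every re-keyed SA is still derived from the same SK_d, which is why PFS and re-keying are complementary rather than interchangeable.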
Manual Keys
Manual keys are an alternative to IKE. Instead of using IKE to dynamically generate and
distribute cryptography keys for ESP and AH, the cryptography keys are static and manually
distributed using an out-of-band key exchange. Because manual keys are static, using them is
less secure than using IKE. Manual keys are typically used only when the remote system does
not support IKE.
Summary
This section contains a list of the key IPsec protocol terms and concepts.
ESP
The ESP protocol encrypts and authenticates IP data using shared cryptography keys.
AH
The AH protocol authenticates IP data and the static fields of the IP header using shared
cryptography keys.
Transport Mode and Tunnel Mode
ESP and AH can be used in transport mode or tunnel mode. In transport mode, the ESP or
AH header is inserted after the IP header. In tunnel mode, IPsec encapsulates the original
IP packet in a new IP packet, and IPsec inserts the ESP or AH header in front of the original
IP header.
IKE
The IKE protocol provides dynamic keying for ESP and AH. The alternative to IKE is to use
manual keys for ESP and AH. You must configure preshared keys or certificates for IKE
authentication.
There are two versions of the IKE protocol: IKEv1 and IKEv2. HP-UX IPSec supports both
versions.
The IKEv1 protocol establishes the IKE SA in Phase 1 using Main Mode or Aggressive Mode,
and then negotiates IPsec SAs under that IKE SA in Phase 2 using Quick Mode. HP-UX IPSec
supports Main Mode and Quick Mode.
Manual Keys
Manual keys are an alternative to IKE and require more administrative overhead to configure
than IKE. Manual keys also leave the same encryption keys in use for long periods of time,
which increases the opportunities for third parties to determine the keys.
IPsec Protocol Suite 41