HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Table 16 Supported IPsec RFCs (continued)
RFC Title                                                                               RFC Number
The AES-CBC Cipher Algorithm and Its Use with IPsec                                     RFC 3602
Mobility Support in IPv6                                                                RFC 3775
Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents       RFC 3776
Algorithms for Internet Key Exchange version 1 (IKEv1)                                  RFC 4109
Security Architecture for the Internet Protocol                                         RFC 4301
IP Authentication Header                                                                RFC 4302
IP Encapsulating Security Payload (ESP)                                                 RFC 4303
Internet Key Exchange (IKEv2)                                                           RFC 4306
Cryptographic Algorithms for Use in the Internet Key Exchange                           RFC 4307
Cryptographic Suites for IPsec (Suite "VPN-A" only)                                     RFC 4308
Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload  RFC 4835
  (ESP) and Authentication Header (AH)
The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX                   RFC 4945
Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec                           RFC 4868
RFC 3775 IKE Identity Payload Requirement
RFC 3775, Mobility Support in IPv6, section 5.1, Binding Updates to Home Agents, contains the
following mandatory specification for IKE identities:
The ID_IPV6_ADDR Identity Payload MUST NOT be used in IKEv1 phase 1.
RFC 3776 Mandatory Support
RFC 3776, Using IPsec to Protect Mobile IPv6 Signaling Between Mobile Nodes and Home Agents,
section 4.1, Mandatory Support, contains the following mandatory support specifications for
securing Mobile IPv6 packets.
The following requirements apply to both home agents and mobile nodes:
• Manual configuration of IPsec security associations MUST be supported. The
configuration of the keys is expected to take place out-of-band, for instance at
the time the mobile node is configured to use its home agent.
• Automatic key management with IKE [4] MAY be supported. Only IKEv1 is
discussed in this document. Other automatic key management mechanisms
exist and will appear beyond IKEv1, but this document does not address the
issues related to them.
• ESP encapsulation of Binding Updates and Acknowledgements between the
mobile node and home agent MUST be supported and MUST be used.
• ESP encapsulation of the Home Test Init and Home Test messages tunneled
between the mobile node and home agent MUST be supported and SHOULD
be used.
• ESP encapsulation of the ICMPv6 messages related to prefix discovery MUST
be supported and SHOULD be used.
• ESP encapsulation of the payload packets tunneled between the mobile node
and home agent MAY be supported and used.
• If multicast group membership control protocols or stateful address
autoconfiguration protocols are supported, payload data protection MUST be
supported for those protocols.