HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
ESP The ESP (Encapsulating Security Payload) protocol provides confidentiality (encryption), data
authentication, and an anti-replay service for IP packets. When used in tunnel mode, ESP also
provides limited traffic flow confidentiality.
filter The parameters in an IPsec policy that HP-UX IPSec uses to select the policy applied to an IP
packet. The parameters are the source and destination IP addresses, protocol, and source and
destination port numbers.
HMAC Hashed Message Authentication Code. See also MAC.
IKE The Internet Key Exchange (IKE) protocol is used before the ESP or AH protocol exchanges to
determine which encryption and/or authentication services will be used. IKE also manages the
distribution and update of the symmetric (shared) encryption keys used by ESP and AH.
The IKE protocol is a hybrid of three other protocols: ISAKMP (Internet Security Association and
Key Management Protocol), Oakley, and Versatile Secure Key Exchange Mechanism for Internet
protocol (SKEME) . ISAKMP provides a framework for authentication and key exchange, but does
not define the actual key exchange. (ISAKMP) defines most of the message format, with non-specific
key-exchange information fields). The Oakley Key Determination protocol and SKEME protocol
define key exchange techniques.
IKE SA A security association (SA), or security session, for IKE. An IKE SA is a secure, encrypted security
session primarily used to negotiate IPsec SAs. An IKE SA must exist before IPsec SAs can be
negotiated.
IKE SA IKE Security Association. An IKE SA is a bidirectional, secure communication channel that IKE
uses to negotiate IPsec SAs.
IKEv1 can establish IKE SAs using either Main Mode or Aggressive Mode negotiations.
Also referred to as IKE Phase One SA, ISAKMP SA, ISAKMP/MM SA, Aggressive Mode SA,
Main Mode SA.
IKEv1 Version 1 of the IKE protocol. IKEv1 is defined in RFCs 2407, 2408, and 2409.
IKEv2 Version 2 of the IKE protocol. IKEv2 is defined in RFC 4306.
IPsec policy IPsec policies specify the rules according to which data is transferred securely. IPsec policies
generally contain packet filter information and an action. The packet filter is used to select a
policy for a packet and the action is applied to the packets using the policy.
IPsec SA A security association (SA), or security session, for IPsec. An IPsec SA also specifies encryption
and authentication methods, encryption keys and lifetimes. Also referred to as IPsec/QM SA,
Phase 2 SA, Quick Mode SA, QM SA.
IPsec SA IPsec Security Association. An IPsec SA is a uni-directional, secure communication channel. The
IPsec SA operating parameters include the IPsec protocol used (ESP or AH), the mode (transport
or tunnel), the cryptographic algorithms (such as AES and SHA-1), the cryptographic keys, the
SA lifetime, and the endpoints (IP addresses, protocol and port numbers). IKE establishes IPsec
SAs using Quick Mode negotiations. Also referred to as IKE Phase Two SA, IPsec SA, Quick
Mode SA.
IPsec/QM SA See IPsec SA..
ISAKMP HP supports the Internet Security Association and Key Management Protocol (ISAKMP) in
conjunction with the Oakley Key Exchange Protocol to establish an authenticated key exchange.
ISAKMP defines procedures and packet formats to establish a security association between two
negotiating entities.
ISAKMP SA See IKE SA..
MAC A message authentication code (MAC) is an authentication tag, also called a checksum, derived
by application of an authentication scheme, together with a secret key, to a message. MACs are
computed and verified with the same key so they can only be verified by the intended receiver,
unlike digital signatures.
Hash function-based MACs (HMACS) use a key or keys in conjunction with a hash function to
produce a checksum that is appended to the message. An example is the keyed-MD5 method of
message authentication.
MACs can also be derived from block ciphers.
215