HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Summary
This section contains a list of the key IPsec protocol terms and concepts.
• ESP
The ESP protocol encrypts and authenticates IP data using shared cryptography keys.
• AH
The AH protocol authenticates IP data and the static fields of the IP header using shared
cryptography keys.
• Transport Mode and Tunnel Mode
ESP and AH can be used in transport mode or tunnel mode. In transport mode, the ESP or AH
header is inserted after the IP header. In tunnel mode, IPsec encapsulates the original IP packet
in a new IP packet, and IPsec inserts the ESP or AH header in front of the original IP header.
• IKE
The IKE protocol provides dynamic keying for ESP and AH. The alternative to IKE is to use
manual keys for ESP and AH. You must configure preshared keys or certificates for IKE
authentication.
There are two versions of the IKE protocol: IKEv1 and IKEv2. HP-UX IPSec supports both
versions.
The IKEv1 protocol defines two methods for establishing IKE SAs: Main Mode and Quick
Mode. HP-UX IPSec supports both methods.
• Manual Keys
Manual keys are an alternative to IKE and require more administrative overhead to configure
than IKE does. Manual keys also expose encryption keys for long periods of time, which increases
the opportunities for third parties to determine the keys.
• Security Association (SA)
An SA is a secure communications channel and its operating parameters. An IPsec SA must
exist to use ESP or AH, and an IKE SA must exist to establish IPsec SAs. Because an IKE SA
is required to create an IPsec SA, the IKEv2 protocol also refers to IPsec SAs as “child SAs.”
• Key Types
HP-UX uses four types of cryptography keys:
◦ Preshared keys. IKE uses the preshared key to authenticate the identity of the remote
system for IKE. HP-UX supports ASCII keys for preshared keys. The system administrators
must distribute the keys using a secure, out-of-band communications channel, such as a
face-to-face meeting, phone call, or secure mail.
◦ Public/private keys. As an alternative to IKE preshared key authentication, IKE can use
RSA signatures from a public/private key pair to authenticate the identity of the remote
system. The public keys are distributed using certificates.
◦ Dynamic keys. IKE generates dynamic keys for the AES, 3DES, MD5, SHA-1, and SHA-2
algorithms used by the ESP and AH protocols. IKE also generates dynamic keys to
authenticate and encrypt IKE packets. See Table 5 (page 68) for algorithm key lengths.
◦ Manual keys. As an alternative to IKE, you can manually configure the MD5, SHA-1, and
SHA-2 keys used for ESP and AH. The system administrators must distribute the keys
using a secure, out-of-band communications channel.
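To illustrate the AH item and transport-mode header placement described above, the following Python is an added example written for this page (not HP-UX IPSec code): it places an AH header directly after the IPv4 header and computes the integrity check value over the static header fields only, so a router's TTL decrement still verifies while a changed source address does not. It assumes HMAC-SHA-256-128 as defined in RFC 4868, a constructed key, and omits the IP checksum and replay-window handling.

```python
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51          # IP protocol number for AH; in transport mode the AH header follows the IP header
ICV_LEN = 16           # HMAC-SHA-256-128 (RFC 4868): 256-bit MAC truncated to 128 bits
AH_LEN = 12 + ICV_LEN  # next header, payload len, reserved, SPI, sequence number (12 bytes) + ICV

def ipv4_header(src, dst, proto, ttl, payload_len):
    """20-byte IPv4 header, no options. Checksum is left 0: it is mutable, so AH excludes it anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(ip_hdr):
    """Zero the fields routers may rewrite in flight (TOS, flags/fragment offset, TTL, checksum).
    Version/IHL, total length, identification, protocol and both addresses stay under the ICV."""
    b = bytearray(ip_hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)

def _icv(key, ip_hdr, ah_fixed, payload):
    # The ICV covers the static IP header fields, the AH header with its own ICV field zeroed, and the payload.
    covered = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]

def ah_protect(key, spi, seq, src, dst, inner_proto, payload, ttl=64):
    """Wrap `payload` (upper-layer protocol `inner_proto`) in AH transport mode from src to dst."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, ttl, AH_LEN + len(payload))
    # Payload Len is the AH header length in 32-bit words minus 2; Next Header carries the original protocol.
    ah_fixed = struct.pack("!BBHII", inner_proto, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + _icv(key, ip_hdr, ah_fixed, payload) + payload

def ah_verify(key, packet):
    """True when the received ICV matches; any change to a protected field or to the payload fails."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, _icv(key, ip_hdr, ah_fixed, payload))

if __name__ == "__main__":
    KEY = bytes.fromhex("0f" * 32)  # constructed 256-bit key; a real one comes from IKE or manual configuration
    pkt = ah_protect(KEY, 0x100, 1, "10.0.0.1", "10.0.0.2", 17, b"constructed udp payload")
    routed = bytearray(pkt); routed[8] -= 1        # a router decrements TTL: mutable, still verifies
    spoofed = bytearray(pkt); spoofed[12] ^= 1     # source address altered: static field, detected
    print(ah_verify(KEY, pkt), ah_verify(KEY, bytes(routed)), ah_verify(KEY, bytes(spoofed)))
```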