Authentication And Encryption Algorithms; IPsec Policies; Table 46 Algorithms And Associated Authentication Policies - HP StoreFabric SN6500B Administrator's Manual

Fabric OS Administrator's Guide, 7.1.0 (53-1002745-02, March 2013)
7 Management interface security

these values in negotiations to create IPsec SAs. You must create an SA prior to creating an
SA-proposal. You cannot modify an SA once it is created. Use the ipsecConfig --flush manual-sa
command to remove all SA entries from the kernel SADB and re-create the SA. For more
information on the ipsecConfig command, refer to the Fabric OS Command Reference.

IPsec proposal

The IPsec sa-proposal defines an SA or an SA bundle. An SA is a set of parameters that define how
the traffic is protected using IPsec. These are the IPsec protocols to use for an SA, either AH or
ESP, and the encryption and authentication algorithms to use to protect the traffic. For SA bundles,
[AH, ESP] is the supported combination.

Authentication and encryption algorithms

IPsec uses different protocols to ensure the authentication, integrity, and confidentiality of the
communication. Encapsulating Security Payload (ESP) provides confidentiality, data integrity and
data source authentication of IP packets, and protection against replay attacks. Authentication
Header (AH) provides data integrity, data source authentication, and protection against replay
attacks, but unlike ESP, AH does not provide confidentiality.
In AH and ESP, hmac_md5 and hmac_sha1 are used as authentication algorithms. Only in ESP,
3des_cbc, blowfish_cbc, aes256_cbc and null_enc are used as encryption algorithms. Use
Table 46 when configuring the authentication algorithm.

TABLE 46 Algorithms and associated authentication policies

| Algorithm | Encryption Level | Policy | Description |
|---|---|---|---|
| hmac_md5 | 128-bit | AH, ESP | A stronger MAC because it is a keyed hash inside a keyed hash. When MD5 or SHA-1 is used in the calculation of an HMAC, the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA-1 accordingly. NOTE: The MD5 hash algorithm is blocked when FIPS mode is enabled. |
| hmac_sha1 | 160-bit | AH, ESP | A stronger MAC because it is a keyed hash inside a keyed hash. When MD5 or SHA-1 is used in the calculation of an HMAC, the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA-1 accordingly. |
| 3des_cbc | 168-bit | ESP | Triple DES is a more secure variant of DES. It uses three different 56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by Federal agencies. |
| blowfish_cbc | 64-bit | ESP | Blowfish is a 32-bit to 448-bit keyed, symmetric block cipher. |
| aes128_cbc | 128-bit | ESP | Advanced Encryption Standard is a 128- or 256-bit fixed block size cipher. |
| aes256_cbc | 256-bit | ESP | Advanced Encryption Standard is a 128- or 256-bit fixed block size cipher. |
| null_enc | n/a | ESP | A form of plaintext encryption. |

IPsec policies

An IPsec policy determines the security services afforded to a packet and the treatment of a
packet in the network. An IPsec policy allows classifying IP packets into different traffic flows and
specifies the actions or transformations performed on IP packets on each of the traffic flows. The
main components of an IPsec policy are: IP packet filter and selector (IP address, protocol, and
port information) and transform set.
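
The "keyed hash inside a keyed hash" description of hmac_md5 and hmac_sha1 in Table 46, written out as an added Python example (not code from the manual or from Fabric OS). The 96-bit truncation of the integrity check value follows RFC 2403 and RFC 2404 and is an assumption about how the transforms are applied; the function names, key and payload are constructed for illustration.

```python
import hashlib
import hmac  # standard library, used to cross-check the manual construction

# Table 46 name -> (hashlib name, size in bits listed under "Encryption Level")
AUTH_ALGS = {"hmac_md5": ("md5", 128), "hmac_sha1": ("sha1", 160)}
ICV_BITS = 96  # assumption: RFC 2403 / RFC 2404 truncation used by AH and ESP


def nested_hmac(alg, key, message, fips_mode=False):
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || message))."""
    if alg not in AUTH_ALGS:
        raise ValueError(f"{alg} is not an authentication algorithm in Table 46")
    if fips_mode and alg == "hmac_md5":
        raise ValueError("hmac_md5 is blocked when FIPS mode is enabled")
    hash_name, _bits = AUTH_ALGS[alg]
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:             # over-long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")  # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()  # first keyed hash
    return hashlib.new(hash_name, opad + inner).digest()     # second keyed hash


def icv(alg, key, message, fips_mode=False):
    """Integrity check value: the MAC truncated to its first 96 bits."""
    return nested_hmac(alg, key, message, fips_mode)[: ICV_BITS // 8]


def verify_icv(alg, key, message, received_icv, fips_mode=False):
    """Constant-time comparison, so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(icv(alg, key, message, fips_mode), received_icv)


if __name__ == "__main__":
    key = bytes(range(20))                  # constructed sample key
    packet = b"constructed sample payload"  # constructed sample data
    for name, (hash_name, bits) in AUTH_ALGS.items():
        mac = nested_hmac(name, key, packet)
        assert mac == hmac.new(key, packet, hash_name).digest()
        print(name, f"{bits}-bit MAC, 96-bit ICV:", icv(name, key, packet).hex())
```

The full MAC lengths (16 and 20 bytes) match the 128-bit and 160-bit values Table 46 lists for the two algorithms.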