IPsec on the OmniSwitch - OmniSwitch OS6900 Network Configuration Manual


Configuring IPsec

Authentication Algorithms

HMAC-MD5 - An algorithm that produces a 128-bit hash (also called a digital signature or message digest) from a message of arbitrary length and a 16-byte key. The resulting hash is used, like a fingerprint of the input, to verify content and source authenticity and integrity.

HMAC-SHA1 - An algorithm that produces a 160-bit hash from a message of arbitrary length and a 20-byte key. It is generally regarded as more secure than MD5 because of the larger hashes it produces.

AES-XCBC-MAC-96 - An algorithm that uses AES [AES] in CBC mode [MODES] with a set of extensions [XCBC-MAC-1] to overcome the limitations of the classic CBC-MAC algorithm. It uses the AES block cipher with an increased block size and key length (128 bits), which enables it to withstand continuing advances in cryptanalytic techniques and computational capability. Its goal is to ensure that the datagram is authentic and cannot be modified in transit.
Unlike ESP, AH does not encrypt the data. Therefore, it has a much simpler header than ESP. The figure below shows an AH-protected IPv6 packet.

[Figure: IP Packet protected by AH. The AH header fields shown are Next Header (8 bits), Payload Length (8 bits), Reserved (16 bits), Security association identifier (SPI) (32 bits), Sequence Number (32 bits) and Authentication Data (variable length; the Integrity Check Value).]
AH is identified by a value of 51 in the IPv6 header. The Next Header field indicates the value of the upper layer protocol being protected (for example, UDP or TCP) in transport mode. The Payload Length field in the AH header indicates the length of the header. The SPI, in combination with the source and destination addresses, helps distinguish multiple SAs configured for the same source and destination combination. The AH header provides a means to verify data integrity. It is similar to the integrity check provided by the ESP header, with one key difference: the ESP integrity check only verifies the contents of the ESP payload, whereas AH's integrity check also covers portions of the packet header.
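The two passages above (the HMAC algorithms with their key lengths, and the AH header whose integrity check covers parts of the IP header) can be tied together in code. The following is an added example, not code from the guide or from the OmniSwitch software: it builds a transport-mode IPv6 packet protected by AH, computes the Integrity Check Value with HMAC-SHA1 (or HMAC-MD5) over the IPv6 header with its mutable fields zeroed, the AH header and the payload, and then shows why a change to the destination address or payload fails verification while a changed hop limit does not. The 96-bit ICV truncation and the "length in 32-bit words minus 2" encoding of Payload Length follow the IPsec RFCs (RFC 2403/2404 and RFC 4302), not this page; all addresses, keys and payload bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

# Added example (not the guide's code). HMAC-MD5 and HMAC-SHA1 as AH integrity
# algorithms, with the key lengths the guide lists; the ICV is truncated to
# 96 bits as the IPsec variants HMAC-MD5-96 / HMAC-SHA1-96 do (RFC 2403/2404).
AH_PROTOCOL = 51                       # Next Header value that identifies AH
ICV_LEN = 12                           # 96-bit Integrity Check Value
MAC_ALGORITHMS = {
    "hmac-md5": (hashlib.md5, 16),     # 128-bit hash, 16-byte key
    "hmac-sha1": (hashlib.sha1, 20),   # 160-bit hash, 20-byte key
}


def compute_icv(algo: str, key: bytes, data: bytes) -> bytes:
    """Keyed hash over `data`, truncated to the 96-bit ICV carried in AH."""
    digest, key_len = MAC_ALGORITHMS[algo]
    if len(key) != key_len:
        raise ValueError(f"{algo} expects a {key_len}-byte key")
    return hmac.new(key, data, digest).digest()[:ICV_LEN]


def build_ipv6_header(payload_len, next_header, src, dst, hop_limit=64):
    # Version 6, Traffic Class 0, Flow Label 0, then the two 16-byte addresses.
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit) + src + dst


def zero_mutable_fields(ipv6_header: bytes) -> bytes:
    """AH covers the IPv6 header, but fields that change in transit (Traffic
    Class, Flow Label, Hop Limit) are treated as zero when the ICV is computed."""
    ver_tc_fl, plen, nh, _hop = struct.unpack("!IHBB", ipv6_header[:8])
    return struct.pack("!IHBB", ver_tc_fl & 0xF0000000, plen, nh, 0) + ipv6_header[8:]


def build_ah(next_header, spi, seq, icv):
    # Payload Length is the AH length in 32-bit words minus 2 (RFC 4302).
    words = (12 + len(icv)) // 4
    return struct.pack("!BBHII", next_header, words - 2, 0, spi, seq) + icv


def parse_ah(data: bytes) -> dict:
    """Decode the fixed AH fields and the variable-length ICV that follows them."""
    nh, plen, reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    total = (plen + 2) * 4
    return {"next_header": nh, "payload_len": plen, "reserved": reserved,
            "spi": spi, "seq": seq, "icv": data[12:total], "length": total}


def ah_protect(algo, key, src, dst, upper_proto, spi, seq, payload):
    """Transport-mode AH: IPv6 header | AH | upper-layer payload."""
    ah_len = 12 + ICV_LEN              # 24 bytes, 8-byte aligned as IPv6 requires
    ipv6 = build_ipv6_header(ah_len + len(payload), AH_PROTOCOL, src, dst)
    ah_no_icv = build_ah(upper_proto, spi, seq, b"\x00" * ICV_LEN)
    icv = compute_icv(algo, key, zero_mutable_fields(ipv6) + ah_no_icv + payload)
    return ipv6 + build_ah(upper_proto, spi, seq, icv) + payload


def ah_verify(algo, key, packet):
    """Recompute the ICV the way a receiver does; returns (ok, parsed AH header)."""
    ipv6, rest = packet[:40], packet[40:]
    if ipv6[6] != AH_PROTOCOL:
        return False, None
    ah = parse_ah(rest)
    ah_no_icv = rest[:12] + b"\x00" * len(ah["icv"])
    payload = rest[ah["length"]:]
    expected = compute_icv(algo, key, zero_mutable_fields(ipv6) + ah_no_icv + payload)
    return hmac.compare_digest(expected, ah["icv"]), ah


# Constructed sample values (not from the guide).
SRC = bytes.fromhex("20010db8000000010000000000000001")      # 2001:db8:0:1::1
DST = bytes.fromhex("20010db8000000020000000000000001")      # 2001:db8:0:2::1
KEY = bytes(range(20))                                       # 20-byte HMAC-SHA1 key
PAYLOAD = b"\x00\x35\x00\x35\x00\x14\x00\x00constructed"      # fake UDP datagram
PACKET = ah_protect("hmac-sha1", KEY, SRC, DST, 17, spi=0x1000, seq=1, payload=PAYLOAD)


def tamper(packet: bytes, offset: int) -> bytes:
    """Flip one bit at `offset` to simulate in-transit modification."""
    return packet[:offset] + bytes([packet[offset] ^ 0x01]) + packet[offset + 1:]


if __name__ == "__main__":
    print("intact:", ah_verify("hmac-sha1", KEY, PACKET)[0])
    print("hop limit changed (mutable, still valid):", ah_verify("hmac-sha1", KEY, tamper(PACKET, 7))[0])
    print("dst address changed:", ah_verify("hmac-sha1", KEY, tamper(PACKET, 24))[0])
    print("payload changed:", ah_verify("hmac-sha1", KEY, tamper(PACKET, len(PACKET) - 1))[0])
```

The header-coverage difference the text describes is visible in the last three lines: ESP's integrity check would not notice the changed destination address, AH's does, and only the fields AH treats as mutable (hop limit here) may change without invalidating the ICV. AES-XCBC-MAC-96 is omitted because the Python standard library has no AES implementation.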

IPsec on the OmniSwitch

IPsec allows the following three types of actions to be performed on an IPv6 datagram that matches the filters defined in the security policy:

- The IPv6 datagram can be subjected to IPsec processing, i.e. encrypted and/or authenticated via the ESP and AH protocols.
- The IPv6 datagram can be discarded.
- The IPv6 datagram can be permitted to pass without being subjected to any IPsec processing.

The system decides which packets are processed, and how they are processed, by using the combination of the policy and the SA. The policy specifies which IPsec protocols are used, such as AH or ESP, while the SA specifies the algorithms, such as AES and HMAC-MD5.
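The division of labour described above (the policy selects the action and the protocol, the SA selects the algorithms, and the SPI together with the source and destination addresses picks out one SA among several for the same pair of hosts) is shown in the following added example. It is a constructed model written for this page, not the switch's implementation: the policy order, selector fields, the assumed default of discarding traffic that matches no policy, and all addresses and SPIs are illustrative choices.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example (not the OmniSwitch implementation): a policy database that
# chooses the action and protocol, and an SA database that supplies the
# algorithms, keyed by (SPI, source, destination).
N = ipaddress.IPv6Network
A = ipaddress.IPv6Address


@dataclass(frozen=True)
class Policy:
    name: str
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    action: str                      # "ipsec", "discard" or "bypass"
    protocols: Tuple[str, ...] = ()  # "ah" and/or "esp" when action is "ipsec"
    upper: Optional[int] = None      # upper-layer protocol number; None matches any


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    protocol: str                    # "ah" or "esp"
    auth_algo: str                   # e.g. "hmac-sha1", "aes-xcbc-mac-96"
    enc_algo: Optional[str] = None   # ESP only, e.g. "aes"


def match_policy(policies, src, dst, upper) -> Optional[Policy]:
    """First policy whose selectors cover the datagram wins, so order matters."""
    for p in policies:
        if src in p.src and dst in p.dst and p.upper in (None, upper):
            return p
    return None


def process_datagram(policies, sadb: Dict, src, dst, upper, spi=None):
    """Return (action, detail) for one IPv6 datagram."""
    policy = match_policy(policies, src, dst, upper)
    if policy is None:
        return "discard", "no matching policy"   # assumed default: drop unmatched traffic
    if policy.action != "ipsec":
        return policy.action, policy.name
    # SPI + source + destination selects the SA, so two SAs between the same
    # pair of hosts (one AH, one ESP) can coexist and are told apart by SPI.
    sa = sadb.get((spi, src, dst))
    if sa is None:
        return "discard", f"{policy.name}: no SA for SPI {spi}"
    if sa.protocol not in policy.protocols:
        return "discard", f"{policy.name}: SA protocol {sa.protocol} not allowed"
    detail = f"{sa.protocol}/{sa.auth_algo}"
    if sa.enc_algo:
        detail += f"/{sa.enc_algo}"
    return "ipsec", detail


# Constructed sample policies and SAs (not from the guide).
POLICIES = [
    Policy("drop-untrusted", N("2001:db8:bad::/48"), N("::/0"), "discard"),
    Policy("protect-udp", N("2001:db8:1::/64"), N("2001:db8:2::/64"), "ipsec", ("ah",), upper=17),
    Policy("allow-site", N("2001:db8::/32"), N("2001:db8::/32"), "bypass"),
]
SRC, DST = A("2001:db8:1::10"), A("2001:db8:2::20")
UNTRUSTED, OUTSIDE = A("2001:db8:bad::1"), A("2001:db9::1")
SADB = {
    (0x1000, SRC, DST): SecurityAssociation(0x1000, SRC, DST, "ah", "hmac-sha1"),
    (0x2000, SRC, DST): SecurityAssociation(0x2000, SRC, DST, "esp", "hmac-md5", "aes"),
}

if __name__ == "__main__":
    print(process_datagram(POLICIES, SADB, SRC, DST, 17, spi=0x1000))   # AH via policy + SA
    print(process_datagram(POLICIES, SADB, SRC, DST, 17, spi=0x2000))   # ESP SA, but policy only allows AH
    print(process_datagram(POLICIES, SADB, SRC, DST, 6))                # TCP: falls through to bypass
    print(process_datagram(POLICIES, SADB, UNTRUSTED, DST, 17))         # discarded by first policy
    print(process_datagram(POLICIES, SADB, OUTSIDE, DST, 17))           # no policy: discarded
```

The second call is the case worth noting: an SA alone does not authorise processing, because the policy names the protocol (AH) and the SA found by SPI carries ESP, so the datagram is dropped rather than processed with the wrong protocol.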
OmniSwitch AOS Release 7 Network Configuration Guide, June 2013, IPsec Overview, page 18-7
