Using Ipsec With The Rackswitch G8000; Setting Up Authentication - IBM RackSwitch G8000 Application Manual

Using IPsec with the RackSwitch G8000

Setting up Authentication

204
RackSwitch G8000: Application Guide
Both ESP and AH rely on security associations. A security association (SA) is the
bundle of algorithms and parameters (such as keys) that encrypt and authenticate a
particular flow in one direction.
IPsec supports the fragmentation and reassembly of IP packets that occurs when
data goes to and comes from an external device. The RackSwitch G8000 acts as an
end node that processes any fragmentation and reassembly of packets but does not
forward the IPsec traffic. The IKEv2 key must be authenticated before you can use
IPsec.
The security protocol for the session key is either ESP or AH. Outgoing packets are
labeled with the SA SPI (Security Parameter Index), which the remote device will
use in its verification and decryption process.
Every outgoing IPv6 packet is checked against the IPsec policies in force. For each
outbound packet, after the packet is encrypted, the software compares the packet
size with the MTU size that it either obtains from the default minimum maximum
transmission unit (MTU) size (1500) or from path MTU discovery. If the packet size
is larger than the MTU size, the receiver drops the packet and sends a message
containing the MTU size to the sender. The sender then fragments the packet into
smaller pieces and retransmits them using the correct MTU size.
The maximum traffic load for each IPsec packet is limited to the following:
• IKEv2 SAs: 5
• IPsec SAs: 10 (5 SAs in each direction)
• SPDs: 20 (10 policies in each direction)
IPsec is implemented as a software cryptography engine designed for handling
control traffic, such as network management. IPsec is not designed for handling
data traffic, such as a VPN.
Before you can use IPsec, you need to have key policy authentication in place.
There are two types of key policy authentication:
• Preshared key (default)
The parties agree on a shared, secret key that is used for authentication in an
IPsec policy. During security negotiation, information is encrypted before
transmission by using a session key created by using a Diffie-Hellman
calculation and the shared, secret key. Information is decrypted on the receiving
end using the same key. One IPsec peer authenticates the other peer's packet
by decryption and verification of the hash inside the packet (the hash inside the
packet is a hash of the preshared key). If authentication fails, the packet is
discarded.
• Digital certificate (using RSA algorithms)
The peer being validated must hold a digital certificate signed by a trusted
Certificate Authority and the private key for that digital certificate. The side
performing the authentication only needs a copy of the trusted certificate
authorities digital certificate. During IKEv2 authentication, the side being
validated sends a copy of the digital certificate and a hash value signed using the
private key. The certificate can be either generated or imported.
Note: During the IKEv2 negotiation phase, the digital certificate takes precedence
over the preshared key.