Ipsec For Ipv6 Routing Protocols; Protocols And Standards; Fips Compliance; Configuring Ipsec - HP 5500 HI Series Configuration Manual

IPsec for IPv6 routing protocols

You can use IPsec to protect routing information and defend against attacks for these IPv6 routing
protocols: OSPFv3, IPv6 BGP, and RIPng. IPsec enables these IPv6 routing protocols to encapsulate
outbound protocol packets and de-encapsulate inbound protocol packets with the AH or ESP protocol.
If an inbound protocol packet is not IPsec protected, or fails to be de-encapsulated, for example, due to
decryption or authentication failure, the routing protocol discards that packet.
You must manually configure SA parameters in an IPsec policy for IPv6 routing protocols. The IKE key
exchange mechanism is applicable only to one-to-one communications. IPsec cannot implement
automatic key exchange for one-to-many communications on a broadcast network, where routers must
use the same SA parameters (SPI and key) to process packets for a routing protocol.

Protocols and standards

Protocols and standards relevant to IPsec are as follows:
RFC 2401, Security Architecture for the Internet Protocol
•
RFC 2402, IP Authentication Header
•
RFC 2406, IP Encapsulating Security Payload
•
• RFC 4552, Authentication/Confidentiality for OSPFv3

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode (see

Configuring IPsec

IPsec can be implemented based on ACLs or applications:
• ACL-based IPsec uses ACLs to identify the data flows to be protected. To implement ACL-based IPsec,
configure IPsec policies, reference ACLs in the policies, and apply the policies to physical interfaces
(see "Implementing ACL-based
implementing IPsec flexibly.
Application-based IPsec protects the packets of a service. This IPsec implementation method can be
•
used to protect IPv6 routing protocols. It does not require any ACL, nor does it depend on the
routing mechanism. To configure service-based IPsec, configure manual IPsec policies and bind the
policies to an IPv6 routing protocol. See

Implementing ACL-based IPsec

ACL-based IPsec can be used to protect the data flow between the local device and the peer end of the
IPsec tunnel, rather than the forwarded data flow.

Feature Restrictions

The device provides IPsec protection only for traffic that is generated by the device and traffic that is
destined for the device. You cannot use IPsec to protect user traffic. In the ACL that is used to identify IPsec
IPsec"). By using ACLs, you can customize IPsec policies as needed,
"Configuring IPsec for IPv6 routing
270
"Configuring FIPS") and non-FIPS mode.
protocols."