Supported IPsec Transforms and Algorithms - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual

MDS 9000 Family

Chapter 30
Configuring IPsec Network Security
Send documentation comments to mds-feedback-doc@cisco.com.

Lifetime—A lifetime counter (in seconds and bytes) is maintained from the time the SA is created. When the time limit expires the SA is no longer operational and, if required, is automatically renegotiated (rekeyed).

Mode of operation—Two modes of operation are generally available for IPsec: tunnel mode and transport mode. The Cisco SAN-OS implementation of IPsec only supports the tunnel mode. The IPsec tunnel mode encrypts and authenticates the IP packet, including its header. The gateways encrypt traffic on behalf of the hosts and subnets. The Cisco SAN-OS implementation of IPsec does not support transport mode.

Note: The term tunnel mode is different from the term tunnel used to indicate a secure communication path between two peers, such as two switches connected by an FCIP link.

Anti-replay—A security service where the receiver can reject old or duplicate packets in order to protect itself against replay attacks. IPsec provides this optional service by use of a sequence number combined with the use of data authentication.

Data authentication—Data authentication can refer either to integrity alone or to both integrity and authentication (data origin authentication is dependent on data integrity).

Data integrity—Verifies that data has not been altered.

Data origin authentication—Verifies that the data was actually sent by the claimed sender.

Data confidentiality—A security service where the protected data cannot be observed.

Data flow—A grouping of traffic, identified by a combination of source address/mask, destination address/mask, IP next protocol field, and source and destination ports, where the protocol and port fields can have the value any. Traffic matching a specific combination of these values is logically grouped together into a data flow. A data flow can represent a single TCP connection between two hosts, or it can represent traffic between two subnets. IPsec protection is applied to data flows.

Perfect forward secrecy (PFS)—A cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.

Security Policy Database (SPD)—An ordered list of policies applied to traffic. A policy decides if a packet requires IPsec processing, if it should be allowed in clear text, or if it should be dropped. The IPsec SPDs are derived from user configuration of crypto maps. The IKE SPD is configured by the user.

Supported IPsec Transforms and Algorithms

The component technologies implemented for IPsec include the following transforms:

Advanced Encryption Standard (AES) is an encryption algorithm. It implements either 128-bit or 256-bit keys using Cipher Block Chaining (CBC) or counter mode.

Data Encryption Standard (DES) is used to encrypt packet data and implements the mandatory 56-bit DES-CBC. CBC requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPsec packet.
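As an added illustration of the data flow, SPD, anti-replay and lifetime definitions above (constructed example code, not Cisco SAN-OS code and not its crypto-map configuration), the following Python models an ordered SPD whose first matching policy decides protect, bypass (clear text) or discard, an ESP-style 64-packet anti-replay window that only advances on authenticated packets, and a seconds-and-bytes SA lifetime counter. The policy model, the `ANY` wildcard, the sample subnets, the iSCSI port and the packet dictionaries are all assumptions made for this example.

```python
import ipaddress

ANY = "any"  # wildcard for the protocol and port selector fields (assumed convention)


class Policy:
    """One SPD entry: a data-flow selector plus the action applied to matching traffic."""

    def __init__(self, src, dst, proto=ANY, sport=ANY, dport=ANY, action="protect"):
        self.src = ipaddress.ip_network(src)      # source address/mask
        self.dst = ipaddress.ip_network(dst)      # destination address/mask
        self.proto, self.sport, self.dport = proto, sport, dport
        if action not in ("protect", "bypass", "discard"):
            raise ValueError("action must be protect, bypass or discard")
        self.action = action

    def matches(self, pkt):
        """pkt is a dict with src, dst, proto, sport, dport (constructed packet summary)."""
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.proto in (ANY, pkt["proto"])
                and self.sport in (ANY, pkt["sport"])
                and self.dport in (ANY, pkt["dport"]))


def spd_lookup(spd, pkt):
    """Ordered search: the first matching policy decides. Traffic that matches
    nothing is discarded, the conservative default for an SPD."""
    for policy in spd:
        if policy.matches(pkt):
            return policy.action
    return "discard"


def example_spd():
    """Constructed SPD: protect iSCSI (TCP/3260) between two subnets, let the rest
    of that subnet pair through in clear text, drop everything else."""
    return [
        Policy("10.1.1.0/24", "10.2.2.0/24", proto="tcp", dport=3260, action="protect"),
        Policy("10.1.1.0/24", "10.2.2.0/24", action="bypass"),
        Policy("0.0.0.0/0", "0.0.0.0/0", action="discard"),
    ]


class AntiReplayWindow:
    """Sliding window of received sequence numbers for one inbound SA (ESP-style,
    64 packets wide by default). Bit i of the bitmap set means 'top - i' was seen."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0

    def check_and_update(self, seq, auth_ok):
        """Return True if the packet is new and inside the window. The sequence number
        is only trusted after data authentication succeeded, so unauthenticated
        packets never advance the window."""
        if not auth_ok or seq == 0:    # ESP sequence numbers start at 1
            return False
        if seq > self.top:             # advance the window to the new high-water mark
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:        # older than the window: reject
            return False
        if (self.bitmap >> offset) & 1:  # already received: replay
            return False
        self.bitmap |= 1 << offset     # late but new: accept and record
        return True


class SaLifetime:
    """Seconds-and-bytes lifetime counter kept from SA creation; reaching either
    limit means the SA must be rekeyed."""

    def __init__(self, created_at, max_seconds, max_bytes):
        self.created_at = created_at
        self.max_seconds, self.max_bytes = max_seconds, max_bytes
        self.bytes_used = 0

    def account(self, now, nbytes):
        """Charge nbytes to the SA at time 'now'; True while the SA is still usable."""
        self.bytes_used += nbytes
        return (now - self.created_at) < self.max_seconds and self.bytes_used < self.max_bytes


if __name__ == "__main__":
    iscsi = {"src": "10.1.1.5", "dst": "10.2.2.9", "proto": "tcp", "sport": 40000, "dport": 3260}
    print(spd_lookup(example_spd(), iscsi))                      # protect
    w = AntiReplayWindow()
    print([w.check_and_update(s, True) for s in (1, 3, 3, 2)])  # [True, True, False, True]
```

Because the SPD is ordered, listing the subnet-wide bypass entry before the iSCSI entry would send the iSCSI traffic in clear text; the window shows why the receiver must authenticate a packet before letting its sequence number move the window, otherwise a forged high sequence number could push legitimate in-flight packets out of the window.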
Cisco MDS 9000 Family Configuration Guide, OL-6973-03, Cisco MDS SAN-OS Release 2.x
30-5