Ipsec Terminology - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

IPSec uses some terms that you should be familiar with before beginning your configuration. These are
standardized terms, but are included here for your convenience.
Table 86

IPSec terminology

Term Definition
AES Advanced Encryption Standard. FIPS 197 endorses the Rijndael encryption
algorithm as the approved AES for use by US Government organizations and
others to protect sensitive information. It replaces DES as the encryption
standard.
AES-XCBC Cipher Block Chaining. A key-dependent one-way hash function (MAC) used
with AES in conjunction with the Cipher-Block-Chaining mode of operation,
suitable for securing messages of varying lengths, such as IP datagrams.
AH Authentication Header - like ESP, AH provides data integrity, data source
authentication, and protection against replay attacks but does not provide
confidentiality.
DES Data Encryption Standard is the older encryption algorithm that uses a 56-bit
key to encrypt blocks of 64-bit plain text. Because of the relatively shorter key
length, it is not a secured algorithm and no longer approved for Federal use.
3DES Triple DES is a more secure variant of DES. It uses three different 56-bit keys to
encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by
Federal agencies.
ESP Encapsulating Security Payload is the IPSec protocol that provides
confidentiality, data integrity and data source authentication of IP packets, and
protection against replay attacks.
IKE IKE stands for Internet Key Exchange. IKE is defined in RFC 2407, RFC 2408
and RFC 2409. IKEv2 is defined in RFC 4306. IKE uses a Diffie-Hellman key
exchange to set up a shared session secret, from which cryptographic keys are
derived, and communicating parties are authenticated. The IKE protocol creates
a security association (SA) for both parties.
MD5 Message Digest 5, like SHA- 1 , is a popular one-way hash function used for
authentication and data integrity.
SHA Secure Hash Algorithm, like MD5, is a popular one-way hash function used for
authentication and data integrity.
MAC Message Authentication Code is a key-dependent, one-way hash function used
for generating and verifying authentication data.
HMAC A stronger MAC because it is a keyed hash inside a keyed hash.
SA Security Association is the collection of security parameters and authenticated
keys that are negotiated between IPSec peers.
The following limitations apply to the use of IPSec:
• IPv6, NAT, and AH are not supported.
• You can create only a single secure tunnel on a port; you cannot create a nonsecure tunnel on the same
port as a secure tunnel.
• IPSec-specific statistics are not supported.
To change the configuration of a secure tunnel, you must delete the tunnel and re-create it.
•
• Jumbo frames are not supported for IPSec.
• There is no RAS message support for IPSec.
• Only a single route is supported on an interface with a secure tunnel.
Fabric OS 6.1.x administrator guide 389