Ipsec Policies; Ike Policies - HP SN3000B Administrator's Manual
Brocade fabric os administrator's guide - supporting fabric os v7.0.1 (53-1002446-01, march 2012)
Hide thumbs
Also See for SN3000B:
- Troubleshooting manual (138 pages) ,
- Reference manual (70 pages) ,
- Quickspecs (21 pages)
Table of Contents
Advertisement
7
Management interface security
TABLE 43
Algorithm
3des_cbc
blowfish_cbc
aes128_cbc
aes256_cbc
null_enc
IPsec policies
An IPsec policy determines the security services afforded to a packet and the treatment of a packet
in the network. An IPsec policy allows classifying IP packets into different traffic flows and specifies
the actions or transformations performed on IP packets on each of the traffic flows. The main
components of an IPsec policy are: IP packet filter and selector (IP address, protocol, and port
information) and transform set.
IPsec traffic selector
The traffic selector is a traffic filter that defines and identifies the traffic flow between two systems
that have IPsec protection. IP addresses, the direction of traffic flow (inbound, outbound) and the
upper layer protocol are used to define a filter for traffic (IP datagrams) that is protected using
IPsec.
IPsec transform
A transform set is a combination of IPsec protocols and cryptographic algorithms that are applied
on the packet after it is matched to a selector. The transform set specifies the IPsec protocol, IPsec
mode and action to be performed on the IP packet. It specifies the key management policy that is
needed for the IPsec connection and the encryption and authentication algorithms to be used in
security associations when IKE is used as the key management protocol.
IPsec can protect either the entire IP datagram or only the upper-layer protocols using tunnel mode
or transport mode. Tunnel mode uses the IPsec protocol to encapsulate the entire IP datagram.
Transport mode handles only the IP datagram payload.
IKE policies
When IKE is used as the key management protocol, IKE policy defines the parameters used in IKE
negotiations needed to establish IKE SA and parameters used in negotiations to establish IPsec
SAs. These include the authentication and encryption algorithms, and the primary authentication
method, such as preshared keys, or a certificate-based method, such as RSA signatures.
170
Algorithms and associated authentication policies (Continued)
Encryption Level Policy
168-bit
ESP
64-bit
ESP
128-bit
ESP
256-bit
ESP
n/a
ESP
Description
Triple DES is a more secure variant of DES. It uses three different
56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is
FIPS-approved for use by Federal agencies.
Blowfish is a 32-bit to 448-bit keyed, symmetric block cipher.
Advanced Encryption Standard is a 128- or 256-bit fixed block size
cipher.
A form of plaintext encryption.
Fabric OS Administrator's Guide
53-1002446-01
Advertisement
Table of Contents
