Manualshelf

Brocade Web Tools Administrator's Guide - Supporting Fabric OS v7.0.0 (53-1002152-01, March 2012)

ManualsBrandsHP ManualsComputer AccessoriesHP SN8000B 16Gb 32-port Fibre Channel Blade
231232233234235236237238239240
Web Tools Adminstrator’s Guide 203
53-1002152-01
IPsec concepts
16
Endpoint to Gateway
Endpoint to Endpoint
In an endpoint to endpoint configuration, both endpoints implement IPsec. Transport mode is
commonly used in endpoint to endpoint configurations, and only a single pair of addresses is used.
Typically, this kind of configuration would be used for direct communication between hosts. There
are two drawbacks to consider:
If network address translation (NAT) is used on the connection, one or both endpoints may be
behind a NAT node. If that is the case, UDP must be used to encapsulate the tunneled packets.
Port numbers in the UDP headers can then be used to identify the endpoint behind the NAT
node.
Packets cannot be inspected or modified in transit. This means that QoS, traffic shaping, and
firewall applications cannot access the packets, and does not work.
Gateway to Gateway
In a gateway to gateway configuration, IPsec protection is implemented between network nodes.
Tunnel mode is commonly used in a gateway to gateway configuration. A tunnel endpoint
represents a set of IP addresses associated with actual endpoints that use the tunnel. IPsec is
transparent to the actual endpoints.
Endpoint to Gateway
In an endpoint to gateway configuration, a protected endpoint connects through an IPsec protected
tunnel. This can be used as a virtual private network (VPN) for connecting a roaming computer, like
a service laptop, to a protected network.
Internet Key Exchange concepts
Internet Key Exchange (IKE) is used to authenticate the end points of an IP connection, and to
determine security policies for IP traffic over the connection. The initiating node proposes a policy
based on the following:
An encryption algorithm to protect data.
A hash algorithm to check the integrity of the authentication data.
A Pseudo-Random Function (PRF) algorithm that can be used with the hash algorithm for
additional cryptographic strength.
An authentication method requiring a digital signature, and optionally a certificate exchange.
A Diffie-Hellman exchange that generates prime numbers used in establishing a shared secret
key.