Administrator Guide
Fabric OS Administrator’s Guide 269
53-1002920-02
Management interface security
8
IPsec protocols
IPsec ensures confidentiality, integrity, and authentication using the following protocols:
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
IPsec protocols protect IP datagram integrity using hash message authentication codes (HMAC).
Using hash algorithms with the contents of the IP datagram and a secret key, the IPsec protocols
generate this HMAC and add it to the protocol header. The receiver must have access to the secret
key in order to decode the hash.
IPsec protocols use a sliding window to assist in flow control, The IPsec protocols also use this
sliding window to provide protection against replay attacks in which an attacker attempts a denial
of service attack by replaying an old sequence of packets. IPsec protocols assign a sequence
number to each packet. The recipient accepts each packet only if its sequence number is within
the window. It discards older packets.
Security associations
A security association (SA) is the collection of security parameters and authenticated keys that are
negotiated between IPsec peers to protect the IP datagram. A security association database (SADB)
is used to store these SAs. Information in these SAs—IP addresses, secret keys, algorithms, and so
on—is used by peers to encapsulate and decapsulate the IPsec packets
An IPsec security association is a construct that specifies security properties that are recognized by
communicating hosts. The properties of the SA are the security protocol (AH or ESP), destination IP
address, and Security Parameter Index (SPI) number. SPI is an arbitrary 32-bit value contained in
IPsec protocol headers (AH or ESP) and an IPsec SA is unidirectional. Because most
communication is peer-to-peer or client-to-server, two SAs must be present to secure traffic in both
directions. An SA specifies the IPsec protocol (AH or ESP), the algorithms used for encryption and
authentication, and the expiration definitions used in security associations of the traffic. IKE uses
these values in negotiations to create IPsec SAs. You must create an SA prior to creating an
SA-proposal. You cannot modify an SA once it is created. Use the ipSecConfig
--flush manual-sa
command to remove all SA entries from the kernel SADB and re-create the SA. For more
information on the ipSecConfig command, refer to the Fabric OS Command Reference.
IPsec proposal
The IPsec sa-proposal defines an SA or an SA bundle. An SA is a set of parameters that define how
the traffic is protected using IPsec. These are the IPsec protocols to use for an SA, either AH or ESP,
and the encryption and authentication algorithms to use to protect the traffic. For SA bundles,
[AH, ESP] is the supported combination.
Authentication and encryption algorithms
IPsec uses different protocols to ensure the authentication, integrity, and confidentiality of the
communication. Encapsulating Security Payload (ESP) provides confidentiality, data integrity and
data source authentication of IP packets, and protection against replay attacks. Authentication
Header (AH) provides data integrity, data source authentication, and protection against replay
attacks, but unlike ESP, AH does not provide confidentiality.