Administrator Guide

Fabric OS Administrator’s Guide
53-1002920-02
Management interface security
hmac_md5 and hmac_sha1 are used as authentication algorithms in both AH and ESP. The encryption
algorithms 3des_cbc, blowfish_cbc, aes256_cbc and null_enc are used only in ESP. Use
Table 54 when configuring the authentication algorithm.
IPsec policies
An IPsec policy determines the security services afforded to a packet and the treatment of a packet
in the network. An IPsec policy classifies IP packets into different traffic flows and specifies
the actions or transformations performed on the IP packets in each traffic flow. The main
components of an IPsec policy are the IP packet filter and selector (IP address, protocol, and port
information) and the transform set.
IPsec traffic selector
The traffic selector is a traffic filter that defines and identifies the traffic flow between two systems
that have IPsec protection. IP addresses, the direction of traffic flow (inbound, outbound) and the
upper layer protocol are used to define a filter for traffic (IP datagrams) that is protected using
IPsec.
IPsec transform
A transform set is a combination of IPsec protocols and cryptographic algorithms that are applied
to the packet after it is matched to a selector. The transform set specifies the IPsec protocol, IPsec
mode and action to be performed on the IP packet. It also specifies the key management policy that is
needed for the IPsec connection and the encryption and authentication algorithms to be used in
security associations when IKE is used as the key management protocol.
IPsec can protect either the entire IP datagram (tunnel mode) or only the upper-layer protocols
(transport mode). Tunnel mode uses the IPsec protocol to encapsulate the entire IP datagram.
Transport mode handles only the IP datagram payload.
TABLE 54 Algorithms and associated authentication policies

Algorithm     Encryption level  Policy   Description
------------  ----------------  -------  -----------
hmac_md5      128-bit           AH, ESP  A stronger MAC because it is a keyed hash inside a keyed
                                         hash. When MD5 or SHA-1 is used in the calculation of an
                                         HMAC, the resulting MAC algorithm is termed HMAC-MD5 or
                                         HMAC-SHA-1 accordingly.
                                         NOTE: The MD5 hash algorithm is blocked when FIPS mode
                                         is enabled.
hmac_sha1     160-bit           AH, ESP
3des_cbc      168-bit           ESP      Triple DES is a more secure variant of DES. It uses three
                                         different 56-bit keys to encrypt blocks of 64-bit plain
                                         text. The algorithm is FIPS-approved for use by Federal
                                         agencies.
blowfish_cbc  64-bit            ESP      Blowfish is a 32-bit to 448-bit keyed, symmetric block
                                         cipher.
aes128_cbc    128-bit           ESP      Advanced Encryption Standard is a 128- or 256-bit fixed
                                         block size cipher.
aes256_cbc    256-bit           ESP
null_enc      n/a               ESP      Null encryption: the ESP payload is left as plaintext.
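
The policy model described above (a traffic selector paired with a transform set, with algorithms restricted as in Table 54) can be sketched in Python. This is an added example, not Fabric OS code; the class and function names, the first-match rule and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Algorithm names as listed in Table 54.
AUTH_ALGS = {"hmac_md5", "hmac_sha1"}  # AH and ESP
ENC_ALGS = {"3des_cbc", "blowfish_cbc", "aes128_cbc", "aes256_cbc", "null_enc"}  # ESP only

@dataclass(frozen=True)
class Selector:
    local: str      # local address range (CIDR)
    remote: str     # remote address range (CIDR)
    direction: str  # "in" or "out"
    protocol: str   # upper-layer protocol, or "any"

    def matches(self, src, dst, direction, protocol):
        if direction != self.direction or self.protocol not in ("any", protocol):
            return False
        # Outbound packets originate locally; inbound packets arrive from the remote side.
        near, far = (src, dst) if direction == "out" else (dst, src)
        return (ipaddress.ip_address(near) in ipaddress.ip_network(self.local)
                and ipaddress.ip_address(far) in ipaddress.ip_network(self.remote))

@dataclass(frozen=True)
class Transform:
    protocol: str    # "ah" or "esp"
    mode: str        # "transport" or "tunnel"
    auth: str
    enc: str = None  # ESP only

def check_transform(t, fips=False):
    """Return the problems found in a transform set (empty list if none)."""
    problems = []
    if t.auth not in AUTH_ALGS:
        problems.append(f"unknown authentication algorithm: {t.auth}")
    if t.protocol == "ah" and t.enc is not None:
        problems.append("encryption algorithms apply only to ESP")
    if t.protocol == "esp" and t.enc not in ENC_ALGS:
        problems.append(f"unknown encryption algorithm: {t.enc}")
    if fips and t.auth == "hmac_md5":
        problems.append("hmac_md5 is blocked when FIPS mode is enabled")
    return problems

def classify(policies, src, dst, direction, protocol):
    """Assumed rule: first matching selector wins; no match means no IPsec transform."""
    return next((t for s, t in policies if s.matches(src, dst, direction, protocol)), None)

# Constructed sample policy using documentation-range addresses.
POLICIES = [(Selector("192.0.2.10/32", "198.51.100.0/24", "out", "tcp"),
             Transform("esp", "transport", "hmac_sha1", "aes256_cbc"))]
```

Running `check_transform` with `fips=True` before applying a policy shows which transform sets would be rejected once FIPS mode is enabled.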