Deployment Guide
IPsec protocols use a sliding window to assist in flow control, The IPsec protocols also use this sliding
window to provide protection against replay attacks in which an attacker attempts a denial of service
attack by replaying an old sequence of packets. IPsec protocols assign a sequence number to each
packet. The recipient accepts each packet only if its sequence number is within the window. It discards
older packets.
Security associations
A security association (SA) is the collection of security parameters and authenticated keys that are
negotiated between IPsec peers to protect the IP datagram. A security association database (SADB) is
used to store these SAs. Information in these SAs--IP addresses, secret keys, algorithms, and so on--is
used by peers to encapsulate and decapsulate the IPsec packets
An IPsec security association is a construct that specifies security properties that are recognized by
communicating hosts. The properties of the SA are the security protocol (AH or ESP), destination IP
address, and Security Parameter Index (SPI) number. SPI is an arbitrary 32-bit value contained in IPsec
protocol headers (AH or ESP) and an IPsec SA is unidirectional. Because most communication is peer-
to-peer or client-to-server, two SAs must be present to secure traffic in both directions. An SA specifies
the IPsec protocol (AH or ESP), the algorithms used for encryption and authentication, and the
expiration definitions used in security associations of the traffic. IKE uses these values in negotiations to
create IPsec SAs. You must create an SA prior to creating an SA-proposal. You cannot modify an SA
once it is created. Use the ipSecConfig --flush manual-sa command to remove all SA entries from the
kernel SADB and re-create the SA.
IPsec proposal
The IPsec sa-proposal defines an SA or an SA bundle. An SA is a set of parameters that define how the
traffic is protected using IPsec. These are the IPsec protocols to use for an SA, either AH or ESP, and
the encryption and authentication algorithms to use to protect the traffic.
For SA bundles, [AH, ESP] is the supported combination.
Authentication and encryption algorithms
IPsec uses different protocols to ensure the authentication, integrity, and confidentiality of the
communication. Encapsulating Security Payload (ESP) provides confidentiality, data integrity and data
source authentication of IP packets, and protection against replay attacks. Authentication Header (AH)
provides data integrity, data source authentication, and protection against replay attacks, but unlike
ESP, AH does not provide confidentiality.
In AH and ESP, hmac_md5 and hmac_sha1 are used as authentication algorithms. Only in ESP,
3des_cbc, blowfish_cbc, aes256_cbc and null_enc are used as encryption algorithms. Use Table 56
when configuring the authentication algorithm.
Algorithms and associated authentication policies TABLE 56
Algorithm Encryption Level Policy Description
hmac_md5 128-bit AH, ESP A stronger MAC because it is a keyed hash inside a keyed hash.
When MD5 or SHA-1 is used in the calculation of an HMAC; the
resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA-1
accordingly.
Security associations
Fabric OS Administrators Guide 247
53-1003130-01