Reference Guide

ManualsBrandsDell ManualsAccess PlatformsBrocade G620

251

252

253

254

255

256

257

258

259

260

TABLE 55 Algorithms and associated authentication policies (continued)

Algorithm Encryption Level Policy Description

NOTE

The MD5 hash

algorithm is blocked

when FIPS mode is

enabled

3des_cbc 168-bit ESP Triple DES is a more secure variant

of DES. It uses three different 56-

bit keys to encrypt blocks of 64-bit

plain text. The algorithm is FIPS-

approved for use by Federal

agencies.

blowfish_cbc 64-bit ESP Blowfish is a 32-bit to 448-bit

keyed, symmetric block cipher.

aes128_cbc 128-bit ESP Advanced Encryption Standard is a

128- or 256-bit fixed block size

cipher.

aes256_cbc 256-bit ESP

null_enc n/a ESP A form of plaintext encryption.

IPsec policies

An IPsec policy determines the security services afforded to a packet and the treatment of a packet in the network. An IPsec policy

allows classifying IP packets into different traffic flows and specifies the actions or transformations performed on IP packets on each of

the traffic flows. The main components of an IPsec policy are: IP packet filter and selector (IP address, protocol, and port information)

and transform set.

IPsec traffic selector

The traffic selector is a traffic filter that defines and identifies the traffic flow between two systems that have IPsec protection. IP

addresses, the direction of traffic flow (inbound, outbound) and the upper layer protocol are used to define a filter for traffic (IP

datagrams) that is protected using IPsec.

IPsec transform

transform set

is a combination of IPsec protocols and cryptographic algorithms that are applied on the packet after it is matched to a

selector. The transform set specifies the IPsec protocol, IPsec mode and action to be performed on the IP packet. It specifies the key

management policy that is needed for the IPsec connection and the encryption and authentication algorithms to be used in security

associations when IKE is used as the key management protocol.

IPsec can protect either the entire IP datagram or only the upper-layer protocols using tunnel mode or transport mode. Tunnel mode

uses the IPsec protocol to encapsulate the entire IP datagram. Transport mode handles only the IP datagram payload.

IKE policies

When IKE is used as the key management protocol, IKE policy defines the parameters used in IKE negotiations needed to establish IKE

SA and parameters used in negotiations to establish IPsec SAs. These include the authentication and encryption algorithms, and the

primary authentication method, such as preshared keys, or a certificate-based method, such as RSA signatures.

Configuring Security Policies

Brocade Fabric OS Administration Guide, 8.0.1

53-1004111-02 251