Brocade Web Tools Administrator's Guide v6.2.0 (53-1001194-01, April 2009)

ManualsBrandsHP ManualsStorageHP DC SAN Backbone Director Switch

271

272

273

274

275

276

277

278

279

280

Web Tools Administrator’s Guide 243

53-1001194-01

IPSec Concepts

Internet Key Exchange (IKE) Concepts

Key exchange is used to authenticate the end points of an IP connection, and to determine security

policies for IP traffic over the connection. The initiating node proposes a policy based on the

following:

• An encryption algorithm to protect data.

• A hash algorithm to check the integrity of the authentication data.

• A Pseudo-Random Function (PRF) algorithm that can be used with the hash algorithm for

additional cryptographic strength.

• An authentication method requiring a digital signature, and optionally a certificate exchange.

• A Diffie-Hellman exchange that generates prime numbers used in establishing a shared secret

key.

Encryption algorithms

An encryption algorithm is used to encrypt messages used in the IKE negotiation. Table 20 lists the

available encryption algorithms. A brief description is provided. If you need further information,

please refer to the RFC.

Hash algorithms

Hash message authentication codes (HMAC) check data integrity through a mathematical

calculation on a message using a hash algorithm combined with a shared, secret key. The sending

computer uses the hash function and shared key to compute a checksum or code for the message,

and sends it to the receiving computer. The receiving computer must perform the same hash

function on the received message and shared key and compare the result. If the hash values are

different, it indicates that a third party may have tampered with the message in transit, and the

packet is rejected.

TABLE 20 Encryption algorithm options

Encryption Algorithm Description RFC Number

3des_cbc 3DES processes each block three times, using

a unique 56-bit key each time.

RFC 2451

null_enc No encryption is performed.

aes128_cbc Advanced Encryption Standard (AES) 128 bit

block cipher.

RFC 4869

aes256_cbc Advanced Encryption Standard (AES) 256 bit

block cipher.

RFC 4869

TABLE 21 Hash algorithm options

Hash Algorithm Description RFC/Publication Number

aes_xcbc Uses a cypher block and extended cypher block

chaining (CBC).

RFC 3566

hmac_md5 The MD5 computation produces a 128-bit

hash.

RFC 1321

hmac_sha1 The SHA1 computation produces a 160-bit

hash.

FIPS Pub 180-1