NonStop Networking Overview

Firewalls
A firewall is a system or group of systems that enforces an access control policy between two or
more networks. The actual means by which access control is accomplished varies widely, but in
principle a firewall can be thought of as a pair of mechanisms: one that blocks traffic and one
that permits traffic. Some firewalls place a greater emphasis on blocking traffic, while others
emphasize permitting traffic. The most important thing to recognize about a firewall is that it
implements an access control policy. Before you install a firewall, you need to know what kind of
access you want to allow or deny. Also note that because the firewall is a mechanism for enforcing
policy, it imposes its policy on everything behind it. Administrators of firewalls that manage
connectivity for a large number of hosts therefore bear a heavy responsibility.
IP Security (IPSec)
IPSec is supported only in the CIP product, and it is not supported on the IB CLIM.
The IP security architecture (IPSec) defines basic security mechanisms at the network level so that
they are available to all applications layered above it. The security techniques adopted in IPSec
were designed to be inserted easily into both IPv4 and IPv6.
IPSec security services are offered by means of two dedicated extension headers, the Authentication
Header (AH) and the Encapsulating Security Payload (ESP), and through the use of cryptographic
key management procedures and protocols.
The AH header was designed to ensure the authenticity and integrity of the IP packet. It also
provides an optional anti-replay service. Its presence guards against unauthorized modification of
the fixed IP header fields, packet spoofing and, optionally, replayed packets. The ESP header, on
the other hand, provides data encapsulation with encryption to ensure that only the destination
node can read the payload conveyed by the IP packet. ESP may also provide packet integrity and
authenticity, and an anti-replay service. The two headers can be used separately or combined to
provide the desired security features for IP traffic.
Each header can be used in one of the two defined modalities: transport mode and tunnel mode.
While in transport mode the security headers provide protection primarily for upper layer protocols,
in tunnel mode the headers are applied to tunneled IP packets, thus providing protection to all
fields of the original IP header.
Both AH and ESP use the concept of a security association (SA) to agree upon the security
algorithms, transforms and parameters shared by the sender and the receiver of a protected traffic
flow. Each IP node manages a set of SAs, with at least one SA for each secure communication.
The SAs currently active are stored in a database known as the security association database
(SAD). An entry in the SAD (that is, a security association) is uniquely identified by a triplet
consisting of a security parameter index (SPI), an IP destination address, and a security protocol
(AH or ESP) identifier. The security parameter index (SPI) is transmitted inside both the AH and
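To make the SAD triplet and the anti-replay service concrete, the following added example (not code from this manual or from the CIP product) reads the SPI and sequence number from a constructed AH or ESP header, looks up the SA by (SPI, destination address, protocol), and applies a sliding-window replay check. The class and function names, the 64-packet window and the 2001:db8:: addresses are assumptions chosen for the illustration.

```python
import struct
from dataclasses import dataclass

# IP protocol numbers of the two IPsec extension headers
AH, ESP = 51, 50

@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    proto: int            # AH or ESP
    window: int = 64      # anti-replay window size in packets (assumed value)
    highest_seq: int = 0  # highest sequence number accepted so far
    bitmap: int = 0       # bit i set => sequence number highest_seq - i already received

    def accept_seq(self, seq: int) -> bool:
        """Sliding-window anti-replay check: True if seq is new, and it is then recorded."""
        if seq == 0:                         # sequence number 0 is never valid
            return False
        if seq > self.highest_seq:           # slide the window forward
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest_seq = seq
            return True
        behind = self.highest_seq - seq
        if behind >= self.window or self.bitmap & (1 << behind):
            return False                     # too old for the window, or already seen
        self.bitmap |= 1 << behind
        return True

class SAD:
    """Security association database keyed by the (SPI, destination, protocol) triplet."""
    def __init__(self):
        self._db = {}
    def add(self, sa):
        self._db[(sa.spi, sa.dst, sa.proto)] = sa
    def lookup(self, spi, dst, proto):
        return self._db.get((spi, dst, proto))

def spi_and_seq(proto, hdr):
    # AH: NextHdr(1) PayloadLen(1) Reserved(2) SPI(4) Seq(4); ESP: SPI(4) Seq(4)
    return struct.unpack_from("!II", hdr, 4 if proto == AH else 0)

def inbound(sad, dst, proto, hdr):
    """Classify an inbound AH/ESP header as 'ok', 'no SA' or 'replay'."""
    spi, seq = spi_and_seq(proto, hdr)
    sa = sad.lookup(spi, dst, proto)
    if sa is None:
        return "no SA"
    return "ok" if sa.accept_seq(seq) else "replay"

def ah_header(spi, seq, next_hdr=6):
    """Constructed 12-byte AH fixed part (ICV omitted) used as sample traffic."""
    return struct.pack("!BBHII", next_hdr, 4, 0, spi, seq)
```

Note that an SA registered for AH is not found for an ESP packet carrying the same SPI, since the protocol identifier is part of the key.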