NonStop Networking Overview

ESP headers since it is used to choose the right SA to be applied for decrypting and authenticating
the packet.
In unicast transmissions, the SPI is normally chosen by the destination node and sent back to the
sender when the communication is set up. In multicast transmissions, the SPI must be common to
all the members of the multicast group. Each node must be able to correctly identify the right SA
by combining the SPI with the multicast address. The negotiation of an SA (and the related SPI) is
an integral part of the protocol for the exchange of security keys.
Specific security requirements are defined at each node usually by means of an ordered list of
admission rules (or policies), which form the node’s security policy database (SPD). The protection
provided to each incoming and outgoing traffic flow is verified by consulting the SPD. In general,
packets are selected for one of three processing modes based on IP and transport layer header
information matched against entries in the SPD. Each packet is either afforded IPSec security
services, discarded, or allowed to bypass IPSec, based on the applicable policies found in the
database.
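The SPD lookup described above, as an added example that is not taken from the manual or from the NonStop product: a first-match evaluation over an ordered rule list that returns one of the three processing modes. The rule fields, the addresses (documentation ranges), and the choice to discard packets that match no rule are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"

@dataclass(frozen=True)
class Rule:
    """One SPD entry (hypothetical layout); a selector left as None matches any value."""
    action: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None   # IP protocol number (6 = TCP, 17 = UDP)
    dport: Optional[int] = None   # transport-layer destination port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

def spd_lookup(spd, pkt):
    """Return (action, rule index) for the first rule that matches the packet."""
    for i, rule in enumerate(spd):
        if rule.matches(pkt):
            return rule.action, i
    return DISCARD, None   # assumption: traffic matching no rule is dropped

# Constructed policy: order matters, the narrow rules sit above the broad one.
SPD = [
    Rule(BYPASS, dst="192.0.2.0/24", proto=17, dport=500),     # key-exchange traffic (UDP 500)
    Rule(DISCARD, dst="192.0.2.0/24", proto=6, dport=23),      # telnet refused outright
    Rule(PROTECT, src="198.51.100.0/24", dst="192.0.2.0/24"),  # all other site-to-site traffic
]
# Constructed packets, reduced to the header fields the selectors inspect.
PACKETS = {
    "ike":     {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": 17, "dport": 500},
    "telnet":  {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": 6, "dport": 23},
    "https":   {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": 6, "dport": 443},
    "unknown": {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": 6, "dport": 443},
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, spd_lookup(SPD, pkt))
    # With the broad PROTECT rule first, the telnet DISCARD rule is shadowed.
    print("telnet, reordered:", spd_lookup(list(reversed(SPD)), PACKETS["telnet"]))
```

Because the first matching rule decides, reviewing an SPD means checking that no broad entry sits above a narrower one it would shadow.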
IPv6
The IPv6 protocol extends the IP address to 128 bits compared to the 32 bits of IPv4 addresses.
The NonStop TCP/IPv6 subsystem provides IPv6 functionality on the Integrity NonStop system using
three modes of operation: pure IPv6, in which the system supports only IPv6 communications;
DUAL, in which the system supports both IPv4 and IPv6 communications; and pure IPv4, in which
the system provides only IPv4 communications. The CIP subsystem also supports IPv6 through an
attribute in the Provider object, which can be set to either INET (IPv4) or DUAL.
Much of the Internet consists of IPv4 networks; an IPv6-enabled system can communicate across
IPv4 networks by using tunneling. IPv6 tunneling requires an IPv4 address on both ends of the
communication; IPv6 packets are then encapsulated in IPv4 packets so that they can be transmitted
across an IPv4 network. The IPv6-aware host or router decapsulates the IPv6 datagrams, forwarding
them as needed. IPv6 tunneling eases IPv6 deployment by maintaining compatibility with the large
existing base of IPv4 hosts and routers. Figure 9 depicts an IPv6 tunneling scenario.
Figure 9 IPv6 Tunneling
For more information about IPv6, see the TCP/IPv6 Configuration and Management Manual.
28 Networking Concepts