Brocade Communications Systems 53-1001763-02 사용자 설명서
168
Fabric OS Administrator’s Guide
53-1001763-02
Management interface security
7
IPsec policies
An IPsec policy determines the security services afforded to a packet and the treatment of a packet
in the network. An IPsec policy allows classifying IP packets into different traffic flows and specifies
the actions or transformations performed on IP packets on each of the traffic flows. The main
components of an IPsec policy are: IP packet filter and selector (IP address, protocol, and port
information) and transform set.
in the network. An IPsec policy allows classifying IP packets into different traffic flows and specifies
the actions or transformations performed on IP packets on each of the traffic flows. The main
components of an IPsec policy are: IP packet filter and selector (IP address, protocol, and port
information) and transform set.
IPsec traffic selector
The traffic selector is a traffic filter that defines and identifies the traffic flow between two systems
that have IPsec protection. IP addresses, the direction of traffic flow (inbound, outbound) and the
upper layer protocol are used to define a filter for traffic (IP datagrams) that is protected using
IPsec.
that have IPsec protection. IP addresses, the direction of traffic flow (inbound, outbound) and the
upper layer protocol are used to define a filter for traffic (IP datagrams) that is protected using
IPsec.
IPsec transform
A transform set is a combination of IPsec protocols and cryptographic algorithms that are applied
on the packet after it is matched to a selector. The transform set specifies the IPsec protocol, IPsec
mode and action to be performed on the IP packet. It specifies the key management policy that is
needed for the IPsec connection and the encryption and authentication algorithms to be used in
security associations when IKE is used as the key management protocol.
on the packet after it is matched to a selector. The transform set specifies the IPsec protocol, IPsec
mode and action to be performed on the IP packet. It specifies the key management policy that is
needed for the IPsec connection and the encryption and authentication algorithms to be used in
security associations when IKE is used as the key management protocol.
IPsec can protect either the entire IP datagram or only the upper-layer protocols. The appropriate
modes are called tunnel mode and transport mode. In tunnel mode the IP datagram is fully
encapsulated by a new IP datagram using the IPsec protocol. In transport mode only the payload of
the IP datagram is handled by the IPsec protocol; it inserts the IPsec header between the IP header
and the upper-layer protocol header.
modes are called tunnel mode and transport mode. In tunnel mode the IP datagram is fully
encapsulated by a new IP datagram using the IPsec protocol. In transport mode only the payload of
the IP datagram is handled by the IPsec protocol; it inserts the IPsec header between the IP header
and the upper-layer protocol header.
TABLE 41
Algorithms and associated authentication policies
Algorithm
Encryption Level
Policy
Description
hmac_md5
128-bit
AH, ESP
A stronger MAC because it is a keyed hash inside a keyed hash.
When MD5 or SHA-1 is used in the calculation of an HMAC; the
resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA-1
accordingly.
NOTE: The MD5 hash algorithm is blocked when FIPS mode is
When MD5 or SHA-1 is used in the calculation of an HMAC; the
resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA-1
accordingly.
NOTE: The MD5 hash algorithm is blocked when FIPS mode is
enabled
hmac_sha1
160-bit
AH, ESP
3des_cbc
168-bit
ESP
Triple DES is a more secure variant of DES. It uses three
different 56-bit keys to encrypt blocks of 64-bit plain text. The
algorithm is FIPS-approved for use by Federal agencies.
different 56-bit keys to encrypt blocks of 64-bit plain text. The
algorithm is FIPS-approved for use by Federal agencies.
blowfish_cbc
64-bit
ESP
Blowfish is a 32-bit to 448-bit keyed, symmetric block cipher.
aes128_cbc
128-bit
ESP
Advanced Encryption Standard is a 128- or 256-bit fixed block
size cipher.
size cipher.
aes256_cbc
256-bit
ESP
null_enc
n/a
ESP
A form of plaintext encryption.