General considerations, Interface and area IPsec considerations – Brocade FastIron Ethernet Switch Layer 3 Routing Configuration Guide User Manual
Page 341
• ESP security protocol
• Authentication
• HMAC-SHA1-96 authentication algorithm
• Security parameter index (SPI)
• A 40-character key using hexadecimal characters
• An option for not encrypting the keyword when it appears in show command output
• Key rollover timer
• Specifying the key add remove timer
NOTE
In the current release, certain keyword parameters must be entered even though only one keyword
choice is possible for that parameter. For example, the only authentication algorithm in the current
release is HMAC-SHA1-96, but you must nevertheless enter the keyword for this algorithm. Also, ESP
currently is the only authentication protocol, but you must still enter the esp keyword. This section
describes all keywords.
General considerations
The IPsec component generates security associations and security policies based on certain user-
specified parameters. The parameters are described with the syntax of each command in this section.
User-specified parameters and their relation to system-generated values are as follows:
• Security association: based on your entries for security parameter index (SPI), destination address, and
security protocol (currently ESP), the system creates a security association for each interface or
virtual link.
• Security policy database: based on your entries for SPI, source address, destination addresses,
and security protocol, the system creates a security policy database for each interface or virtual link.
• You can configure the same SPI and key on multiple interfaces and areas, but they still have unique
IPsec configurations because the SA and policies are added to each separate security policy
database (SPD) that is associated with a particular interface. If you configure an SA with the same
SPI in multiple places, the rest of the parameters associated with the SA—such as the key, cryptographic
algorithm, and security protocol—must match. If the system detects a mismatch, it
displays an error message.
• IPsec authentication for OSPFv3 requires the use of multiple SPDs, one for each interface. A virtual
link has a separate, global SPD. The authentication configuration on a virtual link must be different
from the authentication configuration for an area or interface, as required by RFC4552. The interface
number is used to generate a non-zero security policy database identifier (SPDID), but for the global
SPD for a virtual link, the system-generated SPDID is always zero. As a hypothetical example, the
SPD for interface eth 1/1 might have the system-generated SPDID of 1, and so on.
• If you change an existing key, you must also specify a different SPI value. For example, in an
interface context where you intend to change a key, you must type a different SPI value—which
occurs before the key parameter on the command line—before you type the new key.
• The old key is active for twice the current configured key-rollover-interval for the inbound direction. In
the outbound direction, the old key remains active for a duration equal to the key-rollover-interval. If
the key-rollover-interval is set to 0, the new key immediately takes effect for both directions.
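The following is an added model of the rules listed above; it is not Brocade code. It keeps one SPD per interface (SPDID 0 for the global virtual-link SPD), rejects an SPI reused with different parameters or a new key entered under the old SPI, and computes which keys are honoured inbound and outbound after a rollover. Class and function names, and the use of seconds for the interval, are assumptions.

```python
from dataclasses import dataclass

# Constructed model of this section's rules (not vendor code): one SPD per
# interface, identical parameters wherever an SPI is reused, and old keys that
# linger for 2x the rollover interval inbound and 1x outbound.

@dataclass(frozen=True)
class SA:
    spi: int
    key: str                         # 40 hexadecimal characters
    protocol: str = "esp"            # only choice in this release
    algorithm: str = "hmac-sha1-96"  # only choice in this release

    def __post_init__(self):
        if len(self.key) != 40 or any(c not in "0123456789abcdefABCDEF" for c in self.key):
            raise ValueError("key must be 40 hexadecimal characters")

class SpdStore:
    """SPDID 0 is the global SPD for virtual links; interface SPDs use a non-zero id."""
    def __init__(self):
        self.spds = {}               # spdid -> {spi: SA}

    def add(self, spdid, sa):
        # The same SPI may be configured on many interfaces and areas, but the
        # key, algorithm and protocol behind it must match everywhere.
        for spd in self.spds.values():
            other = spd.get(sa.spi)
            if other is not None and other != sa:
                raise ValueError(f"SPI {sa.spi}: parameters differ from existing SA")
        self.spds.setdefault(spdid, {})[sa.spi] = sa

    def rekey(self, spdid, old_spi, new_sa):
        # Changing an existing key requires a different SPI on the command line.
        if new_sa.spi == old_spi:
            raise ValueError("a new key must be entered with a new SPI")
        self.add(spdid, new_sa)

def active_keys(old_spi, new_spi, rollover_interval, elapsed):
    """SPIs accepted inbound and the SPI used outbound `elapsed` seconds after a rekey."""
    if rollover_interval == 0:
        return {new_spi}, new_spi    # new key takes effect immediately in both directions
    inbound = {new_spi}
    if elapsed < 2 * rollover_interval:
        inbound.add(old_spi)         # old key still honoured inbound for 2x the interval
    outbound = old_spi if elapsed < rollover_interval else new_spi
    return inbound, outbound
```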
Interface and area IPsec considerations
This section describes the precedence of interface and area IPsec configurations.
If you configure an interface IPsec by using the ipv6 ospf authentication command in the context of a
specific interface, that interface’s IPsec configuration overrides the area configuration of IPsec.
53-1003087-04