Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0)
IPsec policies, IPsec traffic selector, IPsec transform, IKE policies

TABLE 56  Algorithms and associated authentication policies (Continued)

Algorithm      Encryption level   Policy    Description
hmac_sha1      160-bit            AH, ESP   HMAC keyed with SHA-1. The 160-bit tag authenticates the
                                            packet (integrity and origin) in either AH or ESP.
3des_cbc       168-bit            ESP       Triple DES is a more secure variant of DES. It uses
                                            three different 56-bit keys to encrypt 64-bit blocks of
                                            plaintext. The algorithm is FIPS-approved for use by
                                            Federal agencies. Caveat: the effective strength of
                                            three-key 3DES is 112 bits, its 64-bit block limits how
                                            much data one key may safely protect, and NIST has since
                                            deprecated it in favor of AES.
blowfish_cbc   64-bit             ESP       Blowfish is a symmetric block cipher with a 64-bit block
                                            and a variable key of 32 to 448 bits; the 64-bit figure
                                            is the block size, not the key length. Blowfish is not
                                            FIPS-approved.
aes128_cbc     128-bit            ESP       Advanced Encryption Standard has a fixed 128-bit block
                                            size; the encryption level is the key length, here 128
                                            bits. AES-CBC provides confidentiality only and must be
                                            paired with an authentication algorithm such as hmac_sha1.
aes256_cbc     256-bit            ESP       AES as above, with a 256-bit key.
null_enc       n/a                ESP       No encryption (ESP-NULL, RFC 2410). The payload travels in
                                            the clear and ESP supplies only integrity and origin
                                            authentication. It is not a form of encryption; do not use
                                            it where confidentiality is required.

NOTE
The MD5 hash algorithm is blocked when FIPS mode is enabled.
IPsec policies
An IPsec policy determines the security services afforded to a packet and how the packet is treated
in the network. It classifies IP packets into traffic flows and specifies the action or transformation
applied to the packets of each flow. The main components of an IPsec policy are the IP packet filter,
or selector (IP address, protocol, and port information), and the transform set.
IPsec traffic selector
The traffic selector is a traffic filter that defines and identifies the traffic flow between two systems
protected by IPsec. IP addresses, the direction of the traffic flow (inbound or outbound), and the
upper-layer protocol define the filter for the traffic (IP datagrams) that IPsec protects. Only traffic
that matches a selector is protected, so write selectors as narrowly as the application allows and check
that the flows you intend to protect actually match.
IPsec transform
A transform set is the combination of IPsec protocols and cryptographic algorithms applied to a
packet after it matches a selector. The transform set specifies the IPsec protocol (AH or ESP), the
IPsec mode, and the action to be performed on the IP packet. It also specifies the key management
policy needed for the IPsec connection and, when IKE is the key management protocol, the encryption
and authentication algorithms to be used in the security associations.
IPsec can protect either the entire IP datagram or only the upper-layer protocol data, using tunnel
mode or transport mode respectively. Tunnel mode encapsulates the entire original IP datagram,
header included, inside a new IP datagram, so the original addresses are hidden from the path; it is
the mode used between security gateways. Transport mode protects only the payload of the IP
datagram and leaves the original IP header in the clear, so it is used between the two communicating
end systems themselves.
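The two modes and the null_enc transform from Table 56, as an added worked example that is not Brocade code: it builds RFC 4303 ESP packets around a constructed IPv4 datagram with ESP-NULL (RFC 2410) for encryption and HMAC-SHA1-96 (RFC 2404, the 20-byte tag truncated to 12 bytes) for the ICV. The addresses, key, SPIs and TCP segment are constructed sample data; the function names are this example's own.

```python
"""ESP encapsulation with null_enc + hmac_sha1 in transport and tunnel mode.

Added example (not Brocade code). Standard library only; all sample data is
constructed. Shows what each mode protects and that ESP-NULL still
authenticates the payload even though it leaves it readable."""
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4    # next header when the ESP payload is a whole IPv4 datagram
IPPROTO_TCP = 6
IPPROTO_ESP = 50
ICV_LEN = 12        # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits


def _ip(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left zero, it is not needed here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, _ip(src), _ip(dst))


def outer_addresses(datagram: bytes) -> tuple:
    """Source and destination that anyone on the path can read (outer header)."""
    return (".".join(map(str, datagram[12:16])),
            ".".join(map(str, datagram[16:20])))


def esp_encapsulate(spi: int, seq: int, next_header: int, data: bytes, key: bytes) -> bytes:
    """SPI | Seq | payload | padding | pad len | next header | ICV.

    ESP-NULL has a block size of 1, but the ESP trailer must still end on a
    4-byte boundary, so padding is chosen for that alignment."""
    pad_len = (-(len(data) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default pad byte values
    authenticated = (struct.pack("!II", spi, seq) + data + padding
                     + bytes([pad_len, next_header]))
    icv = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_decapsulate(esp: bytes, key: bytes) -> tuple:
    """Verify the ICV before touching anything else; raises ValueError on tampering."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def transport_mode(src, dst, tcp_segment, spi, seq, key) -> bytes:
    """Protects only the upper-layer payload; the end systems' IP header stays in the clear."""
    esp = esp_encapsulate(spi, seq, IPPROTO_TCP, tcp_segment, key)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, inner_datagram, spi, seq, key) -> bytes:
    """Protects the whole inner datagram, header included, behind a new outer header."""
    esp = esp_encapsulate(spi, seq, IPPROTO_IPIP, inner_datagram, key)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp


# Constructed sample data (hypothetical addresses, key and segment).
KEY = bytes(range(20))
TCP_SEGMENT = struct.pack("!HH", 40000, 443) + b"\x00" * 16 + b"GET / HTTP/1.0\r\n"
INNER = ipv4_header("10.0.0.5", "10.0.1.7", IPPROTO_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT


def demo() -> dict:
    transport = transport_mode("10.0.0.5", "10.0.1.7", TCP_SEGMENT, 0x1000, 1, KEY)
    tunnel = tunnel_mode("192.0.2.1", "198.51.100.1", INNER, 0x2000, 1, KEY)
    tampered = bytearray(transport)
    tampered[48] ^= 0x01                          # flip one bit of the TCP payload ("G")
    result = {
        "transport_outer": outer_addresses(transport),   # end-system addresses visible
        "tunnel_outer": outer_addresses(tunnel),         # only gateway addresses visible
        "transport_payload": esp_decapsulate(transport[20:], KEY),
        "tunnel_payload": esp_decapsulate(tunnel[20:], KEY),
        "null_enc_leaks_plaintext": b"GET / HTTP/1.0" in transport,
    }
    try:
        esp_decapsulate(bytes(tampered[20:]), KEY)
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The inner datagram's addresses (10.0.0.5 and 10.0.1.7) appear in the outer header in transport mode but not in tunnel mode, where the ESP payload is the whole inner datagram and the outer header carries only the gateways. The `null_enc_leaks_plaintext` result is the point of the table's caveat: the HTTP request is readable on the wire, yet the flipped bit is still caught by the ICV.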
IKE policies
When IKE is used as the key management protocol, the IKE policy defines the parameters used in the
IKE negotiation that establishes the IKE SA, and the parameters used in the negotiation, protected by
that IKE SA, that establishes the IPsec SAs. These include the authentication and encryption
algorithms and the primary authentication method, such as preshared keys, or a certificate-based
method, such as RSA signatures. With preshared keys the strength of peer authentication is the
strength of the key itself, so use a long random key and a distinct key per peer; certificate-based
authentication avoids sharing a secret at all.
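The three components described in the IPsec policy, traffic selector, transform and IKE policy sections, as an added worked example that is not Fabric OS code: it models selector, transform set and IKE proposal as plain Python data and shows first-match classification of packets into flows, validation of a transform set against the algorithm-to-protocol pairings and the FIPS note in Table 56, and a responder picking an IKE proposal. The addresses, ports, sample policies and field names are this example's own and are not ipsecconfig syntax.

```python
"""IPsec policy evaluation: selector -> transform set, plus IKE proposal choice.

Added example (not Fabric OS code). The policy model and all sample data are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Which IPsec protocol may carry each algorithm (the "Policy" column of Table 56).
ALG_POLICY = {
    "hmac_md5": {"AH", "ESP"}, "hmac_sha1": {"AH", "ESP"},
    "3des_cbc": {"ESP"}, "blowfish_cbc": {"ESP"},
    "aes128_cbc": {"ESP"}, "aes256_cbc": {"ESP"}, "null_enc": {"ESP"},
}
FIPS_BLOCKED = {"hmac_md5"}   # per the table note; the page names no other FIPS restriction


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int
    direction: str            # "in" or "out"


@dataclass(frozen=True)
class Selector:
    """Traffic filter: addresses, direction and optional upper-layer protocol/port."""
    src: str                  # CIDR
    dst: str
    direction: str
    proto: Optional[int] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and pkt.direction == self.direction
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


@dataclass(frozen=True)
class Transform:
    """Transform set: IPsec protocol, mode and algorithms applied after a selector match."""
    protocol: str             # "AH" or "ESP"
    mode: str                 # "tunnel" or "transport"
    auth: str
    enc: Optional[str] = None # AH has no encryption algorithm

    def problems(self, fips: bool) -> List[str]:
        """Empty list means the transform set is acceptable."""
        errs = []
        if self.protocol == "ESP" and self.enc is None:
            errs.append("ESP needs an encryption algorithm (null_enc for integrity only)")
        if self.protocol == "AH" and self.enc is not None:
            errs.append("AH carries no encryption algorithm")
        for alg in (self.auth, self.enc):
            if alg is None:
                continue
            if self.protocol not in ALG_POLICY.get(alg, set()):
                errs.append(f"{alg} is not valid for {self.protocol}")
            if fips and alg in FIPS_BLOCKED:
                errs.append(f"{alg} is blocked when FIPS mode is enabled")
        return errs


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str               # "protect", "bypass" or "discard"
    transform: Optional[Transform] = None


def classify(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """First matching selector wins; None means no policy covers the packet."""
    for policy in policies:
        if policy.selector.matches(pkt):
            return policy
    return None


@dataclass(frozen=True)
class IkeProposal:
    enc: str
    auth: str
    dh_group: int
    auth_method: str          # "psk" or "rsa_sig"


def negotiate_ike(offered: List[IkeProposal], accepted: List[IkeProposal],
                  fips: bool) -> Optional[IkeProposal]:
    """Responder takes the initiator's most preferred proposal that it also accepts."""
    for proposal in offered:
        if fips and proposal.auth in FIPS_BLOCKED:
            continue
        if proposal in accepted:
            return proposal
    return None


# Constructed sample configuration (hypothetical networks and proposals).
POLICIES = [
    Policy(Selector("10.0.0.0/24", "10.0.1.0/24", "out", proto=6, dport=443),
           "protect", Transform("ESP", "tunnel", "hmac_sha1", "aes256_cbc")),
    Policy(Selector("10.0.0.0/24", "0.0.0.0/0", "out"), "bypass"),
]
INITIATOR = [IkeProposal("3des_cbc", "hmac_md5", 2, "psk"),
             IkeProposal("aes128_cbc", "hmac_sha1", 14, "rsa_sig")]
RESPONDER = [IkeProposal("aes256_cbc", "hmac_sha1", 14, "rsa_sig"),
             IkeProposal("aes128_cbc", "hmac_sha1", 14, "rsa_sig"),
             IkeProposal("3des_cbc", "hmac_md5", 2, "psk")]


def demo(fips: bool = True) -> dict:
    return {
        "to_peer": classify(POLICIES, Packet("10.0.0.5", "10.0.1.7", 6, 443, "out")).action,
        "to_internet": classify(POLICIES, Packet("10.0.0.5", "192.0.2.9", 6, 443, "out")).action,
        "inbound": classify(POLICIES, Packet("10.0.1.7", "10.0.0.5", 6, 443, "in")),
        "md5_in_fips": Transform("ESP", "transport", "hmac_md5", "aes128_cbc").problems(fips),
        "aes_in_ah": Transform("AH", "transport", "hmac_sha1", "aes128_cbc").problems(fips),
        "ike": negotiate_ike(INITIATOR, RESPONDER, fips),
    }
```

Note the `inbound` result: the sample selectors are all outbound, so an inbound packet matches nothing; a real policy needs a selector per direction for each protected flow. With FIPS on, the initiator's preferred 3DES/MD5 proposal is skipped and the AES/SHA-1 proposal is chosen; with FIPS off the weaker first proposal wins, which is why the initiator's ordering matters as much as the responder's.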
Fabric OS Administrators Guide, 53-1003130-01, page 248