Send documentation comments to [email protected]
Cisco MDS 9000 Family CLI Configuration Guide
OL-16184-01, Cisco MDS SAN-OS Release 3.x
Chapter 35 Configuring IPsec Network Security
Using IPsec
• Data flow—A grouping of traffic identified by a combination of source address and mask or prefix length, destination address and mask or prefix length, IP next-protocol field, and source and destination ports, where the protocol and port fields can each hold a specific value or a wildcard. Traffic matching a specific combination of these values is logically grouped into a data flow. A data flow can represent a single TCP connection between two hosts, or it can represent all traffic between two subnets. IPsec protection is applied to data flows.
• Perfect forward secrecy (PFS)—A cryptographic property of a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised, because each key comes from its own key exchange rather than being derived from earlier keys.
• Security Policy Database (SPD)—An ordered list of policies applied to traffic. Each policy decides whether a packet requires IPsec processing, is allowed to pass in clear text, or is dropped. Because the list is ordered, the first policy that matches a packet is the one applied, so a broad entry placed above a narrower one makes the narrower entry unreachable.
  – The IPsec SPDs are derived from the user's crypto map configuration.
  – The IKE SPD is configured directly by the user.
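The data-flow and SPD bullets above describe selector matching and first-match policy lookup. The following is an added example, not Cisco code, that models a selector over the five fields named in the text (the protocol and port fields may be wildcards), an SPD as an ordered list of (selector, action) pairs, a lookup that returns the first matching action, and a check for entries that an earlier, broader entry shadows. The addresses, ports and policies are constructed for the example, and the action names and the fall-through-to-discard behaviour follow the generic IPsec model rather than any SAN-OS command.

```python
"""Added example (not Cisco code): a data-flow selector and an ordered SPD.

Models the five selector fields (source prefix, destination prefix, IP
next-protocol, source port, destination port; the last three may be
wildcards), an SPD as an ordered list of (selector, action) pairs where the
first match wins, and a check for entries that an earlier, broader entry makes
unreachable.  Sample addresses, ports and policies are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # wildcard value for the protocol and port fields

PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int                      # IP next-protocol field: 1 = ICMP, 6 = TCP, 17 = UDP
    sport: Optional[int] = None     # None for protocols without ports (e.g. ICMP)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Selector:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = ANY
    sport: Optional[int] = ANY
    dport: Optional[int] = ANY

    def matches(self, pkt: Packet) -> bool:
        """True if the packet belongs to this data flow."""
        return (pkt.src in self.src and pkt.dst in self.dst
                and (self.proto is ANY or self.proto == pkt.proto)
                and (self.sport is ANY or self.sport == pkt.sport)
                and (self.dport is ANY or self.dport == pkt.dport))

    def covers(self, other: "Selector") -> bool:
        """True if every packet matching `other` also matches this selector."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and (self.proto is ANY or self.proto == other.proto)
                and (self.sport is ANY or self.sport == other.sport)
                and (self.dport is ANY or self.dport == other.dport))


Policy = Tuple[Selector, str]


def lookup(spd: List[Policy], pkt: Packet) -> str:
    """Ordered SPD lookup: the first matching policy decides the packet's fate."""
    for selector, action in spd:
        if selector.matches(pkt):
            return action
    return DISCARD  # no policy matched: the safe default is to drop, not to pass in clear


def shadowed_entries(spd: List[Policy]) -> List[int]:
    """Indexes of entries that can never match because an earlier entry covers them.

    The classic misordering: a broad 'protect subnet A to subnet B' entry placed
    above a narrower bypass or discard exception for the same subnets.
    """
    return [j for j, (sel_j, _) in enumerate(spd)
            if any(sel_i.covers(sel_j) for sel_i, _ in spd[:j])]


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)


def pkt(src: str, dst: str, proto: int, sport: Optional[int] = None,
        dport: Optional[int] = None) -> Packet:
    return Packet(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto, sport, dport)


# Constructed sample SPD for two hypothetical subnets.
SAMPLE_SPD: List[Policy] = [
    # narrow entries first: one TCP service, then ICMP in the clear for diagnostics
    (Selector(net("10.1.1.0/24"), net("10.2.2.0/24"), proto=6, dport=3260), PROTECT),
    (Selector(net("10.1.1.0/24"), net("10.2.2.0/24"), proto=1), BYPASS),
    # everything else between the two subnets is protected
    (Selector(net("10.1.1.0/24"), net("10.2.2.0/24")), PROTECT),
    # IKE itself (UDP/500) must pass in the clear or no SA can ever be negotiated
    (Selector(net("0.0.0.0/0"), net("0.0.0.0/0"), proto=17, dport=500), BYPASS),
]

if __name__ == "__main__":
    print(lookup(SAMPLE_SPD, pkt("10.1.1.5", "10.2.2.9", 6, 40000, 3260)))  # protect
    print(lookup(SAMPLE_SPD, pkt("10.1.1.5", "10.2.2.9", 1)))               # bypass
    print(shadowed_entries([SAMPLE_SPD[2], SAMPLE_SPD[1]]))                 # [1]
```

Swapping the second and third sample entries makes the ICMP bypass unreachable, which `shadowed_entries` reports; the same review is worth doing by hand on a crypto map with many sequence numbers, since the device will not warn you.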
Supported IPsec Transforms and Algorithms
The component technologies implemented for IPsec include the following transforms:
• Advanced Encryption Standard (AES) is an encryption algorithm. It implements 128-bit or 256-bit keys in Cipher Block Chaining (CBC) or counter mode.
• Data Encryption Standard (DES) is used to encrypt packet data and implements the mandatory 56-bit DES-CBC. CBC requires an initialization vector (IV) to start encryption; the IV is carried explicitly in the IPsec packet. A 56-bit key is within reach of brute-force search, so DES should be chosen only where a peer cannot negotiate anything stronger.
• Triple DES (3DES) is a stronger form of DES that uses 168-bit keys (three 56-bit DES keys; the effective strength is generally rated at 112 bits) and allows sensitive information to be transmitted over untrusted networks.
Note
Cisco SAN-OS images with strong encryption are subject to United States government export
controls, and have a limited distribution. Images to be installed outside the United States require
an export license. Customer orders might be denied or subject to delay due to United States
government regulations. Contact your sales representative or distributor for more information,
or send e-mail to [email protected].
• Message Digest 5 (MD5) is a hash algorithm, used here in its keyed HMAC variant (HMAC-MD5). HMAC is a keyed hash construction used to authenticate data.
• Secure Hash Algorithm 1 (SHA-1) is a hash algorithm, used here in its Hash Message Authentication Code (HMAC) variant (HMAC-SHA-1).
• AES-XCBC-MAC is a Message Authentication Code (MAC) built on the AES block cipher.
Supported IKE Transforms and Algorithms
The component technologies implemented for IKE include the following transforms:
• Diffie-Hellman (DH) is a public-key cryptography protocol that allows two parties to establish a shared secret over an unsecured communications channel. Within IKE, Diffie-Hellman is used to establish session keys. Group 1 (768-bit), Group 2 (1024-bit), and Group 5 (1536-bit) are supported; a larger group gives a wider security margin against discrete-logarithm attacks at a higher CPU cost per exchange.
• Advanced Encryption Standard (AES) is an encryption algorithm. It implements 128-bit keys using Cipher Block Chaining (CBC) or counter mode.
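The Diffie-Hellman bullet above says IKE uses DH to establish session keys, and the PFS bullet earlier says that keys from independent exchanges do not compromise one another. The following is an added example, not Cisco code, that runs a DH exchange over IKE group 2, validates the peer's public value, and contrasts rekeying by a fresh exchange (PFS) with rekeying by deriving each key from the previous one. The group 2 prime is transcribed here from RFC 2409 section 6.2 (generator 2; groups 1 and 5 differ only in the prime) and the block checks its primality before use. The SHA-256 key derivation and the "rekey" chain are simplified stand-ins for IKE's own SKEYID derivation, not the protocol's actual PRF.

```python
"""Added example (not Cisco code): Diffie-Hellman over IKE group 2, and PFS.

GROUP2_P is the 1024-bit MODP prime of IKE group 2 (RFC 2409, section 6.2),
generator 2.  session_key() and rekey_without_pfs() are toy derivations that
stand in for IKE's SKEYID computation; they are not the IKE PRF.
"""
import hashlib
import secrets

GROUP2_P = int("".join([
    "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74",
    "020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437",
    "4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED",
    "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF",
]).replace(" ", ""), 16)
GROUP2_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; used here to catch a mistyped group prime."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def valid_public_value(y: int, p: int = GROUP2_P) -> bool:
    """Reject 0, 1, p-1 and out-of-range values: they force a trivial shared secret."""
    return 2 <= y <= p - 2


def dh_keypair(p: int = GROUP2_P, g: int = GROUP2_G):
    x = secrets.randbelow(p - 2) + 1          # private exponent in [1, p-2]
    return x, pow(g, x, p)                    # (private, public)


def dh_shared(priv: int, peer_pub: int, p: int = GROUP2_P) -> int:
    if not valid_public_value(peer_pub, p):
        raise ValueError("peer public value out of range")
    return pow(peer_pub, priv, p)


def session_key(shared: int) -> bytes:
    """Toy KDF: hash the shared secret down to a 256-bit key."""
    return hashlib.sha256(shared.to_bytes((shared.bit_length() + 7) // 8, "big")).digest()


def rekey_with_pfs(n: int):
    """n session keys, each from its own DH exchange: none is derivable from another."""
    keys = []
    for _ in range(n):
        xa, ya = dh_keypair()
        xb, yb = dh_keypair()
        shared = dh_shared(xa, yb)
        assert shared == dh_shared(xb, ya)   # both sides agree on the secret
        keys.append(session_key(shared))
    return keys


def rekey_without_pfs(n: int, first_key: bytes):
    """n session keys where each is derived from the previous one (no fresh DH)."""
    keys = [first_key]
    while len(keys) < n:
        keys.append(hashlib.sha256(b"rekey" + keys[-1]).digest())
    return keys


def attacker_forward_keys(compromised_key: bytes, count: int):
    """What an attacker who learned one key can compute under the non-PFS derivation."""
    return rekey_without_pfs(count + 1, compromised_key)[1:]


if __name__ == "__main__":
    assert is_probable_prime(GROUP2_P) and is_probable_prime((GROUP2_P - 1) // 2)
    chain = rekey_without_pfs(4, b"k" * 32)
    print(attacker_forward_keys(chain[0], 3) == chain[1:])   # True: all later keys fall
    pfs = rekey_with_pfs(4)
    print(attacker_forward_keys(pfs[0], 3) == pfs[1:])       # False: nothing to derive from
```

The public-value range check matters in practice: a peer (or an attacker in the path) who sends 0, 1 or p-1 as its public value collapses the shared secret to a handful of known values, so a real implementation validates the peer's value before exponentiating with it. The safe-prime check (both p and (p-1)/2 prime) is the property that makes generator 2 safe to use for these IKE groups.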