IPsec traffic selector, IPsec transform, IKE policies – Dell POWEREDGE M1000E User Manual

Fabric OS Administrator's Guide, 53-1002745-02, page 235
Management interface security (chapter 7)

IPsec traffic selector

The traffic selector is a traffic filter that defines and identifies the traffic flow between two systems
that have IPsec protection. IP addresses, the direction of traffic flow (inbound, outbound) and the
upper-layer protocol are used to define a filter for the traffic (IP datagrams) that is protected using
IPsec.

IPsec transform

A transform set is a combination of IPsec protocols and cryptographic algorithms that are applied
to a packet after it is matched to a selector. The transform set specifies the IPsec protocol, the
IPsec mode and the action to be performed on the IP packet. It also specifies the key management policy
that is needed for the IPsec connection and, when IKE is used as the key management protocol, the
encryption and authentication algorithms to be used in the security associations.

IPsec can protect either the entire IP datagram or only the upper-layer protocols, using tunnel mode
or transport mode respectively. Tunnel mode uses the IPsec protocol to encapsulate the entire IP datagram.
Transport mode protects only the IP datagram payload.

IKE policies

When IKE is used as the key management protocol, an IKE policy defines the parameters used in the IKE
negotiations needed to establish the IKE SA, and the parameters used in the negotiations to establish the IPsec
SAs. These include the authentication and encryption algorithms and the primary authentication
method, which is either pre-shared keys or a certificate-based method such as RSA signatures.

Key management

IPsec key management supports either Internet Key Exchange or manual key/SA entry. The Internet
Key Exchange (IKE) protocol handles key management automatically. SAs require keying material
for authentication and encryption; managing the keying material that SAs require is called key
management.

The IKE protocol secures communication by authenticating peers and exchanging keys. It also
creates the SAs and stores them in the SADB.

Manual key/SA entry requires the keys to be generated and managed manually. For the
selected authentication or encryption algorithms, the correct keys must be generated using a third-party
utility on your Linux system. The required key length is determined by the algorithm selected.

Linux ipsec-tools 0.7 provides tools for manual key entry (MKE) and for automatically keyed connections.
The Linux setkey command can be used for manually keyed connections, which means that you supply all
parameters needed to set up the connection. Based on the protocol, algorithm and key used to
create the security associations, the switch populates its security association database (SAD)
accordingly.
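To make the manual keying step concrete, the following is an added example (not code from the Brocade guide or from ipsec-tools) that generates keys of the length each algorithm requires and emits a setkey script containing the SAD entries (the transform: ESP, mode, algorithms and keys, one SA per direction) and the SPD entries (the host-to-host traffic selector). Algorithm names and key lengths follow setkey(8); the addresses and SPIs used in the script are constructed values.

```python
import secrets

# Key lengths (bits) that the ipsec-tools setkey(8) manual page lists for these
# algorithms; assumption: only this subset of algorithms is modelled here.
ENC_KEY_BITS = {"aes-cbc": (128, 192, 256), "3des-cbc": (192,)}
AUTH_KEY_BITS = {"hmac-md5": (128,), "hmac-sha1": (160,), "hmac-sha256": (256,)}


def gen_key(bits):
    """Random key of exactly `bits` bits, as the 0x-prefixed hex setkey expects."""
    return "0x" + secrets.token_hex(bits // 8)


def key_bits(key_hex, algorithm, table):
    """Return the key length in bits, rejecting keys that do not fit the algorithm."""
    if algorithm not in table:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if not key_hex.startswith("0x") or len(key_hex) % 2:
        raise ValueError("key must be 0x-prefixed hex covering whole bytes")
    bits = (len(key_hex) - 2) * 4
    if bits not in table[algorithm]:
        raise ValueError(f"{algorithm} needs one of {table[algorithm]} bits, got {bits}")
    return bits


def manual_sa_script(local, peer, spi_out, spi_in, mode, enc_alg, auth_alg, enc_bits):
    """Build a setkey script: one ESP SA per direction (SAD entries) plus the
    host-to-host traffic selectors that use them (SPD entries)."""
    if mode not in ("tunnel", "transport"):
        raise ValueError("mode must be 'tunnel' or 'transport'")
    if enc_alg not in ENC_KEY_BITS or auth_alg not in AUTH_KEY_BITS:
        raise ValueError("unsupported encryption or authentication algorithm")
    sad, spd = [], []
    # Keys and SPIs differ per direction; the SPI identifies the SA on the wire.
    for src, dst, spi, direction in ((local, peer, spi_out, "out"),
                                     (peer, local, spi_in, "in")):
        ek = gen_key(enc_bits)
        ak = gen_key(AUTH_KEY_BITS[auth_alg][0])
        key_bits(ek, enc_alg, ENC_KEY_BITS)   # fail early on a wrong key length
        key_bits(ak, auth_alg, AUTH_KEY_BITS)
        sad.append(f"add {src} {dst} esp {spi:#06x} -m {mode} "
                   f"-E {enc_alg} {ek} -A {auth_alg} {ak};")
        # Tunnel mode names the outer endpoints; transport mode leaves them empty.
        endpoints = f"{src}-{dst}" if mode == "tunnel" else ""
        spd.append(f"spdadd {src} {dst} any -P {direction} ipsec "
                   f"esp/{mode}/{endpoints}/require;")
    return "\n".join(["flush;", "spdflush;"] + sad + spd) + "\n"
```

The resulting text is what you would pass to `setkey -f`; the peer needs the same SAs with source and destination swapped, so the generated keys must be copied to it over an already protected channel.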

Pre-shared keys

A pre-shared key has the .psk extension and is one of the methods IKE can be configured
to use for primary authentication. You can specify the pre-shared keys used in IKE policies, and add and
delete pre-shared keys (in the local database) corresponding to the identity of the IKE peer or group of
peers.
