ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaja_5.4.0.1/rzajaipsec.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="IP Security (IPSec) protocols" />
<meta name="abstract" content="IPSec provides a stable, long lasting base for providing network layer security." />
<meta name="description" content="IPSec provides a stable, long lasting base for providing network layer security." />
<meta name="DC.Relation" scheme="URI" content="rzajavpnprotocols.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaahheader.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaesp.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaahandesp.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajasecassociations.htm" />
<meta name="DC.Relation" scheme="URI" content="http://www.rfc-editor.org" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajaipsec" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>IP Security (IPSec) protocols</title>
</head>
<body id="rzajaipsec"><a name="rzajaipsec"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">IP Security (IPSec) protocols</h1>
<div><p>IPSec provides a stable, long lasting base for providing network
layer security.</p>
<p>IPSec supports all of the cryptographic algorithms in use today, and can
also accommodate newer, more powerful algorithms as they become available.
IPSec protocols address these major security issues:</p>
<dl><dt class="dlterm">Data origin authentication</dt>
<dd>Verifies that each datagram was originated by the claimed sender.</dd>
<dt class="dlterm">Data integrity</dt>
<dd>Verifies that the contents of a datagram were not changed in transit,
either deliberately or due to random errors.</dd>
<dt class="dlterm">Data confidentiality</dt>
<dd>Conceals the content of a message, typically by using encryption.</dd>
<dt class="dlterm">Replay protection</dt>
<dd> Ensures that an attacker cannot intercept a datagram and play it back
at some later time.</dd>
<dt class="dlterm">Automated management of cryptographic keys and security associations</dt>
<dd>Ensures that your VPN policy can be used throughout the extended network
with little or no manual configuration.</dd>
</dl>
<p>VPN uses two IPSec protocols to protect data as it flows through the VPN:
Authentication Header (AH) and Encapsulating Security Payload (ESP). The other
part of IPSec enablement is the Internet Key Exchange (IKE) protocol, or key
management. While IPSec encrypts your data, IKE supports automated negotiation
of security associations (SAs), and automated generation and refreshing of
cryptographic keys.</p>
<div class="p"><img src="./delta.gif" alt="Start of change" /><div class="note"><span class="notetitle">Note:</span> Some VPN configurations could have a security
vulnerability depending on how IPSec is configured. The vulnerability affects
configurations where IPsec is configured to employ Encapsulating Security
Payload (ESP) in tunnel mode with confidentiality (encryption), but without
integrity protection (authentication) or Authentication Header (AH).   The
default configuration when ESP is selected always includes an authentication
algorithm that provides integrity protection. Therefore, unless the authentication
algorithm in the ESP transform is removed, VPN configurations will be protected
from this vulnerability. The IBM<sup>®</sup> Universal Connection VPN configuration is not affected
by this vulnerability.<div class="p">To check if your system is affected by this security
vulnerability follow these steps: <ol><li>In iSeries™ Navigator,
expand your server &gt; <span class="menucascade"><span class="uicontrol">Network</span> &gt; <span class="uicontrol">IP
Policies</span> &gt; <span class="uicontrol">Virtual Private Networking</span> &gt; <span class="uicontrol"> IP
Security Policies</span> &gt; <span class="uicontrol"> Data Policies </span></span>.</li>
<li>Right-click on the data policy you want to check and select <span class="uicontrol">Properties</span>. </li>
<li>Click on the <span class="uicontrol">Proposals</span> tab.</li>
<li>Select any of the data protection proposals that are using the ESP protocol
and click <span class="uicontrol">Edit</span>. </li>
<li>Click on the <span class="uicontrol">Transforms</span> tab. </li>
<li>Select any transforms from the list that use the ESP protocol and click <span class="uicontrol">Edit</span>. </li>
<li>Verify that the Authentication algorithm has any other value then <span class="uicontrol">None</span>. </li>
</ol>
</div>
</div>
<img src="./deltaend.gif" alt="End of change" /></div>
<p>The Internet Engineering Task Force (IETF) formally defines IPSec in Request
for Comment (RFC) 2401, <cite>Security Architecture for the Internet Protocol</cite>.
You can view this RFC on the Internet at the following Web site:  http://www.rfc-editor.org.</p>
<p>The principal IPSec protocols are listed below:</p>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzajaahheader.htm">Authentication Header</a></strong><br />
The Authentication Header (AH) protocol provides data origin authentication, data integrity, and replay protection. However, AH does not provide data confidentiality, which means that all of your data is sent in the clear.</li>
<li class="ulchildlink"><strong><a href="rzajaesp.htm">Encapsulating Security Payload</a></strong><br />
The Encapsulating Security Payload (ESP) protocol provides data confidentiality, and also optionally provides data origin authentication, data integrity checking, and replay protection.</li>
<li class="ulchildlink"><strong><a href="rzajaahandesp.htm">AH and ESP combined</a></strong><br />
VPN allows you to combine AH and ESP for host-to-host connections in transport mode.</li>
</ul>

<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajavpnprotocols.htm" title="It is important that you have at least a basic knowledge of standard VPN technologies. This topic provides you with conceptual information about the protocols VPN uses in its implementation.">VPN concepts</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajasecassociations.htm" title="A dynamic VPN provides additional security for your communications by using the Internet Key Exchange (IKE) protocol for key management. IKE allows the VPN servers on each end of the connection to negotiate new keys at specified intervals.">Key management</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="http://www.rfc-editor.org" target="_blank">http://www.rfc-editor.org</a></div>
</div>
</div>
</body>
</html>