IPSec provides a stable, long-lasting base for network-layer security.
IPSec is not tied to any particular cipher: it supports the cryptographic
algorithms in use today and can accommodate newer, stronger algorithms as
they become available.
IPSec protocols address these major security issues:
- Data origin authentication
- Verifies that each datagram was originated by the claimed sender.
- Data integrity
- Verifies that the contents of a datagram were not changed in transit,
either deliberately or due to random errors.
- Data confidentiality
- Conceals the content of a message, typically by using encryption.
- Replay protection
- Ensures that an attacker who captures a datagram cannot have it accepted
again by playing it back at some later time (each AH or ESP datagram carries
a sequence number for this purpose).
- Automated management of cryptographic keys and security associations
- Ensures that your VPN policy can be used throughout the extended network
with little or no manual configuration.
VPN uses two IPSec protocols to protect data as it flows through the VPN:
Authentication Header (AH), which provides data origin authentication and
integrity, and Encapsulating Security Payload (ESP), which provides
confidentiality and can also provide authentication and integrity. The third
component of IPSec is the Internet Key Exchange (IKE) protocol, or key
management. While AH and ESP protect the data itself, IKE supports automated
negotiation of security associations (SAs), and automated generation and
refreshing of cryptographic keys.
Note: Some VPN configurations could have a security
vulnerability depending on how IPSec is configured. The vulnerability affects
configurations where IPSec is configured to employ Encapsulating Security
Payload (ESP) in tunnel mode with confidentiality (encryption) but without
integrity protection, that is, with neither an ESP authentication algorithm
nor Authentication Header (AH). Encryption alone does not detect changes made
to a datagram in transit, so such a configuration lets an attacker who can
modify traffic alter the protected data without the receiver noticing. The
default configuration when ESP is selected always includes an authentication
algorithm that provides integrity protection. Therefore, unless the
authentication algorithm in the ESP transform is removed, VPN configurations
are protected from this vulnerability. The IBM® Universal Connection VPN
configuration is not affected by this vulnerability.
To check whether your system is affected by this security
vulnerability, follow these steps:
- In iSeries™ Navigator, expand your server > .
- Right-click the data policy you want to check and select Properties.
- Click the Proposals tab.
- Select any of the data protection proposals that use the ESP protocol
and click Edit.
- Click the Transforms tab.
- Select any transform from the list that uses the ESP protocol and click Edit.
- Verify that the Authentication algorithm has a value other than None.
Repeat the last three steps for every ESP transform in every proposal: a single
transform with no authentication algorithm is enough to expose the connections
that negotiate it.
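The following Go program is an added example written for this page; it is not IBM code and does not reflect the i5/OS implementation. It models, in simplified form, an ESP sender and receiver that provide the services listed earlier (data origin authentication and integrity through an integrity check value, confidentiality through AES-CBC, replay protection through the sequence number), and it shows why an ESP transform whose authentication algorithm is None is exposed: without an integrity check value, a bit flip in the transmitted packet changes the decrypted data and the receiver has no way to notice. The packet layout, the keys, the SPI values and the payloads are constructed for the example and are assumptions, not values from any real configuration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed keys for this example only; a real SA gets its keys from IKE.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256-CBC
var authKey = []byte("constructed-hmac-key-for-example") // 32 bytes: HMAC-SHA-256
var block, _ = aes.NewCipher(encKey)

const icvLen = 16 // integrity check value: HMAC output truncated to 128 bits

// Simplified ESP packet: SPI(4) | Seq(4) | IV(16) | ciphertext | [ICV(16)].
// auth=false models an ESP transform whose authentication algorithm is None.
type Sender struct{ spi, seq uint32; auth bool }
type Receiver struct{ spi, highest uint32; auth bool } // highest: last sequence number accepted

// icv covers SPI, Seq, IV and ciphertext: encrypt-then-MAC, as ESP does.
func icv(data []byte) []byte {
	m := hmac.New(sha256.New, authKey)
	m.Write(data)
	return m.Sum(nil)[:icvLen]
}

// Protect adds the ESP trailer (pad bytes 1,2,3..., pad length, next header), encrypts
// under a fresh IV and appends an ICV when the transform has an authentication algorithm.
func (s *Sender) Protect(payload []byte) []byte {
	s.seq++
	pkt := make([]byte, 8+aes.BlockSize)
	binary.BigEndian.PutUint32(pkt[0:], s.spi)
	binary.BigEndian.PutUint32(pkt[4:], s.seq)
	if _, err := rand.Read(pkt[8:]); err != nil { // IV travels in the clear
		panic(err)
	}
	n := (aes.BlockSize - (len(payload)+2)%aes.BlockSize) % aes.BlockSize
	pt := append([]byte{}, payload...)
	for i := 1; i <= n; i++ {
		pt = append(pt, byte(i))
	}
	pt = append(pt, byte(n), 0)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, pkt[8:]).CryptBlocks(ct, pt)
	pkt = append(pkt, ct...)
	if s.auth {
		pkt = append(pkt, icv(pkt)...)
	}
	return pkt
}

// Unprotect verifies the ICV (if the transform has one), checks the sequence number,
// decrypts and strips the trailer. It never returns data that failed a check.
func (r *Receiver) Unprotect(pkt []byte) ([]byte, error) {
	if r.auth {
		n := len(pkt) - icvLen
		if n < 0 || !hmac.Equal(icv(pkt[:n]), pkt[n:]) {
			return nil, errors.New("integrity check failed: packet dropped")
		}
		pkt = pkt[:n]
	}
	if len(pkt) < 8+2*aes.BlockSize || (len(pkt)-8)%aes.BlockSize != 0 || binary.BigEndian.Uint32(pkt) != r.spi {
		return nil, errors.New("malformed packet or unknown SPI")
	}
	// Replay protection: the sequence number must advance. RFC 4303 uses a 64-packet
	// sliding window so reordered packets still pass; strict ordering keeps this short.
	seq := binary.BigEndian.Uint32(pkt[4:])
	if seq <= r.highest {
		return nil, errors.New("replayed or stale sequence number: packet dropped")
	}
	pt := make([]byte, len(pkt)-8-aes.BlockSize)
	cipher.NewCBCDecrypter(block, pkt[8:8+aes.BlockSize]).CryptBlocks(pt, pkt[8+aes.BlockSize:])
	n := int(pt[len(pt)-2]) // pad length from the trailer
	if n+2 > len(pt) {
		return nil, errors.New("bad ESP trailer")
	}
	r.highest = seq // advance only after every check has passed
	return pt[:len(pt)-2-n], nil
}

// TamperDemo: an on-path attacker flips bits in the transmitted IV; CBC decryption flips
// the same bits in the first plaintext block, so "amount=100" arrives as "amount=900".
func TamperDemo(auth bool) (string, error) {
	s, r := &Sender{spi: 0x1000, auth: auth}, &Receiver{spi: 0x1000, auth: auth}
	pkt := s.Protect([]byte("amount=100"))
	pkt[8+7] ^= '1' ^ '9' // IV byte 7 lines up with payload byte 7, the digit '1'
	out, err := r.Unprotect(pkt)
	return string(out), err
}

func main() {
	fmt.Println(TamperDemo(false)) // encryption only: "amount=900" accepted, error nil
	fmt.Println(TamperDemo(true))  // with an ICV: integrity check failed, nothing delivered
}
```

Running the program shows the two outcomes side by side: with auth=false the receiver hands the altered amount to the application and reports no error, which is exactly the condition the note above describes; with auth=true the packet is dropped before any of it is trusted. Two caveats follow from the code. First, without an ICV the sequence-number check is itself unprotected, because an attacker who can rewrite the IV can rewrite the sequence number field just as easily, so replay protection also depends on integrity protection. Second, the receiver here demands strictly increasing sequence numbers; real ESP implementations keep a 64-packet sliding window so that packets reordered in transit are still accepted, and they update that window only after the ICV verifies, for the same reason this code advances highest only at the end.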
The Internet Engineering Task Force (IETF) formally defined IPSec in Request
for Comment (RFC) 2401, Security Architecture for the Internet Protocol; that
document has since been obsoleted by RFC 4301, which describes the current
architecture. You can view these RFCs on the Internet at the following Web site: http://www.rfc-editor.org.
The principal IPSec protocols are listed below: