IP Security (IPSec) protocols

IPSec provides a stable, long lasting base for providing network layer security.

IPSec supports all of the cryptographic algorithms in use today, and can also accommodate newer, more powerful algorithms as they become available. IPSec protocols address these major security issues:

Data origin authentication
Verifies that each datagram was originated by the claimed sender.
Data integrity
Verifies that the contents of a datagram were not changed in transit, either deliberately or due to random errors.
Data confidentiality
Conceals the content of a message, typically by using encryption.
Replay protection
Ensures that an attacker cannot intercept a datagram and play it back at some later time.
Automated management of cryptographic keys and security associations
Ensures that your VPN policy can be used throughout the extended network with little or no manual configuration.

VPN uses two IPSec protocols to protect data as it flows through the VPN: Authentication Header (AH) and Encapsulating Security Payload (ESP). The other part of IPSec enablement is the Internet Key Exchange (IKE) protocol, or key management. While IPSec encrypts your data, IKE supports automated negotiation of security associations (SAs), and automated generation and refreshing of cryptographic keys.

Start of change
Note: Some VPN configurations could have a security vulnerability depending on how IPSec is configured. The vulnerability affects configurations where IPsec is configured to employ Encapsulating Security Payload (ESP) in tunnel mode with confidentiality (encryption), but without integrity protection (authentication) or Authentication Header (AH). The default configuration when ESP is selected always includes an authentication algorithm that provides integrity protection. Therefore, unless the authentication algorithm in the ESP transform is removed, VPN configurations will be protected from this vulnerability. The IBM® Universal Connection VPN configuration is not affected by this vulnerability.
To check if your system is affected by this security vulnerability follow these steps:
  1. In iSeries™ Navigator, expand your server > Network > IP Policies > Virtual Private Networking > IP Security Policies > Data Policies .
  2. Right-click on the data policy you want to check and select Properties.
  3. Click on the Proposals tab.
  4. Select any of the data protection proposals that are using the ESP protocol and click Edit.
  5. Click on the Transforms tab.
  6. Select any transforms from the list that use the ESP protocol and click Edit.
  7. Verify that the Authentication algorithm has any other value then None.
End of change

The Internet Engineering Task Force (IETF) formally defines IPSec in Request for Comment (RFC) 2401, Security Architecture for the Internet Protocol. You can view this RFC on the Internet at the following Web site: http://www.rfc-editor.org.

The principal IPSec protocols are listed below:

Related concepts
Key management
Related information
http://www.rfc-editor.org