JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Securing the Network in Oracle Solaris 11.1     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

1.  Using Link Protection in Virtualized Environments

2.  Tuning Your Network (Tasks)

3.  Web Servers and the Secure Sockets Layer Protocol

4.  IP Filter in Oracle Solaris (Overview)

5.  IP Filter (Tasks)

6.  IP Security Architecture (Overview)

Introduction to IPsec

IPsec RFCs

IPsec Terminology

IPsec Packet Flow

IPsec Security Associations

Key Management in IPsec

IPsec Protection Mechanisms

Authentication Header

Encapsulating Security Payload

Security Considerations When Using AH and ESP

Authentication and Encryption Algorithms in IPsec

Authentication Algorithms in IPsec

Encryption Algorithms in IPsec

IPsec Protection Policies

Transport and Tunnel Modes in IPsec

Virtual Private Networks and IPsec

IPsec and NAT Traversal

IPsec and SCTP

IPsec and Oracle Solaris Zones

IPsec and Logical Domains

IPsec Utilities and Files

7.  Configuring IPsec (Tasks)

8.  IP Security Architecture (Reference)

9.  Internet Key Exchange (Overview)

10.  Configuring IKE (Tasks)

11.  Internet Key Exchange (Reference)

Glossary

Index

Introduction to IPsec

IPsec protects IP packets by authenticating the packets, by encrypting the packets, or by doing both. IPsec is performed inside the IP module. Therefore, an Internet application can take advantage of IPsec while not having to configure itself to use IPsec. When used properly, IPsec is an effective tool in securing network traffic.

IPsec protection involves the following main components:

IPsec applies the security mechanisms to IP datagrams that travel to the IP destination address. The receiver uses information in its SADB to verify that the arriving packets are legitimate and to decrypt them. Applications can invoke IPsec to apply security mechanisms to IP datagrams on a per-socket level as well.

If a socket on a port is connected, and IPsec policy is later applied to that port, then traffic that uses that socket is not protected by IPsec. Of course, a socket that is opened on a port after IPsec policy is applied to the port is protected by IPsec policy.

IPsec RFCs

The Internet Engineering Task Force (IETF) has published a number of Requests for Comment (RFCs) that describe the security architecture for the IP layer. All RFCs are copyrighted by the Internet Society. For a link to the RFCs, see http://www.ietf.org/. The following list of RFCs covers the more general IP security references:

IPsec Terminology

The IPsec RFCs define a number of terms that are useful to recognize when implementing IPsec on your systems. The following table lists IPsec terms, provides their commonly used acronyms, and defines each term. For a list of terminology used in key negotiation, see Table 9-1.

Table 6-1 IPsec Terms, Acronyms, and Uses

IPsec Term
Acronym
Definition
Security association
SA
The cryptographic parameters and the IP security protocol that are applied to a specific flow of network traffic. The SA is defined by a triplet: a security protocol, a unique security parameter index (SPI), and an IP destination.
Security associations database
SADB
Database that contains all active security associations.
Security parameter index
SPI
The indexing value for a security association. An SPI is a 32-bit value that distinguishes among SAs that have the same IP destination and security protocol.
Security policy database
SPD
Database that determines if outbound packets and inbound packets have the specified level of protection.
Key exchange
The process of generating keys by using asymmetric cryptographic algorithms. The two main methods are RSA and Diffie-Hellman.
Diffie-Hellman
DH
A key exchange algorithm that allows key generation and key authentication. Often called authenticated key exchange.
RSA
RSA
A key exchange algorithm that allows key generation and key distribution. The protocol is named for its three creators, Rivest, Shamir, and Adleman.
Internet Security Association and Key Management Protocol
ISAKMP
The common framework for establishing the format of SA attributes, and for negotiating, modifying, and deleting SAs. ISAKMP is the IETF standard for handling an IKE exchange.