IP Security Features

AIX Version 4.3 System Management Guide: Communications and Networks

IP Security Features

The IP Security feature of AIX provides the following functions:

Dual IP stack support (IP versions 4 and 6)
Encapsulation and filtering of traffic (IP versions 4 and 6). (Because the IP stacks are separate, the IP Security function for each stack can be configured independently.)
Automatic key refreshment provided by using IBM tunnels.
IBM tunnels can be used between two AIX hosts running AIX 4.3, or between an AIX 4.3 host and a host running IBM Secure Network Gateway 2.2 or IBM Firewall 3.1.
Manual tunnels can be configured to provide interoperability with other systems that do not support the IBM Tunnel key refreshment method.

Extended cryptographic support.

Several Transforms and Cryptographic Algorithms are supported to maximize interoperability and provide varying levels of security (see table).

Two header formats are supported, the current RFC formats for the Authentication Header (AH) and the Encapsulating Security Payload (ESP) header (RFC 1826 for AH and RFC 1829 for ESP) as well as new header formats for 96 bit HMAC formats for AH and the combined ESP with Authentication for ESP that currently exist as IETF drafts.

In addition, new authentication transforms HMAC MD5 and HMAC SHA1 are supported, as well as the combined transforms DES CBC MD5, DES CBC SHA1, Triple DES MD5, and Triple DES SHA1.

Algorithm	AH for IBM Tunnels (IP V4)	ESP for IBM Tunnels (IP V4 & 6)	AH for Manual Tunnels (IP V4 & 6)	ESP for Manual Tunnels (IP V4 & 6)	RFC 1826 and 1829 for Header (old format)	1997 Draft Format for Header (new format)
Supported Header Formats and Algorithms
Keyed MD5	X		V4		X
HMAC MD5			X			X
HMAC SHA1			X			X
DES CBC 8		X		X	X	X
DES CBC 4		X		V4	X
CDMF		X		X	X	X
Triple DES				X		X
DES CBC MD5				X		X
DES CBC SHA1				X		X
Triple DES MD5				X		X
Triple DES SHA1				X		X
Replay Protection			X	X		X

Use of Tunnel mode and Transport mode.
In Tunnel mode, the entire IP packet is encapsulated. In transport mode, the IP header is unaltered, allowing for faster processing of packets within a trusted network.
Filtering of secure and non-secure traffic by a variety of IP characteristics such as source and destination IP addresses, interface, protocol, port numbers, etc.
Basic Configuration that simplifies the configuration of individual tunnels by automatically generating the filter rules that apply to that tunnel. In addition, when defining tunnels, only a minimum number of parameters are required and the remaining can be autogenerated or imported into the system.
Use of hostnames for the destination address when defining tunnels and filter rules. The hostnames will be converted to IP addresses automatically (as long as DNS is available).
Logging of IP Security events to syslog.
Extensive use of system traces and statistics for problem determination.
User defined default action allows the user to specify whether traffic that does not match defined tunnels should be allowed or denied.