The IP Security feature of AIX provides the following functions:
IBM tunnels can be used between two AIX hosts running AIX 4.3, or between an AIX 4.3 host and a host running IBM Secure Network Gateway 2.2 or IBM Firewall 3.1.
Several transforms and cryptographic algorithms are supported to maximize interoperability and provide varying levels of security (see the table below).
Two header formats are supported: the current RFC formats for the Authentication Header (AH, RFC 1826) and the Encapsulating Security Payload (ESP, RFC 1829), and the new header formats, which currently exist as IETF drafts, that add 96-bit HMAC authentication for AH and combined ESP with authentication for ESP.
In addition, the new authentication transforms HMAC MD5 and HMAC SHA1 are supported, as well as the combined transforms DES CBC MD5, DES CBC SHA1, Triple DES MD5, and Triple DES SHA1.
Supported Header Formats and Algorithms

Algorithm | AH for IBM Tunnels (IP V4) | ESP for IBM Tunnels (IP V4 & 6) | AH for Manual Tunnels (IP V4 & 6) | ESP for Manual Tunnels (IP V4 & 6) | RFC 1826 and 1829 for Header (old format) | 1997 Draft Format for Header (new format)
---|---|---|---|---|---|---
Keyed MD5 | X | V4 | X | | |
HMAC MD5 | X | X | | | |
HMAC SHA1 | X | X | | | |
DES CBC 8 | X | X | X | X | |
DES CBC 4 | X | V4 | X | | |
CDMF | X | X | X | X | |
Triple DES | X | X | | | |
DES CBC MD5 | X | X | | | |
DES CBC SHA1 | X | X | | | |
Triple DES MD5 | X | X | | | |
Triple DES SHA1 | X | X | | | |
Replay Protection | X | X | X | | |
In tunnel mode, the entire IP packet is encapsulated. In transport mode, the IP header is left unaltered, which allows faster processing of packets within a trusted network.
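As an added example, not taken from the AIX documentation or AIX itself, the following Python builds and verifies a new-format AH that carries a sequence number and a 96-bit HMAC-MD5 ICV, together with a sliding anti-replay window, to illustrate the 96-bit HMAC header format and the Replay Protection row in the table above. It assumes the draft layout as later standardized in RFC 2402 (AH) and RFC 2403 (HMAC-MD5-96), a constructed key, and an IP header whose mutable fields the caller has already zeroed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12    # HMAC-MD5-96: the 16-byte MD5 MAC is truncated to 96 bits
AH_FIXED = 12   # next header(1) + payload len(1) + reserved(2) + SPI(4) + seq(4)

def build_ah(next_header, spi, seq, ip_hdr, payload, key):
    """Return a new-format AH (sequence number + 96-bit ICV) for one packet.
    ip_hdr must already have its mutable fields (TTL, checksum, ...) zeroed:
    the ICV covers the IP header, the AH itself (ICV zeroed) and the payload."""
    payload_len = (AH_FIXED + ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2 -> 4
    fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    mac = hmac.new(key, ip_hdr + fixed + bytes(ICV_LEN) + payload, hashlib.md5).digest()
    return fixed + mac[:ICV_LEN]

class ReplayWindow:
    """Sliding anti-replay window over AH sequence numbers (32 is the RFC 2402 minimum)."""
    def __init__(self, size=32):
        self.size, self.last, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False                      # the first packet on an SA is number 1
        if seq > self.last:                   # new high-water mark: slide the window
            self.bitmap = (self.bitmap << (seq - self.last)) | 1
            self.bitmap &= (1 << self.size) - 1
            self.last = seq
            return True
        back = self.last - seq                # bit 0 is self.last, bit n is self.last - n
        if back >= self.size or self.bitmap & (1 << back):
            return False                      # too old for the window, or already seen
        self.bitmap |= 1 << back
        return True

def verify_ah(ip_hdr, ah_and_payload, key, window):
    """Check the 96-bit ICV, then the sequence number; return False on any failure."""
    next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", ah_and_payload[:AH_FIXED])
    ah_len = (payload_len + 2) * 4            # inverse of the Payload Length encoding
    ah, payload = ah_and_payload[:ah_len], ah_and_payload[ah_len:]
    icv = ah[AH_FIXED:]
    covered = ip_hdr + ah[:AH_FIXED] + bytes(len(icv)) + payload
    expected = hmac.new(key, covered, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False                          # forged or modified packet
    return window.accept(seq)                 # only authenticated packets move the window
```

A valid packet replayed with the same sequence number carries a correct ICV but is still rejected by the window, which is the property the old RFC 1826 format (no sequence number) cannot provide.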