HP-UX IPSec version A.01.06 Administrator's Guide: HP-UX 11i Version 2 > Appendix A Product Specifications

Product Restrictions

HP-UX IPSec product restrictions are described below:

  • HP-UX IPSec systems cannot act as IP or IPSec gateways (when HP-UX IPSec is running, the system will not forward IP or IPSec packets).

  • HP-UX IPSec does not support security for multiple destination addresses (i.e. broadcast, subnet broadcast, multicast, and anycast addresses).

  • You cannot selectively encrypt or authenticate services that use dynamic ports, such as NFS (Network File System) mountd, NFS lockd, and NIS (Network Information Service).

  • Manual keying is not supported; it is provided for diagnostic purposes only, as a contributed tool under:

    /usr/contrib/bin/ipsec_diag

  • HP-UX IPSec supports Perfect Forward Secrecy (PFS) for keys and identities (the IKE daemon can be configured to create a new ISAKMP/MM SA for each IPSec/QM negotiation). HP-UX IPSec does not support PFS for keys only (the IKE daemon would use the ISAKMP/MM SA for multiple IPSec/QM negotiations and perform a Diffie-Hellman key exchange for each IPSec/QM negotiation).

  • If an HP-UX IPSec system crashes and the system had previously established ISAKMP SA(s) with peer IPSec system(s), the peer IPSec system(s) will not be able to use any existing ISAKMP and IPSec SAs to initiate communication with the rebooted IPSec system.

    If the IPSec SA(s) are configured to be “Shared” (host-based), the peer system will not be able to initiate any communication with the rebooted system that would use the same IPSec SAs until the existing IPSec SAs expire.

    If the IPSec SA(s) are configured to be “Exclusive” (session-based), then until the ISAKMP SA expires, the peer system will be able to initiate IPSec encrypted or authenticated communication with the rebooted system only if the ISAKMP SA(s) are configured to use PFS (Perfect Forward Secrecy).

ISAKMP Limitations

ISAKMP limitations and constraints are described below:

  • For Main Mode (MM) and Quick Mode (QM) transaction exchanges, a single transaction request will time out after 25 seconds (5 attempts at 5-second intervals), which in turn times out or terminates the transaction negotiation.

    Timeouts usually occur during heavy network traffic congestion. It is the responsibility of the application to try to re-establish the connection after a connection establishment failure.

  • Secondary IP addresses configured for a single interface card require that you configure a route to each peer IPSec system where the secondary IP address is specified as the gateway to the remote system.

    For example: if Node A has IP address 15.1.1.1 and Node B has IP addresses 16.2.2.2 (address for the primary interface, lanx:0, such as lan0:0) and 16.3.3.3 (address for the secondary interface, lan0:1), the network administrator must add the following host route on Node B:

    route add host     15.1.1.1    16.3.3.3

  • The current product supports the PFS of both IPSec SA keys and the identity of the ISAKMP negotiating peers. The current product does not support the PFS for only the IPSec keys.

  • For IPv6 systems, the only type of ISAKMP authentication supported is preshared keys.

  • When using certificate-based ISAKMP authentication (RSA signatures), HP-UX IPSec checks that the identity sent by the other node in the Main Mode (MM) negotiation matches information in the other node’s certificate. HP-UX IPSec always sends its local IP address as its identity in MM exchanges. HP-UX IPSec accepts the following identification types from nodes it communicates with:

    • IPv4 address (ID_IPV4_ADDR)

    • Fully Qualified Domain Name (ID_FQDN)

    • User-Fully Qualified Domain Name (ID_USER_FQDN)

    • X.509 Subject Distinguished Name (DN, ID_DER_ASN1_DN)

IPv4 ICMP Messages

Discarding IPv4 ICMP messages (Internet Control Message Protocol messages, IP protocol value 1), or requiring them to be encrypted or authenticated, may cause connectivity problems. Normal network operation may require IP to exchange ICMP messages between end hosts and between an end host and an IP gateway (including router devices). IP may need to exchange ICMP packets with gateway nodes even though no user (end-to-end) services are in use with those gateways.

Be careful when configuring the default IPSec policy or IPSec policies that affect entire subnets, because you may inadvertently cause ICMP messages to be discarded. You may also inadvertently require ICMP messages being transmitted or received from a non-IPSec gateway or router to be authenticated or encrypted, which will also cause ICMP packets to be discarded.

IP uses ICMP messages to transmit error and control information, such as in the following situations:

  • IP may periodically send ICMP Echo messages to gateways to determine if the gateway is up (“Gateway Probes”). If no response is received, the gateway is marked “Dead” in the IP routing table.

    This feature is controlled by the IP kernel parameter ip_ire_gw_probe. By default, this feature is enabled on all HP-UX systems. Refer to the ndd man page for information on checking or changing this parameter value.

  • IP may use ICMP Echo messages with the “Don’t Fragment” flag and ICMP Destination Unreachable messages with the “Fragmentation Needed” flag to set the Path Maximum Transmission Unit (Path MTU).

    This feature is controlled by the IP kernel parameter ip_pmtu_strategy. Refer to the ndd man page for information on checking or changing this parameter value.

  • IP may send ICMP Redirect messages to redirect traffic to a different gateway.

    The transmission of ICMP Redirect messages is controlled by the IP kernel parameter ip_send_redirects. By default, this feature is enabled on all HP-UX systems. Refer to the ndd man page for information on checking or changing this parameter value.

  • IP may send ICMP Source Quench messages to request the source system to decrease its transmission rate.

    The transmission of ICMP Source Quench messages is controlled by the IP kernel parameter ip_send_source_quench. By default, this feature is enabled on all HP-UX systems. Refer to the ndd man page for information on checking or changing this parameter value.
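The following added example (not part of the HP documentation or the HP-UX IPSec product) shows how an administrator could audit an IPSec policy against the four kernel features above: it maps each ndd parameter to the ICMPv4 message types that feature exchanges, then checks a simplified, constructed rule list (not ipsec_config syntax) for needed messages that a non-IPSec gateway could not exchange. It assumes that an ndd value of "0" disables a feature and any other value enables it, and that ip_pmtu_strategy is enabled in the sample.

```python
from dataclasses import dataclass
from typing import Optional

ICMP = 1  # IP protocol number for ICMPv4
# ICMPv4 message types (RFC 792) behind the IP features named on this page.
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT, ECHO_REQUEST = 0, 3, 4, 5, 8

# ndd parameter -> ICMP types that must pass in clear text to non-IPSec gateways
# while the feature is on. Assumption: "0" disables a feature, anything else
# enables it (the page does not give the value semantics).
FEATURE_ICMP = {
    "ip_ire_gw_probe": {ECHO_REQUEST, ECHO_REPLY},                 # gateway probes
    "ip_pmtu_strategy": {ECHO_REQUEST, ECHO_REPLY, DEST_UNREACH},  # Path MTU
    "ip_send_redirects": {REDIRECT},
    "ip_send_source_quench": {SOURCE_QUENCH},
}

@dataclass
class Rule:
    """Simplified, constructed policy entry; the first matching rule wins."""
    remote: str               # peer address, or "any" for the default policy
    protocol: Optional[int]   # IP protocol number, None matches any protocol
    icmp_type: Optional[int]  # ICMP type, None matches any type
    action: str               # "pass", "discard" or "secure" (AH/ESP required)

def required_icmp_types(ndd_values):
    """Union of ICMP types needed by every enabled feature (ndd -get values)."""
    return set().union(*(t for p, t in FEATURE_ICMP.items()
                         if ndd_values.get(p, "0").strip() != "0"))

def audit(rules, ndd_values, plain_gateways):
    """Return (gateway, icmp_type, action) for every needed ICMP message that a
    gateway without IPSec could not exchange under the policy."""
    findings = []
    for gw in plain_gateways:
        for t in sorted(required_icmp_types(ndd_values)):
            hit = next((r for r in rules if r.remote in ("any", gw)
                        and r.protocol in (None, ICMP)
                        and r.icmp_type in (None, t)), None)
            if hit is not None and hit.action != "pass":
                findings.append((gw, t, hit.action))
    return findings

# Constructed sample: the page's defaults (ip_pmtu_strategy assumed enabled),
# pass rules for Echo only, and a default policy that secures everything else.
SAMPLE_NDD = {"ip_ire_gw_probe": "1", "ip_pmtu_strategy": "1",
              "ip_send_redirects": "1", "ip_send_source_quench": "1"}
SAMPLE_RULES = [Rule("any", ICMP, ECHO_REQUEST, "pass"),
                Rule("any", ICMP, ECHO_REPLY, "pass"),
                Rule("any", None, None, "secure")]
```

Running audit(SAMPLE_RULES, SAMPLE_NDD, ["192.0.2.1"]) reports that Destination Unreachable, Source Quench and Redirect to that gateway would be caught by the "secure" default policy even though Echo is passed, which is exactly the inadvertent case the text warns about.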

IPv6 ICMP Messages

To ensure proper operation of IPv6 networks, HP-UX IPSec always allows the following ICMPv6 messages to pass in clear text:

  • Router Solicitation

  • Router Advertisement

  • Neighbor Solicitation

  • Neighbor Advertisement

  • Redirect

  • Destination Unreachable

  • Packet Too Big

  • Time Exceeded

  • Parameter Problem

  • Router Renumbering

You can configure HP-UX IPSec policies to authenticate, encrypt, pass, or discard the following ICMPv6 messages:

  • Echo Request

  • Echo Reply

© 2003 Hewlett-Packard Development Company, L.P.