HP-UX IPSec version A.02.00 Administrator's Guide: HP-UX 11i version 1 and HP-UX 11i version 2 > Appendix A Product Specifications

Product Restrictions
HP-UX IPSec product restrictions are described below:

  • HP-UX IPSec systems cannot act as IP or IPSec gateways unless the local system is an HP-UX Mobile IPv6 Home Agent forwarding Mobile IPv6 packets to Mobile Node clients.

  • You cannot use an end-to-end or transport transform in a host-to-host tunnel topology. The action for the host policy in a host-to-host topology must be PASS.

  • HP-UX IPSec does not support security for multiple-destination addresses (i.e., broadcast, subnet broadcast, multicast, and anycast addresses).

  • You cannot selectively encrypt or authenticate services that use dynamic ports, such as NFS (Network File System) mountd, NFS lockd, and NIS (Network Information Service).

  • HP-UX IPSec supports Perfect Forward Secrecy (PFS) for keys and identities (the IKE daemon can be configured to create a new ISAKMP/MM SA for each IPSec/QM negotiation). HP-UX IPSec does not support PFS for keys only (the IKE daemon would use the ISAKMP/MM SA for multiple IPSec/QM negotiations and perform a Diffie-Hellman key exchange for each IPSec/QM negotiation).

  • If an HP-UX IPSec system crashes and the system had previously established ISAKMP SA(s) with peer IPSec system(s), the peer IPSec system(s) will not be able to use any existing ISAKMP and IPSec SAs to initiate communication with the rebooted IPSec system.

    If the IPSec SA(s) are configured to be “Shared” (host-based), the peer system will not be able to initiate any communication with the rebooted system that would use the same IPSec SAs until the existing IPSec SAs expire.

    If the IPSec SA(s) are configured to be “Exclusive” (session-based), then the peer system will be able to initiate IPSec encrypted or authenticated communication with the rebooted system before the ISAKMP SA expires only if the ISAKMP SA(s) are configured to use PFS (Perfect Forward Secrecy).

ISAKMP Limitations

ISAKMP limitations and constraints are described below:

  • For Main Mode (MM) and Quick Mode (QM) transaction exchanges, a single transaction request will time out after 25 seconds (5 attempts at 5-second intervals), which in turn times out or terminates the transaction negotiation.

    Timeouts usually occur during heavy network traffic congestion. It is the responsibility of the application to try to re-establish the connection after a connection establishment failure.

  • The current product supports PFS for both the IPSec SA keys and the identities of the ISAKMP negotiating peers. The current product does not support PFS for only the IPSec keys.

  • For IPv6 systems, the only type of ISAKMP authentication supported is preshared keys.

  • When using certificate-based ISAKMP authentication (RSA signatures), HP-UX IPSec checks that the identity sent by the other node in the Main Mode (MM) negotiation matches information in the other node’s certificate. In MM exchanges, HP-UX IPSec always sends its local IP address as the ID value and the appropriate IP address type (IPv4 or IPv6) as the ID type in the ISAKMP ID payload. HP-UX IPSec accepts the following ID types from nodes it communicates with:

    • IPv4 address (ID_IPV4_ADDR)

    • Fully Qualified Domain Name (ID_FQDN)

    • User-Fully Qualified Domain Name (ID_USER_FQDN)

    • X.509 Subject Distinguished Name (DN, ID_DER_ASN1_DN)

IPv4 ICMP Messages

Discarding IPv4 ICMP messages (Internet Control Message Protocol messages, IP protocol value 1), or requiring them to be encrypted or authenticated, may cause connectivity problems. Normal network operation may require IP to exchange ICMP messages between end hosts and between an end host and an IP gateway (including router devices). IP may need to exchange ICMP packets with gateway nodes even when no user (end-to-end) services are in use with those gateways.

Be careful when configuring the default IPSec policy or IPSec policies that affect entire subnets, because you may inadvertently cause ICMP messages to be discarded. You may also inadvertently require ICMP messages transmitted to or received from a non-IPSec gateway or router to be authenticated or encrypted, which will likewise cause those ICMP packets to be discarded.

IP uses ICMP messages to transmit error and control information, such as in the following situations:

  • IP may periodically send ICMP Echo messages to gateways to determine if the gateway is up (“Gateway Probes”). If no response is received, the gateway is marked “Dead” in the IP routing table.

    This feature is controlled by the IP kernel parameter ip_ire_gw_probe. By default, this feature is enabled on all HP-UX systems. Refer to the ndd(1M) manpage for information on checking or changing this parameter value.

  • IP may use ICMP Echo messages with the “Don’t Fragment” flag and ICMP Destination Unreachable messages with the “Fragmentation Needed” flag to set the Path Maximum Transmission Unit (Path MTU).

    This feature is controlled by the IP kernel parameter ip_pmtu_strategy. Refer to the ndd(1M) manpage for information on checking or changing this parameter value.

  • IP may send ICMP Redirect messages to redirect traffic to a different gateway.

    The transmission of ICMP Redirect messages is controlled by the IP kernel parameter ip_send_redirects. By default, this feature is enabled on all HP-UX systems. Refer to the ndd(1M) manpage for information on checking or changing this parameter value.

  • IP may send ICMP Source Quench messages to request the source system to decrease its transmission rate.

    The transmission of ICMP Source Quench messages is controlled by the IP kernel parameter ip_send_source_quench. By default, this feature is enabled on all HP-UX systems. Refer to the ndd(1M) manpage for information on checking or changing this parameter value.
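The following POSIX shell script is an added example, not part of the HP-UX IPSec guide or the product. It audits the four ndd(1M) IP parameters named above and reports, for each one that is enabled, the ICMP traffic that IP depends on, so an administrator can review that list before applying an IPSec policy that discards ICMP or forces it through IPSec. It assumes that `ndd -get /dev/ip <parameter>` prints the integer value and that any nonzero value means the feature is on; the sample `ndd` output embedded in the script is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the HP-UX IPSec guide): audit the ndd(1M) IP parameters
# the guide lists and show which ICMP message types each enabled one relies on.
# Assumptions: `ndd -get /dev/ip <param>` prints an integer; nonzero means enabled.

ICMP_PARAMS="ip_ire_gw_probe ip_pmtu_strategy ip_send_redirects ip_send_source_quench"

# Read the live values on an HP-UX system (ndd needs root). Output: "param value" lines.
read_live_params() {
    for p in $ICMP_PARAMS; do
        printf '%s %s\n' "$p" "$(ndd -get /dev/ip "$p")"
    done
}

# Map a parameter to the ICMP traffic it depends on (taken from the guide's list).
# Returns 1 for parameters the audit does not know about.
icmp_dependency() {
    case "$1" in
        ip_ire_gw_probe)       echo "ICMP Echo Request/Reply to every gateway (gateway probes)" ;;
        ip_pmtu_strategy)      echo "ICMP Echo with DF set and Destination Unreachable/Fragmentation Needed (Path MTU)" ;;
        ip_send_redirects)     echo "outbound ICMP Redirect" ;;
        ip_send_source_quench) echo "outbound ICMP Source Quench" ;;
        *)                     return 1 ;;
    esac
}

# Consume "param value" lines on stdin and print one line per enabled parameter.
# Exit status 0: nothing depends on ICMP; 1: at least one enabled feature does,
# so a policy rollout script can stop and ask for review.
audit_icmp_params() {
    found=0
    while read -r param value; do
        dep=$(icmp_dependency "$param") || continue      # skip unknown or blank lines
        if [ "$value" -ne 0 ] 2>/dev/null; then          # non-numeric values count as off
            printf '%s=%s requires: %s\n' "$param" "$value" "$dep"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample of ndd output (not from a real host) so the audit runs anywhere.
# On an HP-UX host run:  sh audit_icmp.sh --live
SAMPLE_NDD_OUTPUT='ip_ire_gw_probe 1
ip_pmtu_strategy 2
ip_send_redirects 1
ip_send_source_quench 0'

if [ "${1-}" = "--live" ]; then
    if read_live_params | audit_icmp_params; then
        echo "No enabled IP feature depends on ICMP."
    else
        echo "Review IPSec policies: the features above need ICMP to pass." >&2
    fi
else
    if printf '%s\n' "$SAMPLE_NDD_OUTPUT" | audit_icmp_params; then
        echo "No enabled IP feature depends on ICMP."
    else
        echo "Review IPSec policies: the features above need ICMP to pass." >&2
    fi
fi
```

With the constructed sample, three parameters are reported (gateway probes, Path MTU discovery and redirects) and the audit exits nonzero; with every parameter set to 0 it prints nothing and exits 0. Because `ip_pmtu_strategy` has several nonzero modes, the script treats all of them as enabled rather than guessing which modes send probes; consult ndd(1M) for the exact meaning of each value.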

IPv6 ICMP Messages

To ensure proper operation of IPv6 networks, HP-UX IPSec always allows the following ICMPv6 messages to pass in clear text:

  • Router Solicitation

  • Router Advertisement

  • Neighbor Solicitation

  • Neighbor Advertisement

  • Redirect

  • Destination Unreachable

  • Packet Too Big

  • Time Exceeded

  • Parameter Problem

  • Router Renumbering

You can configure HP-UX IPSec policies to authenticate, encrypt, pass, or discard the following ICMPv6 messages:

  • Echo Request

  • Echo Reply

  • Mobile Prefix Advertisement

  • Mobile Prefix Solicitation

© 2004 Hewlett-Packard Development Company, L.P.