Cisco MDS 9000 Series Configuration Manual page 190

Note
The term tunnel mode is different from the term tunnel, which is used to indicate a secure communication path between two peers, such as two switches connected by an FCIP link.

• Anti-replay—A security service where the receiver can reject old or duplicate packets to protect itself against replay attacks. IPsec provides this optional service by use of a sequence number combined with the use of data authentication.
• Data authentication—Data authentication can refer either to integrity alone or to both integrity and authentication (data origin authentication is dependent on data integrity).
  • Data integrity—Verifies that data has not been altered.
  • Data origin authentication—Verifies that the data was actually sent by the claimed sender.
• Data confidentiality—A security service where the protected data cannot be observed.
• Data flow—A grouping of traffic, identified by a combination of source address and mask or prefix, destination address mask or prefix length, IP next protocol field, and source and destination ports, where the protocol and port fields can have any of these values. Traffic matching a specific combination of these values is logically grouped together into a data flow. A data flow can represent a single TCP connection between two hosts, or it can represent traffic between two subnets. IPsec protection is applied to data flows.
• Perfect forward secrecy (PFS)—A cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.
• Security Policy Database (SPD)—An ordered list of policies applied to traffic. A policy decides if a packet requires IPsec processing, if it should be allowed in clear text, or if it should be dropped.
  • The IPsec SPDs are derived from user configuration of crypto maps.
  • The IKE SPD is configured by the user.

Supported IPsec Transforms and Algorithms
The component technologies implemented for IPsec include the following transforms:
• Advanced Encryption Standard (AES) is an encryption algorithm. It implements either 128 or 256 bits using Cipher Block Chaining (CBC) or counter mode.
• Data Encryption Standard (DES) is used to encrypt packet data and implements the mandatory 56-bit DES-CBC. CBC requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPsec packet.
• Triple DES (3DES) is a stronger form of DES with 168-bit encryption keys that allow sensitive information to be transmitted over untrusted networks.

Note
Cisco NX-OS images with strong encryption are subject to United States government export controls, and have a limited distribution. Images to be installed outside the United States require an export license. Customer orders might be denied or subject to delay due to United States government regulations. Contact your sales representative or distributor for more information, or send e-mail to export@cisco.com.

• Message Digest 5 (MD5) is a hash algorithm with the HMAC variant. HMAC is a keyed hash variant used to authenticate data.

Configuring IPSec Network Security
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
172
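The data flow and Security Policy Database entries above describe a selector match followed by an ordered policy lookup. The following added example (not Cisco NX-OS code, and not taken from this guide) models exactly that: a selector carries source and destination prefixes plus optional protocol and ports (None meaning "any"), and the SPD is an ordered list whose first matching policy decides protect, bypass (clear text) or discard. The subnets, the policy set, and the use of TCP port 3225 for FCIP are constructed sample values chosen for this illustration; the names `Selector`, `Policy` and `spd_lookup` are this example's own.

```python
"""Toy Security Policy Database (SPD) lookup over data-flow selectors.

Added example, not Cisco NX-OS code. Every address, prefix and policy
below is a constructed sample value.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTECT, BYPASS, DISCARD = "protect", "bypass", "discard"


@dataclass(frozen=True)
class Packet:
    """Just the fields a data-flow selector looks at."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int          # IP next-protocol number (6 = TCP, 1 = ICMP)
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Selector:
    """Data-flow selector; None for proto/ports means 'any'."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Prefix (mask) match on both addresses, then exact match on the
        # protocol and port fields unless they are wildcarded.
        if pkt.src not in self.src or pkt.dst not in self.dst:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str         # PROTECT, BYPASS or DISCARD


def spd_lookup(spd: List[Policy], pkt: Packet, default: str = DISCARD) -> str:
    """First matching policy wins: the SPD is an ORDERED list, so the
    sequence of entries (like crypto map sequence numbers) is part of
    the security decision. Anything unmatched falls to the default."""
    for pol in spd:
        if pol.selector.matches(pkt):
            return pol.action
    return default


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def addr(s: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(s)


# Constructed sample SPD: protect the FCIP flow between two switch subnets
# (TCP port 3225 assumed as the FCIP port), let ICMP between them pass in
# clear text, and drop everything else with an explicit catch-all.
SAMPLE_SPD = [
    Policy(Selector(net("10.1.0.0/24"), net("10.2.0.0/24"), proto=6, dport=3225), PROTECT),
    Policy(Selector(net("10.1.0.0/24"), net("10.2.0.0/24"), proto=1), BYPASS),
    Policy(Selector(net("0.0.0.0/0"), net("0.0.0.0/0")), DISCARD),
]


if __name__ == "__main__":
    fcip = Packet(addr("10.1.0.5"), addr("10.2.0.9"), 6, 40000, 3225)
    ping = Packet(addr("10.1.0.5"), addr("10.2.0.9"), 1)
    print("fcip:", spd_lookup(SAMPLE_SPD, fcip))
    print("ping:", spd_lookup(SAMPLE_SPD, ping))
    # Reversing the list puts the catch-all first and silently discards
    # the FCIP traffic: a reminder to check policy order, not just content.
    print("fcip, reversed SPD:", spd_lookup(list(reversed(SAMPLE_SPD)), fcip))
```

The reversed-order case in the usage block is the check worth keeping in mind when reviewing crypto map configuration: two SPDs with identical entries but different ordering yield different protect/bypass/discard decisions for the same flow.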
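The anti-replay and data authentication entries above say that replay protection relies on a sequence number combined with data authentication, and the transforms list names a keyed hash (HMAC) as the authentication mechanism. The following added example (not Cisco NX-OS code, and not from this guide) puts the two together on the receiver side: the packet's keyed-hash integrity check value (ICV) is verified first, so that only authenticated sequence numbers can move the replay window, and then a sliding bitmap window in the style of RFC 4303 rejects old or duplicate sequence numbers. The page lists HMAC-MD5 as the authentication transform; this example uses HMAC-SHA256 from the Python standard library, and the construction is the same apart from the digest. The key, the 64-packet window, the 96-bit ICV truncation and the packet layout are constructed assumptions for this illustration, and the names `make_packet` and `AntiReplayReceiver` are this example's own.

```python
"""Receiver-side data authentication plus anti-replay window.

Added example, not Cisco NX-OS code. Packet format (assumed for the
example): 4-byte big-endian sequence number || payload || 12-byte ICV,
where the ICV is a truncated HMAC over everything before it.
"""
import hashlib
import hmac
import struct

WINDOW = 64      # assumed window size; a real implementation picks its own
ICV_LEN = 12     # assumed 96-bit truncated ICV


def make_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: authenticate sequence number and payload together, so
    the receiver can trust the sequence number before using it."""
    body = struct.pack("!I", seq) + payload
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


class AntiReplayReceiver:
    def __init__(self, key: bytes, window: int = WINDOW):
        self.key = key
        self.window = window
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  <=>  sequence number (top - i) seen

    def receive(self, pkt: bytes) -> str:
        """Returns 'accept', 'bad-icv' or 'replay'."""
        if len(pkt) < 4 + ICV_LEN:
            return "bad-icv"
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        # Authentication comes first: a forged or altered packet must not be
        # able to advance the window and lock out legitimate traffic.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad-icv"
        seq = struct.unpack("!I", body[:4])[0]
        if seq == 0:
            return "replay"     # sequence number 0 is never accepted
        mask = (1 << self.window) - 1
        if seq > self.top:
            # New high-water mark: slide the window forward and mark seq.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.window:
            return "replay"     # older than the window: reject
        if self.bitmap & (1 << diff):
            return "replay"     # duplicate inside the window: reject
        self.bitmap |= 1 << diff  # late but unseen: accept and remember
        return "accept"


if __name__ == "__main__":
    key = b"constructed-sample-key"          # constructed, not a real key
    rx = AntiReplayReceiver(key)
    first = make_packet(key, 1, b"hello")
    print("seq 1:", rx.receive(first))        # accept
    print("seq 1 again:", rx.receive(first))  # replay (duplicate)
    print("seq 5:", rx.receive(make_packet(key, 5, b"x")))   # accept
    print("seq 3 late:", rx.receive(make_packet(key, 3, b"y")))  # accept
    tampered = bytearray(make_packet(key, 6, b"z"))
    tampered[4] ^= 0x01                       # flip one payload bit
    print("tampered:", rx.receive(bytes(tampered)))  # bad-icv, window unchanged
```

Note the ordering inside `receive`: the ICV check precedes any use of the sequence number. Checking the window first would let an unauthenticated packet with a very large sequence number push `top` forward and cause genuine packets to be classed as replays, which is why the glossary ties anti-replay to data authentication.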
