IP security features
The following are features of IP Security.
The following features are available with Internet Key Exchange for the AIX® operating system:
- Supports AES 128-bit, 192-bit, and 256-bit algorithms.
- Hardware acceleration with the 10/100 Mbps Ethernet PCI Adapter II.
- AH support by using RFC 2402, and ESP support by using RFC 2406.
- Manual tunnels can be configured to provide interoperability with other systems that do not support the automatic IKE key refreshment method, and for use of IP Version 6 tunnels.
- Tunnel mode and transport mode of encapsulation for host or gateway tunnels.
- Authentication algorithms of HMAC (Hashed Message Authentication Code) MD5 (Message Digest 5) and HMAC SHA (Secure Hash Algorithm).
- Encryption algorithms include 56-bit Data Encryption Standard (DES) Cipher Block Chaining (CBC) with 64-bit initial vector (IV), Triple DES, DES CBC 4 (32-bit IV), and AES CBC.
- Dual IP Stack Support (IP version 4 and IP version 6).
- Both IP Version 4 and IP Version 6 traffic can be encapsulated and filtered. Because the IP stacks are separate, the IP Security function for each stack can be configured independently.
- Filtering of secure and nonsecure traffic by various IP characteristics such as source and destination IP addresses, interface, protocol, port numbers, and more.
- Automatic filter-rule creation and deletion with most tunnel types.
- Use of host names for the destination address when you define tunnels and filter rules. The host names are converted to IP addresses automatically (when DNS is available).
- Logging of IP Security events to syslog.
- Use of system traces and statistics for problem determination.
- User-defined default action allows the user to specify whether traffic that does not match defined tunnels is allowed.
The following additional features are available with Internet Key Exchange for AIX 6.1 TL 05, or later:
- IPSec support by using RFC 4301, AH support by using RFC 4302, and ESP support by using RFC 4303.
- Authentication algorithms of Cipher-based Message Authentication Code (CMAC) AES XCBC.
- Encryption algorithms include AES 128-bit, 192-bit, 256-bit GCM (16-bit IV), AES-128-GMAC, AES-192-GMAC, and AES-256-GMAC.
- Port range support for filter rules.
- Extended Sequence Numbers.