Fabric OS Administrator’s Guide 165
53-1001763-02
Management interface security 7
Replay Protection — Prevents replay attack, a type of denial of service (DoS) attack where an
attacker intercepts a series of packets and resends them to cause the recipient to waste CPU
cycles processing them.
Automated Key Management—Automates the process, as well as manages the periodic
exchange and generation of new keys.
Using the ipsecConfig command, you must configure multiple security policies for traffic flows on
the Ethernet management interfaces based on IPv4 or IPv6 addresses, a range of IPv4 or IPv6
addresses, the type of application, port numbers, and port types used (UDP/TCP). You must specify
the transforms and processing choices for the traffic flow (drop, protect or bypass). Also, you must
select and configure the key management protocol using an automatic or manual key.
For more information on IPv4 and IPv6 addressing, refer to Chapter 2, “Performing Basic
Configuration Tasks”.

Configuration examples

Below are several examples of various configurations you can use to implement an IPsec tunnel
between two devices. You can configure other scenarios as nested combinations of these
configurations.

Endpoint-to-Endpoint Transport or Tunnel

In this scenario, both endpoints of the IP connection implement IPsec, as required of hosts in
RFC4301. The transport mode is commonly used with no inner IP header. If there is an inner IP
header, the inner addresses will be the same as the outer addresses. A single pair of addresses will
be negotiated for packets protected by this SA.
It is possible in this scenario that one or both of the protected endpoints will be behind a network
address translation (NAT) node, in which case the tunneled packets will have to be
UDP-encapsulated so that port numbers in the UDP headers can be used to identify individual
endpoints behind the NAT.
FIGURE 17 Protected endpoints configuration
A possible drawback of end-to-end security is that various applications that require the ability to
inspect or modify a transient packet will fail when end-to-end confidentiality is employed. Various
QoS solutions, traffic shaping, and firewalling applications will be unable to determine what type of
packet is being transmitted and will be unable to make the decisions that they are supposed to
make.