Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 29 IPsec and IKE
Configuring IPsec Network Security
Transform—A list of operations done on a data flow to provide data authentication, data confidentiality, and data compression. For example, one transform is the ESP protocol with the HMAC-MD5 authentication algorithm.
Session keys—A key used to encrypt and decrypt IP packets in a specified IKE session.
Lifetime—A lifetime counter (in seconds and bytes) is maintained from the time the SA is created. When the time limit expires, the SA is no longer operational and is automatically renegotiated (rekeyed).
Mode of operation—Two modes of operation are generally available for IPsec and IKE: tunnel mode and transport mode. The SAN-OS implementation of IPsec only supports tunnel mode. IPsec tunnel mode encrypts and authenticates the IP packet and adds an additional IP header between two hosts, a host and a gateway, or two gateways. The gateways encrypt traffic on behalf of the hosts and subnets. This mode implements secure internal, external, remote access, and other networks. The SAN-OS implementation of IPsec does not support transport mode.
Note The term tunnel mode is different from the term tunnel used to indicate a secure communication path between two peers, such as two switches connected by an FCIP link.
Anti-replay—A security service where the receiver can reject old or duplicate packets in order to protect itself against replay attacks. IPsec provides this optional service by using a sequence number combined with data authentication.
Data authentication—Data authentication can refer either to integrity alone or to both integrity and authentication (data origin authentication is dependent on data integrity).
Data integrity—Verifies that data has not been altered.
Data origin authentication—Verifies that the data was actually sent by the claimed sender.
Data confidentiality—A security service where the protected data cannot be observed.
Data flow—A grouping of traffic, identified by a combination of source address/mask, destination address/mask, IP next protocol field, and source and destination ports, where the protocol and port fields can have the value any. Traffic matching a specific combination of these values is logically grouped together into a data flow. A data flow can represent a single TCP connection between two hosts, or it can represent traffic between two subnets. IPsec protection is applied to data flows.
Perfect forward secrecy (PFS)—A cryptographic characteristic associated with a derived shared secret value. With PFS, if one key is compromised, previous and subsequent keys are not compromised, because subsequent keys are not derived from previous keys.
Security Policy Database (SPD)—An ordered list of policies applied to traffic. A policy decides if a packet requires IPsec processing, if it should be allowed in clear text, or if it should be dropped. IPsec SPDs are derived from the user configuration of crypto maps. IKE SPDs are configured by the user.
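To make the data flow and SPD definitions concrete, the following is an added example (not Cisco's or SAN-OS code) of an ordered policy lookup: packets are classified by source/destination address and mask, next protocol, and ports (with "any" as a wildcard), and the first matching policy decides whether the packet is protected, passed in clear text, or dropped. The addresses, ports and the default action are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

ANY = "any"   # wildcard for protocol and port fields, as in the data flow definition

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # IP next protocol, e.g. "tcp", "udp", "icmp"
    sport: Optional[int] = None   # None for protocols without ports
    dport: Optional[int] = None

@dataclass(frozen=True)
class Selector:
    """Data flow selector: address/mask, next protocol and ports; 'any' matches everything."""
    src: str = ANY
    dst: str = ANY
    proto: str = ANY
    sport: Union[int, str] = ANY
    dport: Union[int, str] = ANY

    def matches(self, p: Packet) -> bool:
        def in_net(cidr: str, addr: str) -> bool:
            return cidr == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)
        return (in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and self.proto in (ANY, p.proto)
                and self.sport in (ANY, p.sport)
                and self.dport in (ANY, p.dport))

@dataclass(frozen=True)
class Policy:
    selector: Selector
    action: str   # "protect" (apply IPsec), "bypass" (clear text) or "discard"

def spd_lookup(spd: list, p: Packet, default: str = "discard") -> str:
    """Ordered search: the first policy whose selector matches decides the packet's fate."""
    for pol in spd:
        if pol.selector.matches(p):
            return pol.action
    return default   # constructed default: unmatched traffic is dropped, not sent in clear text

# Constructed SPD: a single host-to-host TCP connection, then all traffic between two
# subnets, then an ICMP bypass that the subnet policy above shadows for 10.1.1.0/24 sources.
SPD = [
    Policy(Selector(src="10.1.1.10/32", dst="10.2.2.20/32", proto="tcp", dport=5000), "protect"),
    Policy(Selector(src="10.1.1.0/24", dst="10.2.2.0/24"), "protect"),
    Policy(Selector(dst="10.2.2.0/24", proto="icmp"), "bypass"),
]
```

Because the list is ordered, ICMP from 10.1.1.0/24 is protected by the subnet policy before the bypass entry is ever consulted, which is why policy order in an SPD matters as much as its contents.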

Supported IPsec Transforms

The component technologies implemented for IPsec include the following transforms:
Advanced Encryption Standard (AES) is an encryption algorithm. It uses either 128-bit or 256-bit keys in Cipher Block Chaining (CBC) or counter mode.