Internet Protocol Security (IPsec)

IPsec is a framework for securing network data at the IP layer. It is defined in many RFCs, most notably RFCs 4301 through 4309, with RFC 4301 defining the overall architecture. IPsec uses policies to define the security protection that is to be applied at the MCP-to-network boundary. Each policy assigns one of the three RFC 4301 actions to the traffic it matches: DISCARD (the traffic is dropped and never crosses the boundary), BYPASS (the traffic is allowed through without IPsec protection), or PROTECT (IPsec protection, AH or ESP, is applied before transmission). Refer to RFC 4302 (IP Authentication Header) and RFC 4303 (IP Encapsulating Security Payload) for details on the protection services.

The MCP implementation supports point-to-point policies for IPv6 traffic using manual keying; that is, each policy is defined between a specific pair of addresses, and wild cards are not allowed. Because the keys are configured manually, there is no automated key negotiation or rekeying: the same keys remain in use until an administrator changes them, so key rotation is an operational responsibility. The IPsec policies are created and managed through the Security Policy Management module of Security Center and are saved in the Security Center database. When IPsec is enabled, these policies are activated in the TCP/IP network provider.
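As an added example (not Security Center or TCP/IP network provider code), the following Python models the policy decision the two preceding paragraphs describe: exact-match point-to-point IPv6 selectors with no wild cards, the three RFC 4301 actions, and a fall-through to DISCARD for traffic that matches no policy. The policy rows, addresses (RFC 3849 documentation prefix) and SA names are constructed, and the validation rules are assumptions about what a policy loader should enforce, not Security Center's actual checks.

```python
"""
SPD lookup with the three RFC 4301 actions for point-to-point IPv6 policies.

Added illustration only: the policy rows, addresses, SA names and the
validation rules are constructed assumptions, not the MCP Security Center
schema or its TCP/IP network provider.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv6Address, ip_address
from typing import Optional


class Action(Enum):
    DISCARD = "DISCARD"   # drop: the traffic never crosses the boundary
    BYPASS = "BYPASS"     # forward as plaintext, no IPsec applied
    PROTECT = "PROTECT"   # apply AH/ESP using the SA the policy names


@dataclass(frozen=True)
class Policy:
    """Point-to-point selector: one local and one remote address, no wild cards."""
    local: IPv6Address
    remote: IPv6Address
    action: Action
    sa_name: Optional[str] = None   # required when action is PROTECT


def load_policies(rows):
    """Validate constructed (local, remote, action, sa_name) rows into Policies."""
    policies = []
    for local, remote, action, sa_name in rows:
        try:
            loc, rem = ip_address(local), ip_address(remote)   # rejects "*" and prefixes
        except ValueError:
            raise ValueError(f"selector must be a single address: {local} -> {remote}")
        if not (isinstance(loc, IPv6Address) and isinstance(rem, IPv6Address)):
            raise ValueError(f"only IPv6 point-to-point policies are supported: {local} -> {remote}")
        act = Action[action]
        if act is Action.PROTECT and not sa_name:
            raise ValueError(f"PROTECT policy {local} -> {remote} names no SA")
        policies.append(Policy(loc, rem, act, sa_name))
    return policies


def lookup(policies, local, remote):
    """Decide the outbound action for one datagram.

    RFC 4301 says every SPD should end with an entry that discards anything
    otherwise unmatched, so an unknown peer falls through to DISCARD, never
    to BYPASS.
    """
    loc, rem = ip_address(local), ip_address(remote)
    for p in policies:
        if p.local == loc and p.remote == rem:
            return p.action, p.sa_name
    return Action.DISCARD, None


# Constructed sample table using the RFC 3849 documentation prefix.
SAMPLE_ROWS = [
    ("2001:db8::10", "2001:db8::20", "PROTECT", "ESP-AES-SHA1-peer20"),
    ("2001:db8::10", "2001:db8::30", "BYPASS", None),
    ("2001:db8::10", "2001:db8::40", "DISCARD", None),
]
SAMPLE_POLICIES = load_policies(SAMPLE_ROWS)


def classify(local, remote):
    """Look up one flow in the sample table; returns (action name, SA name)."""
    action, sa = lookup(SAMPLE_POLICIES, local, remote)
    return action.value, sa


if __name__ == "__main__":
    for peer in ("2001:db8::20", "2001:db8::30", "2001:db8::40", "2001:db8::99"):
        print(peer, classify("2001:db8::10", peer))
```

The point of the explicit validation is that a wild card or prefix selector, or a PROTECT entry with no SA behind it, is rejected at load time rather than silently becoming a policy that matches nothing or protects nothing.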

Note: Some systems also support IPsec for IPv4 traffic.

IPsec uses the Authentication Header (AH) protocol to authenticate the data flowing over the connection (AH provides integrity and data-origin authentication, covering the payload and the non-mutable parts of the IP header, but no confidentiality) and the Encapsulating Security Payload (ESP) protocol to encrypt and, optionally, authenticate it. The MCP implementation supports AH (using the HMAC-SHA1-96 algorithm), ESP confidentiality (using the 3DES-CBC and AES-CBC algorithms), and ESP integrity (using the HMAC-SHA1-96 algorithm). When configuring ESP, pair the confidentiality service with the integrity service (or with AH): an encryption-only ESP security association does not detect modified ciphertext. Prefer AES-CBC over 3DES-CBC; 3DES has a 64-bit block size and is classed SHOULD NOT in the current IPsec algorithm requirements (RFC 8221).

Note: Some systems also support AES-CBC with 256-bit keys, HMAC-SHA-256, and HMAC-SHA-512.
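As an added example (not the MCP implementation or Security Center code), the following Python shows what the ESP integrity service with HMAC-SHA1-96 actually covers and what the "-96" means: the ICV is HMAC-SHA1 computed over the ESP header, payload and trailer, truncated to 96 bits, and the outer IP header is outside it. To run on the standard library alone it uses ESP's NULL encryption algorithm (RFC 2410), so the payload travels in the clear and only the integrity service is exercised; with AES-CBC the IV and ciphertext would occupy the payload field and the ICV would be computed the same way. The key, SPI, sequence numbers and payloads are constructed test values. The receiver follows the RFC 4303 inbound order (anti-replay window check, ICV check, then window update), which is why a forged packet cannot consume a sequence number.

```python
"""
ESP framing with the integrity service: HMAC-SHA1-96 ICV (RFC 4303, RFC 2404).

Added illustration, not the MCP implementation. Encryption is ESP-NULL
(RFC 2410) so the example runs on the standard library alone; the key, SPI,
sequence numbers and payloads are constructed test values.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12              # HMAC-SHA1-96: the 20-byte HMAC-SHA1 output truncated to 96 bits
IPV6_NO_NEXT_HEADER = 59  # Next Header value meaning "nothing follows this payload"


def esp_encapsulate(key, spi, seq, payload, next_header):
    """Build SPI | Seq | payload | padding | pad length | next header | ICV.

    The ICV covers everything before it, so the SPI, sequence number and
    trailer are authenticated; the outer IP header is not (that is AH's job).
    """
    # payload + padding + the 2 trailer bytes must end on a 4-byte boundary;
    # ESP-NULL imposes no cipher block size beyond that.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # RFC 4303 default padding content: 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


class EspReceiver:
    """Inbound processing for one SA: window check, ICV check, window update."""

    def __init__(self, key, spi, window=64):
        self.key = key
        self.spi = spi
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.seen = set()  # accepted numbers still inside the window

    def decapsulate(self, packet):
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("truncated ESP packet")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        # RFC 4303 3.4.3: reject replays before paying for the MAC, but only
        # advance the window after the ICV verifies, so a forgery carrying a
        # fresh sequence number cannot burn that number.
        if not self._in_window(seq):
            raise ValueError(f"replayed or stale sequence number {seq}")
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("ICV mismatch")
        self._accept(seq)
        pad_len, next_header = body[-2], body[-1]
        payload = body[8:len(body) - 2 - pad_len]
        return next_header, payload

    def _in_window(self, seq):
        # Sequence numbers start at 1; anything at or below highest - window is stale.
        return seq != 0 and seq not in self.seen and seq + self.window > self.highest

    def _accept(self, seq):
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s + self.window > self.highest}


def demo():
    """Round-trip two datagrams, then show tamper and replay rejection."""
    key = bytes(range(20))  # constructed 160-bit HMAC-SHA1 key
    spi = 0x1000
    rx = EspReceiver(key, spi)
    pkt1 = esp_encapsulate(key, spi, 1, b"hello over ESP-NULL", IPV6_NO_NEXT_HEADER)
    pkt2 = esp_encapsulate(key, spi, 2, b"second datagram", IPV6_NO_NEXT_HEADER)
    next_header, payload = rx.decapsulate(pkt1)
    forged = bytearray(pkt2)
    forged[8] ^= 0x01                 # flip one bit of the payload, keep the ICV
    tamper_rejected = _rejected(rx, bytes(forged))
    replay_rejected = _rejected(rx, pkt1)
    second_accepted = rx.decapsulate(pkt2)[1] == b"second datagram"
    return next_header, payload, tamper_rejected, replay_rejected, second_accepted


def _rejected(rx, packet):
    try:
        rx.decapsulate(packet)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

Two details carry over directly to a real deployment: the ICV comparison is constant-time, and a packet that fails the ICV leaves the anti-replay window untouched, so an attacker who can inject traffic cannot cause legitimate sequence numbers to be rejected later. With manual keying the sequence counter is never reset by a rekey, so the sender must not let it wrap; RFC 4303 treats an attempted wrap on an anti-replay SA as an auditable event requiring a new SA.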

For more information about IPsec, see Network Security and Cryptography Services.