System Management Guide: Communications and Networks

IP Security Features

The IP Security feature of AIX provides the following functions:

IKE Features

The following features are available with Internet Key Exchange (IKE) in AIX Version 4.3.2 and later:

Security Associations

The building block on which secure communication is built is a concept known as a security association. Security associations (SAs) relate a specific set of security parameters to a type of traffic. With IP Security-protected data, a separate SA exists for each direction and for each header type, AH or ESP. The information contained in the SA includes the IP addresses of the communicating parties, a unique identifier known as the Security Parameters Index (SPI), the algorithms selected for authentication, encryption, or both, the authentication and encryption keys, and the key lifetimes (see figure). The goal of key management is to negotiate and compute the SAs that protect IP traffic.

Tunnels and Key Management

To set up secure communication between two hosts, Security Associations must be negotiated and managed for as long as the tunnel is in use. Three types of tunnels are supported in AIX, and each uses a different key management technique. They are:

IKE Tunnel Support

IKE tunnels are based on the ISAKMP/Oakley standards developed by the IETF. With this protocol, security parameters are negotiated and refreshed, and keys are exchanged securely. Three types of authentication are described in the standards: preshared key, digital signature, and public key. AIX Version 4.3.3 currently implements preshared key.

The negotiation uses a two-phase approach. The first phase authenticates the communicating parties and specifies the algorithms to be used for communicating securely in phase 2. During phase 2, the IP Security parameters to be used during data transfer are negotiated, and security associations and keys are created and exchanged.

Algorithm    AH IP Version 4    ESP IP Version 4
HMAC MD5     X                  X
HMAC SHA1    X                  X
DES CBC 8                       X
3DES CBC                        X
ESP Null                        X
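As an added illustration of the SA description above and of the IKE algorithm table (not code from the AIX guide), the following models an SA database: one SA per direction and per header type, an SPI that is unique per destination and header, an algorithm check against the table, and a key lifetime whose absence models a manual tunnel's static key. All field and class names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Algorithm choices per header type, taken from the IKE tunnel table (IPv4).
IKE_ALGORITHMS = {
    "AH": {"HMAC MD5", "HMAC SHA1"},
    "ESP": {"HMAC MD5", "HMAC SHA1", "DES CBC 8", "3DES CBC", "ESP Null"},
}


@dataclass(frozen=True)
class SecurityAssociation:
    """One SA: one direction and one header type (hypothetical field names)."""
    src: str
    dst: str
    spi: int
    header: str                # "AH" or "ESP"
    algorithm: str
    key: bytes                 # constructed placeholder key material
    created: float             # seconds on an arbitrary clock
    lifetime: Optional[float]  # None models a manual tunnel's static key

    def __post_init__(self):
        if self.algorithm not in IKE_ALGORITHMS.get(self.header, ()):
            raise ValueError(f"{self.algorithm!r} is not valid for {self.header}")

    def expired(self, now: float) -> bool:
        return self.lifetime is not None and now - self.created >= self.lifetime


class SADatabase:
    """Inbound lookup keyed on (destination, SPI, header type); assumed convention."""
    def __init__(self):
        self._sas = {}

    def add(self, sa: SecurityAssociation) -> None:
        key = (sa.dst, sa.spi, sa.header)
        if key in self._sas:
            raise ValueError(f"SPI {sa.spi:#x} already in use for {sa.header} to {sa.dst}")
        self._sas[key] = sa

    def lookup(self, dst: str, spi: int, header: str, now: float):
        sa = self._sas.get((dst, spi, header))
        return None if sa is None or sa.expired(now) else sa


def build_tunnel(a: str, b: str, now: float, lifetime: Optional[float]) -> SADatabase:
    """AH plus ESP between two hosts needs four SAs: two directions x two headers."""
    db, spi = SADatabase(), 0x100
    for src, dst in ((a, b), (b, a)):
        for header, alg in (("AH", "HMAC SHA1"), ("ESP", "3DES CBC")):
            db.add(SecurityAssociation(src, dst, spi, header, alg, b"\x00" * 24, now, lifetime))
            spi += 1
    return db
```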

Manual Tunnels

Manual tunnels provide backward compatibility and will interoperate with machines that do not support IKE key management protocols. The disadvantage of manual tunnels is that the key values are static. In other words, the encryption and authentication keys are the same for the life of the tunnel and must be manually updated.

Algorithm    AH IP Version 4    AH IP Version 6    ESP IP Version 4    ESP IP Version 6
HMAC MD5     X                  X                  X                   X
HMAC SHA1
DES CBC 8                                          X                   X
DES CBC 4                                          X                   X
CDMF                                               X                   X
3 DES CBC                                          X                   X

Since IKE tunnels offer more effective security, IKE is the preferred key management method.

Native Filtering Capability

Filtering is a basic function in which incoming and outgoing packets can be accepted or denied based on a variety of characteristics. This allows a user or system administrator to configure the host to control the traffic between this host and other hosts. Filtering is done on a variety of packet properties, such as source and destination addresses, IP version (4 or 6), subnet masks, protocol, port, routing characteristics, fragmentation, interface, and tunnel definition.

Rules, known as filter rules, are used to associate certain kinds of traffic with a particular tunnel. In a basic AIX configuration for manual tunnels, when a user defines a host-to-host tunnel, filter rules are autogenerated to direct all traffic from that host through the secure tunnel. If more specific types of traffic are desired (for instance, subnet to subnet), the filter rules can be edited or replaced to allow precise control of the traffic using a particular tunnel.

For IKE tunnels, the filter rules are also automatically generated and inserted in the filter table once the tunnel is activated.

Similarly, when the tunnel is modified or deleted, the filter rules for that tunnel are automatically deleted. This greatly simplifies IP Security configuration and helps reduce human error. Tunnel definitions can be propagated and shared among AIX machines and AIX firewalls using import and export utilities. This is especially helpful in the administration of a large number of machines.

Filter rules are necessary to associate particular types of traffic with a tunnel, but data being filtered does not necessarily need to travel in a tunnel. This allows AIX to provide base firewall function for users who want to restrict the flow of certain types of traffic to or from their machine. This is especially useful for the administration of machines in an intranet or machines that do not have the protection of a firewall. In concept, it is somewhat like setting up a demilitarized zone (DMZ); filter rules provide a second barrier around a group of machines in case of a compromise.

Once the filter rules are generated, they are stored in a table and loaded into the kernel. When packets are about to be sent to or received from the network, the filter rules are checked from the top of the list to the bottom to determine whether the packet should be permitted, denied, or sent through a tunnel. The criteria of each rule are compared to the packet characteristics until a match is found or the default rule is reached.
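The following is an added model of the filter table evaluation just described (not AIX code and not its actual rule syntax): rules are checked top to bottom, the first match decides permit, deny or tunnel, and the default rule applies when nothing matches. The rule fields, the autogenerated host-to-host pair and the sample table are this example's own constructions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class FilterRule:
    action: str                       # "permit", "deny" or "tunnel"
    src: str = "0.0.0.0/0"            # source network (CIDR); default matches any
    dst: str = "0.0.0.0/0"            # destination network
    protocol: Optional[str] = None    # "tcp", "udp", "icmp"; None matches any
    dst_port: Optional[int] = None    # None matches any port
    tunnel_id: Optional[int] = None   # meaningful only when action == "tunnel"

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.protocol in (None, pkt["protocol"])
                and self.dst_port in (None, pkt.get("dst_port")))


def evaluate(rules, default: FilterRule, pkt: dict):
    """Walk the table top to bottom; first match wins, otherwise the default rule.

    Returns (action, tunnel_id, index of the matching rule or None for default)."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, rule.tunnel_id, index
    return default.action, default.tunnel_id, None


def host_to_host_rules(local: str, peer: str, tunnel_id: int):
    """Model of the autogenerated rule pair that sends both directions through a tunnel."""
    return [FilterRule("tunnel", f"{local}/32", f"{peer}/32", tunnel_id=tunnel_id),
            FilterRule("tunnel", f"{peer}/32", f"{local}/32", tunnel_id=tunnel_id)]


# Constructed sample table: the tunnel pair, then an administrator's firewall-style
# rules allowing only SSH out of the local subnet, then a constructed default rule.
RULES = host_to_host_rules("192.0.2.10", "198.51.100.20", tunnel_id=1) + [
    FilterRule("permit", src="192.0.2.0/24", protocol="tcp", dst_port=22),
    FilterRule("deny", src="192.0.2.0/24"),
]
DEFAULT = FilterRule("permit")
```

Because evaluation stops at the first match, the order of the two subnet rules matters: swapping them would deny the SSH traffic the permit rule was meant to allow.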

The IP Security function also implements filtering of non-secure packets based on very granular user-defined criteria. This is a useful function to allow the control of IP traffic between networks and machines that do not require the authentication or encryption properties of IP Security.

