Encryption and Decryption of IPv4 Unicast Data and Control Packets
Features for encryption and decryption of IPv4 unicast data and control packets include IKEv2 on the MP, the IPSec FPGA
protocol, IKEv2 protocol support, and PKI checks for certificate presence.
Major enhancements to support encryption and decryption of IPv4 unicast data and control packets transmitted or received from
external networks include:
• IPSec FPGA protocol using a new 4x10G/1G and 4x1G IPSec line card, developed to provide hardware-based data encryption
and decryption at a line rate of 44 GbE. This card has a Freescale P2010 CPU with Security Engine 3.1x.
• IKEv2 protocol support to set up and manage secure tunnels across the external network.
• PKI support for authentication of tunnel endpoints using digital certificates.
NOTE
The PKI module needs to run over HTTP, so it will be running as a separate task on the MP.
IKE or any other module should not store the PKI certificates for later reference. Whenever needed, the PKI module
should be queried with the certificate DN or the Subject Alternative Name.
• Manual PKI is supported; OCSP and SCEP are not supported (for NetIron Release 5.8.00).
IKEv2 Authentication
When IKEv2 authentication is configured and the method (remote or local) is ECDSA, the CA certificates are retrieved and downloaded to
the LPs, where IKE will store them. This is done even if the peer is not up, such as during peer init. This data is required, or SA-INIT
cannot be completed.
NOTE
The new PKI feature in NI Release 5.8.00 will only be used for setting up the IKEv2 session.
When a peer is created and the auth method is ECDSA, IKE checks its database to ascertain whether the CA certificate and its own certificate are available.
The following certificate payload encodings are supported:
Certificate Type                        Value
X.509 Certificate – Signature           4
Hash and URL of X.509 certificate       12
OCSP content                            14
During the IKEv2 exchange, when two peers are establishing a tunnel, each peer receives a certificate from the other IKE peer. In
IKE, certificates can be sent in two ways: as an inline certificate, or in Hash and URL format (fetched over HTTP).
NOTE
IKE or any other module should not store the PKI certificates for later reference. Whenever needed, the PKI module should be
queried with the certificate DN or the Subject Alternative Name.
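The following is an added example, not code from the guide or from the NetIron software, that parses an IKEv2 CERT payload carrying one of the three encodings in the table above (values 4, 12 and 14 from RFC 7296) and, for the Hash and URL form, binds the certificate later fetched over plain HTTP to the SHA-1 hash the peer sent. The payload layout follows RFC 7296; the http-only URL check reflects this page's statement that the PKI module runs over HTTP and is an assumption of the example, as is the placeholder certificate data used in the docstrings.

```python
import hashlib
import struct

# IKEv2 CERT payload encodings (RFC 7296, section 3.6) that the page lists as supported.
CERT_X509_SIGNATURE = 4
CERT_HASH_AND_URL_X509 = 12
CERT_OCSP_CONTENT = 14
SUPPORTED_ENCODINGS = {
    CERT_X509_SIGNATURE: "X.509 Certificate - Signature",
    CERT_HASH_AND_URL_X509: "Hash and URL of X.509 certificate",
    CERT_OCSP_CONTENT: "OCSP content",
}

def build_cert_payload(encoding: int, data: bytes, next_payload: int = 0) -> bytes:
    """Encode a CERT payload: generic header (next, flags, length) + encoding byte + data."""
    return struct.pack("!BBH", next_payload, 0, 5 + len(data)) + bytes([encoding]) + data

def parse_cert_payload(raw: bytes) -> dict:
    """Parse one CERT payload; reject bad lengths and encodings the device does not support."""
    if len(raw) < 5:
        raise ValueError("payload shorter than header plus encoding byte")
    next_payload, flags, length = struct.unpack("!BBH", raw[:4])
    if length < 5 or length > len(raw):
        raise ValueError(f"payload length {length} does not fit {len(raw)} bytes")
    encoding = raw[4]
    if encoding not in SUPPORTED_ENCODINGS:
        raise ValueError(f"unsupported certificate encoding {encoding}")
    data = raw[5:length]
    ref = {"encoding": encoding, "name": SUPPORTED_ENCODINGS[encoding],
           "next_payload": next_payload, "critical": bool(flags & 0x80)}
    if encoding == CERT_HASH_AND_URL_X509:
        # Data is a 20-octet SHA-1 of the DER certificate followed by the URL.
        # Assumption for this example: the PKI module fetches over HTTP, so only http:// is accepted.
        if len(data) < 21:
            raise ValueError("hash-and-URL data shorter than 20-byte hash plus URL")
        ref["sha1"], ref["url"] = data[:20], data[20:].decode("ascii")
        if not ref["url"].startswith("http://"):
            raise ValueError("hash-and-URL reference is not an http:// URL")
    else:
        ref["data"] = data  # inline DER certificate or OCSP response, handed to the PKI module
    return ref

def hash_and_url_matches(ref: dict, fetched_der: bytes) -> bool:
    """Bind a certificate fetched over unauthenticated HTTP to the hash the IKE peer sent."""
    return hashlib.sha1(fetched_der).digest() == ref["sha1"]
```

Because the HTTP fetch itself is unauthenticated, the hash comparison is what prevents a substituted certificate from being accepted; a mismatch should abort the exchange rather than be logged and ignored.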
Router modules
Brocade NetIron MLXe Series Hardware Installation Guide
46 53-1004203-04