test

SunScreen SKIP User's Guide, Release 1.1

Chapter 3 Managing SunScreen SKIP Through skiptool

Now that you have installed SunScreen SKIP and the local keys on your machine, you must set it up so that it can talk to other systems. You do this primarily through the graphical user interface (GUI).

This chapter tells

Note -

If you are using SunScreen SKIP as part of another application (such as SunScreen EFS), much of the configuration has already been done. Refer to the appropriate application manual for specific instructions on what needs to be configured through the SunScreen SKIP interfaces.

Using the Graphical User Interface (skiptool)

SKIP provides two interfaces for configuring and managing SunScreen SKIP: skiptool, the GUI; and skiphost, the command-line interface. The command-line interface is discussed in Chapter 4. The easiest way to set up your ACL is through skiptool. The GUI allows you to enable and disable access to your machine, set the type of encryption used for hosts or network connections to your system (encrypted or unencrypted [clear]), as well as determine how to deal with unauthorized hosts that try to connect to your system. It also allows you to view the following statistics:

To run skiptool, you must be able to become root on your system. In addition, enable access for any client to the X server for Solaris 2.x systems by entering the xhost +<localhost> command; for example,


% xhost +mysun

before you become root.

Configuring SunScreen SKIP

You can configure only one interface at a time using skiptool. If you have more than one network interface, you must configure each separately.

Configuring SunScreen SKIP requires completing several steps:

  1. Adding authorized systems ("Adding Authorized Systems")

  2. Adding excluded systems, if any ("Adding Excluded Systems")

  3. Setting up the behavior for unauthorized systems ("Behavior for Authorized Systems")

  4. Enabling SKIP (Access control button is enabled) ("Enabling SKIP")

  5. Verifying the installation and set up ("Verifying the SKIP Installation and Set Up")

    There are two optional steps that are helpful in troubleshooting and in tuning key usage, respectively.

  1. Viewing SunScreen SKIP statistics ("Viewing SunScreen SKIP Statistics ")

  2. Key management with skiptool ("Key Management with skiptool")

    Each step is described in further detail in the following sections.

    When skiptool is started just after the initial installation of the software, the following defaults are in effect:

    • Access control is disabled

    • Unauthorized systems are set at No Access

Starting skiptool

To start skiptool, complete the following steps:

  1. Open a window, and type


    % xhost +mysun

  2. Become root, and type 


    # skiptool&

    If you are configuring a system that has multiple network interfaces, you can specify the interface following the skiptool command; for example, skiptool le1.

    The main window of skiptool appears, as shown in Figure 3-1.

    Figure 3-1 skiptool Main Window

    Graphic

The skiptool Main Window

The skiptool main window has several important features:

File Menu

The file menu has five submenus:

Load--Loads current ACL from the kernel. This is useful if you have modified the ACL through other tools and want to update the configuration in skiptool.

Key Management--Defines the parameters for key usage, including when to delete an unused key (in seconds) and how much to transmit per key (in Kbytes).

SKIP Statistics--Brings up one of six statistics windows: (1) Network Interface Stats, (2) SKIP Header Stats, (3) Encryption Stats (Version 1), (4) Encryption Stats (Version 2), (5) Key Stats, or (6) Authentication Stats.

Save--Makes the configuration permanent. Before saving, it prompts you to add any systems that are in use, that have access, and that are not currently on the authorized list. The next time that you reboot this configuration is used. Quitting and restarting skiptool will not affect either saved or unsaved changes in configuration. (Another way to save the current ACL is to use the command-line tool skipif with the -s option.)

Note -

If you do not save the changes in the configuration, you can use them until the next time you reboot your machine when they will no longer be in effect.

Exit--Closes all open windows and quits SunScreen SKIP. The Statistics window will not close when you quit skiptool.

Access Control Buttons

Access Control button--This button toggles to enable or disable SKIP. When SKIP is enabled, the ACL rules apply. (For example, you could have only the "default" entry in the authorized systems list and some entries in the excluded systems list. In this case, any host except those that are in the excluded systems list could connect.) When SKIP is disabled, any system can connect, if the "default" entry is configured in the clear.

Unauthorized System button--This button is used to set the policy regarding unauthorized systems.

Note -

If a default authorized host entry exists, this policy does not take effect. The default entry has the name "default" and the ACL looks for this entry (in authorized or excluded host lists) if it cannot find a given entry that matches the host or network criteria.

The policy can be

No Access--Does not allow unauthorized hosts to connect.

Ask For Confirmation--Every time an unauthorized host connects, a pop-up window appears on which the user determines whether or not that particular connection should be allowed.

Add Automatically--Any host that sends packets to this system is automatically added to the authorized systems list.

Note -

It is recommended that you do not change the value from "No Access."

Authorized Systems/Excluded Systems Lists

Authorized Systems--A list of systems that are authorized to have access to this host. System types are host, network, or nomadic. Secure systems are denoted by a padlock or the Sun Microsystems' logo next to the system name, depending on the type of security being used.

Excluded Systems--A list of systems that are specifically denied access to your system. When you move or add a system to the excluded list, it is immediately excluded.

skiptool allows you to move systems from the list of authorized systems to the list of excluded systems and vice versa with the arrows between the two lists.

Management Buttons

These buttons enable you to add or delete a system from the access list. The buttons are available for both authorized and excluded systems.

Add--Brings up the Add pop-up menu where the system type to be added to the ACL is selected:

Host--Adds an individual host, either with or without security.

Network--Adds a network, either with or without security.

Nomadic--Adds a nomadic identity, with SKIP Version 1 or SKIP Version 2 security.

Delete--Deletes the selected system from the list. When an item is deleted, the deletion occurs immediately and cannot be undone.

You may also move ACL entries from one list to another with the arrow buttons. These arrow buttons make it easy to add or delete system when troubleshooting.

Caution - Caution -

If you add or delete ACL entries from one list to another, the addition or deletion takes effect immediately.

Adding Authorized Systems

Any remote host with which you want to communicate (send or receive data) must be configured using the Add pop-up window.

An authorized host may or may not be using encryption. The Add pop-up window provides four options:

You add hosts to the authorized systems list using the Add button, located at the bottom left of the main window of skiptool.

The valid types of remote hosts that you can add to your ACL are

Caution - Caution -

When setting up SunScreen SKIP, be sure to include any NFS servers and NIS or DNS name servers on the authorized systems list, otherwise your system may hang.

Note -

To avoid problems such as this, a safe approach at the beginning is to add the clear "default" entry. Once you become more comfortable with SKIP configuration, you can remove it.

To determine the servers your system communicates with, use the following commands:

If you do not specify a system that you currently have in use when you enable access control, a menu will come up and ask if you want to add the system. It also checks for multicast routers that are being used for others and adds them to the proposed list of systems to add.

Regardless of the type of system that you are adding to the ACL, you must implement the same policy on both your machine and the entity with which you wish to communicate securely over the intranetworks or internetworks. If you do not configure both systems properly, the packets are silently dropped and it appears as if that particular host does not exist. skiplog is useful in diagnosing this situation.

When you click on the Add button, the Add pop-up window appears. From the menu in this window, you select the type of connection: Host, Network, or Nomadic. Next, use the pull-right menu to set the security level. After you have selected the level of security, the appropriate Properties window becomes available. The Add System Properties window is used to set up the options for the type of encryption used by the host, network, or nomadic system being authorized. Table 3-1shows what type of encryption can be used with hosts, networks, or nomadic systems. The procedures in the sections following the table detail how to set up each encryption option.

Table 3-1 Type of Security Available, by Type of System

Type of System 

Type of Security  

Off (none) 

SKIP  

SKIP (Version 1) 

ESP/AH (manual keying) 

Host 

Network 

Nomadic 

-- 

-- 

Adding a Host or Network with No Encryption

This procedure is used to allow a host or network access to your system without using any encryption.

  1. Click and hold on the Add button at the bottom of the authorized systems list on the skiptool main window.

  2. Select the type of connection being authorized: Host or Network. (Nomadic does not offer this option.)

  3. Pull right on the type of connection and select Off.

    The Add Host properties or Add Network properties dialog box will appear (Figure 3-2).

    Figure 3-2 Add Host/Properties--No Encryption

    Graphic

  4. In the Add Host or Network properties window, enter the name or IP address of the host system to be added to your ACL.

    In the case of a network, you must define the network with the IP address and the netmask.

  5. Click the Apply button.

Setting Up Security for a Host, Network, or Nomadic System

These procedures enable a host, network, or nomadic system access to your system according to the encryption rules set up using one of the procedures below. Remember, both your system and the other system need to use the same properties in order to communicate.

Explanations of the Dialog Box Parameters

The three encryption dialog boxes (SKIP, SKIP Version 1, and ESP/AH) use common set-up parameters, as you can see in Figure 3-3 through Figure 3-10. Explanations of the parameters follow the figures. The procedure follows the explanations.

Figure 3-3 Host--Add SKIP Host Properties

Graphic

Figure 3-4 Host--Add SKIP Version 1 Properties

Graphic

Figure 3-5 Host--Add ESP/AH Host Properties

Graphic

Figure 3-6 Network--Add SKIP Network Properties

Graphic

Figure 3-7 Network--Add SKIP Version 1 Properties

Graphic

Figure 3-8 Network--Add ESP/AH (Manual Keying) Network Properties

Graphic

Figure 3-9 Nomadic--Add SKIP Properties (Nomadic)

Graphic

Figure 3-10 Nomadic--Add SKIP Version 1 (Nomadic)

Graphic

Adding Authorized Systems with Encryption

  1. Click and hold on the Add button at the bottom of the authorized systems list on skiptool's Main Window.

  2. Select the type of connection being authorized: Host, Network, or Nomadic.

  3. Pull right on the type of connection and select the type of encryption that you want to use.

    • If the remote host system also uses SKIP and the traffic between your systems is to be encrypted, select SKIP.

    • For systems using Sun Microsystems' SunScreen SPF-100, select SKIP Version 1.

    • If ESP/AH (manual keying) is to be used, click on ESP/AH.

  4. On the Add properties window, enter the name or IP address of the host system to be added to your ACL.

  5. Determine whether Whole packet ("tunnel mode") or Data only ("transport mode") is secure by clicking on the appropriate selection for the Secure button.

  6. Each type of encryption requires that certain options be set.

    The parameters selected are determined by the type of system being authorized and your security policies. The options to be considered are based on the method of encryption selected. They are

    • For systems using SKIP: Tunnel address, Remote Key ID, Local Key ID. If you leave the tunnel address blank, it will default to the peer's address.

    • For SKIP Version 1: Key ID, Tunnel address.

    • For ESP/AH systems: Tunnel address, Local SPI, Remote SPI.

  7. Select the appropriate algorithms buttons for Key encryption, Traffic encryption, and Authentication.

    The options available for each system are based upon the method of encryption selected from the Security pop-up menu:

    • Key Encryption button: Selecting this button lists the available key encryption algorithms. The algorithm available is determined by the type of system and selected method of encryption.

    • Traffic Encryption button: Selecting this button lists the algorithms available for encryption between your system and the remote system. The algorithms that are available for key and traffic encryption depend on the packages that were installed on the system, such as core product and key upgrades. The algorithms available determine the type of system and the method of encryption selected.

    • Authentication button: Use this button to select the type of authentication for the packets.

    • Compression button: Compression is not currently supported.

  8. Click Apply to add the host to the authorized systems list.

    Refer to the previous section for descriptions of the fields and buttons.

    Repeat Steps 1 though 8 for all encrypted hosts. Remember that your policy options for each system entered on your ACL must be the same as those entered on the system entity with which you wish to communicate through encrypted channels. If the configuration on your system does not match that of the party with which you wish to communicate, the packets are silently dropped. It will simply appear as though that host no longer exists.

Default System Entry

The default system entry is used when no other more specific ACL entry matches a host. Often, this entry is set to clear to allow hosts that are not listed in the ACL to communicate in the clear. It may, however, be used to create a default encryption rule.

Note -

If the default ACL remains and is set to Off, it is unnecessary to add any entity with the Off security option. Further, if the default ACL remains and is set to Off, the option set by the Unauthorized Systems button never goes into effect because all systems are considered as authorized.

Communicating In the Clear (Off)

Typically, the NIS and DNS servers to which your servers have access are set up as communicating with your system in the clear or unencrypted. In addition, any host that does not use an encryption package must be set up to communicate with you in the clear.

Communicating Using SKIP Version 1

Complete the following steps to set these fields for encrypted traffic between your server and the system to be authorized.

  1. After selecting the type of system and setting the security to SKIP, enter the Hostname.

  2. Enter the Node ID.

    This is the IPv4 key ID.

  3. Local Key ID and ID buttons.

    Use the Local Key ID button to indicate whether you want your local system to send its key ID in the SKIP packet.

  4. Set the Tunnel Address, if you are using topology hiding.

    Tunnel addressing is generally used for clients of encrypted gateways where the IP address of the host entered here serves as the intermediary for any or all hosts on a network whose topography is to remain unknown or hidden from the rest of the world.

  5. Select the appropriate key and traffic algorithms for the Key and Traffic encryption buttons. Available Key encryption algorithms are DES-CBC and RC2-40. Available Traffic encryption algorithms are RC4-40 and RC2-40.

Communicating Using SKIP

Complete the following steps to set these fields for encrypted traffic between your server and the system to be authorized.

  1. After selecting the type of system and setting the security to SKIP, enter the Hostname.

  2. Set the Secure button to either Whole packet (`tunnel mode") or Data only ("transport mode").

    Whole packet is recommended because it offers a greater degree of security.

  3. Set the Tunnel address, if you are using topology hiding.

    Tunnel addressing is generally used for clients of encrypted gateways where the IP address of the host entered here serves as the intermediary for any or all hosts on a network whose topography is to remain unknown or hidden from the rest of the world.

  4. Use the Remote Key ID button to select whether you would like the remote system's keyID included in SKIP packets.

    If so, what namespace does that key occupy. By selecting Not Present, the receiver key ID is not sent.

    Not Present is the default. It uses the IP address of the remote system to identify its certificate. If a remote system has a key ID other than identified by its IP address, set the namespaces and indicate the remote system's key ID in the ID Field. The namespace indicated in the Remote Key ID field is determined by the type of certificate that is used or obtained for this system. The type of certificate and the Remote Key ID field for that certificate is shown below

    Certificate Type 

    Remote Key ID Field 

    CA (Sun or other) 

    IPv4 

    Self-generated unsigned key 

    MD5 (DH Public Value) 

  5. The following namespaces are used in this menu:

    Not present 

    IPv4 Address 

    MD5 (DH public Value) 

  6. If the Remote Key ID field has been set to something other than Not Present, enter the key ID in hexadecimal format in the ID field (0x0a000000).

    It must contain the appropriate key ID for the system that is being authorized based upon the selection made in the Remote Key ID field. Depending on the type of certificate, this information may be obtained from the master keyID on the diskette or from the Local key ID field of the other host.

  7. Select the appropriate key and traffic algorithms for the Key and Traffic encryption buttons.

    Available Key encryption is None, DES_CBC, and RC2-40. Available Traffic encryption is None, RC4-40, and RC2-40.

  8. Authentication button.

    Use the authentication button to select the type of authentication for the packets. Currently, SunScreen SKIP supports only one type of authentication--MD5. You can also select None for no authentication.

  9. Compression button.

    Compression is not available at this time.

Communicating Using ESP/AH

ESP/AH (also called manual keying) is typically used in test mode only. It is not recommended for day-to-day operations. To configure a host with which you are using manual keying, both skiptool and the raw_keys files must be configured.

Adding Excluded Systems

If the default entry remains on the authorized systems list, then any remote host with which you want to prevent communication must be configured using the Add button located under the excluded systems list. When setting up an excluded system, you only need to enter the hostname for hosts and network number for networks. For nomadic systems you need to specify the key IDs.

If the state of the host or network changes to an authorized system, you must delete the system from the excluded systems list and add it to the authorized systems list.

The easiest way to exclude a system is to move it from the authorized systems list with the arrow button to the excluded systems list. The arrow buttons make it easy to add or delete systems when troubleshooting and the host is already present in the authorized systems list. If the host does not already exist on one of the lists, it is simpler to add it directly on the excluded systems list so that you can move it easily with the arrow button when you wish to add it to the authorized systems list.

Note -

If you move an encrypted host from the authorized systems list to the excluded systems list with the arrow button, SunScreen SKIP retains the encryption parameters so that if you later move this host back to the authorized systems list, its parameters are restored.

You can also complete the following steps to exclude a system:

  1. Click on the Add button at the bottom of the excluded systems list on skiptool's main window.

  2. Select the system type: Host, Network, or Nomadic.

  3. In the Hostname field on the Exclude System window, enter the name or IP address of the host system that you want to deny access to your system.

    If you are excluding a nomadic system, also enter the key ID.

  4. Click Apply on the Exclude System window.

    Caution - Caution -

    If you add or delete ACL entries from one list to another, the addition or deletion takes effect immediately.

Behavior for Authorized Systems

Once you have entered the authorized systems and the excluded systems, you need to determine what should happen when unidentified systems attempt to obtain access to your system. An unidentified system is unrecognized by SKIP; that is, it is not on either the authorized systems list or the excluded systems list.

Use the Unauthorized Systems button on the main window to select the action SKIP should take when an unidentified system attempts access. When you remove a default entry from these lists, SKIP will take one of the following three actions:

It is recommended that you leave this entry in the default selection of No Access for greater security.

If you quit skiptool or if you reboot your system, the selection will revert to No Access.

Note -

If a default ACL entry is on the authorized systems list, this option does not take effect.

Once you have configured SunScreen SKIP on your system, you are ready to configure it on the other systems with which you will be communicating either in the clear or through one of the methods of encryption available in SunScreen SKIP. Once both parties have installed and configured SKIP, SKIP should be enabled and your data protected.

Enabling SKIP

The last step in setting up SunScreen SKIP is to enable access control for the system. Enable SunScreen SKIP by selecting enabled from the Access Control button on the main window. When SKIP is enabled for the first time, it checks for all systems with which you are talking in the clear. It detects the NFS, X Windows, NIS, and DNS servers with which you are communicating and offers the possibility of adding the systems automatically to the ACL when you select Add from the Required Systems window (Figure 3-11). Choosing Cancel can hang your system or prevent your access to the system or network the next time you try to log in because certain necessary servers may not have been added. To prevent this, select disable after canceling.

Figure 3-11 Enabling SKIP

Graphic

Understanding the Symbols in the Authorized Systems List

The authorized systems area lists all the hosts that are allowed access. The excluded systems area shows all those known hosts that are explicitly denied access. The graphic preceding the host name or IP address depicts what type of security is being used with that host.

Iconify SunScreen SKIP

Once you have enabled SunScreen SKIP, it is no longer necessary to keep the window open. At this time, you may wish to iconify the main window. The skiptool icon (Figure 3-12) shows SKIP's status. If you have set unauthorized systems to No Access, you can quit skiptool.

Figure 3-12 SKIP Icon Showing Both the Enabled and Disabled States

Graphic

If you quit the application, SKIP stays in whatever mode it was last in (enabled or disabled).

Unauthorized Systems automatically changes to No Access, since there is no longer any way to notify you if an unauthorized system attempts to gain access.

Verifying the SKIP Installation and Set Up

Once you have configured and enabled SKIP, it is time to determine that it is working properly. If the configurations on the systems do not match (that is, the encryption algorithms used), it will appear as if the other part of the communication equation does not exist. SKIP silently drops the packets. skiplog will log this event.

To verify that SunScreen SKIP is operating properly on your system, complete one or more of the following procedures:

  1. Ping the remote system.

    The remote system must have SunScreen SKIP enabled and be using the same key and traffic encryption algorithms as your system.

    If you have the remote site's certificate, you can immediately start sending encrypted IP. Otherwise, SKIP will need to fetch the remote machine's certificate. By default, this is done by asking the remote site for its certificate over a clear channel. If you have configured other hosts to act as key servers, they will be asked for the certificate. See the man pages for skipd and skipd.conf for details. If there are no problems at the remote site, you receive replies when you ping.

    Note -

    The initial ping can fail because the key manager's computation may exceed the time-out value of some of the IP protocols, such as ping.

  2. Run snoop on your local system or a sniffer to see that packets are being encrypted.

    If encryption is not taking place between your system and a system on your authorized systems list or you cannot connect to that system, check the following items.

    • Is SKIP enabled? Check the Access Control button. Set it to enabled.

    • Verify that a certificate exists for each system you wish to communicate with on your authorized systems list. Use the skipdb command to check for the certificate of the remote system by dumping the database to the screen. Try to restart the key manager by using the skipd_restart command.

    • Verify that SKIP is installed, configured, enabled, and has the certificate of the remote system.

    • Verify the key ID of the remote system in the log file /var/log/skipd.log to see if the key manager has set the key ID to what you think it should be. If it is not the correct key ID, get certificates for the correct key ID.

    • Verify that both machines have the same key encryption, traffic encryption, and authentication algorithms. You can check which ACL entry will be used when communicating with a remote host by using skiphost <hostname/IP address> command. This command will check default entries, as well as network entries.

    • Certificate Discovery works by sending UDP requests to port 1640 of the server. If you are connecting through a firewall, check with your system administrator that UDP messages are allowed to pass on port 1640. These ports are required for the certificate discovery protocol (CDP). As a workaround, you can manually distribute keys. Also, make sure that the SKIP protocol 57 (decimal number) and the SKIP Version 1 protocol 79 (decimal number) are permitted to pass through the firewall.

    • Some routers also filter packets. Check on the router and its configuration.

    • Verify that the CDP server specified in skipd.conf is correct and has been authorized in skiptool. If the cdp_server entry is = or @, it is specifying the tunnel address or host address, respectively.

    • SKIP requires that machine clocks be synchronized within one hour. Make sure they are synchronized. Messages in /var/log/skipd.log will indicate this situation. You may use the UNIX command rdate (1M) to synchronize the clocks.

    • If the skiplocal export command has been used to communicate key IDs when one or both of the systems have multiple keys or multiple network interfaces, the key ID may have been bound to the wrong network interface or local key ID. Use skiptool or skiphost to add the remote host after verifying key IDs over the telephone.

    • Use skiplog to verify configuration mismatches.

Viewing SunScreen SKIP Statistics

SunScreen SKIP provides two methods of viewing statistics: skiptool and skipstat. skiptool is the GUI. skipstat is the command-line interface for viewing SKIP statistics and is discussed in Chapter 4. The method you choose is a matter of personal preference since both interfaces provide the same data. The GUI display has a yellow label with the word "UPDATED" in front of fields whose values have changed since the last "sampling." This feature is not available through skipstat.

The following statistics are available in SunScreen SKIP:

The Statistics Window

You can view the Network Interface, SKIP Header, Key, Encryption (Versions 1 and 2), and Authentication statistics in real-time by selecting SKIP Statistics from the File menu (File --> SKIP Statistics) on the skiptool main window (Figure 3-13).

Figure 3-13 Bringing Up a Statistics Window

Graphic

Each of the statistics available for SunScreen SKIP is described on the following pages. Sample data with field descriptions illustrate the information available for monitoring SunScreen SKIP's performance. The fields on the statistics screens are updated approximately every 3 seconds. A status change is indicated by a yellow label with the word "UPDATED" next to the fieldname.

SKIP Statistics

SKIP Interface StatisticsSelecting File --> SKIP Statistics --> Network Interface Stats displays the SKIP Interface Statistics window ().

Figure 3-14 SKIP Interface Statistics Window

Graphic

A brief description of each field is given below:

skip_if_ipkts

Packets received by the interface. 

skip_if_opkts

Packets sent by the interface. 

skip_if_encrypts

Packets encrypted. 

skip_if_decrypts

Packets decrypted. 

skip_if_drops

Packets dropped. 

skip_if_notv4

Packets that are not IPv4 packets. 

skip_if_bypasses

The number of certificate packets. 

skip_if_raw_in

Raw AH and ESP packets received by the interface. 

skip_if_raw_out

Raw AH and ESP packets sent by the interface. 

SKIP Header Statistics

Selecting File --> SKIP Statistics --> Header Stats displays the Header Statistics window (Figure 3-15). In the field descriptions below, V1 refers to SKIP Version 1.

Figure 3-15 SKIP Header Statistics Window

Graphic

A brief description of each field in SKIP Header Statistics window is given below:

skip_hdr_bad_versions

The number of headers with invalid protocol versions. 

skip_hdr_short_ekps

The number of headers with short eKp fields. 

skip_hdr_short_mids

The number of headers with short MID fields. 

skip_hdr_bad_kp_algs

The number of headers with unknown cryptographic algorithms. 

V1 skip_hdr_encodes

The number of SKIP V1 headers encoded. 

V1 skip_hdr_decodes

The number of SKIP V1 headers decoded. 

V1 skip_hdr_runts

The number of headers with short SKIP V1 packets. 

V1 skip_hdr_short_nodeids

The number of headers with short SKIP V1 key ID. 

IPSP skip_ipsp_decodes

The number of SKIP headers decoded. 

IPSP skip_ipsp_encodes

The number of SKIP headers encoded. 

IPSP skip_hdr_bad_nsid

The number of headers with a bad SKIP name- space ID. 

IPSP skip_hdr_bad_mac_algs

The number of headers with unknown or bad authentication algorithms. 

IPSP skip_hdr_bad_mac_size

The number of headers with an authentication error in the MAC size.  

IPSP skip_hdr_bad_mac_val

The number of headers with an authentication error in the MAC value. 

IPSP skip_hdr_bad_next

The number of headers with a bad SKIP next protocol field. 

IPSP skip_hdr_bad_esp_spi

The number of headers with a bad SKIP SPI field. 

IPSP skip_hdr_bad_ah_spi_

The number of bad AH/SPI headers (manual keying). 

IPSP skip_hdr_bad_iv

The number of headers with a bad SKIP initialization vector. 

IPSP skip_hdr_short_r_mkeyid

The number of headers with a short SKIP receiver key ID. 

IPSP skip_hdr_short_s_mkeyid

The number of headers with a short SKIP sender key ID. 

IPSP skip_hdr_bad_r_mkeyid

The number of headers with a bad SKIP receiver key ID. 

SKIP Key Statistics

Selecting File --> SKIP Statistics --> Key Stats displays the Key Statistics window (Figure 3-16).

Figure 3-16 SKIP Key Statistics Window

Graphic

A brief description of each field on the Key Statistics window is given below:

skip_key_max_idle

The time, in seconds, until an unused key is reclaimed. 

skip_key_max_bytes

Maximum number of bytes to encrypt before discarding a key. 

skip_encrypt_keys_active

Number of encryption keys in the cache. 

skip_decrypt_keys_active

Number of decryption keys in the cache. 

skip_key_lookups

The total number of key cache lookups. 

skip_keymgr_requests

The total number of key cache misses (key not found). 

skip_key_reclaims

The total number of key entries reclaimed. 

skip_hash_collisions

The total number of table collisions. 

SKIP (Version 1) Algorithm Statistics

Selecting File --> SKIP Statistics --> Encryption Stats (Version 1) displays the Algorithm Statistics window for SKIP Version 1 (Figure 3-17).

Figure 3-17 Encryption Statistics Window--SKIP Version 1

Graphic

SKIP Algorithm Statistics

Selecting File --> SKIP Statistics --> Encryption Stats displays the Algorithm Statistics window shown in Figure 3-18.

Figure 3-18 Encryption Statistics Window

Graphic

One set of statistics is displayed for each different traffic and key encryption module. A brief description of each field is give below:

Crypto Module Name 

The name of the cryptographic module for which the statistics are being displayed. 

encrypts

Number of successful encryptions. 

encrypterrs

Number of failed encryptions. 

decrypts

Number of successful decryptions. 

decrypterrs

Number of failed decryptions. 

SKIP Authentication Statistics

Selecting File --> SKIP Statistics --> Authentication Stats displays the Authentication Statistics window (Figure 3-19), which provides information on MACs (Message Authentication Code).

Figure 3-19 Authentication Statistics Window

Graphic

A brief description of each field on the Authentication Stats window is given below:

MAC_Module_Name 

MAC method used for authentication. 

in_mac

Number of received MAC calculations that succeeded. 

in_mac_errs

Number of received MAC calculations that failed. 

out_mac

Number of sent MAC calculations that succeeded. 

out_mac_errs

Number of sent MAC calculations that failed. 

Key Management with skiptool

The Key Management Parameters window (Figure 3-20) is displayed by selecting File --> Key Management. Key management parameters are global; that is, one set of key management parameters governs the activity of all keys on a particular system. They determine when a key is deleted based upon use and the maximum number of bytes transmitted per encrypt key.

Figure 3-20 Key Management Parameters Window

Graphic

The Key Management Parameters window has four major components.

Change transmit keys every:

The system uses the delete unused key parameter to decide when to change active encrypt keys.

Delete unused keys after:

This button sets the number of seconds an unused traffic key is kept before it is deleted. The number may be changed by either typing in a new number or clicking on the up and down arrows until the desired number is reached. Default value = 30 seconds. Valid range: 5 seconds to 10,000 seconds.

Transmit at most:

This button sets the maximum amount of information that can be transmitted using a particular key. When the set amount is reached, the key is changed. The number can be changed by either typing in a new number or clicking on the up and down arrows until the desired number is reached. Default value = 512 Kbytes per key. Valid range: 1 Kbyte per key to 10,000 Kbytes per key.

Management Buttons:

These three buttons enable you to apply the new values, return to the default values, or dismiss the window without changes.