Securing the Network in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

Key Management for IPsec Security Associations

Security associations (SAs) require keying material for authentication and for encryption. The managing of this keying material is called key management. Oracle Solaris provides two methods for managing the keys for IPsec SAs: IKE and manual key management.

IKE for IPsec SA Generation

The Internet Key Exchange (IKE) protocol handles key management automatically. Oracle Solaris 11.2 supports IKE version 2 (IKEv2) and IKE version 1 (IKEv1) of the IKE protocol.

    The use of IKE to manage IPsec SAs is encouraged. These key management protocols offer the following advantages:

  • Simple configuration

  • Provide strong peer authentication

  • Automatically generate SAs with a high quality random key source

  • Do not require administrative intervention to generate new SAs

For more information, see How IKE Works.

To configure IKE, see Chapter 9, Configuring IKEv2. If you are communicating with a system that does not support the IKEv2 protocol, follow the instructions in Chapter 10, Configuring IKEv1.

Manual Keys for IPsec SA Generation

The use of manual keys is more complicated than IKE and is potentially risky. A system file, /etc/inet/secret/ipseckeys, contains the encryption keys. If these keys are compromised, they can be used to decrypt recorded network traffic. Because IKE frequently changes the keys, the window of exposure to such a compromise is much smaller. Using the ipseckeys file or its command interface, ipseckey, is appropriate only for systems that do not support IKE.

While the ipseckey command has only a limited number of general options, the command supports a rich command language. You can specify that requests be delivered by means of a programmatic interface specific for manual keying. For additional information, see the ipseckey (1M) and pf_key (7P) man pages.

Typically, manual SA generation is used when IKE is unavailable for some reason. However, if the SPI values are unique, manual SA generation and IKE can be used at the same time.