9 Optional IPsec Configuration

This section describes the security-related configuration changes required to use Internet Protocol Security (IPsec).

Note:

Customers are NOT required to configure IPsec.

9.1 IPsec Overview

Internet Protocol Security (IPsec) provides network layer security protocols for authentication, encryption, payload compression, and key exchange. IPsec provides Host-to-Host encrypted connections or Network-to-Network packet tunneling.

Network traffic between two end-points is encrypted and decrypted by authenticated hosts at the end-points, using a shared private key. The shared private key forms a Security Association that can be automatically changed using Security Policies based on traffic volume, expiry time, or other criteria.

IPsec works for both IPv4 and IPv6 on the Diameter interface. The provisioning interface only supports IPsec on IPv4. Oracle Communications Diameter Signaling Router supports IPsec with an SCTP/IPv6 configuration.

9.1.1 Encapsulating Security Payload

The Diameter Signaling Router IPsec uses the Encapsulating Security Payload (ESP) protocol for encryption and authentication. ESP uses encryption algorithms to encrypt either the packet payload or the entire packet, depending on whether IPsec is configured for transport mode or tunnel mode. In transport mode, only the packet payload is encrypted, and the IP header is not encrypted. In tunnel mode, both the packet payload and the original IP header are encrypted, and then a new IP header is added.

ESP also provides authentication of the encrypted packets to prevent attacks by ensuring that the packet is from the correct source.

Many encryption algorithms use an Initialization Vector (IV). The IV is used during encryption to make each message unique, which makes it extremely difficult for cryptanalysis attempts to decrypt the ESP. For more details on the supported ESP encryption and authentication algorithms, see Table 9-1.

9.1.2 Internet Key Exchange

Internet Key Exchange (IKE) is used to exchange secure keys to set up IPsec security associations. There are two versions of IKE: IKEv1 and IKEv2. The following are the main differences that exist between IKEv1 and IKEv2:
  • IKEv1:
    • security associations are established in 8 messages.
    • does not use a Pseudo-Random function.
  • IKEv2:
    • security associations are established in 4 messages.
    • uses an increased number of encryption algorithms and authentication transformations.
    • uses a Pseudo-Random function.

For more details on the encryption algorithms and authentication transformations that are supported for IKE, see Table 9-1.

9.2 IPsec Process

When an IPsec connection is configured, you can create Security Policies using the IPsec connection configuration files. IPsec uses Security Policies to define whether to encrypt a packet or not. The Security Policies also help determine whether an IPsec procedure is needed for a connection. The Security Policies do not change over time. After the Security Policies exist and initial network connectivity has been made, the Internet Key Exchange (IKE) process occurs.

IKE operates in two phases:
  1. Phase 1 acts as an initial handshake and creates the IKE security associations that determine how to set up an initial secure connection to begin the IPsec security association negotiation.
  2. In phase 2, the keys are exchanged, and the IPsec security associations are created. Once the IPsec security associations exist, the IPsec connection setup process is complete. IPsec now knows how to encrypt the packets.

IPsec uses security associations to determine which type of encryption algorithm and authentication transformation should be used when creating an IPsec packet, and to apply the correct decryption algorithm when a packet is received. Since security associations change with time, a lifetime parameter is used to force the security associations to expire so that IPsec must renegotiate them.

You can set up an IPsec connection on a virtual IP that can be used for HA. However, when a switchover occurs and the virtual IP is added to the new box, a SIGHUP is sent to the iked daemon on the newly active box so that the virtual IP is under iked management. Also, the switchover does not occur until the security associations have expired and the renegotiation can begin.

9.3 Setting Up IPsec

This section describes the procedure to set up IPsec.

Prerequisites

Before configuring IPsec, perform the following steps on the active NOAMP server:

  1. Log in as root on the active NOAMP server.
  2. On the active NOAMP server, run the following commands:
    iadd -xu -fallowPgmChg -fname -fvalue LongParam \
    <<'!!!'
    Yes|cm.ha.enableIpsecWhack|1
    !!!

Procedure

Adding an IPsec connection also configures it. You can edit or delete an existing IPsec connection. You can also start (enable) and stop (disable) an IPsec connection without deleting that connection completely. Perform IPsec setup on each MP that can control the connection.

Note:

You must not enable IPsec on a live connection. Disable the connection before enabling IPsec.
Perform the following steps to set up a new IPsec connection:
  1. Open platcfg.
  2. Add and configure an IPsec connection. For more information, see the Adding an IPsec Connection section.
  3. Select an IKE version.
    1. Complete the IKE configuration for the IPsec connection.
    2. Complete the ESP configuration for the IPsec connection.
    3. Complete the IPsec connection configuration entries.
    4. Wait for the connection to be added.
  4. Enable the IPsec connection. For more information, see the Enabling or Disabling Host Intrusion Detection System section.
  5. Log out of platcfg.
  6. Restart IPsec service by typing this command:
    # service ipsec restart

9.4 IPsec IKE and ESP Elements

The following table describes the IPsec IKE and ESP configuration elements and provides default values where applicable:

Table 9-1 IPsec IKE and ESP Elements

| Description | Valid Values | Default |
| --- | --- | --- |
| Internet Key Exchange (IKE) Version | ikev1, ikev2 | ikev2 |
| IKE Configuration | | |
| IKE Encryption | aes128_cbc, aes192_cbc, aes256_cbc, 3des_cbc, hmac_md5 | aes128_cbc; hmac_md5 |
| IKE Authentication | hmac_sha1, aes_xcbc, hmac_md5 | hmac_md5 |
| Pseudo Random Function. This is used for the key exchange only for ikev2. | hmac_sha1, aes_xcbc (ikev2) | |
| Diffie-Hellman Group. The group number is used to generate the group (group - set of numbers with special algebraic properties) that is used to select keys for the Diffie-Hellman algorithm. The larger the group number, the larger the keys used in the algorithm. | 2, 14 (ikev2); 2 (ikev1) | 2 (IKEv1); 14 (IKEv2) |
| IKE SA Lifetime. Lifetime of the IKE/IPsec security associations. A correct lifetime value would be <hours/mins/secs>. Example: 3 mins. Note: If a connection goes down, it does not re-establish until the lifetime expires. If the lifetime is set to 60 minutes and a failure causing a switchover of a VIP is required, the switchover does not occur until the 60 minutes expire. The recommendation is to set the lifetime to the lowest possible time that does not impact network connectivity, such as 3-5 minutes. | Number of time units | 60 |
| Lifetime Units | hours, mins, secs | mins |
| Perfect Forward Secrecy. This is an algorithm used to ensure that if one of the private keys is compromised the other keys are not compromised. | yes, no | yes |
| ESP Configuration | | |
| ESP Authentication. Algorithm used to authenticate the encrypted ESP. | hmac_sha1, hmac_md5 | hmac_sha1 |
| Encryption Algorithm. Algorithm used to encrypt the actual IPsec packets. | aes128_cbc, aes192_cbc, aes256_cbc, 3des_cbc | aes128_cbc |
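
A pre-change check of proposed values against Table 9-1, as an added example that is not Oracle's code or part of platcfg. The dictionary keys are hypothetical names for the table rows; the check treats hmac_md5, 3des_cbc and Diffie-Hellman group 2 as deprecated choices and takes the 5-minute lifetime ceiling from the note in the table.

```python
# Added example. Keys such as "ike_authentication" are hypothetical names for
# the Table 9-1 rows; platcfg is menu-driven and does not consume this dict.
TABLE_9_1 = {  # valid values exactly as Table 9-1 lists them
    "ike_encryption": {"aes128_cbc", "aes192_cbc", "aes256_cbc", "3des_cbc", "hmac_md5"},
    "ike_authentication": {"hmac_sha1", "aes_xcbc", "hmac_md5"},
    "esp_authentication": {"hmac_sha1", "hmac_md5"},
    "esp_encryption": {"aes128_cbc", "aes192_cbc", "aes256_cbc", "3des_cbc"},
    "pfs": {"yes", "no"},
}
DH_GROUPS = {"ikev1": {2}, "ikev2": {2, 14}}
PRF_IKEV2 = {"hmac_sha1", "aes_xcbc"}
UNIT_SECONDS = {"hours": 3600, "mins": 60, "secs": 1}
WEAK = {"hmac_md5", "3des_cbc"}   # MD5- and 3DES-based transforms are deprecated
MAX_LIFETIME_S = 5 * 60           # upper end of the 3-5 minute recommendation

def audit(conn):
    """Return (severity, message) findings for one proposed connection."""
    ver = conn.get("ike_version")
    if ver not in DH_GROUPS:
        return [("error", f"ike_version={ver!r} is not ikev1 or ikev2")]
    out = []
    for key, allowed in TABLE_9_1.items():
        val = conn.get(key)
        if val not in allowed:
            out.append(("error", f"{key}={val!r} is not a Table 9-1 value"))
        elif val in WEAK:
            out.append(("warn", f"{key}={val} is a deprecated algorithm"))
    group = conn.get("dh_group")
    if group not in DH_GROUPS[ver]:
        out.append(("error", f"dh_group={group!r} is not valid for {ver}"))
    elif group == 2:
        out.append(("warn", "dh_group=2 is a 1024-bit MODP group; 14 needs ikev2"))
    prf = conn.get("prf")  # optional here: Table 9-1 gives no default for it
    if prf is not None and (ver != "ikev2" or prf not in PRF_IKEV2):
        out.append(("error", f"prf={prf!r} is not valid for {ver}"))
    unit, life = conn.get("lifetime_units"), conn.get("lifetime")
    if unit not in UNIT_SECONDS or not isinstance(life, int):
        out.append(("error", "lifetime needs an integer and hours/mins/secs"))
    elif life * UNIT_SECONDS[unit] > MAX_LIFETIME_S:
        out.append(("warn", f"lifetime={life} {unit} delays reconnect and VIP switchover"))
    return out

# Constructed inputs: the Table 9-1 defaults, and a stricter choice of values.
DEFAULTS = {"ike_version": "ikev2", "ike_encryption": "aes128_cbc",
            "ike_authentication": "hmac_md5", "dh_group": 14, "lifetime": 60,
            "lifetime_units": "mins", "pfs": "yes",
            "esp_authentication": "hmac_sha1", "esp_encryption": "aes128_cbc"}
STRICT = dict(DEFAULTS, ike_encryption="aes256_cbc", ike_authentication="hmac_sha1",
              prf="hmac_sha1", esp_encryption="aes256_cbc", lifetime=5)
if __name__ == "__main__":
    print(audit(DEFAULTS), audit(STRICT), sep="\n")
```

Run against the table defaults, it reports the hmac_md5 IKE authentication default and the 60-minute lifetime as warnings.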

9.5 Adding an IPsec Connection

Perform the following steps to add an IPsec connection:
  1. Log in as admusr on the source server.
    login: admusr
    Password: <current admin user password>
  2. Enter the following command to open the platcfg menu:
    $ sudo su - platcfg

    1. Select Network Configuration.
    2. Select IPsec Configuration.
    3. Select IPsec Connections.
    4. Click Edit.

    1. Select Add Connection.
    2. Select the Internet Key Exchange Version: either IKEv1 or IKEv2.
    3. Complete the IKE Configuration fields for the desired connection, then click OK.
    For more details about the fields, see Table 9-1.
  3. Select the desired ESP Encryption algorithm, and click OK.
    For more details about the fields, see Table 9-1.
  4. Complete the Add Connection fields for the desired connection.
    1. Enter the Local Address.
    2. Enter the Remote Address.
    3. Enter the Pass Phrase.

      Note:

      Select a non-trivial passphrase.
    4. Select the Mode.
  5. Click OK.

    Wait for the connection to be added.

    When the connection has been successfully added, the Internet Key Exchange Version menu displays.

  6. Select Exit in each of the menus until a command prompt is reached.

9.6 Editing an IPsec Connection

Perform the following steps to edit an IPsec connection:
  1. Log in as admusr on the source server.
    login: admusr
    Password: <current admin user password>
  2. Enter the following command to open the platcfg menu:
    $ sudo su - platcfg

    1. Select Network Configuration.
    2. Select IPsec Configuration.
    3. Select IPsec Connections.
    4. Click Edit.

    1. Select Edit Connection.
    2. Select IPsec connection to edit.
    3. View the IPsec connection’s current configuration.
    4. Click Edit.

    1. Select either IKEv1 or IKEv2.
    2. Complete the IKE Configuration fields if needed, then click OK.
      For more details about the fields, see Table 9-1.
  3. Select the desired ESP Configuration fields, and click OK.
    For more details about the fields, see Table 9-1.
  4. Complete the Add Connection fields for the desired connection.
    1. Enter the Local Address.
    2. Enter the Remote Address.
    3. Enter the Pass Phrase.
    4. Select the Mode.

    1. Click OK.
    2. Select Yes to restart the connection.
      When the connection has been successfully updated, the Internet Key Exchange Version menu displays.
  5. Select Exit in each of the menus until a command prompt is reached.

9.7 Enabling and Disabling an IPsec Connection

Perform the following steps to enable or disable an IPsec connection:
  1. Log in as admusr on the source server.
    login: admusr
    Password: <current admin user password>
  2. Enter the following command to open the platcfg menu:
    $ sudo su - platcfg

    1. Select Network Configuration.
    2. Select IPsec Configuration.
    3. Select IPsec Connections.
    4. Click Edit.

    1. Select Edit Connection.
    2. Select IPsec connection to edit.
    3. View the IPsec connection’s current configuration.
    4. Click Edit.

    1. Select Connection Control.
    2. Select IPsec connection to enable or disable.
    3. Select Enable or Disable.
  3. Click OK to enable or disable the selected IPsec connection.
  4. Select Exit in each of the menus until a command prompt is reached.

9.8 Deleting an IPsec Connection

Perform the following steps to delete an IPsec connection:
  1. Log in as admusr on the source server.
    login: admusr
    Password: <current admin user password>
  2. Enter the following command to open the platcfg menu:
    $ sudo su - platcfg

    1. Select Network Configuration.
    2. Select IPsec Configuration.
    3. Select IPsec Connections.
    4. Click Edit.

    1. Select Delete Connection.
    2. Select IPsec connection to delete.
    3. Click Yes to confirm the delete.

  3. Wait for the connection to be deleted.

    When the IPsec connection has been successfully deleted, the Connection Action menu displays.

  4. Select Exit in each of the menus until a command prompt is reached.