HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 38


but will be using a different set of keys for sending data than for receiving data. An IPsec SA is unidirectional, so a protected connection always has a pair of them, one inbound and one outbound, each with its own SPI and its own keys. If you are ever debugging IPsec issues, knowing that IPsec has two SAs and not just one will become important. Otherwise, don't worry about it.

Why would IKE Phase 2 allow me to select DH Groups again? Didn't I already do that?

The reason is "Perfect Forward Secrecy" or PFS. Without PFS, the keying material for the IPsec SAs is derived from the secret material established in the IKE Phase 1 SA. Therefore, if the Phase 1 keying material is ever compromised, every IPsec SA negotiated under it can also be compromised, including ones whose traffic was recorded earlier. PFS adds a fresh Diffie-Hellman exchange to each IKE Phase 2 negotiation, so every IPsec SA gets keying material that cannot be recovered from the Phase 1 secret alone. This configuration requires a DH group selection, which can be the same value as IKE Phase 1 (e.g., DH-2) or a different one (e.g., DH-5). Even when the same group is configured for both phases, the exchanges are separate and new ephemeral values are generated for each, so the Phase 2 shared secret is independent of the Phase 1 shared secret. There is little point in choosing a PFS group weaker than the Phase 1 group: an attacker who already holds the Phase 1 secret would then only have to solve the easier DH problem. The cost of PFS is one extra DH computation on each peer for every Phase 2 rekey. PFS is optional and should only be used if the security policy dictates it.
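The following is an added example, not part of the HP document and not Jetdirect code, that makes the PFS argument above concrete. It follows the IKEv1 key derivation of RFC 2409 (section 5 for SKEYID_d, section 5.5 for KEYMAT) using the 1024-bit MODP prime of DH group 2, with HMAC-SHA-256 standing in for the negotiated prf and a random stand-in for SKEYID (which the pre-shared key or certificate method would normally produce). The attacker model is the one the text describes: the Phase 1 secret is compromised, so the attacker can decrypt a recorded Quick Mode exchange and holds SKEYID_d, the SPI, both nonces and, with PFS, the public KE payloads. Function and variable names are this example's own.

```python
import hashlib
import hmac
import secrets

# DH group 2: the 1024-bit MODP prime of RFC 2409 section 6.2, generator 2.
# It is the "DH-2" the text mentions; modern policy prefers group 14 or
# larger, but the key-derivation logic shown here is the same for any group.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
PROTO_ESP = b"\x03"   # PROTO_IPSEC_ESP in the IPsec DOI


def prf(key, data):
    """IKEv1 prf is the negotiated HMAC; HMAC-SHA-256 stands in here."""
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1          # private exponent, never sent
    return x, pow(G, x, P)                    # (x, g^x mod p)


def skeyid_d_from_phase1(skeyid, g_xy, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)."""
    return prf(skeyid, i2b(g_xy) + cky_i + cky_r + b"\x00")


def keymat_from_phase2(skeyid_d, spi, ni, nr, g_qm_xy=None):
    """RFC 2409 section 5.5:
    KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)
    The bracketed Quick Mode DH secret is present only when PFS is in use."""
    prefix = i2b(g_qm_xy) if g_qm_xy is not None else b""
    return prf(skeyid_d, prefix + PROTO_ESP + spi + ni + nr)


def run_exchange(pfs):
    """Phase 1 followed by one Quick Mode. Returns the real ESP KEYMAT plus
    everything an attacker holds after compromising the Phase 1 SA: SKEYID_d
    and the decrypted Quick Mode payloads, which carry only public values."""
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    g_xy = pow(gr, xi, P)
    assert g_xy == pow(gi, xr, P)             # both peers agree on g^xy
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    skeyid = secrets.token_bytes(32)          # stand-in for the PSK/cert-derived SKEYID
    skeyid_d = skeyid_d_from_phase1(skeyid, g_xy, cky_i, cky_r)

    spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    leaked = {"skeyid_d": skeyid_d, "spi": spi, "ni": ni, "nr": nr}
    g_qm_xy = None
    if pfs:
        qxi, qgi = dh_keypair()               # fresh KE payloads for this Quick Mode only
        qxr, qgr = dh_keypair()
        g_qm_xy = pow(qgr, qxi, P)
        leaked["ke_i"], leaked["ke_r"] = qgi, qgr
    return keymat_from_phase2(skeyid_d, spi, ni, nr, g_qm_xy), leaked


def attacker_recovers_keymat(real_keymat, leaked):
    """Without PFS every KEYMAT input is in the attacker's hands. With PFS the
    missing term is g(qm)^xy, which needs a private exponent; substituting the
    public KE value is the best it can do from what it holds, and it fails."""
    if "ke_i" in leaked:
        guess = keymat_from_phase2(leaked["skeyid_d"], leaked["spi"],
                                   leaked["ni"], leaked["nr"], leaked["ke_i"])
    else:
        guess = keymat_from_phase2(leaked["skeyid_d"], leaked["spi"],
                                   leaked["ni"], leaked["nr"])
    return hmac.compare_digest(guess, real_keymat)


if __name__ == "__main__":
    for pfs in (False, True):
        keymat, leaked = run_exchange(pfs)
        print(f"PFS {'on ' if pfs else 'off'}: Phase 1 compromise recovers ESP keys ->",
              attacker_recovers_keymat(keymat, leaked))
```

Running it shows the two cases side by side: with PFS off, the leaked Phase 1 secret reproduces the ESP KEYMAT exactly; with PFS on, the same leak plus the full Quick Mode transcript still leaves the attacker with the Diffie-Hellman problem of the chosen group to solve.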
What are Security Association Lifetimes? What is the difference between using a time value and using a byte value? Why are they different between Phase 1 and Phase 2? What do they do?

The SA Lifetime value determines either (a) how long, in seconds, an SA may be used or (b) how much data, in bytes, an SA may protect (providing confidentiality and authentication) before it is discarded and its keys retired. In most cases, the more data that is protected by a single set of keys, the more vulnerable that key is to being discovered: an attacker collects more material under one key to analyze, and a key recovered later exposes everything that was ever sent under it. The SA lifetimes allow the administrator to rotate the keys used for data protection on a regular basis. The two limits can be combined: "Protect up to one Gigabyte of data or for up to eight hours, whichever comes first, with one set of keys". When either limit is reached, IKE renegotiates new keys without administrator intervention. A time-only limit lets a busy link protect a very large volume of data under one key, while a byte-only limit lets an idle link keep the same key indefinitely, which is why both are normally set.

Conventionally, the IKE Phase 1 SA is given a longer lifetime than the IKE Phase 2 SAs, because there is greater overhead in negotiating an IKE Phase 1 SA (the full Main Mode exchange and peer authentication) and very little data is transferred using the IKE Phase 1 SA (only the IKE Phase 2 SA negotiations, not the protected print traffic itself). However, all of these values are configurable on the basis of what is needed to comply with a given security policy. Both peers carry their own lifetime settings, so keep the Jetdirect values consistent with the IPsec policy on the peer hosts; a peer configured with a shorter lifetime will simply be the one that rekeys first.
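The following is an added example, not from the HP document, that models the lifetime behaviour just described: an SA with both a time and a byte limit, retired when whichever limit is reached first, and a Phase 1 SA that is charged only for the Quick Mode exchanges it carries. The class and function names are this example's own, the traffic rates are constructed, and the 600-byte figure for one Quick Mode exchange is a rough constructed estimate used only to show how little the Phase 1 SA transfers.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Rough size of one Quick Mode exchange (three messages); a constructed figure
# used only to show how little traffic the Phase 1 SA itself carries.
QUICK_MODE_BYTES = 600


@dataclass
class SALifetime:
    seconds: Optional[int] = None   # None: no time limit
    kbytes: Optional[int] = None    # None: no volume limit


@dataclass
class SecurityAssociation:
    name: str
    lifetime: SALifetime
    established_at: float
    bytes_protected: int = 0
    generation: int = 1             # key set number; bumps on every rekey
    rekeys: List[Tuple[int, str, float]] = field(default_factory=list)

    def expiry_reason(self, now: float) -> Optional[str]:
        """'time', 'bytes' or None: whichever limit is reached first wins."""
        lt = self.lifetime
        if lt.seconds is not None and now - self.established_at >= lt.seconds:
            return "time"
        if lt.kbytes is not None and self.bytes_protected >= lt.kbytes * 1024:
            return "bytes"
        return None

    def protect(self, nbytes: int, now: float) -> Optional[str]:
        """Charge nbytes to this SA at time `now`, then retire the key set if
        either lifetime limit has been reached. Returns the rekey reason, if any."""
        self.bytes_protected += nbytes
        reason = self.expiry_reason(now)
        if reason is not None:
            self.rekeys.append((self.generation, reason, now))
            self.generation += 1        # IKE negotiates a fresh key set
            self.established_at = now
            self.bytes_protected = 0
        return reason


def simulate_link(rate_bytes_per_s: int, duration_s: int, step_s: int,
                  ipsec_lifetime: SALifetime,
                  ike_lifetime: SALifetime = SALifetime(seconds=86400)):
    """Drive a Phase 1 (IKE) SA and the Phase 2 (ESP) SA it protects with a
    constant traffic rate. Only Quick Mode rekeys are charged to the IKE SA."""
    ike = SecurityAssociation("IKE Phase 1", ike_lifetime, established_at=0.0)
    esp = SecurityAssociation("ESP Phase 2", ipsec_lifetime, established_at=0.0)
    t = 0
    while t < duration_s:
        t += step_s
        rekeyed = esp.protect(rate_bytes_per_s * step_s, t) is not None
        ike.protect(QUICK_MODE_BYTES if rekeyed else 0, t)
    return ike, esp


if __name__ == "__main__":
    policy = SALifetime(seconds=8 * 3600, kbytes=1024 * 1024)   # 8 h or 1 GB
    # Busy print server: 10 MiB/s for ten minutes, the volume limit wins.
    ike, esp = simulate_link(10 * 1024 * 1024, 600, 1, policy)
    for gen, why, at in esp.rekeys:
        print(f"{esp.name} key set {gen} retired by {why} at t={at:.0f}s")
    print(f"{ike.name} carried only {ike.bytes_protected} bytes in that time")
    # Idle office printer: 1 KiB/s for twelve hours, the time limit wins.
    ike, esp = simulate_link(1024, 12 * 3600, 60, policy)
    for gen, why, at in esp.rekeys:
        print(f"{esp.name} key set {gen} retired by {why} at t={at:.0f}s")
```

With the 8 h / 1 GB policy the busy link rotates its ESP keys roughly every 103 seconds on volume, while the idle link keeps one key set until the eight-hour mark; in both runs the Phase 1 SA carries only a few hundred bytes of Quick Mode traffic, which is the reason the text gives for its longer lifetime.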
For a quick overview of IKE and the configuration of Phase 1 and Phase 2, let's look at the HP Jetdirect advanced configuration screens to review all the configuration parameters. Refer to Figure 29 - IKE Phase 1.

Figure 29 – IKE Phase 1

Here we make the selection between Main and Aggressive mode. For HP Jetdirect, we will always recommend that Main Mode be used: Main Mode exchanges the peer identities only after the Diffie-Hellman secret is in place, so they are protected, whereas Aggressive Mode sends the identity in the clear and, with pre-shared keys, exposes a hash that an eavesdropper can brute-force offline. The Diffie-Hellman groups are also there for our Phase 1