2.2.71 FW_PHASE2_CRYPTO_SUITE

This structure describes an IPsec Phase 2 (or quick mode) cryptographic suite. A cryptographic suite is a proposal of a set of algorithms and parameters that specifies how IPsec enforcement and protection are to be performed for the traffic covered by the security association. It also specifies the lifetime for which a negotiated key is valid, in minutes and in kilobytes of traffic, after which a re-keying operation is performed.

 typedef struct _tag_FW_PHASE2_CRYPTO_SUITE {
   [range(FW_CRYPTO_PROTOCOL_INVALID+1,FW_CRYPTO_PROTOCOL_MAX-1)]
     FW_CRYPTO_PROTOCOL_TYPE Protocol;
   FW_CRYPTO_HASH_TYPE AhHash;
   FW_CRYPTO_HASH_TYPE EspHash;
   FW_CRYPTO_ENCRYPTION_TYPE Encryption;
   unsigned long dwTimeoutMinutes;
   unsigned long dwTimeoutKBytes;
   unsigned long dwP2CryptoSuiteFlags;
 } FW_PHASE2_CRYPTO_SUITE,
  *PFW_PHASE2_CRYPTO_SUITE;

Protocol: This field is of type FW_CRYPTO_PROTOCOL_TYPE, and it specifies the IPsec enforcement protocol combination (AH, ESP, or both) proposed for this suite. The range attribute excludes FW_CRYPTO_PROTOCOL_INVALID and FW_CRYPTO_PROTOCOL_MAX themselves.

AhHash: This field is of type FW_CRYPTO_HASH_TYPE. It specifies the hash (integrity protection) algorithm for this suite proposal when the Authentication Header (AH) protocol is used.

EspHash: This field is of type FW_CRYPTO_HASH_TYPE. It specifies the hash (integrity protection) algorithm for this suite proposal when the Encapsulating Security Payload (ESP) protocol is used.

Encryption: This field is of type FW_CRYPTO_ENCRYPTION_TYPE. It specifies the encryption algorithm for this suite proposal.

dwTimeoutMinutes: This field specifies the timeout, or lifetime, in minutes of the key negotiated with this proposal. When the lifetime elapses, the key is no longer valid and a re-keying operation is performed.

dwTimeoutKBytes: This field specifies the timeout, or lifetime, of the key negotiated with this proposal in kilobytes of traffic processed under this configuration. Whichever of the two lifetimes is reached first triggers re-keying.

dwP2CryptoSuiteFlags: This field is reserved and is not used. It MUST be set to 0x00000000.

The following are semantic validation checks that Phase 2 cryptographic suites MUST pass:

  • The dwTimeoutMinutes field MUST be greater than or equal to 5 and less than or equal to 2,879.

  • The dwTimeoutKBytes field MUST be greater than or equal to 20,480 and less than or equal to 2,147,483,647.

  • If the Protocol field is FW_CRYPTO_PROTOCOL_AH or FW_CRYPTO_PROTOCOL_BOTH, the AhHash field MUST NOT be equal to FW_CRYPTO_HASH_NONE.

  • If the Protocol field is FW_CRYPTO_PROTOCOL_BOTH, the AhHash field MUST be equal to the EspHash field.

  • If the Protocol field is FW_CRYPTO_PROTOCOL_BOTH or FW_CRYPTO_PROTOCOL_ESP, at least one of EspHash and Encryption MUST be set to a value other than NONE: EspHash MUST NOT be FW_CRYPTO_HASH_NONE, or Encryption MUST NOT be FW_CRYPTO_ENCRYPTION_NONE, and the two fields MUST NOT both be NONE. An ESP proposal with neither integrity protection nor encryption would provide no protection at all; integrity only, encryption only, and integrity with encryption are all acceptable.
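The checks above, applied in one place, as an added example that is not part of this specification or of any Windows implementation. The enumerations are stand-ins: only the members named on this page are defined, their numeric values are assumed, and FW_CRYPTO_HASH_SHA1 and FW_CRYPTO_ENCRYPTION_AES128 are hypothetical placeholders for a real hash and cipher identifier. The validator also enforces the [range] attribute on Protocol and the reserved-flags rule from the field descriptions, and returns a distinct code for each rule so a caller can report which constraint a proposal violated.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in enumerations (assumed values; only members named in this section,
 * plus one hypothetical hash and one hypothetical cipher identifier). */
typedef enum {
    FW_CRYPTO_PROTOCOL_INVALID = 0,
    FW_CRYPTO_PROTOCOL_AH      = 1,
    FW_CRYPTO_PROTOCOL_ESP     = 2,
    FW_CRYPTO_PROTOCOL_BOTH    = 3,
    FW_CRYPTO_PROTOCOL_MAX     = 4   /* assumed: one past the last valid value */
} FW_CRYPTO_PROTOCOL_TYPE;

typedef enum {
    FW_CRYPTO_HASH_NONE = 0,
    FW_CRYPTO_HASH_SHA1 = 1          /* hypothetical placeholder */
} FW_CRYPTO_HASH_TYPE;

typedef enum {
    FW_CRYPTO_ENCRYPTION_NONE   = 0,
    FW_CRYPTO_ENCRYPTION_AES128 = 1  /* hypothetical placeholder */
} FW_CRYPTO_ENCRYPTION_TYPE;

typedef struct _tag_FW_PHASE2_CRYPTO_SUITE {
    FW_CRYPTO_PROTOCOL_TYPE   Protocol;
    FW_CRYPTO_HASH_TYPE       AhHash;
    FW_CRYPTO_HASH_TYPE       EspHash;
    FW_CRYPTO_ENCRYPTION_TYPE Encryption;
    unsigned long             dwTimeoutMinutes;
    unsigned long             dwTimeoutKBytes;
    unsigned long             dwP2CryptoSuiteFlags;
} FW_PHASE2_CRYPTO_SUITE, *PFW_PHASE2_CRYPTO_SUITE;

/* One code per rule so the caller can say exactly what was rejected. */
typedef enum {
    P2_OK = 0,
    P2_ERR_PROTOCOL_RANGE,       /* [range] attribute on Protocol */
    P2_ERR_FLAGS_NOT_ZERO,       /* dwP2CryptoSuiteFlags reserved, MUST be 0 */
    P2_ERR_TIMEOUT_MINUTES,      /* 5 <= minutes <= 2879 */
    P2_ERR_TIMEOUT_KBYTES,       /* 20480 <= kbytes <= 2147483647 */
    P2_ERR_AH_HASH_NONE,         /* AH or BOTH requires an AH hash */
    P2_ERR_AH_ESP_HASH_MISMATCH, /* BOTH requires AhHash == EspHash */
    P2_ERR_ESP_NO_PROTECTION     /* ESP or BOTH: not both hash and cipher NONE */
} P2_VALIDATION_RESULT;

P2_VALIDATION_RESULT ValidatePhase2CryptoSuite(const FW_PHASE2_CRYPTO_SUITE *s)
{
    /* Unsigned compare rejects INVALID (0), MAX and anything out of range,
     * including negative values smuggled in through the enum. */
    if ((unsigned)s->Protocol == (unsigned)FW_CRYPTO_PROTOCOL_INVALID ||
        (unsigned)s->Protocol >= (unsigned)FW_CRYPTO_PROTOCOL_MAX)
        return P2_ERR_PROTOCOL_RANGE;
    if (s->dwP2CryptoSuiteFlags != 0x00000000UL)
        return P2_ERR_FLAGS_NOT_ZERO;
    if (s->dwTimeoutMinutes < 5UL || s->dwTimeoutMinutes > 2879UL)
        return P2_ERR_TIMEOUT_MINUTES;
    if (s->dwTimeoutKBytes < 20480UL || s->dwTimeoutKBytes > 2147483647UL)
        return P2_ERR_TIMEOUT_KBYTES;

    bool usesAh  = (s->Protocol == FW_CRYPTO_PROTOCOL_AH  || s->Protocol == FW_CRYPTO_PROTOCOL_BOTH);
    bool usesEsp = (s->Protocol == FW_CRYPTO_PROTOCOL_ESP || s->Protocol == FW_CRYPTO_PROTOCOL_BOTH);

    if (usesAh && s->AhHash == FW_CRYPTO_HASH_NONE)
        return P2_ERR_AH_HASH_NONE;
    if (s->Protocol == FW_CRYPTO_PROTOCOL_BOTH && s->AhHash != s->EspHash)
        return P2_ERR_AH_ESP_HASH_MISMATCH;
    /* "Not both NONE": integrity only, encryption only, or both are fine. */
    if (usesEsp && s->EspHash == FW_CRYPTO_HASH_NONE &&
        s->Encryption == FW_CRYPTO_ENCRYPTION_NONE)
        return P2_ERR_ESP_NO_PROTECTION;
    return P2_OK;
}

int main(void)
{
    /* Constructed proposals: a sound one and one per failure mode. */
    const FW_PHASE2_CRYPTO_SUITE samples[] = {
        { FW_CRYPTO_PROTOCOL_ESP,  FW_CRYPTO_HASH_NONE, FW_CRYPTO_HASH_SHA1, FW_CRYPTO_ENCRYPTION_AES128, 60, 102400, 0 },
        { FW_CRYPTO_PROTOCOL_ESP,  FW_CRYPTO_HASH_NONE, FW_CRYPTO_HASH_NONE, FW_CRYPTO_ENCRYPTION_NONE,   60, 102400, 0 },
        { FW_CRYPTO_PROTOCOL_BOTH, FW_CRYPTO_HASH_SHA1, FW_CRYPTO_HASH_NONE, FW_CRYPTO_ENCRYPTION_AES128, 60, 102400, 0 },
        { FW_CRYPTO_PROTOCOL_AH,   FW_CRYPTO_HASH_NONE, FW_CRYPTO_HASH_NONE, FW_CRYPTO_ENCRYPTION_NONE,   60, 102400, 0 },
        { FW_CRYPTO_PROTOCOL_ESP,  FW_CRYPTO_HASH_NONE, FW_CRYPTO_HASH_SHA1, FW_CRYPTO_ENCRYPTION_AES128,  4, 102400, 0 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("proposal %zu -> result code %d\n", i, (int)ValidatePhase2CryptoSuite(&samples[i]));
    return 0;
}
```

Because the checks are ordered, a proposal that violates several rules reports only the first one; a caller that wants every violation at once would collect codes into a bitmask instead of returning early.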