The IPsec implementation for Data ONTAP conforms to the Internet Engineering Task Force (IETF) Security Architecture for the Internet Protocol (RFC 2401) and related protocols.
The implementation has some restrictions that might affect how you deploy IPsec on your storage system and its clients; you should be aware of them before you begin implementing IPsec.
The following restrictions apply to the IPsec implementation in Data ONTAP:
- Only clients running Solaris or Windows 2000 or later are supported for IPsec connections.
The following authentication methods are supported:
- For Solaris—preshared keys authentication and certificate authentication.
- For Windows—preshared keys authentication, certificate authentication, and Kerberos authentication; however, Kerberos authentication is available only for Windows Domains, not Windows Workgroups.
- Between storage systems—preshared keys authentication and certificate authentication.
The following restrictions apply to these authentication methods:
- Data ONTAP supports preshared keys and Kerberos key exchange mechanisms, but it cannot be configured to use a specific mechanism. Instead, Data ONTAP relies on the client to specify which key exchange mechanism to use.
- For certificate authentication, Data ONTAP supports v3 certificates in accordance with RFC 3280, but it does not support Certificate Revocation Lists (CRLs).
- You cannot configure the parameters associated with a security association (SA) in Data ONTAP, for example how long the SA is valid or how many bytes of data can pass through it before it is renegotiated. Instead, Data ONTAP uses the SA parameters that the client proposes.
- IPsec encryption of traffic over 10GbE TOE NICs is not processed at line rate.
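Because Data ONTAP accepts only v3 certificates and never consults a CRL, it is worth checking a certificate before deploying it for IPsec authentication: confirm that it really is X.509 v3 (encoded as version INTEGER 2), and note whether it carries a CRL Distribution Points extension that will simply be ignored on the storage side. The following Python is an added example, not Data ONTAP code or a NetApp tool; it walks the certificate's DER structure directly so it runs offline with no third-party library, and it builds its own minimal, unsigned sample certificate (a constructed stand-in, not a usable credential) to exercise the check.

```python
# Added example: pre-deployment check of an X.509 certificate's version and
# CRL Distribution Points extension, written against the DER layout of
# RFC 3280. Only the fields the check needs are interpreted; everything else
# is skipped as opaque TLV data.

CRL_DP_OID = "2.5.29.31"   # id-ce-cRLDistributionPoints (RFC 3280 4.2.1.14)


def der_len(n):
    """DER length encoding: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def seq(*parts):
    return tlv(0x30, b"".join(parts))


def integer(v):
    # Positive INTEGER with a leading zero byte when the high bit is set.
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def oid(dotted):
    """Encode a dotted OID: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def parse_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split a constructed value into its (tag, value) children."""
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        items.append((tag, val))
    return items


def check_certificate(der):
    """Report the X.509 version and whether a CRL DP extension is present."""
    tag, cert_body, _ = parse_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_fields = children(children(cert_body)[0][1])
    # version is [0] EXPLICIT INTEGER, DEFAULT v1 (absent means v1).
    if tbs_fields[0][0] == 0xA0:
        version = int.from_bytes(children(tbs_fields[0][1])[0][1], "big") + 1
    else:
        version = 1
    has_crl_dp = False
    crl_dp_body = oid(CRL_DP_OID)[2:]
    for ftag, fval in tbs_fields:
        if ftag == 0xA3:                      # [3] EXPLICIT Extensions
            for _, ext_body in children(children(fval)[0][1]):
                if children(ext_body)[0][1] == crl_dp_body:
                    has_crl_dp = True
    return {
        "version": version,
        "has_crl_distribution_points": has_crl_dp,
        # Data ONTAP requires v3; a CRL DP, if present, will not be consulted.
        "ontap_compatible": version == 3,
    }


def build_sample_cert(version=3, with_crl_dp=True):
    """Constructed, unsigned placeholder certificate for exercising the check."""
    alg = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))   # sha256WithRSA, NULL
    name = seq()                                              # empty Name
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z"))
    spki = seq(alg, tlv(0x03, b"\x00" * 9))                   # placeholder key bits
    fields = []
    if version >= 2:
        fields.append(tlv(0xA0, integer(version - 1)))
    fields += [integer(1), alg, name, validity, name, spki]
    if version == 3 and with_crl_dp:
        fields.append(tlv(0xA3, seq(seq(oid(CRL_DP_OID), tlv(0x04, seq(seq()))))))
    return seq(seq(*fields), alg, tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    print(check_certificate(build_sample_cert()))
```

To run the check against a real certificate, load the DER bytes from disk (convert PEM with `openssl x509 -outform DER` first) and pass them to `check_certificate`; a result with `ontap_compatible` false, or with a CRL Distribution Points extension present, tells you the certificate either will not be accepted or will be accepted without any revocation checking, so revocation has to be handled by reissuing and replacing certificates on the storage system.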
For more information about implementation and standards, see the na_ipsec(1) man page.