IPSec records

Table 1 lists the changes made to the IPSec SMF record type 119 in z/OS V1R13.

Table 2 lists the changes made to the IPSec SMF record type 119 in z/OS V1R12.

Table 1. Summary of new and changed Communications Server SMF record type 119 - IPSec records in z/OS V1R13
Record type Record field Release Description Reason for change
IPSec IKE tunnel activation and refresh, IPSec IKE tunnel deactivation and expire IPSec common IKE tunnel specific section V1R13 Subtype 73 is updated; offset 206(x'CE') for the field SMF119IS_IKETunNATTLevel supports two additional values:
  • SMF119IS_IKETUN_NATTV2 (6)
  • SMF119IS_IKETUN_NATTV2ZOS (7)
The following fields previously reported 0 for all IKEv2 tunnels because NAT traversal was not supported for IKEv2. They are now set appropriately when an IKEv2 tunnel traverses one or more NAT devices:
  • SMF119IS_IKETunLclNAT
  • SMF119IS_IKETunRmtNAT
  • SMF119IS_IKETunRmtNAPT
  • SMF119IS_IKETunCanInitP1
  • SMF119IS_IKETunRmtUDPPort
 Network address translation traversal support for IKE version 2
IPSec dynamic tunnel activation and refresh, IPSec dynamic tunnel deactivation, IPSec dynamic tunnel added, and IPSec dynamic tunnel removed Dynamic tunnel section V1R13 The following fields previously reported 0 for all IKEv2 tunnels because NAT traversal was not supported for IKEv2. They are now set appropriately when an IKEv2 tunnel traverses one or more NAT devices:
  • SMF119IS_IPDynLclNAT
  • SMF119IS_IPDynRmtNAT
  • SMF119IS_IPDynRmtNAPT
  • SMF119IS_IPDynRmtGW
  • SMF119IS_IPDynRmtZOS
  • SMF119IS_IPDynCanInitP2
  • SMF119IS_IKETunRmtUDPPort
  • SMF119IS_IPDynSrcNATOA
  • SMF119IS_IPDynDstNATOA
 Network address translation traversal support for IKE version 2
Table 2. Summary of new and changed Communications Server SMF record type 119 - IPSec records in z/OS V1R12
Record type Record field Release Description Reason for change
IPSec IKE tunnel activation and refresh, IPSec IKE tunnel deactivation and expire IPSec common IKE tunnel specific section V1R12 Subtype 73 has the following updates:
  • Offset 0 (x'0') has a new bit for FIPS mode:
    • x'02000000', SMF119IS_IKETunFIPS140.
  • Offset 198(x'C6') for the SMF119IS_IKETunAuthAlg record has new values and also changed descriptions of existing values. The new values are:
    • SMF119IS_AUTH_HMAC_SHA2_256_128 (7)
    • SMF119IS_AUTH_AES128_XCBC (9)
    • SMF119IS_AUTH_HMAC_SHA2_384_192 (13)
    • SMF119IS_AUTH_HMAC_SHA2_512_256 (14)
    The following existing values have changed descriptions:
    • SMF119IS_AUTH_HMAC_MD5 (38)
    • SMF119IS_AUTH_HMAC_SHA1 (39)
    • SMF119IS_AUTH_HMAC_MD5_96 (40)
    • SMF119IS_AUTH_HMAC_SHA1_96 (41)
  • Offset 199(x'C7') for the SMF119IS_IKETunEncryptAlg record has a changed possible value. The old value was SMF119IS_ENCR_AES(12) and the new value is SMF119IS_ENCR_AES_CBC (12).
  • Offset 204('xCC') for record SMF119IS_IKETunPeerAuthMethod has the following new values:
    • SMF119IS_IKETUN_ECDSA_256 (4)
    • SMF119IS_IKETUN_ECDSA_384 (5)
    • SMF119IS_IKETUN_ECDSA_521 (6)
  • Offset 238(x'EE') for the SMF119IS_IKETunPseudoRandomFunc record has the following new values:
    • SMF119IS_AUTH_HMAC_SHA2_256 (15)
    • SMF119IS_AUTH_HMAC_SHA2_384 (16)
    • SMF119IS_AUTH_HMAC_SHA2_512 (17)
    • SMF119IS_AUTH_AES128_XCBC (18)
  • Offset 239(x'EF') for record SMF119IS_IKETunLocalAuthMethod has the following new values:
    • SMF119IS_IKETUN_ECDSA_256 (4)
    • SMF119IS_IKETUN_ECDSA_384 (5)
    • SMF119IS_IKETUN_ECDSA_521 (6)
  • 252(x'FC') offset has a new record for SMF119IS_IKETunEncryptKeyLength.
 IKE version 2 support
IPSec IKE tunnel activation and refresh, IPSec IKE tunnel deactivation and expire (continued) IPSec common IKE tunnel specific section (continued) V1R12
Subtype 75 has the following updates:
  • Offset 96(x'60') has a new bit for FIPS mode: x'40000000', SMF119IS_IPTunFIPS140
  • Offset 138(x'8A') for the SMF119IS_IPTunAuthAlg record has new values and also changed descriptions of existing values. The new values are:
    • SMF119IS_AUTH_NULL (0)
    • SMF119IS_AUTH_AES_GMAC_128 (4)
    • SMF119IS_AUTH_AES_GMAC_256 (6)
    • SMF119IS_AUTH_HMAC_SHA2_256_128 (7)
    • SMF119IS_AUTH_AES128_XCBC_96 (9)
    • SMF119IS_AUTH_HMAC_SHA2_384_192 (13)
    • SMF119IS_AUTH_HMAC_SHA2_512_256 (14)
    The following existing values have changed descriptions:
    • SMF119IS_AUTH_HMAC_MD5 (38)
    • SMF119IS_AUTH_HMAC_SHA1 (39)
  • Offset 139(x'8B') for the SMF119IS_IPTunEncryptAlg record has a new value:
    • SMF119IS_ENCR_AES_GCM_16 (20)

    It also has a changed value; the value SMF119IS_ENCR_AES (12) changed to SMF119IS_ENCR_AES_CBC (12).

  • Offset 160(x'A0') has a new record for SMF119IS_IPTunEncryptKeyLength.
 IKE version 2 support
Parent topic: SMF record type 119 enhancements