Understanding Common Criteria and FIPS Terminology and Supported Cryptographic Algorithms
Use the definitions of Common Criteria and FIPS terms and the list of supported algorithms to help you understand Junos OS in FIPS mode.
The FIPS maintenance role is not supported on Junos OS in FIPS mode.
Fixed-configuration switches running Junos OS in FIPS mode require an IPsec SA because the Routing Engine communicates with system processes through logical connections; the switch therefore needs an internal, manual IPsec SA to protect those logical communications while it runs in FIPS mode. By design, the switch has some innate characteristics of a master switch in a Virtual Chassis, and this use of logical communications is one of them. In a multimember Virtual Chassis, the master switch’s Routing Engine would send control messages to the Routing Engines of the other member switches over those built-in logical communications. Do not configure a Virtual Chassis in FIPS mode. Note, however, that the IPsec SA is still required on your single switch to protect the built-in logical connections.
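The two rules in the paragraph above (an internal, manual IPsec SA must be present, and no Virtual Chassis may be configured) can be checked against the saved output of show configuration | display set. The Python below is an added example, not Juniper code: the function name audit_fips_config is hypothetical, the statement paths are assumptions based on the Junos hierarchy [edit security ipsec internal security-association manual], and both sample configurations are constructed.

```python
# Added example (not Juniper code). Statement paths are assumptions based on
# the Junos hierarchy [edit security ipsec internal security-association manual].
SA_PREFIX = "security ipsec internal security-association manual direction "
REQUIRED_LEAVES = ("protocol", "spi", "encryption algorithm", "encryption key")

# Constructed sample: a single switch with the internal SA fully configured.
SAMPLE_OK = """\
set system host-name fips-switch
set security ipsec internal security-association manual direction bidirectional protocol esp
set security ipsec internal security-association manual direction bidirectional spi 512
set security ipsec internal security-association manual direction bidirectional encryption algorithm 3des-cbc
set security ipsec internal security-association manual direction bidirectional encryption key ascii-text "CONSTRUCTED-PLACEHOLDER"
"""
# Constructed sample: the SA is deactivated and a Virtual Chassis is configured.
SAMPLE_BAD = SAMPLE_OK + """\
deactivate security ipsec internal
set virtual-chassis member 0 mastership-priority 255
"""


def audit_fips_config(display_set_text):
    """Return a list of findings; an empty list means both rules hold."""
    active, deactivated = [], []
    for raw in display_set_text.splitlines():
        verb, _, path = raw.strip().partition(" ")
        if verb == "set":
            active.append(path)
        elif verb == "deactivate":
            deactivated.append(path)
    # Statements at or below a deactivated path are ignored at commit time.
    live = [p for p in active
            if not any(p == d or p.startswith(d + " ") for d in deactivated)]

    findings = []
    # Drop the prefix and the direction keyword, keeping "<leaf> <value>".
    sa_leaves = [p[len(SA_PREFIX):].partition(" ")[2]
                 for p in live if p.startswith(SA_PREFIX)]
    if not sa_leaves:
        findings.append("missing internal manual IPsec SA")
    for leaf in REQUIRED_LEAVES if sa_leaves else ():
        if not any(s.startswith(leaf + " ") for s in sa_leaves):
            findings.append("internal IPsec SA lacks " + leaf)
    if any((p + " ").startswith("virtual-chassis ") for p in live):
        findings.append("Virtual Chassis is configured")
    return findings


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_fips_config(text))
```

The deactivate handling matters because a deactivated internal SA still appears as set lines in the output while providing no protection.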
Supported Cryptographic Algorithms
For FIPS 140-2 compliance, use only FIPS-approved cryptographic algorithms in Junos OS in FIPS mode.
The following cryptographic algorithms are supported in FIPS mode. Symmetric methods use the same key for encryption and decryption, while asymmetric methods use different keys for encryption and decryption.
3DES is supported only in FIPS.