Brocade Web Tools Administrator's Guide - Supporting Fabric OS v7.0.0 (53-1002152-01, March 2012)
Web Tools Adminstrator’s Guide 205
53-1002152-01
IPsec over FCIP
16
For example, if a 200 MB file is transferred with a 100 MB lifetime, at least two keys are generated.
If a communication takes one hour, and you specify a lifetime of 300 seconds (five minutes), more
than 12 keys may be generated to complete the communication.
The SA lifetime limits the length of time a key is used before it is replaced by a new key, thus
limiting the amount of time a given key is available to a potential attacker. Part of a message may
be protected by an old key, while new keys protect the remainder of the message, so even if an
attacker deciphers one key, only a portion of the message is vulnerable.
Diffie-Hellman groups
Diffie-Hellman (DH) groups are used to determine the length of the base prime numbers for the
Diffie-Hellman exchange. Diffie-Hellman key exchange is a cryptographic protocol that allows two
parties that have no prior knowledge of each other to jointly establish a shared secret key over an
insecure communications channel.
DH group choices are 1(modp768), 2(modp1024), 14(modp2048), and 18(modp8192). Each
group provides an incrementally more secure key exchange by providing more bits (768, 1024,
2048, 8192).
Authentication methods
The methods used to authenticate the IKE peer are preshared key (psk), DSS digital signature
(dss), and RSA digital signature (rsasig):
• A Preshared key (PSK) is a shared secret that is shared between two parties over a secure
channel before it is used. Typically, the PSK is a password or pass phrase. PSKs are created in
the end systems used by the two parties. There are several tools available to help select a
strong key that will work with various operating systems. When choosing a tool and creating a
PSK, keep in mind that the cryptographic strength of a key generally increases with length.
• The Digital Signature Standard (DSS) makes use of a private key to generate a digital
signature. Each user possesses a private and public key pair. Signature generation can be
performed only by the possessor of the user's private key. The digital signature is sent to the
intended verifier in a message. The verifier of the message and signature verifies the signature
by using the sender's public key.
• The RSA digital signature process uses a private key to encrypt only the message digest. The
encrypted message digest becomes the digital signature and is attached to the original data.
To verify the contents of digitally signed data, the recipient generates a new message digest
from the data that was received, decrypts the original message digest with the originator's
public key, and compares the decrypted digest with the newly generated digest. If the two
digests match, the integrity of the message is verified. The identity of the originator also is
confirmed because the public key can decrypt only data that has been encrypted with the
corresponding private key.
IPsec over FCIP
FR4-81i blades use FCIP protocol to IP to carry Fibre Channel traffic over IP networks. IPsec can be
used to secure the IP flows over an FCIP tunnel.
At a high level, the steps to take are:
• Access the IPsec Policies dialog box.
• Create an IKE policy for authentication.