Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

In-flight encryption and compression overview
Authentication and key generation
The DH-CHAP (Diffie Hellman - Challenge Handshake Authentication Protocol) protocol must be
configured along with the DH group 4 for port level authentication as a prerequisite for in-flight
encryption. Pre-shared secret keys must be configured on the devices at either end of the ISL to
perform authentication. Authentication secrets greater than 32 characters are recommended for
stronger encryption keys. Once the link is authenticated, the keys are generated and exchanged.
These encryption keys never expire. While the port remains online, the keys generated for the port
remain the same. When a port is disabled, segmented, or taken offline, a new set of keys is
generated when the port is enabled again.
All members of a trunk group use the same set of keys as the master port. Slave ports do not
exchange keys. If the master port goes offline causing an E_Port change, the trunk continues to
use the same set of keys.
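The guide's only stated requirement on the pre-shared secret is its length (greater than 32 characters). The following is an added example, not a Fabric OS tool, that audits candidate DH-CHAP secrets against that recommendation and generates a compliant one; the printable-ASCII character set and the 128-bit entropy floor are this example's own assumptions, not values from the guide.

```python
import math
import secrets
import string

# From the guide: secrets greater than 32 characters are recommended.
MIN_RECOMMENDED_LEN = 33
# Assumptions of this example (not stated by the guide):
ALLOWED = string.ascii_letters + string.digits + string.punctuation
MIN_ENTROPY_BITS = 128


def secret_entropy_bits(secret: str) -> float:
    """Optimistic entropy estimate: assumes each character was drawn uniformly
    from the set of distinct characters that actually appear in the secret.
    A repeated single character therefore scores zero bits."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(len(set(secret)))


def check_secret(secret: str) -> list[str]:
    """Return policy findings for a DH-CHAP pre-shared secret; empty means OK."""
    findings = []
    if len(secret) < MIN_RECOMMENDED_LEN:
        findings.append(f"length {len(secret)} is not greater than 32")
    if any(c not in ALLOWED for c in secret):
        findings.append("contains characters outside printable ASCII")
    if secret_entropy_bits(secret) < MIN_ENTROPY_BITS:
        findings.append("estimated entropy below 128 bits")
    return findings


def generate_secret(length: int = 40) -> str:
    """Draw a secret from the OS CSPRNG and retry until it passes check_secret.
    Configure the same value on both ends of the ISL, as the guide requires."""
    if length < MIN_RECOMMENDED_LEN:
        raise ValueError("length must be greater than 32")
    while True:
        candidate = "".join(secrets.choice(ALLOWED) for _ in range(length))
        if not check_secret(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed samples: one too short, one long but repetitive, one generated.
    for sample in ("short", "a" * 40, generate_secret()):
        print(repr(sample), "->", check_secret(sample) or "OK")
```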
Availability considerations
For FC16-32 or FC16-48 blades, if the two ports configured for encryption or compression within
the same chip are not configured for trunking, it is recommended to connect each ISL to a different
chip on the peer switch. Similarly, configure the two ports on the other chip of the blade. If the ports
are configured for trunking, it is recommended to connect each trunk group to different chips of the
peer switch. Configuring all 4 ports of the blade with this suggested configuration will provide
redundancy in the event of encryption/compression port failures.
For the Brocade 6510, if its two ports are not configured for trunking, it is recommended to connect
each ISL to different chips of the peer switch.
NOTE
If any port in the chip with encryption/compression enabled encounters rare error conditions that
would need error recovery to be performed on the encryption engine within that chip, it causes all
encryption/compression enabled ports (maximum of two ports) on that chip to go offline.
VF mode considerations
The E_Ports in the user-created logical switch, base switch, or default switch can support
encryption and compression. You can configure encryption on XISL ports, but not on LISL ports.
However, frames from the LISL ports are implicitly encrypted or compressed as they pass through
encryption/compression enabled XISL ports.
If an encryption or compression enabled port needs to be moved from one logical switch to another
logical switch, the movement of the port is blocked. You must disable the encryption and
compression configurations before moving the port, and then enable encryption and compression
after the port has moved.
Recommendation for compression
When configuring compression on long distance ports, it is recommended to configure the long
distance ports with double the number of buffers. This can be done by configuring the port with
long distance LS mode and specifying the number of buffers to allocate to the port.