Fabric OS FCIP Administrator's Guide (53-1002474-01)

IPsec implementation over FCIP tunnels
Limitations using IPsec over FCIP tunnels

The following limitations apply to using IPsec:
• Network Address Translation (NAT) is not supported.
• Authentication Header (AH) is not supported.
• IPsec-specific statistics are not supported.
• There is no RAS message support for IPsec.
• IPsec can only be configured on IPv4-based tunnels.
• On an FX8-24 blade, IPsec is supported only on VE group 12-21, not on VE group 22-31.
• To enable IPsec with Fabric OS v7.0.0 or later, both ends of the tunnel must be running v7.0.0 or later.
NOTE: IPsec is not allowed when the --connection-type FCIP tunnel option is set to anything other than default.
IPsec for the 7800 switch and FX8-24 blade

Advanced Encryption Standard, Galois/Counter Mode, Encapsulating Security Payload (AES-GCM-ESP) is used as a single, predefined mode of operation for protecting all TCP traffic over an FCIP tunnel. AES-GCM-ESP is described in RFC 4106. The following list contains the key features of AES-GCM-ESP:
• Encryption is provided by AES with 256-bit keys.
• The IKEv2 key exchange protocol is used by peer switches and blades for mutual authentication.
• IKEv2 uses UDP port 500 to communicate between the peer switches or blades.
• All IKE traffic is protected using AES-GCM-ESP encryption.
• Authentication requires the generation and configuration of a 32-byte pre-shared secret for each tunnel.
• An SHA-512 hash message authentication code (HMAC) is used to check data integrity and detect third-party tampering.
• A pseudo-random function (PRF) is used to strengthen security. The PRF, built on the SHA-512 HMAC, generates output that appears to be random data.
• A 2048-bit Diffie-Hellman (DH) group is used for both IKEv2 and IPsec key generation.
• The SA lifetime limits the length of time a key is used. When the SA lifetime expires, a new key is generated, limiting the time an attacker has to recover a key. Depending on how much time has elapsed or how much data is being transferred, parts of a message may be protected by different keys generated as SA lifetimes expire. For the 7800 switch and FX8-24 blade, the SA lifetime is approximately eight hours or two billion frames of data.
• Encapsulating Security Payload (ESP) is used in transport mode. ESP uses a hash algorithm to calculate and verify an authentication value, and also encrypts the IP datagram.
• A circuit in a non-secure tunnel can use the same GbE interface as a circuit in a secure tunnel. Each circuit can have a route configured on that GbE interface.
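The feature list above names the building blocks of the AES-GCM-ESP profile (a 32-byte pre-shared secret, an HMAC-SHA-512 PRF, 256-bit AES-GCM keys, ESP in transport mode, and an SA lifetime of eight hours or two billion frames) without showing how they fit together. The Go program below is an added illustration written for this page; it is not code from the guide or from the switch firmware. It derives a 256-bit AES-GCM key and the RFC 4106 salt from the pre-shared secret with an HMAC-SHA-512 PRF, protects frames in an ESP-style transport-mode encapsulation (SPI, sequence number, 8-byte IV, ciphertext, 16-byte GCM tag), and refuses to send once either lifetime bound is reached. The key derivation is a hypothetical stand-in for IKEv2 (it omits the 2048-bit DH exchange and the SPIs that the real SKEYSEED includes), and the secret, nonces, SPI values and frame contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// SA lifetime bounds the guide states for the 7800 switch and FX8-24 blade.
const (
	saLifetimeDuration = 8 * time.Hour
	saLifetimeFrames   = 2_000_000_000
	pskLen             = 32 // one 32-byte pre-shared secret per tunnel
)

var ErrLifetimeExpired = errors.New("SA lifetime reached: rekey before sending more frames")

// prf is the HMAC-SHA-512 pseudo-random function (PRF_HMAC_SHA2_512 in IKEv2 terms).
func prf(key, data []byte) []byte {
	m := hmac.New(sha512.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// deriveKeymat expands the PSK and both peers' nonces into a 256-bit AES-GCM key and the 4-byte RFC 4106
// salt; generation is bumped on each rekey. Hypothetical stand-in for IKEv2, which also mixes in DH and SPIs.
func deriveKeymat(psk, nonceI, nonceR []byte, generation uint32) (key, salt []byte, err error) {
	if len(psk) != pskLen {
		return nil, nil, fmt.Errorf("pre-shared secret must be %d bytes, got %d", pskLen, len(psk))
	}
	skeyseed := prf(psk, append(append([]byte{}, nonceI...), nonceR...))
	keymat := prf(skeyseed, binary.BigEndian.AppendUint32(append([]byte{}, nonceI...), generation))
	return keymat[:32], keymat[32:36], nil
}

// SA is one direction of an AES-256-GCM ESP security association in transport mode.
type SA struct {
	aead    cipher.AEAD
	salt    []byte
	spi     uint32
	seq     uint64 // ESP sequence number, also the frame count and the 64-bit GCM IV
	created time.Time
	now     func() time.Time // injectable clock so the time bound is testable
}

func NewSA(key, salt []byte, spi uint32, now func() time.Time) (*SA, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SA{aead: aead, salt: append([]byte{}, salt...), spi: spi, created: now(), now: now}, nil
}

// Expired reports whether the time bound or the frame-count bound has been reached.
func (s *SA) Expired() bool {
	return s.now().Sub(s.created) >= saLifetimeDuration || s.seq >= saLifetimeFrames
}

// Protect encapsulates one frame as SPI(4) || seq(4) || IV(8) || ciphertext || 16-byte tag;
// the SPI/seq header is bound to the tag as GCM additional data.
func (s *SA) Protect(frame []byte) ([]byte, error) {
	if s.Expired() {
		return nil, ErrLifetimeExpired
	}
	s.seq++
	hdr := binary.BigEndian.AppendUint32(nil, s.spi)
	hdr = binary.BigEndian.AppendUint32(hdr, uint32(s.seq))
	hdr = binary.BigEndian.AppendUint64(hdr, s.seq)
	nonce := append(append([]byte{}, s.salt...), hdr[8:16]...) // salt || IV = 12-byte nonce
	return s.aead.Seal(hdr, nonce, frame, append([]byte{}, hdr[:8]...)), nil
}

// Unprotect verifies the tag (integrity and tamper detection) before returning the frame.
func (s *SA) Unprotect(pkt []byte) ([]byte, error) {
	if len(pkt) < 16+s.aead.Overhead() {
		return nil, errors.New("packet shorter than ESP header plus tag")
	}
	nonce := append(append([]byte{}, s.salt...), pkt[8:16]...)
	return s.aead.Open(nil, nonce, pkt[16:], pkt[:8])
}

func main() {
	// Constructed demo inputs; a real tunnel uses its configured secret and the IKEv2 nonces.
	key, salt, _ := deriveKeymat([]byte("constructed-32-byte-pre-shared-k"), []byte("initiator-nonce"), []byte("responder-nonce"), 1)
	tx, _ := NewSA(key, salt, 0x1001, time.Now)
	rx, _ := NewSA(key, salt, 0x1001, time.Now)
	pkt, _ := tx.Protect([]byte("constructed FCIP frame"))
	frame, err := rx.Unprotect(pkt)
	fmt.Printf("recovered %q err=%v\n", frame, err)
}
```

Two points the code makes that the list only implies: a single flipped bit anywhere in the header or ciphertext fails the GCM tag check, which is the "third-party tampering" detection the guide attributes to the HMAC, and the sender stops at the lifetime bound rather than reusing key material, so the peer's rekey (a new generation value here, a fresh IKEv2 child SA on the switch) has to be in place before the old SA runs out. An anti-replay window on the receiver, which ESP also provides, is left out to keep the example short.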