DCFM Enterprise User Manual (53-1001775-01, June 2010)
The following limitations apply to using IPsec:
• IPsec is not supported on 10GbE ports.
• IPsec-specific statistics are not supported.
• To change the configuration of a secure tunnel, you must delete the tunnel and recreate it.
• There is no RAS message support for IPsec.
• IPsec can only be configured on IPv4 based tunnels.
• Secure Tunnels cannot be defined with VLAN Tagged connections.
• For the 4 Gbps Router, Extension switch and blade:
- IPv6, NAT, and AH are not supported when IPsec is implemented.
- You can only create a single secure tunnel on a port; you cannot create a nonsecure tunnel on the same port as a secure tunnel.
- Jumbo frames are not supported.
IPSec for the 8 Gbps platforms
The 8 Gbps platforms use AES-GCM-ESP as a single, pre-defined mode of operation for protecting all TCP traffic over an FCIP tunnel. AES-GCM-ESP is described in RFC 4106. Key features are listed below:
• Encryption is provided by AES with 256-bit keys.
• The IKEv2 key exchange protocol is used by peer switches and blades for mutual authentication.
• IKEv2 uses UDP port 500 to communicate between the peer switches or blades.
• All IKE traffic is protected using AES-GCM-ESP encryption.
• Authentication requires the generation and configuration of 32-byte pre-shared secrets for each peer switch or blade.
• An SHA-512 hash message authentication code (HMAC) is used to check data integrity and detect third-party tampering.
• A pseudo-random function (PRF) is used to strengthen security. The PRF algorithm generates output that appears to be random data, using the SHA-512 HMAC as the seed value.
• A 2048-bit Diffie-Hellman (DH) group is used for both IKEv2 and IPsec key generation.
• The SA lifetime limits the length of time a key is used. When the SA lifetime expires, a new key is generated, limiting the amount of time an attacker has to decipher a key. Depending on the length of time elapsed or the amount of data being transferred, parts of a message may be protected by different keys generated as the SA lifetime expires. For the 7800 switch and FX8-24 blade, the SA lifetime is approximately eight hours or two gigabytes of data, whichever occurs first.
• ESP is used in transport mode. ESP uses a hash algorithm to calculate and verify an authentication value, and also encrypts the IP datagram.
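The following is an added example, not code from the manual or from the DCFM product: it models the SA lifetime rule stated above for the 7800 switch and FX8-24 blade (rekey after roughly eight hours or two gigabytes, whichever comes first) so that an administrator can see how one transfer ends up protected by more than one key, and it shows generating a 32-byte pre-shared secret of the size the text requires. The class and function names are assumptions for illustration, and "two gigabytes" is taken as 2**30 * 2 bytes.

```python
import secrets
from dataclasses import dataclass, field

# Limits as stated in the manual for the 7800 switch / FX8-24 blade.
SA_LIFETIME_SECONDS = 8 * 3600       # approximately eight hours
SA_LIFETIME_BYTES = 2 * 1024 ** 3    # two gigabytes (assumed binary GB)
PRESHARED_SECRET_BYTES = 32          # 32-byte pre-shared secret per peer


def make_preshared_secret() -> str:
    """Return a fresh 32-byte pre-shared secret as 64 hex characters (assumed format)."""
    return secrets.token_hex(PRESHARED_SECRET_BYTES)


@dataclass
class SaTracker:
    """Tracks which SA generation (key) protects each chunk of tunnel traffic."""
    generation: int = 1
    start_time: float = 0.0
    bytes_used: int = 0
    rekeys: list = field(default_factory=list)   # (time, reason, new generation)

    def _rekey(self, now: float, reason: str) -> None:
        self.generation += 1
        self.start_time = now
        self.bytes_used = 0
        self.rekeys.append((now, reason, self.generation))

    def protect(self, now: float, nbytes: int) -> list:
        """Split a transfer of nbytes at time `now` into [(generation, bytes)].

        A transfer that crosses the byte limit is protected partly by the old
        key and partly by the new one, which is the behaviour the manual warns about.
        """
        if now - self.start_time >= SA_LIFETIME_SECONDS:
            self._rekey(now, "time")
        parts, remaining = [], nbytes
        while remaining > 0:
            take = min(SA_LIFETIME_BYTES - self.bytes_used, remaining)
            parts.append((self.generation, take))
            self.bytes_used += take
            remaining -= take
            if self.bytes_used >= SA_LIFETIME_BYTES:
                self._rekey(now, "bytes")
        return parts


if __name__ == "__main__":
    t = SaTracker()
    print(t.protect(0, 1024 ** 3))              # one key
    print(t.protect(60, 3 * 1024 ** 3 // 2))    # split across two keys
    print(t.rekeys)
```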