Brocade Fabric OS FCIP Administrator's Guide v7.1.0 (53-1002748-01, March 2013)

IPsec implementation over FCIP tunnels
Internet Protocol security (IPsec) uses cryptographic security to ensure private, secure
communications over Internet Protocol networks. IPsec supports network-level data integrity, data
confidentiality, data origin authentication, and replay protection. It helps secure your SAN against
network-based attacks from untrusted computers.
The following describes the sequence of events that invokes the IPsec protocol.
1. IPsec and Internet Key Exchange (IKE) policies are created and assigned on the peer switches or blades at both ends of the FCIP tunnel.
2. Traffic from the IPsec peer with the lower local IP address initiates the IKE negotiation process.
3. IKE negotiates the security association (SA) parameters, setting up matching SAs in the peers. The negotiated SA parameters include the encryption and authentication algorithms, the Diffie-Hellman key exchange, and the SAs themselves.
4. Data is transferred between the IPsec peers based on the IPsec parameters and keys stored in the SA database.
5. SA lifetimes terminate through deletion or by timing out. An SA lifetime equates to approximately two billion frames of traffic passed through the SA.
Limitations using IPsec over FCIP tunnels
The following limitations apply to using IPsec:
• Network Address Translation (NAT) is not supported.
• Authentication Header (AH) is not supported.
• IPsec-specific statistics are not supported.
• There is no RAS message support for IPsec.
• IPsec can only be configured on IPv4-based tunnels.
• Older versions of the FX8-24 blade do not support IPsec on VE group 22-31. For these blades, a RASLOG warning message is displayed stating that the blade is not at the correct version to support IPsec-enabled tunnels on VEs 22-31.
• To enable IPsec with Fabric OS v7.0.0 and later, both ends of the tunnel must run v7.0.0 or later.
NOTE
IPsec is not allowed with the --connection-type FCIP tunnel option set to anything other than default.
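The rule in step 2 above (the peer with the lower local IP address starts IKE) and the limitations listed in this section can be checked before a tunnel is brought up. The following is an added illustrative example, not Brocade code or a Fabric OS command; the TunnelEnd fields and the precheck function are assumptions for the example. Note that the address comparison must be numeric: a string comparison would wrongly rank 10.0.0.10 below 10.0.0.9.

```python
import ipaddress
from dataclasses import dataclass

# Approximate SA lifetime in frames, as stated in the guide.
SA_LIFETIME_FRAMES = 2_000_000_000


@dataclass
class TunnelEnd:
    """Constructed description of one end of an FCIP tunnel (example only)."""
    name: str
    local_ip: str                    # local IP address used by the tunnel
    fos_version: str                 # Fabric OS version, e.g. "7.1.0"
    connection_type: str = "default" # value of --connection-type
    nat: bool = False                # whether the path traverses NAT


def parse_version(version: str) -> tuple:
    """Compare versions as integer tuples so that 7.10.0 > 7.9.0."""
    return tuple(int(part) for part in version.split("."))


def ike_initiator(a: TunnelEnd, b: TunnelEnd) -> TunnelEnd:
    """Return the end that initiates IKE: the one with the numerically lower IPv4 address."""
    ip_a, ip_b = ipaddress.ip_address(a.local_ip), ipaddress.ip_address(b.local_ip)
    if ip_a.version != 4 or ip_b.version != 4:
        raise ValueError("IPsec is supported only on IPv4-based FCIP tunnels")
    if ip_a == ip_b:
        raise ValueError("tunnel ends must have distinct local IP addresses")
    return a if ip_a < ip_b else b


def ipsec_precheck(a: TunnelEnd, b: TunnelEnd) -> list:
    """Return the list of reasons IPsec cannot be enabled; an empty list means the tunnel qualifies."""
    problems = []
    for end in (a, b):
        if parse_version(end.fos_version) < (7, 0, 0):
            problems.append(f"{end.name}: Fabric OS {end.fos_version} is older than v7.0.0")
        if end.connection_type != "default":
            problems.append(f"{end.name}: --connection-type must be default for IPsec")
        if end.nat:
            problems.append(f"{end.name}: NAT is not supported with IPsec")
        if ipaddress.ip_address(end.local_ip).version != 4:
            problems.append(f"{end.name}: IPsec requires an IPv4-based tunnel")
    return problems


def expected_rekeys(frames: int) -> int:
    """Number of SA lifetime expirations (rekeys) expected for a given frame volume."""
    return frames // SA_LIFETIME_FRAMES
```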
IPsec for the 7800 switch and FX8-24 blade
Advanced Encryption Standard, Galois/Counter Mode, Encapsulating Security Payload (AES-GCM-ESP) is used as a single, predefined mode of operation for protecting all TCP traffic over an FCIP tunnel. AES-GCM-ESP is described in RFC 4106. The following list contains key features of AES-GCM-ESP:
• Encryption is provided by AES with 256-bit keys.
• The IKEv2 key exchange protocol is used by peer switches and blades for mutual authentication.