Ipsec For The 7800 And Fx8-24 Blade; Enabling Ipsec And Ike Policies - Brocade Communications Systems 8 Administrator's Manual

Fabric os fcip administrator’s guide

IPSec implementation over FCIP tunnels
(Fabric OS FCIP Administrator's Guide, 53-1001766-01)

IPSec for the 7800 and FX8-24 blade

AES-GCM-ESP is used as a single, pre-defined mode of operation for protecting all TCP traffic over
an FCIP tunnel. AES-GCM-ESP is described in RFC-4106. Key features are listed below:

Jumbo frames are not supported for IPsec.
There is no RAS message support for IPsec.
IPsec can only be configured on IPv4 based tunnels.
Encryption is provided by AES with 256 bit keys.
The IKEv2 key exchange protocol is used by peer switches and blades for mutual authentication.
IKEv2 uses UDP port 500 to communicate between the peer switches or blades.
All IKE traffic is protected using AES-GCM-ESP encryption.
Authentication requires the generation and configuration of 32 byte pre-shared secrets for each peer switch or blade.
An SHA-512 hash message authentication code (HMAC) is used to check data integrity and detect third party tampering.
PRF is used to strengthen security. The PRF algorithm generates output that appears to be random data, using the SHA-512 HMAC as the seed value.
A 2048 bit Diffie-Hellman (DH) group is used for both IKEv2 and IPSec key generation.
The SA lifetime limits the length of time a key is used. When the SA lifetime expires, a new key is generated, limiting the amount of time an attacker has to decipher a key. Depending on the length of time expired or the length of the data being transferred, parts of a message may be protected by different keys generated as the SA lifetime expires. For the 7800 switch and FX8-24 blade, the SA lifetime is approximately eight hours, or two gigabytes of data, whichever occurs first.
ESP is used as the transport mode. ESP uses a hash algorithm to calculate and verify an authentication value, and also encrypts the IP datagram.
A circuit in a non-secure tunnel can use the same GbE interface as a circuit in a secure tunnel. Each circuit can have a route configured on that GbE interface.

Enabling IPSec and IKE policies

IPSec is enabled as an option of the portcfg fciptunnel create and modify commands. The -i option is used to activate IPSec. The -K option is used to specify the IKE key. The IKE key must be a shared 32 character string. Both ends of the secure tunnel must be configured with the same key string. If both ends are not configured with the same key, the tunnel will not come up. The following examples show IPSec and IKE keys enabled for traffic from VE_ports 16 and 17 across multiple FCIP circuits.

portcfg fciptunnel 16 create 192.168.0.90 192.168.0.80 50000 -x 0 -d c0 -i -K12345678901234567890123456789012
portcfg fcipcircuit 16 create 1 192.168.1.90 192.168.1.80 50000 -x 0
portcfg fcipcircuit 16 create 2 192.168.2.90 192.168.2.80 50000 -x 0
portcfg fcipcircuit 16 create 3 192.168.3.90 192.168.3.80 50000 -x 0
portcfg fcipcircuit 16 create 4 192.168.4.90 192.168.4.80 50000 -x 0
portcfg fcipcircuit 16 create 5 192.168.5.90 192.168.5.80 50000 -x 0
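The key rules above (a 32 character shared string, identical at both ends, otherwise the tunnel stays down) as an added Python example; this is not code from the Brocade guide. It generates a key from a CSPRNG instead of the guide's placeholder value, checks the constraints the guide states, compares the two ends' keys in constant time, and assembles the portcfg fciptunnel line in the option order the guide's example uses. The alphanumeric key alphabet is an assumption: the guide does not say which characters are permitted.

```python
"""Added example (not from the Brocade FCIP guide): produce and sanity-check the
32-character IKE pre-shared key passed to `portcfg fciptunnel ... -i -K<key>`."""
import hmac
import secrets
import string

KEY_LENGTH = 32  # the guide requires a shared 32 character string

# Assumption: the guide does not state the permitted character set, so this
# example restricts keys to ASCII letters and digits.
KEY_ALPHABET = string.ascii_letters + string.digits

# The placeholder key shown in the guide's example; a real deployment must not use it.
DOC_EXAMPLE_KEY = "12345678901234567890123456789012"


def generate_ike_key() -> str:
    """Return a fresh 32-character key drawn from the OS CSPRNG."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LENGTH))


def validate_ike_key(key: str) -> list:
    """Return the list of problems found with the key; an empty list means acceptable."""
    problems = []
    if len(key) != KEY_LENGTH:
        problems.append(f"key length is {len(key)}, expected {KEY_LENGTH}")
    if any(c not in KEY_ALPHABET for c in key):
        problems.append("key contains characters outside the assumed alphabet")
    if key == DOC_EXAMPLE_KEY:
        problems.append("key is the documentation example value")
    # A random 32-character key has far more than 8 distinct characters;
    # anything below that is almost certainly a hand-typed pattern.
    if len(set(key)) < 8:
        problems.append("key has too little variety to be a random secret")
    return problems


def keys_match(local_key: str, remote_key: str) -> bool:
    """Constant-time comparison of the two ends' keys; a mismatch leaves the tunnel down."""
    return hmac.compare_digest(local_key.encode(), remote_key.encode())


def tunnel_command(ve_port: int, addr1: str, addr2: str, rate: int, key: str,
                   options: str = "-x 0 -d c0") -> str:
    """Build the `portcfg fciptunnel <ve_port> create` line with IPSec enabled.

    addr1/addr2 are emitted in the same order the guide's example uses; `options`
    defaults to the extra flags copied from that example. The key is validated
    first so a bad value is caught before it reaches the switch.
    """
    problems = validate_ike_key(key)
    if problems:
        raise ValueError("; ".join(problems))
    return f"portcfg fciptunnel {ve_port} create {addr1} {addr2} {rate} {options} -i -K{key}"


if __name__ == "__main__":
    key = generate_ike_key()
    # The same generated key is configured on both ends, so this must hold.
    assert keys_match(key, key)
    print(tunnel_command(16, "192.168.0.90", "192.168.0.80", 50000, key))
```

Run the script once, record the printed line for the local end, and issue the matching command (with the same -K value) on the peer; `validate_ike_key` rejects the guide's placeholder key and any string that is not exactly 32 characters, which are the two misconfigurations the text says will keep the tunnel from coming up.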
