Ipsec Implementation Over Fcip Tunnels; Limitations Using Ipsec Over Fcip Tunnels; Ipsec For The 7800 Switch And Fx8-24 Blade - Brocade Communications Systems StoreFabric SN6500B Administrator's Manual

Brocade fabric os fcip administrator's guide v7.1.0 (53-1002748-01, march 2013)
IPsec implementation over FCIP tunnels

Internet Protocol security (IPsec) uses cryptographic security to ensure private, secure
communications over Internet Protocol networks. IPsec supports network-level data integrity, data
confidentiality, data origin authentication, and replay protection. It helps secure your SAN against
network-based attacks from untrusted computers.

The following describes the sequence of events that invokes the IPsec protocol.

1. IPsec and Internet Key Exchange (IKE) policies are created and assigned on peer switches or
   blades on both ends of the FCIP tunnel.
2. Traffic from an IPsec peer with the lower local IP address initiates the IKE negotiation process.
3. IKE negotiates security association (SA) parameters, setting up matching SAs in the peers.
   Some of the negotiated SA parameters include encryption and authentication algorithms,
   Diffie-Hellman key exchange, and SAs.
4. Data is transferred between IPsec peers based on the IPsec parameters and keys stored in the
   SA database.
5. SA lifetimes terminate through deletion or by timing out. An SA lifetime equates to
   approximately two billion frames of traffic passed through the SA.

Limitations using IPsec over FCIP tunnels

The following limitations apply to using IPsec:

• Network Address Translation (NAT) is not supported.
• Authentication Header (AH) is not supported.
• IPsec-specific statistics are not supported.
• There is no RAS message support for IPsec.
• IPsec can only be configured on IPv4-based tunnels.
• Older versions of the FX8-24 blade do not support IPsec on group 22-31. For these blades, a
  RASLOG warning message will display that the blade is not at the correct version to support
  IPsec-enabled tunnels on VEs 22-31.
• To enable IPsec with Fabric OS v7.0.0 and later, both ends of the tunnel must use v7.0.0 and
  later.

NOTE
IPsec is not allowed with the --connection-type FCIP tunnel option set to anything other than default.

IPsec for the 7800 switch and FX8-24 blade

Advanced Encryption Standard, Galois/Counter Mode, Encapsulating Security Payload
(AES-GCM-ESP) is used as a single, predefined mode of operation for protecting all TCP traffic over
an FCIP tunnel. AES-GCM-ESP is described in RFC 4106. The following list contains key features of
AES-GCM-ESP:

• Encryption is provided by AES with 256-bit keys.
• The IKEv2 key exchange protocol is used by peer switches and blades for mutual
  authentication.
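The following is an added example, not code from the Fabric OS guide or from Brocade, that models the five-step SA sequence above and the replay protection the first section mentions: the peer with the lower local IP address is chosen as IKE initiator, the predefined AES-GCM-ESP proposal is matched between the peers, and each inbound frame is checked against an RFC 4303-style sliding anti-replay window before it counts toward the SA lifetime. The lifetime constant, the SPI values, the proposal tuples and the frame sequence are all constructed assumptions for illustration; the guide only states that a lifetime is "approximately two billion frames".

```python
"""Model of the IPsec SA lifecycle described for FCIP tunnels (added example, standard library only)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed approximation of the documented lifetime ("approximately two billion frames").
SA_LIFETIME_FRAMES = 2_000_000_000

# Constructed proposal tuple mirroring the page's predefined mode: (cipher mode, key bits, IKE version).
AES_GCM_ESP_256 = ("AES-GCM-ESP", 256, "IKEv2")


def ike_initiator(local_ip: str, peer_ip: str) -> str:
    """Step 2: the IPsec peer with the lower local IPv4 address initiates IKE."""
    a, b = ipaddress.ip_address(local_ip), ipaddress.ip_address(peer_ip)
    if a.version != 4 or b.version != 4:
        raise ValueError("IPsec is only configured on IPv4-based tunnels")
    if a == b:
        raise ValueError("peers must have distinct addresses")
    return local_ip if a < b else peer_ip


def negotiate_sa(initiator: List[Tuple], responder: List[Tuple]) -> Tuple:
    """Step 3: select the first proposal (in initiator order) that both peers offer."""
    offered = set(responder)
    for proposal in initiator:
        if proposal in offered:
            return proposal
    raise ValueError("no common IPsec proposal; IKE negotiation fails")


class ReplayWindow:
    """Sliding anti-replay window over ESP sequence numbers (RFC 4303 style, 64 entries)."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) has been seen

    def accept(self, seq: int) -> bool:
        if seq <= 0:
            return False                       # sequence number 0 is never valid in ESP
        if seq > self.top:                     # advances the window; always new
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                       # older than the window: reject
        if self.bitmap & (1 << offset):
            return False                       # already seen: replay
        self.bitmap |= 1 << offset             # late but in-window and new
        return True


@dataclass
class SecurityAssociation:
    """Steps 4 and 5: one directional SA from the SA database with a frame-count lifetime."""
    spi: int                                  # constructed identifier
    proposal: Tuple = AES_GCM_ESP_256
    frames_passed: int = 0
    deleted: bool = False
    window: ReplayWindow = field(default_factory=ReplayWindow)

    def is_active(self) -> bool:
        return not self.deleted and self.frames_passed < SA_LIFETIME_FRAMES

    def transfer(self, seq: int) -> str:
        """Process one inbound frame; returns 'ok', 'replay' or 'expired'."""
        if not self.is_active():
            return "expired"                   # lifetime reached or SA deleted: rekey needed
        if not self.window.accept(seq):
            return "replay"
        self.frames_passed += 1
        return "ok"


def run_session(local_ip: str, peer_ip: str, frames: List[int]) -> dict:
    """Drive the whole sequence on a constructed frame stream and summarise the outcome."""
    initiator = ike_initiator(local_ip, peer_ip)
    proposal = negotiate_sa([AES_GCM_ESP_256], [AES_GCM_ESP_256])
    sa = SecurityAssociation(spi=0x1001, proposal=proposal)
    results = [sa.transfer(seq) for seq in frames]
    return {"initiator": initiator, "proposal": proposal,
            "ok": results.count("ok"), "replay": results.count("replay")}


if __name__ == "__main__":
    # Constructed frame stream: in-order frames, one reordered frame, one replayed frame.
    print(run_session("10.1.1.2", "10.1.1.1", [1, 2, 3, 5, 4, 3, 6]))
```

The model treats every frame as one unit of SA lifetime; a real ESP implementation also tracks bytes and wall-clock time, and the FX8-24 and 7800 count the lifetime in hardware rather than in a Python counter.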