HP 1606 Fabric OS FCIP Administrators Guide v6.4.0 (53-1001766-01, November 20 - Page 35

IPSec for the 7800 and FX8-24 blade, Enabling IPSec and IKE policies


IPSec implementation over FCIP tunnels

• Jumbo frames are not supported for IPsec.
• There is no RAS message support for IPsec.
• IPsec can only be configured on IPv4 based tunnels.

IPSec for the 7800 and FX8-24 blade

AES-GCM-ESP is used as a single, pre-defined mode of operation for protecting all TCP traffic over an FCIP tunnel. AES-GCM-ESP is described in RFC-4106. Key features are listed below:

• Encryption is provided by AES with 256 bit keys.
• The IKEv2 key exchange protocol is used by peer switches and blades for mutual authentication.
• IKEv2 uses UDP port 500 to communicate between the peer switches or blades.
• All IKE traffic is protected using AES-GCM-ESP encryption.
• Authentication requires the generation and configuration of 32 byte pre-shared secrets for each peer switch or blade.
• An SHA-512 hash message authentication code (HMAC) is used to check data integrity and detect third party tampering.
• PRF is used to strengthen security. The PRF algorithm generates output that appears to be random data, using the SHA-512 HMAC as the seed value.
• A 2048 bit Diffie-Hellman (DH) group is used for both IKEv2 and IPSec key generation.
• The SA lifetime limits the length of time a key is used. When the SA lifetime expires, a new key is generated, limiting the amount of time an attacker has to decipher a key. Depending on the length of time expired or the length of the data being transferred, parts of a message may be protected by different keys generated as the SA lifetime expires. For the 7800 switch and FX8-24 blade, the SA lifetime is approximately eight hours, or two gigabytes of data, whichever occurs first.
• ESP is used as the transport mode. ESP uses a hash algorithm to calculate and verify an authentication value, and also encrypts the IP datagram.
• A circuit in a non-secure tunnel can use the same GbE interface as a circuit in a secure tunnel. Each circuit can have a route configured on that GbE interface.
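The PRF and pre-shared-secret bullets above describe two standard IKEv2 constructions, and the following Python is an added illustration of them, not code from this guide or from the switch firmware. It implements the RFC 7296 prf+ expansion with HMAC-SHA-512 (the hash the guide names) and the RFC 7296 shared-key authentication padding, then shows why two peers configured with different 32-byte secrets cannot authenticate each other. The SKEYSEED, nonce and message bytes are constructed stand-ins; the guide does not state which inputs the 7800/FX8-24 feed into its derivation, so only the generic protocol steps are shown.

```python
import hashlib
import hmac

HASH = hashlib.sha512  # the guide's IKEv2/IPsec profile uses an SHA-512 HMAC


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf: an HMAC keyed with `key` over `data`, here HMAC-SHA-512."""
    return hmac.new(key, data, HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13 prf+ expansion.

    T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n); the output is
    T1 | T2 | ... truncated to `length` bytes. The counter is one octet,
    so at most 255 blocks of keying material can be produced.
    """
    block = HASH().digest_size
    if length > 255 * block:
        raise ValueError("prf+ is limited to 255 output blocks")
    out = bytearray()
    prev = b""
    counter = 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return bytes(out[:length])


def psk_auth_key(pre_shared_secret: bytes) -> bytes:
    """RFC 7296 section 2.15: with shared-key authentication the AUTH payload
    is prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>), so the
    inner prf binds the AUTH value to the secret each peer has configured."""
    return prf(pre_shared_secret, b"Key Pad for IKEv2")


def peers_would_authenticate(secret_a: bytes, secret_b: bytes, signed_octets: bytes) -> bool:
    """Simplified check: both peers compute AUTH over the same octets with their
    own secret (in the real exchange each side signs its own message and the
    other verifies). The tunnel only comes up when the values agree, which is
    the mismatched-key failure the guide warns about."""
    auth_a = prf(psk_auth_key(secret_a), signed_octets)
    auth_b = prf(psk_auth_key(secret_b), signed_octets)
    return hmac.compare_digest(auth_a, auth_b)


if __name__ == "__main__":
    # Constructed demo values: a stand-in SKEYSEED and two nonces, not real switch traffic.
    skeyseed = bytes(range(64))
    nonces = b"Ni-constructed" + b"Nr-constructed"
    keymat = prf_plus(skeyseed, nonces, 96)
    print("96 bytes of keying material from prf+:", keymat.hex()[:32], "...")
    psk = b"12345678901234567890123456789012"  # the 32-character key from the guide's example
    print("same secret on both ends:", peers_would_authenticate(psk, psk, b"msg"))
    print("different secrets:", peers_would_authenticate(psk, b"A" * 32, b"msg"))
```

Because prf+ chains each block through the previous one, a peer that holds the seed but not the key cannot reproduce any block, and changing a single byte of the shared secret changes every derived value, which is what makes the 32-byte key configured on each end the root of the tunnel's authentication.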
Enabling IPSec and IKE policies

IPSec is enabled as an option of the portcfg fciptunnel create and modify commands. The -i option is used to activate IPSec. The -K option is used to specify the IKE key. The IKE key must be a shared 32 character string. Both ends of the secure tunnel must be configured with the same key string. If both ends are not configured with the same key, the tunnel will not come up.

The following examples show IPSec and IKE keys enabled for traffic from VE_ports 16 and 17 across multiple FCIP circuits.

portcfg fciptunnel 16 create 192.168.0.90 192.168.0.80 50000 -x 0 -d c0 -i -K12345678901234567890123456789012
portcfg fcipcircuit 16 create 1 192.168.1.90 192.168.1.80 50000 -x 0
portcfg fcipcircuit 16 create 2 192.168.2.90 192.168.2.80 50000 -x 0
portcfg fcipcircuit 16 create 3 192.168.3.90 192.168.3.80 50000 -x 0
portcfg fcipcircuit 16 create 4 192.168.4.90 192.168.4.80 50000 -x 0
portcfg fcipcircuit 16 create 5 192.168.5.90 192.168.5.80 50000 -x 0

Fabric OS FCIP Administrator's Guide 21 53-1001766-01
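The two operational requirements in this section, a 32-character key and the same key on both ends, are easy to get wrong when the commands are typed by hand on two switches. The Python below is an added helper, not part of the guide or of Fabric OS: it draws a 32-character key from a CSPRNG, checks a key against the length rule, assembles the portcfg fciptunnel command for each end, and compares the two command lines before they are pasted into the switches. The function names, the option string "-x 0 -d c0" carried over from the example, and the rule that the peer lists the two addresses in reversed order are assumptions of this example; the "fewer than 8 distinct characters" rejection is a local policy heuristic, not a requirement stated by the guide.

```python
import re
import secrets
import string

IKE_KEY_LEN = 32  # the -K IKE key must be a shared 32-character string (per the guide)
KEY_ALPHABET = string.ascii_letters + string.digits


def generate_ike_key() -> str:
    """Draw a 32-character key from a CSPRNG so the pre-shared secret is not guessable."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(IKE_KEY_LEN))


def validate_ike_key(key: str) -> list:
    """Return the reasons a key is unacceptable; an empty list means it passes."""
    problems = []
    if len(key) != IKE_KEY_LEN:
        problems.append(f"key is {len(key)} characters, must be exactly {IKE_KEY_LEN}")
    if any(c.isspace() for c in key):
        problems.append("key contains whitespace, which the CLI would split into separate arguments")
    # Local policy heuristic (assumed here, not a guide requirement): reject low-variety keys.
    if len(set(key)) < 8:
        problems.append("key uses fewer than 8 distinct characters")
    return problems


def tunnel_create_cmd(ve_port, addr_1, addr_2, comm_rate, ike_key, options="-x 0 -d c0") -> str:
    """Build the secure-tunnel command with the address order used in the guide's example."""
    return f"portcfg fciptunnel {ve_port} create {addr_1} {addr_2} {comm_rate} {options} -i -K{ike_key}"


def extract_ike_key(cmd: str):
    """Pull the -K value out of a portcfg fciptunnel command line (None if absent)."""
    m = re.search(r"(?:^|\s)-K(\S+)", cmd)
    return m.group(1) if m else None


def check_peer_commands(cmd_a: str, cmd_b: str) -> list:
    """Compare the two ends' tunnel commands; a missing -i, a missing key or
    a key mismatch are the conditions under which the tunnel will not come up."""
    issues = []
    if not (re.search(r"\s-i(\s|$)", cmd_a) and re.search(r"\s-i(\s|$)", cmd_b)):
        issues.append("IPSec (-i) is not enabled on both ends")
    key_a, key_b = extract_ike_key(cmd_a), extract_ike_key(cmd_b)
    if key_a is None or key_b is None:
        issues.append("an IKE key (-K) is missing on one end")
    elif key_a != key_b:
        issues.append("IKE keys differ between the two ends")
    else:
        issues.extend(validate_ike_key(key_a))
    return issues


if __name__ == "__main__":
    key = generate_ike_key()
    # Constructed addresses mirroring the guide's example; the peer (assumed) lists them reversed.
    side_a = tunnel_create_cmd(16, "192.168.0.90", "192.168.0.80", 50000, key)
    side_b = tunnel_create_cmd(16, "192.168.0.80", "192.168.0.90", 50000, key)
    print(side_a)
    print(side_b)
    print("issues:", check_peer_commands(side_a, side_b) or "none")
    wrong = tunnel_create_cmd(16, "192.168.0.80", "192.168.0.90", 50000, generate_ike_key())
    print("issues with a mistyped peer key:", check_peer_commands(side_a, wrong))
```

Run it on a workstation, generate the key once, and paste the two printed commands into their respective switches; the key itself should be handled like any other credential (not left in shell history or tickets), since anyone holding it can authenticate as a peer.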
