Home » HP Manuals » Storage Devices » HP 8/8 » Manual Viewer

HP 8/8 Fabric OS Administrator's Guide v6.4.0 (53-1001763-01, June 2010) - Page 207

Security associations, Authentication and encryption algorithms, IPsec proposal

Add to My Manuals
Save this manual to your list of manuals

Page 207 highlights

Management interface security 7 To protect the integrity of the IP datagram, the IPsec protocols use hash message authentication codes (HMAC). To derive this HMAC, the IPsec protocols use hash algorithms like MD5 and SHA to calculate a hash based on a secret key and the contents of the IP datagram. This HMAC is then included in the IPsec protocol header and the receiver of the packet can check the HMAC if it has access to the secret key. To protect against denial of service attacks, the IPsec protocols use a sliding window. Each packet gets assigned a sequence number and is only accepted if the packet's number is within the window or newer. Older packets are immediately discarded. This protects against replay attacks where the attacker records the original packets and replays them later. Security associations A security association (SA) is the collection of security parameters and authenticated keys that are negotiated between IPsec peers. For the peers to be able to encapsulate and decapsulate the IPsec packets, they need a way to store the secret keys, algorithms, and IP addresses involved in the communication. All these parameters needed for the protection of the IP datagram are stored in a security association (SA). The security associations are in turn stored in a security association database (SADB). An IPsec security association is a construct that specifies security properties that are recognized by communicating hosts. The properties of the SA are the security protocol (AH or ESP), destination IP address, and Security Parameter Index (SPI) number. SPI is an arbitrary 32-bit value contained in IPsec protocol headers (AH or ESP) and an IPsec SA is unidirectional. Because most communication is peer-to-peer or client-to-server, two SAs must be present to secure traffic in both directions. An SA specifies the IPsec protocol (AH or ESP), the algorithms used for encryption and authentication, and the expiration definitions used in security associations of the traffic. IKE uses these values in negotiations to create IPsec SAs. You must create an SA prior to creating an SA-proposal. You cannot modify an SA once it is created. Use the ipsecConfig --flush manual-sa command to remove all SA entries from the kernel SADB and re-create the SA. For more information on the ipSecConfig command, refer to the Fabric OS Command Reference. IPsec proposal The IPsec sa-proposal defines an SA or an SA bundle. An SA is a set of parameters that define how the traffic is protected using IPsec. These are the IPsec protocols to use for an SA, either AH or ESP, and the encryption and authentication algorithms to use to protect the traffic. For SA bundles, [AH, ESP] is the supported combination. Authentication and encryption algorithms IPsec uses different protocols to ensure the authentication, integrity, and confidentiality of the communication. Encapsulating Security Payload (ESP) provides confidentiality, data integrity and data source authentication of IP packets, and protection against replay attacks. Authentication Header (AH) provides data integrity, data source authentication, and protection against replay attacks, but unlike ESP, AH does not provide confidentiality. In AH and ESP, hmac_md5 and hmac_sha1 are used as authentication algorithms. Only in ESP, 3des_cbc, blowfish_cbc, aes256_cbc and null_enc are used as encryption algorithms. Use Table 41 on page 168 when configuring the authentication algorithm. Fabric OS Administrator's Guide 167 53-1001763-01

Section	Page
Contents	5
Figures	25
Tables	29
About This Document	33
In this chapter	33
How this document is organized	33
Supported hardware and software	34
What’s new in this document	35
Document conventions	35
Text formatting	36
Command syntax conventions	36
Notes, cautions, and warnings	36
Key terms	37
Notice to the reader	37
Additional information	37
Brocade resources	37
Other industry resources	38
Getting technical help	38
Document feedback	39
Understanding Fibre Channel Services	43
In this chapter	43
Fibre Channel services overview	43
The Management Server	44
Platform services	44
Platform services in a Virtual Fabric	45
Enabling platform services	45
Disabling platform services	45
Management server database	45
Displaying the management server ACL	46
Adding a member to the ACL	46
Deleting a member from the ACL	47
Viewing the contents of the management server database	48
Clearing the management server database	48
Topology discovery	49
Displaying topology discovery status	49
Enabling topology discovery	49
Disabling topology discovery	49
Device login	50
Principal switch	50
E_Port login	50
Fabric login	51
Port login process	51
RSCN causes	52
High availability of daemon processes	52
Performing Basic Configuration Tasks	55
In this chapter	55
Fabric OS overview	55
Fabric OS command line interface	56
Console sessions using the serial port	56
Telnet or SSH sessions	57
Getting help on a command	58
Password modification	58
Default account passwords	59
The Ethernet interface on your switch	60
Virtual Fabrics and the Ethernet interface	60
Displaying the network interface settings	61
Static Ethernet addresses	62
DHCP activation	63
IPv6 autoconfiguration	64
Date and time settings	65
Setting the date and time	65
Time zone settings	66
Network time protocol	67
Domain IDs	68
Displaying the domain IDs	69
Setting the domain ID	70
Switch names	70
Customizing the switch name	70
Chassis names	71
Customizing chassis names	71
Switch activation and deactivation	71
Disabling a switch	71
Enabling a switch	71
Switch and enterprise-class platform shutdown	71
Powering off a Brocade switch	72
Powering off a Brocade enterprise-class platform	72
Basic connections	73
Device connection	73
Switch connection	73
Performing Advanced Configuration Tasks	75
In this chapter	75
PIDs and PID binding overview	75
Core PID addressing mode	76
Fixed addressing mode	76
10-bit addressing mode	76
256-area addressing mode	77
WWN-based PID assignment	77
Ports	79
Setting port names	81
Port identification by slot and port number	81
Port identification by port area ID	81
Port identification by index	81
Swapping port area IDs	82
Port activation and deactivation	82
Setting port speeds	83
Setting the same speed for all ports on the switch	84
Blade terminology and compatibility	84
CP blades	86
Core blades	86
Port and application blade compatibility	86
FX8-24 compatibility notes	88
Enabling and disabling blades	88
Enabling blades	88
Disabling blades	90
Blade swapping	90
Swapping blades	91
Swapping blades	92
Power management	93
Powering off a port blade	93
Powering on a port blade	93
Equipment status	94
Checking switch operation	94
Verifying High Availability features (directors and enterprise-class platforms only)	94
Verifying fabric connectivity	95
Verifying device connectivity	95
Track and control switch changes	96
Enabling the track changes feature	96
Displaying the status of the track changes feature	97
Viewing the switch status policy threshold values	97
Setting the switch status policy threshold values	97
Audit log configuration	99
Auditable event classes	100
Verifying host syslog prior to configuring the audit log	100
Configuring an audit log for specific event classes	101
Routing Traffic	103
About this chapter	103
Routing overview	103
Path versus route selection	104
FSPF	104
Fibre Channel NAT	105
Inter-switch links	106
Buffer credits	107
Virtual Channels	107
Gateway links	109
Configuring a link through a gateway	110
Inter-chassis links	111
Supported topologies	112
Routing policies	113
Displaying the current routing policy	114
Exchange-based routing	114
Port-based routing	114
AP route policy	115
Routing in Virtual Fabrics	115
Route selection	116
Dynamic Load Sharing	116
Static route assignment	117
Frame order delivery	118
Forcing in-order frame delivery across topology changes	118
Restoring out-of-order frame delivery across topology changes	118
Lossless Dynamic Load Sharing on ports	119
Lossless core	120
Configuring Lossless Dynamic Load Sharing	120
Lossless Dynamic Load Sharing in Virtual Fabrics	120
Frame Redirection	121
Creating a frame redirect zone	122
Deleting a frame redirect zone	122
Viewing redirect zones	122
Managing User Accounts	123
In this chapter	123
User accounts overview	123
Role-Based Access Control (RBAC)	124
The management channel	127
Local database user accounts	128
Default accounts	128
Local account passwords	129
Local account database distribution	130
Distributing the local user database	130
Accepting distribution of user databases on the local switch	130
Rejecting distributed user databases on the local switch	130
Password policies	131
Password strength policy	131
Password history policy	132
Password expiration policy	133
Account lockout policy	133
The boot PROM password	135
Setting the boot PROM password for a switch with a recovery string	135
Setting the boot PROM password for a director with a recovery string	136
Setting the boot PROM password for a switch without a recovery string	137
Setting the boot PROM password for a director without a recovery string	138
The authentication model using RADIUS and LDAP	139
Setting the switch authentication mode	141
Fabric OS user accounts	141
Fabric OS users on the RADIUS server	142
The RADIUS server	145
LDAP configuration and Microsoft Active Directory	151
Authentication servers on the switch	154
Configuring local authentication as backup	155
Configuring Protocols	157
In this chapter	157
Security protocols	157
Secure Copy	158
Setting up SCP for configUploads and downloads	159
Secure Shell protocol	159
SSH public key authentication	160
Secure Sockets Layer protocol	162
Browser and Java support	162
SSL configuration overview	163
Certificate authorities	163
The browser	165
Root certificates for the Java Plug-in	166
Simple Network Management Protocol	167
SNMP and Virtual Fabrics	168
The security level	169
The snmpConfig command	169
Telnet protocol	169
Blocking Telnet	169
Unblocking Telnet	170
Listener applications	171
Ports and applications used by switches	171
Port configuration	172
Configuring Security Policies	173
In this chapter	173
ACL policies overview	173
How the ACL policies are stored	173
Policy members	174
ACL policy management	174
Displaying ACL policies	175
Saving changes without activating the policies	175
Activating policy changes	175
Deleting an ACL policy	175
Adding a member to an existing ACL policy	176
Removing a member from an ACL policy	176
Aborting unsaved policy changes	176
FCS policies	177
FCS policy restrictions	177
Ensuring fabric domains share policies	178
Creating an FCS policy	178
Modifying the order of FCS switches	179
FCS policy distribution	179
DCC policies	180
DCC policy restrictions	181
Creating a DCC policy	181
Deleting a DCC policy	182
SCC policies	183
Creating an SCC policy	183
Authentication policy for fabric elements	184
E_Port authentication	185
Device authentication policy	187
AUTH policy restrictions	187
Authentication protocols	188
Secret key pairs for DH-CHAP	189
FCAP configuration overview	190
Fabric-wide distribution of the Auth policy	193
IP Filter policy	193
Creating an IP Filter policy	193
Cloning an IP Filter policy	194
Displaying an IP Filter policy	194
Saving an IP Filter policy	194
Activating an IP Filter policy	194
Deleting an IP Filter policy	195
IP Filter policy rules	195
IP Filter policy enforcement	197
Adding a rule to an IP Filter policy	197
Deleting a rule to an IP Filter policy	197
Aborting an IP Filter transaction	197
IP Filter policy distribution	198
Policy database distribution	198
Database distribution settings	199
ACL policy distribution to other switches	200
Fabric-wide enforcement	200
Notes on joining a switch to the fabric	202
Management interface security	204
Configuration examples	205
IPsec protocols	206
Security associations	207
Authentication and encryption algorithms	207
IPsec policies	208
IKE policies	209
Creating the tunnel	210
Example of an End-to-End Transport Tunnel mode	212
Maintaining the Switch Configuration File	215
In this chapter	215
Configuration settings	215
Configuration file format	216
Configuration file backup	218
Uploading a configuration file in interactive mode	219
Configuration file restoration	220
Restrictions	220
Configuration download without disabling a switch	222
Configurations across a fabric	224
Downloading a configuration file from one switch to another same model switch	224
Security considerations	224
Configuration management for Virtual Fabrics	224
Uploading a configuration file from a switch with Virtual Fabrics enabled	225
Restoring logical switch configuration using configDownload	225
Restrictions	226
Brocade configuration form	227
Installing and Maintaining Firmware	229
In this chapter	229
Firmware download process overview	229
Upgrading and downgrading firmware	230
Considerations for FICON CUP environments	231
HA sync state	231
Preparing for a firmware download	232
Connected switches	233
Finding the switch firmware version	233
Obtain and decompress firmware	233
Firmware download on switches	234
Switch firmware download process overview	234
Firmware download on an enterprise-class platform	236
Enterprise-class platform firmware download process overview	236
Firmware download from a USB device	240
Enabling USB	240
Viewing the USB file system	240
Downloading from USB using the relative path	240
Downloading from USB using the absolute path	240
FIPS Support	241
Public and Private Key Management	241
The firmwareDownload Command	241
Power-on Firmware Checksum Test	242
Test and restore firmware on switches	243
Testing a different firmware version on a switch	243
Test and restore firmware on enterprise-class platforms	244
Testing different firmware versions on enterprise-class platforms	245
Validating a firmware download	247
Managing Virtual Fabrics	249
In this chapter	249
Virtual Fabrics overview	249
Logical switch overview	250
Default logical switch	250
Logical switches and fabric IDs	252
Port assignment in logical switches	252
Logical switches and connected devices	253
Logical fabric overview	254
Logical fabric and ISLs	255
Logical fabric and ISL sharing	256
Management model for logical switches	259
Account management and Virtual Fabrics	260
Supported platforms for Virtual Fabrics	260
Supported port configurations in the Brocade 5100, 5300, and VA-40FC	260
Supported port configurations in the Brocade DCX and DCX-4S	261
Virtual Fabrics interaction with other Fabric OS features	261
Limitations and restrictions of Virtual Fabrics	262
Restrictions on moving ports	263
Enabling Virtual Fabrics mode	263
Disabling Virtual Fabrics mode	264
Configuring logical switches to use basic configuration values	265
Creating a logical switch or base switch	265
Executing a command in a different logical fabric context	267
Deleting a logical switch	268
Adding and removing ports on a logical switch	269
Displaying logical switch configuration	270
Changing the fabric ID of a logical switch	270
Changing a logical switch to a base switch	271
Setting up IP addresses for a Virtual Fabric	272
Removing an IP address for a Virtual Fabric	272
Configuring a logical switch to use XISLs	272
Changing the context to a different logical fabric	273
Creating a logical fabric using XISLs	274
Administering Advanced Zoning	277
In this chapter	277
Special zones	277
Zoning overview	278
Zone types	279
Zone objects	280
Zone aliases	281
Zone configurations	282
Zoning enforcement	282
Considerations for zoning architecture	283
Best practices for zoning	284
Broadcast zones	284
Broadcast zones and Admin Domains	284
Broadcast zones and FC-FC routing	285
High availability considerations with broadcast zones	286
Loop devices and broadcast zones	286
Broadcast zones and default zoning	286
Zone aliases	286
Creating an alias	286
Adding members to an alias	287
Removing members from an alias	287
Deleting an alias	288
Viewing an alias in the defined configuration	288
Zone creation and maintenance	289
Creating a zone	289
Adding devices (members) to a zone	289
Removing devices (members) from a zone	290
Deleting a zone	290
Viewing a zone in the defined configuration	291
Validating a zone	291
Default zoning mode	292
Setting the default zoning mode	292
Viewing the current default zone access mode	293
Zoning database size	293
Zoning configurations	293
Creating a zoning configuration	294
Adding zones (members) to a zoning configuration	294
Removing zones (members) from a zone configuration	295
Enabling a zone configuration	295
Disabling a zone configuration	296
Deleting a zone configuration	296
Clearing changes to a configuration	297
Viewing all zone configuration information	297
Viewing selected zone configuration information	298
Viewing the configuration in the effective zone database	298
Clearing all zone configurations	298
Zone object maintenance	299
Copying a zone object	299
Deleting a zone object	299
Renaming a zone object	300
Zoning configuration management	301
New switch or fabric additions	301
Fabric segmentation and zoning	303
Security and zoning	303
Zone merging scenarios	304
Traffic Isolation Zoning	307
In this chapter	307
Traffic Isolation Zoning overview	307
TI zone failover	308
FSPF routing rules and traffic isolation	310
Enhanced TI zones	312
Traffic Isolation Zoning over FC routers	313
TI within an edge fabric	314
TI within a backbone fabric	315
Limitations of TI zones over FC routers	316
General rules for TI zones	316
Supported configurations for Traffic Isolation Zoning	317
Additional configuration rules for enhanced TI zones	318
Trunking with TI zones	318
Limitations and restrictions of Traffic Isolation Zoning	318
Admin Domain considerations for Traffic Isolation Zoning	319
Virtual Fabric considerations for Traffic Isolation Zoning	319
Traffic Isolation Zoning over FC routers with Virtual Fabrics	321
Creating a TI zone	322
Creating a TI zone in a base fabric	324
Modifying TI zones	324
Changing the state of a TI zone	325
Deleting a TI zone	326
Displaying TI zones	326
Setting up TI over FCR (sample procedure)	327
Administering NPIV	331
In this chapter	331
NPIV overview	331
Upgrade considerations	332
Fixed addressing mode	332
10-bit addressing mode	332
Configuring NPIV	333
Enabling and disabling NPIV	334
Viewing NPIV port configuration information	334
Viewing virtual PID login information	336
Interoperability for Merged SANs	337
In this chapter	337
Interoperability overview	337
Connectivity solutions	338
Domain ID offset modes	339
Configuring the Domain_ID offset	341
McDATA Fabric mode configuration restrictions	341
McDATA Open Fabric mode configuration restrictions	342
Interoperability support for logical switches	342
Switch configurations for interoperability	343
Enabling McDATA Open Fabric mode	343
Enabling McDATA Fabric mode	344
Enabling Brocade Native mode	345
Zone management in interoperable fabrics	346
Zoning restrictions	346
Zone name restrictions	347
Zoning modes	347
Setting the safe zone mode on a stand-alone switch	348
Setting the safe zone mode fabric-wide	348
Disabling safe zone mode	348
Effective zone configuration	349
Saving the effective zone configuration to the Defined Database	349
Frame Redirection in interoperable fabrics	350
Traffic Isolation zones in interoperable fabrics	350
Brocade SANtegrity implementation in mixed fabric SANS	351
Fabric OS Layer 2 Fabric Binding	351
E_Port authentication between Fabric OS and M-EOS switches	351
Switch authentication policy	353
Dumb switch authentication	355
Authentication of EX_Port, VE_Port, and VEX_Port connections	356
Authentication of VE_Port-to-VE_Port connections	357
Authentication of VEX_Port-to-VE_Port connections	360
Authentication of VEX_Port-to-VEX_Port connections	361
FCR SANtegrity	361
Fabric Binding behavior in a mixed fabric	362
Translate domains do not have Preferred or Insistent Domain ID behavior.	362
Configuring the preferred domain ID and the insistent domain ID	362
FICON implementation in a mixed fabric	363
Fabric OS version change restrictions in an interoperable environment	363
Coordinated Hot Code Load	364
Bypassing the Coordinated HCL check on firmware download	364
Coordinated HCL on switches firmware downloads	365
Upgrade and downgrade considerations for HCL for interoperability	365
McDATA-aware features	365
McDATA-unaware features	366
M-EOS feature limitations in mixed fabrics	368
Supported hardware in an interoperable environment	369
Supported features in an interoperable environment	371
Unsupported features in an interoperable environment	374
Managing Administrative Domains	375
In this chapter	375
Administrative Domains overview	375
Admin Domain features	377
Requirements for Admin Domains	377
Admin Domain access levels	378
User-defined Administrative Domains	378
System-defined Administrative Domains	378
Admin Domains and login	380
Admin Domain member types	381
Admin Domains and switch WWN	382
Admin Domain compatibility, availability, and merging	384

Match case Limit results 1 per page

Fabric OS Administrator’s Guide

167

53-1001763-01

Management interface security

To protect the integrity of the IP datagram, the IPsec protocols use hash message authentication

codes (HMAC). To derive this HMAC, the IPsec protocols use hash algorithms like MD5 and SHA to

calculate a hash based on a secret key and the contents of the IP datagram. This HMAC is then

included in the IPsec protocol header and the receiver of the packet can check the HMAC if it has

access to the secret key.

To protect against denial of service attacks, the IPsec protocols use a sliding window. Each packet

gets assigned a sequence number and is only accepted if the packet's number is within the window

or newer. Older packets are immediately discarded. This protects against replay attacks where the

attacker records the original packets and replays them later.

Security associations

A security association (SA) is the collection of security parameters and authenticated keys that are

negotiated between IPsec peers. For the peers to be able to encapsulate and decapsulate the

IPsec packets, they need a way to store the secret keys, algorithms, and IP addresses involved in

the communication. All these parameters needed for the protection of the IP datagram are stored

in a security association (SA). The security associations are in turn stored in a security association

database (SADB).

An IPsec security association is a construct that specifies security properties that are recognized by

communicating hosts. The properties of the SA are the security protocol (AH or ESP), destination IP

address, and Security Parameter Index (SPI) number. SPI is an arbitrary 32-bit value contained in

IPsec protocol headers (AH or ESP) and an IPsec SA is unidirectional. Because most

communication is peer-to-peer or client-to-server, two SAs must be present to secure traffic in both

directions. An SA specifies the IPsec protocol (AH or ESP), the algorithms used for encryption and

authentication, and the expiration definitions used in security associations of the traffic. IKE uses

these values in negotiations to create IPsec SAs. You must create an SA prior to creating an

SA-proposal. You cannot modify an SA once it is created. Use the

ipsecConfig

flush manual-sa

command to remove all SA entries from the kernel SADB and re-create the SA. For more

information on the

ipSecConfig

command, refer to the

Fabric OS Command Reference

IPsec proposal

The IPsec sa-proposal defines an SA or an SA bundle. An SA is a set of parameters that define how

the traffic is protected using IPsec. These are the IPsec protocols to use for an SA, either AH or ESP,

and the encryption and authentication algorithms to use to protect the traffic. For SA bundles,

[AH, ESP] is the supported combination.

Authentication and encryption algorithms

IPsec uses different protocols to ensure the authentication, integrity, and confidentiality of the

communication. Encapsulating Security Payload (ESP) provides confidentiality, data integrity and

data source authentication of IP packets, and protection against replay attacks. Authentication

Header (AH) provides data integrity, data source authentication, and protection against replay

attacks, but unlike ESP, AH does not provide confidentiality.

In AH and ESP, hmac_md5 and hmac_sha1 are used as authentication algorithms. Only in ESP,

3des_cbc, blowfish_cbc, aes256_cbc and null_enc are used as encryption algorithms. Use

Table 41

on page 168 when configuring the authentication algorithm.