Home » Dell Manuals » Hubs & Switches » Dell Brocade G620 » Manual Viewer

Dell Brocade G620 Brocade 8.0.1 Fabric OS Administratiors Guide - Page 250

Security associations, IPsec proposal, Authentication and encryption algorithms

Add to My Manuals
Save this manual to your list of manuals

Page 250 highlights

Configuring Security Policies IPsec protocols protect IP datagram integrity using hash message authentication codes (HMAC). Using hash algorithms with the contents of the IP datagram and a secret key, the IPsec protocols generate this HMAC and add it to the protocol header. The receiver must have access to the secret key in order to decode the hash. IPsec protocols use a sliding window to assist in flow control, The IPsec protocols also use this sliding window to provide protection against replay attacks in which an attacker attempts a denial of service attack by replaying an old sequence of packets. IPsec protocols assign a sequence number to each packet. The recipient accepts each packet only if its sequence number is within the window. It discards older packets. Security associations A security association (SA) is the collection of security parameters and authenticated keys that are negotiated between IPsec peers to protect the IP datagram. A security association database (SADB) is used to store these SAs. Information in these SAs--IP addresses, secret keys, algorithms, and so on--is used by peers to encapsulate and decapsulate the IPsec packets An IPsec security association is a construct that specifies security properties that are recognized by communicating hosts. The properties of the SA are the security protocol (AH or ESP), destination IP address, and Security Parameter Index (SPI) number. SPI is an arbitrary 32-bit value contained in IPsec protocol headers (AH or ESP) and an IPsec SA is unidirectional. Because most communication is peer-to-peer or client-to-server, two SAs must be present to secure traffic in both directions. An SA specifies the IPsec protocol (AH or ESP), the algorithms used for encryption and authentication, and the expiration definitions used in security associations of the traffic. IKE uses these values in negotiations to create IPsec SAs. You must create an SA prior to creating an SA-proposal. You cannot modify an SA once it is created. Use the ipSecConfig --flush manual-sa command to remove all SA entries from the kernel SADB and recreate the SA. IPsec proposal The IPsec sa-proposal defines an SA or an SA bundle. An SA is a set of parameters that define how the traffic is protected using IPsec. These are the IPsec protocols to use for an SA, either AH or ESP, and the encryption and authentication algorithms to use to protect the traffic. For SA bundles, [AH, ESP] is the supported combination. Authentication and encryption algorithms IPsec uses different protocols to ensure the authentication, integrity, and confidentiality of the communication. Encapsulating Security Payload (ESP) provides confidentiality, data integrity and data source authentication of IP packets, and protection against replay attacks. Authentication Header (AH) provides data integrity, data source authentication, and protection against replay attacks, but unlike ESP, AH does not provide confidentiality. In AH and ESP, hmac_md5 and hmac_sha1 are used as authentication algorithms. Only in ESP, 3des_cbc, blowfish_cbc, aes256_cbc and null_enc are used as encryption algorithms. Use Table 55 when configuring the authentication algorithm. TABLE 55 Algorithms and associated authentication policies Algorithm Encryption Level hmac_md5 128-bit hmac_sha1 160-bit Policy AH, ESP AH, ESP Description A stronger MAC because it is a keyed hash inside a keyed hash. When MD5 or SHA-1 is used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA-1 accordingly. 250 Brocade Fabric OS Administration Guide, 8.0.1 53-1004111-02

Section	Page
Brocade Fabric OS Administration Guide, 8.0.1	1
Preface	19
Document conventions	19
Text formatting conventions	19
Command syntax conventions	19
Notes, cautions, and warnings	20
Brocade resources	20
Contacting Brocade Technical Support	20
Brocade customers	20
Brocade OEM customers	21
Document feedback	21
About This Document	23
Supported hardware and software	23
Brocade Gen 5 (16-Gbps) fixed-port Switches	23
Brocade Gen 5 (16-Gbps) DCX 8510 Directors	23
Brocade Gen 6 fixed-port Switches	23
Brocade Gen 6 Directors	24
What's new in this document for 8.0.1	24
Understanding Fibre Channel Services	25
Fibre Channel services overview	25
Management server	26
Platform services	26
Platform services and Virtual Fabrics	26
Enabling platform services	27
Disabling platform services	27
Management server database	27
Displaying the management server ACL	27
Adding a member to the ACL	28
Deleting a member from the ACL	29
Viewing the contents of the management server database	30
Clearing the management server database	30
Topology discovery	31
Displaying topology discovery status	31
Enabling topology discovery	31
Disabling topology discovery	31
Device login	32
Principal switch	32
E_Port login process	33
Fabric login process	33
Port login process	33
RSCNs	33
Duplicate Port World Wide Name	34
Device recovery	34
High availability of daemon processes	34
FL_Port and arbitrated loop support	35
Performing Basic Configuration Tasks	37
Fabric OS overview	37
Fabric OS command line interface	37
Console sessions using the serial port	38
Connecting to Fabric OS through the serial port	38
Telnet or SSH sessions	38
Rules for Telnet connections	39
Connecting to Fabric OS using Telnet	39
Getting help on a command	40
Viewing a history of command line entries	41
cliHistory	41
cliHistory --show	42
cliHistory --showuser username	42
cliHistory --showall	42
cliHistory --help	42
Notes	43
Using fosexec to run commands on remote switches or domains	43
Password modification	45
Default account passwords	46
Changing the default account passwords at login	46
The switch Ethernet interface	46
Brocade Directors	46
Brocade switches	47
Virtual Fabrics and the Ethernet interface	47
Management Ethernet port bonding	47
Supported Brocade Backbones and Directors	48
Setting up the second Ethernet port on a CP8 blade	48
Displaying the network interface settings	48
Resetting the management network interface error counters	49
Static Ethernet addresses	49
Setting the static addresses for the Ethernet network interface	50
Setting the static addresses for the chassis management IP interface	50
DHCP activation	51
Notes on DHCP	51
Enabling DHCP for IPv4 in fixed-port devices	51
Disabling DHCP for IPv4 in fixed-port devices	52
Enabling DHCP for IPv4 in Directors	52
Configuring DHCPv6 for IPv6	53
Configuring Stateless DHCPv6	54
IPv6 autoconfiguration	55
Setting IPv6 autoconfiguration	55
Setting the Ethernet interface mode and speed	56
Date and time settings	56
Setting the date and time	57
Time zone settings	57
Setting the time zone	58
Setting the time zone interactively	58
Network Time Protocol	59
Synchronizing the local time with an external source	60
NTP configuration distribution to Access Gateways	60
Domain IDs	61
Domain ID issues	61
Displaying the domain IDs	62
Setting the domain ID	62
Switch names	63
Customizing the switch name	63
Chassis names	63
Customizing chassis names	63
Fabric name	64
Configuring the fabric name	64
High availability considerations for fabric names	64
Upgrade and downgrade considerations for fabric names	64
Switch activation and deactivation	64
Disabling a switch	65
Enabling a switch	65
Disabling a chassis	65
Enabling a chassis	66
Device shutdown	66
Powering off a Brocade switch	66
Powering off a Brocade Director	66
Basic connections	67
Device connection	67
Switch connection	67
Performing Advanced Configuration Tasks	69
Port identifiers (PIDs) and PID binding overview	69
Core PID addressing mode	69
Fixed addressing mode	70
10-bit addressing (mode 0)	70
256-area addressing (mode 1 and mode 2)	70
Zero-based addressing (mode 1)	71
Port-based addressing (mode 2)	71
WWN-based PID assignment	71
Virtual Fabrics considerations for WWN-based PID assignment	71
NPIV	72
Enabling automatic PID assignment	72
Assigning a static PID	72
Clearing PID binding	72
Showing PID assignments	73
Ports	73
Port Types	73
Director port blades	73
Setting port names	74
Port identification by slot and port number	75
Port identification by port area ID	75
Port identification by index	75
Dynamic Portname	75
Dynamic port name format	79
Configuring a device-switch connection	81
Swapping port area IDs	81
Enabling a port	82
Disabling a port	82
Port decommissioning	83
Setting port speeds	83
Setting all ports on a switch to the same speed	84
Setting port speed for a port octet	84
Setting maximum auto-negotiated port speed	86
Decoding fdmiShow command output	86
Blade terminology and compatibility	87
CP blades	88
Core blades	89
Port and application blade compatibility	89
Enabling and disabling blades	89
Enabling blades	89
Exceptions in enabling 48-port and 64-port blades	90
Disabling blades	90
Blade swapping	90
How blades are swapped	91
Swapping blades	94
Disabling switches	95
Power management	95
Powering off a port blade or core blade	95
Powering on a port blade or core blade	96
Equipment status	96
Checking switch operation	96
Verifying High Availability features (Backbones and Directors only)	96
Verifying fabric connectivity	97
Verifying device connectivity	97
Audit log configuration	97
Verifying host syslog prior to configuring the audit log	98
Configuring an audit log for specific event classes	99
Configuring remote syslog servers	99
Using secure syslog CA certificates	100
Hostname support for syslogAdmin command	100
Duplicate PWWN handling during device login	101
Setting 0, First login precedence	101
Setting 1, Second login precedence	101
Setting 2, Mixed precedence	102
Setting the behavior for handling duplicate PWWNs	102
Forward error correction	103
FEC limitations	103
Enabling forward error correction	103
Disabling forward error correction	104
Enabling or disabling FEC for long-distance ports	105
Displaying and clearing the FEC counters	105
FEC-via-TTS	105
Routing Traffic	107
Routing overview	107
Paths and route selection	107
FSPF	107
Fibre Channel NAT	109
Inter-switch links	109
Buffer credits	111
Congestion versus over-subscription	111
Virtual channels	111
Gateway links	112
Configuring a link through a gateway	113
Routing policies	114
Notes	114
Displaying the current routing policy	114
Port-based routing	114
Exchange-based routing	115
Device-based routing	115
Dynamic Path Selection	115
Displaying a dynamic path selection group for reachable domains	115
Route selection	116
Dynamic Load Sharing	116
Setting DLS	117
Frame order delivery	117
Forcing in-order frame delivery across topology changes	118
Restoring out-of-order frame delivery across topology changes	118
Enabling Frame Viewer	118
Using Frame Viewer to understand why frames are dropped	119
Displaying discarded frames by back-end port in Frame Viewer	119
Lossless Dynamic Load Sharing on ports	120
Lossless core	121
ICL limitations	121
Configuring Lossless Dynamic Load Sharing	121
Lossless Dynamic Load Sharing in Virtual Fabrics	122
How DLS affects other logical switches in the fabric	122
Two-hop Lossless DLS route update	122
Configuring Two-hop Lossless DLS	123
Frame Redirection	123
Creating a frame redirect zone	124
Deleting a frame redirect zone	125
Viewing frame redirect zones	125
Buffer-to-Buffer Credits and Credit Recovery	127
Buffer credit management	127
Buffer-to-buffer flow control	127
Optimal buffer credit allocation	128
Considerations for calculating buffer credits	128
Fibre Channel gigabit values reference definition	128
Buffer credit allocation based on full-size frames	129
Fibre Channel data frames	129
Allocating buffer credits based on full-sized frames	129
Calculating the number of buffers required based on full-size frames	130
Allocating buffer credits based on average-size frames	131
Configuring buffers for a single port directly	132
Configuring buffers using frame size	132
Calculating the number of buffers required given the distance, speed, and frame size	132
Allocating buffer credits for F_Ports	133
Monitoring buffers in a port group	134
Buffer credits per switch or blade model	135
Formula for Gen-6 32-Gbps devices	135
Formula for Gen-5 16-Gbps and older devices	135
Maximum configurable distances for Extended Fabrics	136
Formula for Gen-6 32-Gbps devices	136
Formula for Gen-5 16-Gbps and older devices	137
Downgrade considerations	137
When a port is configured with -framesize and -distance options	138
When a port is configured with the -buffers option	138
Configuring credits for a single VC	138
Increasing credits for normal distance E_Ports	138
Buffer credit recovery	139
Buffer credit recovery over an E_Port	139
Buffer credit recovery over an F_Port	139
Buffer credit recovery over an EX_Port	140
Enabling and disabling buffer credit recovery	140
Credit loss detection	141
Back-end credit loss detection and recovery support on Brocade 6520 switches	141
Enabling back-end credit loss detection and recovery for link reset thresholds	141
Performing link reset for loss of sync from peer ports	142
Back-end credit loss detection and recovery for link faults	143
Managing User Accounts	145
User accounts overview	145
Role-Based Access Control	145
Role permissions	146
Management channel	147
Managing user-defined roles	147
Creating a user-defined role	147
Assigning a user-defined role to a user	148
Configuring time-based access	148
Local database user accounts	149
Default accounts	149
Displaying account information	150
Creating an account	150
Deleting an account	150
Changing account parameters	150
Local account passwords	151
Changing the password for the current login account	151
Changing the password for a different account	151
Local user account database distribution	151
Distributing the local user database	151
Accepting distributed user databases on the local switch	152
Rejecting distributed user databases on the local switch	152
Password policies	152
Password strength policy	152
Password history policy	153
Password expiration policy	154
Account lockout policy	155
Enabling the admin lockout policy	155
Unlocking an account	155
Disabling the admin lockout policy	155
Denial of service implications	155
Changing the root password without the old password	156
Configuring the password hash type	156
The boot PROM password	157
Setting the boot PROM password for a switch with a recovery string	157
Setting the boot PROM password for a Backbones and Directors with a recovery string	158
Setting the boot PROM password for a switch without a recovery string	159
Setting the boot PROM password for a Backbone or Director without a recovery string	159
Remote authentication	160
Remote authentication configuration	160
Client/server model	160
Authentication server data	161
Switch configuration	161
Supported LDAP options	161
Command options	162
Setting the switch authentication mode	163
Fabric OS user accounts	163
Fabric OS users on the RADIUS server	164
Windows 2012 IAS	164
Linux FreeRADIUS server	165
RADIUS configuration with Virtual Fabrics	166
Setting up a RADIUS server	166
Configuring RADIUS server support with Linux	167
Adding the Brocade attributes to the server	167
Creating the user	167
Enabling clients	168
Configuring RADIUS server support with Windows 2012	168
RSA RADIUS server	171
Setting up the RSA RADIUS server	172
Obfuscation of RADIUS shared secret	173
LDAP configuration and Microsoft Active Directory	174
Configuring Microsoft Active Directory LDAP service	174
Creating a user	175
Creating a group	175
Assigning the group (role) to the user	175
Adding a Virtual Fabric list	175
Adding attributes to the Active Directory schema	176
LDAP configuration and OpenLDAP	176
OpenLDAP server configuration overview	176
Enabling group membership	177
Adding entries to the directory	177
Assigning a user to a group	178
Assigning the LDAP role to a switch role	178
Modifying an entry	178
Adding a Virtual Fabric list	178
TACACS+ service	180
TACACS+ configuration overview	180
Configuring the TACACS+ server on Linux	180
The tac_plus.cfg file	180
Adding a user and assigning a role	181
Configuring Virtual Fabric lists	181
Configuring the password expiration date	181
Configuring a Windows TACACS+ server	182
Remote authentication configuration on the switch	182
Adding an authentication server to the switch configuration	182
Enabling and disabling remote authentication	182
Deleting an authentication server from the configuration	183
Changing an authentication server configuration	183
Changing the order in which authentication servers are contacted for service	183
Displaying the current authentication configuration	183
Configuring local authentication as backup	184
Configuring Protocols	185
Security protocols	185
Secure Copy	186
Setting up SCP for configuration uploads and downloads	187
Secure Shell protocol	187
SSH public key authentication	187
Allowed-user	188
Configuring incoming SSH authentication	188
Configuring outgoing SSH authentication	189
Deleting public keys on the switch	189
Deleting private keys on the switch	190
Generate and install hostkey on a switch	190
Managing SecCryptoCfg templates	190
Format and rule of the template	190
Default secCryptoCfg templates	191
Default_generic	191
Default_strong	192
Default_fips	193
Default_cc	194
Configuring the ciphers, KEX, and MAC algorithms	194
Secure Sockets Layer protocol	195
Browser and Java support	195
SSL configuration overview	195
Certificate authorities	196
Generating a public/private key pair	196
Generating and storing a Certificate Signing Request	196
Obtaining certificates	197
Installing a switch certificate	198
Generating self-signed certificates	199
The browser	199
Checking and installing root certificates on Internet Explorer	199
Checking and installing root certificates on Mozilla Firefox	199
Root certificates for the Java plugin	200
Installing a root certificate to the Java plugin	200
Simple Network Management Protocol	200
SNMP Manager	201
SNMP Agent	201
Management Information Base	201
Basic SNMP operation	201
Configuring SNMP using CLI	202
Configuring SNMP security level	202
Supported protocol configurations for SNMPv3 users	203
Configuring SNMPv3 user/traps	203
Telnet protocol	211
Blocking Telnet	211
Unblocking Telnet	212
Listener applications	213
Ports and applications used by switches	213
Port configuration	214
Configuring Security Policies	215
ACL policies overview	215
How the ACL policies are stored	215
Virtual Fabric considerations for ACL policies	215
Policy members	216
ACL policy management	216
Displaying ACL policies	216
Saving changes without activating the policies	216
Activating ACL policy changes	217
Deleting an ACL policy	217
Adding a member to an existing ACL policy	217
Removing a member from an ACL policy	218
Abandoning unsaved ACL policy changes	218
FCS policies	218
FCS policy restrictions	219
Ensuring fabric domains share policies	220
Creating an FCS policy	220
Modifying the order of FCS switches	220
FCS policy distribution	221
Device Connection Control policies	222
Virtual Fabrics considerations	222
DCC policy restrictions	222
Creating a DCC policy	223
Deleting a DCC policy	224
DCC policy behavior with Fabric-Assigned PWWNs	224
SCC Policies	226
Virtual Fabrics considerations for SCC policies	226
Creating an SCC policy	226
Authentication policy for fabric elements	227
Virtual Fabrics considerations	228
E_Port authentication	228
Virtual Fabrics considerations	228
Configuring E_Port authentication	228
Re-authenticating E_Ports	229
Device authentication policy	230
Virtual Fabrics considerations	230
Configuring device authentication	230
AUTH policy restrictions	230
Authentication protocols	231
Viewing the current authentication parameter settings for a switch	231
Setting the authentication protocol	231
Secret key pairs for DH-CHAP	232
Characteristics of a secret key pair	232
Viewing the list of secret key pairs in the current switch database	232
Note about Access Gateway switches	233
Setting a secret key pair	233
FCAP configuration overview	233
Generating the key and CSR for FCAP	234
Exporting the CSR for FCAP	234
Importing CA for FCAP	235
Importing the FCAP switch certificate	235
Starting FCAP authentication	235
Fabric-wide distribution of the authorization policy	236
IP Filter policy	236
Virtual Fabrics considerations for IP Filter policy	236
Creating an IP Filter policy	236
Cloning an IP Filter policy	236
Displaying an IP Filter policy	237
Saving an IP Filter policy	237
Activating an IP Filter policy	237
Deleting an IP Filter policy	237
IP Filter policy rules	238
Source address	238
Destination port	238
Protocol	239
Action	239
Traffic type and destination IP	239
Implicit filter rules	240
Default policy rules	240
IP Filter policy enforcement	240
Adding a rule to an IP Filter policy	241
Deleting a rule from an IP Filter policy	241
Aborting an IP Filter transaction	241
IP Filter policy distribution	241
Policy database distribution	242
Database distribution settings	243
Displaying the database distribution settings	243
Enabling local switch protection	243
Disabling local switch protection	244
ACL policy distribution to other switches	244
Distributing the local ACL policies	244
Fabric-wide enforcement	244
Displaying the fabric-wide consistency policy	245
Setting the fabric-wide consistency policy	245
Notes on joining a switch to the fabric	245
Matching fabric-wide consistency policies	246
Non-matching fabric-wide consistency policies	246
Management interface security	247
Configuration examples	248
Endpoint-to-endpoint transport or tunnel	248
Gateway-to-gateway tunnel	248
Endpoint-to-gateway tunnel	249
RoadWarrior configuration	249

Match case Limit results 1 per page

IPsec protocols protect IP datagram integrity using hash message authentication codes (HMAC). Using hash algorithms with the

contents of the IP datagram and a secret key, the IPsec protocols generate this HMAC and add it to the protocol header. The receiver

must have access to the secret key in order to decode the hash.

IPsec protocols use a sliding window to assist in flow control, The IPsec protocols also use this sliding window to provide protection

against replay attacks in which an attacker attempts a denial of service attack by replaying an old sequence of packets. IPsec protocols

assign a sequence number to each packet. The recipient accepts each packet only if its sequence number is within the window. It

discards older packets.

Security associations

A security association (SA) is the collection of security parameters and authenticated keys that are negotiated between IPsec peers to

protect the IP datagram. A security association database (SADB) is used to store these SAs. Information in these SAs--IP addresses,

secret keys, algorithms, and so on--is used by peers to encapsulate and decapsulate the IPsec packets

An IPsec security association is a construct that specifies security properties that are recognized by communicating hosts. The

properties of the SA are the security protocol (AH or ESP), destination IP address, and Security Parameter Index (SPI) number. SPI is an

arbitrary 32-bit value contained in IPsec protocol headers (AH or ESP) and an IPsec SA is unidirectional. Because most communication

is peer-to-peer or client-to-server, two SAs must be present to secure traffic in both directions. An SA specifies the IPsec protocol (AH

or ESP), the algorithms used for encryption and authentication, and the expiration definitions used in security associations of the traffic.

IKE uses these values in negotiations to create IPsec SAs. You must create an SA prior to creating an SA-proposal. You cannot modify

an SA once it is created. Use the

ipSecConfig --flush manual-sa

command to remove all SA entries from the kernel SADB and re-

create the SA.

IPsec proposal

The IPsec sa-proposal defines an SA or an SA bundle. An SA is a set of parameters that define how the traffic is protected using IPsec.

These are the IPsec protocols to use for an SA, either AH or ESP, and the encryption and authentication algorithms to use to protect the

traffic.

For SA bundles, [AH, ESP] is the supported combination.

Authentication and encryption algorithms

IPsec uses different protocols to ensure the authentication, integrity, and confidentiality of the communication. Encapsulating Security

Payload (ESP) provides confidentiality, data integrity and data source authentication of IP packets, and protection against replay attacks.

Authentication Header (AH) provides data integrity, data source authentication, and protection against replay attacks, but unlike ESP, AH

does not provide confidentiality.

In AH and ESP, hmac_md5 and hmac_sha1 are used as authentication algorithms. Only in ESP, 3des_cbc, blowfish_cbc, aes256_cbc

and null_enc are used as encryption algorithms. Use

Table 55

when configuring the authentication algorithm.

TABLE 55

Algorithms and associated authentication policies

Algorithm

Encryption Level

Policy

Description

hmac_md5

128-bit

AH, ESP

A stronger MAC because it is a

keyed hash inside a keyed hash.

When MD5 or SHA-1 is used in the

calculation of an HMAC; the

resulting MAC algorithm is termed

HMAC-MD5 or HMAC-SHA-1

accordingly.

hmac_sha1

160-bit

AH, ESP

Configuring Security Policies

Brocade Fabric OS Administration Guide, 8.0.1

250

53-1004111-02