DCFM Professional User Manual
251
53-1001773-01
IPsec and IKE implementation over FCIP
Internet Protocol security (IPsec) uses cryptographic security to ensure private, secure
communications over Internet Protocol networks. IPsec supports network-level data integrity, data
confidentiality, data origin authentication, and replay protection. It helps secure your SAN against
network-based attacks from untrusted computers. Such attacks can result in denial of service for
applications, services, or the network; data corruption; and theft of data and user credentials. IPsec
does not require you to configure separate security for each application that uses TCP/IP.
When configuring IPsec, however, you must ensure that the same policies are defined in the
switches or blades at each end of the FCIP tunnel. IPsec works on FCIP tunnels with or without
compression, FCIP Fastwrite, and tape acceleration. IPsec can only be created on tunnels using
IPv4 addressing.
IPsec for the 4 Gbps platforms
IPsec uses some terms that you should be familiar with before beginning your configuration. These
are standard terms, but are included here for your convenience.
| Term | Definition |
|------|------------|
| AES | Advanced Encryption Standard. FIPS 197 endorses the Rijndael encryption algorithm as the approved AES for use by US Government organizations and others to protect sensitive information. It replaces DES as the encryption standard. |
| AES-XCBC | Cipher Block Chaining. A key-dependent one-way hash function (MAC) used with AES in conjunction with the Cipher-Block-Chaining mode of operation, suitable for securing messages of varying lengths, such as IP datagrams. |
| AH | Authentication Header. Like ESP, AH provides data integrity, data source authentication, and protection against replay attacks, but does not provide confidentiality. |
| DES | Data Encryption Standard is the older encryption algorithm that uses a 56-bit key to encrypt blocks of 64-bit plain text. Because of the relatively shorter key length, it is not a secure algorithm and is no longer approved for Federal use. |
| 3DES | Triple DES is a more secure variant of DES. It uses three different 56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by Federal agencies. |
| ESP | Encapsulating Security Payload is the IPsec protocol that provides confidentiality, data integrity, and data source authentication of IP packets, and protection against replay attacks. |
| IKE | Internet Key Exchange is defined in RFC 2407, RFC 2408 and RFC 2409. IKEv2 is defined in RFC 4306. IKE uses a Diffie-Hellman key exchange to set up a shared session secret, from which cryptographic keys are derived and communicating parties are authenticated. The IKE protocol creates a security association (SA) for both parties. |
| MD5 | Message Digest 5, like SHA-1, is a popular one-way hash function used for authentication and data integrity. |
| SHA | Secure Hash Algorithm, like MD5, is a popular one-way hash function used for authentication and data integrity. |
| MAC | Message Authentication Code is a key-dependent, one-way hash function used for generating and verifying authentication data. |
| HMAC | A stronger MAC because it is a keyed hash inside a keyed hash. |
| SA | Security Association is the collection of security parameters and authenticated keys that are negotiated between IPsec peers. |
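The MAC and HMAC entries above, as an added example that is not from the manual: HMAC-SHA1 built directly from the nested "keyed hash inside a keyed hash" construction of RFC 2104, then used to detect a modified payload. The key, the payload bytes and the helper names are constructed for illustration; the 96-bit tag truncation follows RFC 2404 (HMAC-SHA-1-96 for ESP and AH).

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-1 input block size in bytes


def hmac_sha1_manual(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 from its definition: H((K ^ opad) || H((K ^ ipad) || m))."""
    # Keys longer than one block are hashed first; shorter keys are zero-padded.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + message).digest()  # inner keyed hash
    return hashlib.sha1(opad + inner).digest()     # outer keyed hash


def make_tag(key: bytes, message: bytes, tag_len: int = 12) -> bytes:
    """Return the tag truncated to tag_len bytes (12 bytes = 96 bits)."""
    return hmac_sha1_manual(key, message)[:tag_len]


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(make_tag(key, message, len(tag)), tag)


# Constructed sample values (assumptions, not taken from any real tunnel).
SAMPLE_KEY = b"constructed-shared-sa-key"
SAMPLE_PAYLOAD = b"constructed FCIP payload bytes"


def demo() -> dict:
    tag = make_tag(SAMPLE_KEY, SAMPLE_PAYLOAD)
    tampered = SAMPLE_PAYLOAD.replace(b"FCIP", b"fcip")
    return {
        "matches_stdlib": hmac_sha1_manual(SAMPLE_KEY, SAMPLE_PAYLOAD)
        == hmac.new(SAMPLE_KEY, SAMPLE_PAYLOAD, hashlib.sha1).digest(),
        "genuine_accepted": verify_tag(SAMPLE_KEY, SAMPLE_PAYLOAD, tag),
        "tampered_accepted": verify_tag(SAMPLE_KEY, tampered, tag),
        "wrong_key_accepted": verify_tag(b"other-key", SAMPLE_PAYLOAD, tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A receiver that does not hold the shared key cannot produce a tag that verifies, which is what gives the integrity and data source authentication listed for AH and ESP.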
Summary of Contents for Brocade BladeSystem 4/12
Page 1: ...53 1001773 01 14 April 2010 DCFM Professional User Manual Supporting DCFM 10 4 X ...