
Compression – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual

Page 411


NOTE
If trunking is enabled, be aware that the ports creating the bandwidth limitation will form a trunk group,
while the rest of the ports will be segmented.

You can also decommission any port that has in-flight encryption and compression enabled. Refer to Port decommissioning on page 74 for details on decommissioning ports.

Authentication and key generation for encryption and compression

The following points apply to authentication and key generation on the supported devices:

• Authentication and key generation apply only to ports that are configured for encryption. They do not apply to ports that are configured only for compression.

• The in-flight encryption protocol uses the AES-GCM authenticated encryption block cipher mode. A key, an initialization vector (IV), a segment number, and a salt are required to encrypt the data before it is transmitted and to decrypt it after it is received at the other end of the link.

• The in-flight encryption feature uses DH-CHAP (Diffie-Hellman Challenge Handshake Authentication Protocol) or Fibre Channel Authentication Protocol (FCAP) for authentication and key generation, so that frames are exchanged securely.

• In the in-flight encryption process, a session key is generated during the authentication phase. That session key is then used in an IKE (Internet Key Exchange) protocol session to generate and exchange the encryption/decryption keys used for packet encryption and decryption between the two devices.

• For in-flight encryption using DH-CHAP, DH-CHAP must be configured with DH group 4 and pre-shared secret keys on the devices at both ends of the ISL as a prerequisite. Authentication secrets longer than 32 characters are recommended for stronger encryption keys. Once the link is authenticated, the keys are generated and exchanged.

• For in-flight encryption using FCAP, FCAP must be configured with DH group 4 and certificates (CA and switch) at both ends of the ISL as a prerequisite.

• The encryption keys never expire. While the port remains online, the keys generated for the port remain the same. When a port is disabled, segmented, or taken offline, a new set of keys is generated when the port is enabled again.

• All members of a trunk group use the same set of keys as the master port. Slave ports do not exchange keys. If the master port goes offline, causing an E_Port or EX_Port change, the trunk continues to use the same set of keys.
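The AES-GCM inputs listed above (key, IV, segment number, salt) can be seen working together in the following added example, which is not code from the guide or from Fabric OS. The IV layout it uses (4-byte salt followed by an 8-byte segment number) and the sample key and salt are assumptions chosen for illustration; the point it demonstrates is that binding the segment number into the IV keeps every (key, IV) pair unique, and that the receiver rejects a segment whose tag does not verify, whether because the bytes were altered or because it was presented under the wrong segment number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Illustrative IV layout (an assumption, not Brocade's format): 4-byte salt || 8-byte segment number.
func gcmNonce(salt [4]byte, segment uint64) []byte {
	nonce := make([]byte, 12)
	copy(nonce[:4], salt[:])
	binary.BigEndian.PutUint64(nonce[4:], segment)
	return nonce
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSegment encrypts one payload; the segment number in the IV keeps every (key, IV) pair unique.
func sealSegment(key []byte, salt [4]byte, segment uint64, payload []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, gcmNonce(salt, segment), payload, nil), nil
}

// openSegment verifies the GCM tag before returning plaintext; tampering or a wrong segment number fails.
func openSegment(key []byte, salt [4]byte, segment uint64, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, gcmNonce(salt, segment), ct, nil)
}
func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 256-bit session key
	salt := [4]byte{0xde, 0xad, 0xbe, 0xef}         // constructed per-link salt
	ct, _ := sealSegment(key, salt, 1, []byte("FC frame payload"))
	pt, err := openSegment(key, salt, 1, ct) // right segment number: tag verifies
	fmt.Printf("segment 1: %q (err=%v)\n", pt, err)
	_, err = openSegment(key, salt, 2, ct) // same bytes as segment 2: tag fails
	fmt.Println("segment 2:", err)
}
```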

Availability considerations for encryption and compression

To provide redundancy in the event of encryption or compression port failures, you should connect each
ISL or trunk group to different ASICs on the peer switch.

For FC16-32, FC16-48, or FC16-64 blades, if the two ports configured for encryption or compression within the same ASIC are not configured for trunking, it is recommended that you connect each ISL to a different ASIC on the peer switch. Configure the two ports on the other ASIC of the blade the same way. If the ports are configured for trunking, it is recommended that you connect each trunk group to a different ASIC on the peer switch.

For Brocade 6510 and 6520 switches, and 16 Gbps embedded switches, if the two ports are not
configured for trunking, it is recommended that you connect each ISL to different ASICs on the peer
switch.


53-1003130-01