Authentication and key generation, Availability considerations – Dell POWEREDGE M1000E User Manual
Fabric OS Administrator’s Guide, 53-1002745-02, page 398
Chapter 14: In-flight encryption and compression overview
portHealth: No Fabric Watch License
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x10000103 PRESENT ACTIVE E_PORT T_PORT T_MASTER G_PORT U_PORT ENCRYPT LOGIN
LocalSwcFlags: 0x0
portType: 24.0
portState: 1 Online
Protocol: FC
portPhys: 6 In_Sync portScn: 1 Online Trunk master port
port generation number: 44
state transition count: 12
Authentication and key generation
The following points apply to authentication and key generation on the supported devices:
• The Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) must be configured with DH group 4 for port-level authentication as a prerequisite for in-flight encryption. Pre-shared secret keys must be configured on the devices at either end of the ISL to perform authentication. Authentication secrets longer than 32 characters are recommended for stronger encryption keys. Once the link is authenticated, the keys are generated and exchanged.
• Authentication and key generation apply only to ports that are configured for encryption. They do not apply to ports that are configured only for compression.
• In-flight encryption uses DH-CHAP authentication (SHA-1 algorithm) followed by the Internet Key Exchange (IKE) protocol (HMAC-SHA-512 algorithm) to generate the keys.
• These encryption keys never expire. While the port remains online, the keys generated for the port remain the same. When a port is disabled, segmented, or taken offline, a new set of keys is generated when the port is enabled again.
• All members of a trunk group use the same set of keys as the master port. Slave ports do not exchange keys. If the master port goes offline, causing an E_Port or EX_Port change, the trunk continues to use the same set of keys.
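As an added example, not taken from the guide or from Fabric OS itself, the following Python parses a portShow excerpt in the format shown above and reviews an encrypted ISL against the rules in this section (DH-CHAP with DH group 4, secrets longer than 32 characters, trunk slaves sharing the master's keys, key regeneration after an offline transition). The sample output is constructed, and the auth_protocol, dh_group and secret values are assumed operator inputs rather than anything read from the switch.

```python
# Constructed portShow excerpt, using the same field names and flag words as the
# Fabric OS output reproduced on this page (assumed sample, not switch output).
PORTSHOW_SAMPLE = """\
portHealth: No Fabric Watch License
Authentication: None
portDisableReason: None
portCFlags: 0x1
portFlags: 0x10000103 PRESENT ACTIVE E_PORT T_PORT T_MASTER G_PORT U_PORT ENCRYPT LOGIN
portState: 1 Online
Protocol: FC
portPhys: 6 In_Sync portScn: 1 Online Trunk master port
state transition count: 12
"""

MIN_SECRET_LEN = 33    # the guide recommends secrets longer than 32 characters
REQUIRED_DH_GROUP = 4  # DH group 4 is the stated prerequisite for in-flight encryption


def parse_portshow(text):
    """Split 'key: value' lines into a dict; 'flags' becomes the set of portFlags names."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    words = fields.get("portFlags", "").split()
    fields["flags"] = set(words[1:])  # drop the leading hex mask, keep symbolic names
    return fields


def review_encrypted_isl(fields, auth_protocol, dh_group, secret):
    """Return findings for one ISL. auth_protocol, dh_group and secret are the
    values the operator configured on the switch (assumed inputs to this check)."""
    findings = []
    flags = fields["flags"]
    if "ENCRYPT" not in flags:
        return ["no ENCRYPT flag: authentication and key-generation rules do not apply"]
    if auth_protocol.upper() != "DH-CHAP" or dh_group != REQUIRED_DH_GROUP:
        findings.append("in-flight encryption requires DH-CHAP with DH group 4")
    if len(secret) < MIN_SECRET_LEN:
        findings.append("shared secret has %d characters; more than 32 recommended" % len(secret))
    if "T_PORT" in flags and "T_MASTER" not in flags:
        findings.append("trunk slave port: uses the master port's keys, no key exchange here")
    if not fields.get("portState", "").endswith("Online"):
        findings.append("port is offline: a new key set is generated when it comes back online")
    return findings
```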
Availability considerations
For FC16-32 or FC16-48 blades, if the two ports configured for encryption or compression within the same ASIC are not configured for trunking, it is recommended to connect each ISL to a different ASIC on the peer switch. Similarly, configure the two ports on the other ASIC of the blade. If the ports are configured for trunking, it is recommended to connect each trunk group to a different ASIC of the peer switch. Configuring all four ports of the blade in this way provides redundancy in the event of encryption/compression port failures.
For Brocade 6510 and 6520 switches, if the two ports are not configured for trunking, we recommend that you connect each ISL to a different ASIC on the peer switch.
NOTE
If any port on an ASIC with encryption or compression enabled encounters the rare error conditions that require error recovery on the encryption engine within that ASIC, all encryption- or compression-enabled ports on that ASIC go offline.