IPSec for the 8 Gbps platforms; QOS, DSCP, and VLANs – Brocade Network Advisor SAN User Manual v12.3.0

Brocade Network Advisor SAN User Manual, 53-1003154-01, page 946 (Chapter 22, QOS, DSCP, and VLANs)

IPSec for the 8 Gbps platforms

The 8 Gbps platforms use AES-GCM-ESP as a single, pre-defined mode of operation for protecting
all TCP traffic over an FCIP tunnel. AES-GCM-ESP is described in RFC-4106. Key features are listed
below:

Encryption is provided by AES with 256 bit keys.

The IKEv2 key exchange protocol is used by peer switches and blades for mutual
authentication.

IKEv2 uses UDP port 500 to communicate between the peer switches or blades.

All IKE traffic is protected using AES-GCM-ESP encryption.

Authentication requires the generation and configuration of 32 byte pre-shared secrets for
each peer switch or blade.

An SHA-512 hash message authentication code (HMAC) is used to check data integrity and
detect third party tampering.

A pseudo-random function (PRF) is used to strengthen security. The PRF algorithm generates output that
appears to be random data, using the SHA-512 HMAC as the seed value.

A 2048 bit Diffie-Hellman (DH) group is used for both IKEv2 and IPSec key generation.

The SA lifetime limits the length of time a key is used. When the SA lifetime expires, a new key
is generated, limiting the amount of time an attacker has to decipher a key. Depending on the
length of time elapsed or the amount of data transferred, parts of a message may be
protected by different keys generated as the SA lifetime expires. For the 8 Gbps Extension
Switch and Blade, the SA lifetime is approximately eight hours or two gigabytes of data,
whichever occurs first.

ESP is used in transport mode. ESP uses a hash algorithm to calculate and verify an
authentication value, and also encrypts the IP datagram.
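As an added illustration of the AES-GCM-ESP framing described above (example code, not Brocade's implementation), the following Go program builds and verifies an ESP transport-mode packet in the RFC 4106 layout: SPI and sequence number as the authenticated header, a 4-byte salt plus an 8-byte IV as the GCM nonce, the ESP trailer, and the 16-byte ICV that rejects tampered packets. The key, salt and SPI values are constructed here; on the platform they would come from the IKEv2 exchange.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// EspGcm frames ESP transport-mode packets with AES-256-GCM (RFC 4106 layout); key, salt and SPI are assumed to come from IKEv2.
type EspGcm struct{ aead cipher.AEAD; salt []byte; spi, seq uint32 }
func NewEspGcm(key, salt []byte, spi uint32) (*EspGcm, error) {
	if len(key) != 32 || len(salt) != 4 {
		return nil, errors.New("need a 32-byte AES-256 key and a 4-byte salt")
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for AES: 12-byte nonce, 16-byte ICV
	return &EspGcm{aead: aead, salt: salt, spi: spi}, nil
}
// Encap emits SPI(4)|Seq(4)|IV(8)|ciphertext(payload|pad|padlen|nexthdr)|ICV(16); SPI|Seq is the AAD.
func (e *EspGcm) Encap(payload []byte, nextHeader byte) ([]byte, error) {
	if e.seq++; e.seq == 0 { // a repeated IV under one key breaks GCM, so refuse to wrap
		return nil, errors.New("sequence number exhausted: rekey before sending more")
	}
	hdr := make([]byte, 16)
	binary.BigEndian.PutUint32(hdr[0:], e.spi)
	binary.BigEndian.PutUint32(hdr[4:], e.seq)
	binary.BigEndian.PutUint64(hdr[8:], uint64(e.seq)) // IV derived from Seq: unique per key
	padLen := (4 - (len(payload)+2)%4) % 4            // trailer keeps 4-byte alignment
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ { // RFC 4303 default padding bytes 1,2,3,...
		plain = append(plain, byte(i))
	}
	plain = append(plain, byte(padLen), nextHeader)
	return e.aead.Seal(hdr, append(append([]byte{}, e.salt...), hdr[8:]...), plain, hdr[:8]), nil
}
// Decap verifies the ICV, rejecting tampered or wrongly keyed packets, then strips the trailer.
func (e *EspGcm) Decap(pkt []byte) ([]byte, byte, error) {
	if len(pkt) < 16+2+16 || binary.BigEndian.Uint32(pkt) != e.spi {
		return nil, 0, errors.New("short packet or SPI mismatch")
	}
	plain, err := e.aead.Open(nil, append(append([]byte{}, e.salt...), pkt[8:16]...), pkt[16:], pkt[:8])
	if err != nil {
		return nil, 0, err // ICV mismatch: third-party tampering or a key mismatch
	}
	n := len(plain) - 2 - int(plain[len(plain)-2]) // payload length once pad and trailer are removed
	if n < 0 {
		return nil, 0, errors.New("bad pad length")
	}
	return plain[:n], plain[len(plain)-1], nil
}
```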

QOS, DSCP, and VLANs

Quality of Service (QoS) refers to policies for handling differences in data traffic. These policies are
based on data characteristics and delivery requirements. For example, ordinary data traffic is
tolerant of delays and dropped packets, but voice and video data are not. QoS policies provide a
framework for accommodating these differences in data as it passes through a network.

QoS for Fibre Channel traffic is provided through internal QoS priorities. Those priorities can be
mapped to TCP/IP network priorities. There are two options for TCP/IP network-based QoS:

Layer three DiffServ Code Points (DSCP).

VLAN tagging and Layer two class of service (L2CoS).