Fabric OS Administrator’s Guide 311
53-1002446-01
In-flight encryption and compression overview
14
How encryption and compression are enabled
This feature provides encryption and decryption, or compression and decompression, between two
E_Ports across an ISL. You can enable encryption, compression, or both on an E_Port on a per-port
basis. By default, this feature is disabled on all ports of a switch.
Encryption and compression capabilities and configurations from each end of the ISL are
exchanged during E_Port initialization. Capabilities and configurations must match at both ends;
otherwise, the port is segmented or disabled. If the port was configured for compression, the
compression feature is enabled.
If the port was configured for encryption, authentication is performed and the keys needed for
encryption are generated. The encryption feature is enabled if authentication is successful. If
authentication fails, then the ports are segmented.
Authentication and key generation
The Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) must be configured,
together with DH group 4, for port-level authentication as a prerequisite for in-flight
encryption. Pre-shared secret keys must be configured on the devices at either end of the ISL to
perform authentication. Authentication secrets longer than 32 characters are recommended for
stronger encryption keys. Once the link is authenticated, the keys are generated and exchanged.
In-flight encryption uses DH-CHAP authentication (SHA-1 algorithm) followed by Internet Key
Exchange (IKE) protocol (HMAC-SHA-512 algorithm) to generate the keys.
These encryption keys never expire. While the port remains online, the keys generated for the port
remain the same. When a port is disabled, segmented, or taken offline, a new set of keys is
generated when the port is enabled again.
All members of a trunk group use the same set of keys as the master port. Slave ports do not
exchange keys. If the master port goes offline causing an E_Port change, the trunk continues to
use the same set of keys.
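The E_Port bring-up sequence described in the two sections above, written as an added Python model. This is not Brocade's code and does not reproduce the Fabric OS message formats: the capability comparison, the DH-CHAP challenge/response with its SHA-1 hash step, and the HMAC-SHA-512 derivation standing in for the IKE key-generation step are simplified, and the toy DH group, the message layout, the exact hash inputs and the PortConfig/bring_up names are assumptions made for the example. It shows the three outcomes the text describes: a capability mismatch segments the port before authentication, a mismatched pre-shared secret segments it after authentication fails, and a successful handshake leaves both ends holding the same key, which is regenerated on every new bring-up.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy Diffie-Hellman parameters (an assumption for this example only; a real
# "DH group 4" link uses a standardized 2048-bit MODP group).
P = 2**127 - 1          # Mersenne prime, kept small so the example stays readable
G = 5
KLEN = (P.bit_length() + 7) // 8   # byte length of a shared DH value


@dataclass
class PortConfig:
    """Per-port settings an administrator would configure on one switch."""
    encrypt: bool
    compress: bool
    secret: bytes       # DH-CHAP pre-shared secret configured on this switch


def secret_is_strong(secret: bytes) -> bool:
    """The guide recommends authentication secrets longer than 32 characters."""
    return len(secret) > 32


def capabilities_match(a: PortConfig, b: PortConfig) -> bool:
    """Both ends of the ISL must agree on encryption and compression."""
    return a.encrypt == b.encrypt and a.compress == b.compress


def dh_chap_response(secret: bytes, challenge: bytes, shared: int) -> bytes:
    """SHA-1 proof of the pre-shared secret, bound to the peer's challenge
    and to the DH shared value (simplified; not the FC-SP message layout)."""
    return hashlib.sha1(secret + challenge + shared.to_bytes(KLEN, "big")).digest()


def derive_link_key(shared: int, c_a: bytes, c_b: bytes) -> bytes:
    """Stand-in for the IKE step: HMAC-SHA-512 keyed with the DH shared value
    over both challenges, ordered so either end computes the same result."""
    salt = min(c_a, c_b) + max(c_a, c_b)
    return hmac.new(shared.to_bytes(KLEN, "big"), salt, hashlib.sha512).digest()


def bring_up(local: PortConfig, peer: PortConfig) -> dict:
    """Model E_Port initialization: exchange capabilities, then authenticate
    and generate keys. Returns the resulting port state."""
    if not capabilities_match(local, peer):
        return {"state": "segmented", "reason": "capability mismatch"}
    if not local.encrypt:
        return {"state": "online", "compression": local.compress, "key": None}

    # Each side draws a private DH exponent and a fresh challenge.
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    c_local, c_peer = secrets.token_bytes(16), secrets.token_bytes(16)
    pub_local, pub_peer = pow(G, x, P), pow(G, y, P)

    # Both sides arrive at the same DH shared value from the exchanged publics.
    k_local, k_peer = pow(pub_peer, x, P), pow(pub_local, y, P)

    # Each side answers the other's challenge with its own configured secret ...
    resp_from_peer = dh_chap_response(peer.secret, c_local, k_peer)
    resp_from_local = dh_chap_response(local.secret, c_peer, k_local)
    # ... and checks the answer it receives against its own copy of the secret.
    ok_local = hmac.compare_digest(resp_from_peer,
                                   dh_chap_response(local.secret, c_local, k_local))
    ok_peer = hmac.compare_digest(resp_from_local,
                                  dh_chap_response(peer.secret, c_peer, k_peer))
    if not (ok_local and ok_peer):
        return {"state": "segmented", "reason": "authentication failed"}

    # Authentication succeeded: both ends generate the link keys.
    return {
        "state": "online",
        "compression": local.compress,
        "key_local": derive_link_key(k_local, c_local, c_peer),
        "key_peer": derive_link_key(k_peer, c_peer, c_local),
    }


if __name__ == "__main__":
    # Constructed sample secret (longer than 32 characters, as recommended).
    cfg = PortConfig(encrypt=True, compress=False,
                     secret=b"example-isl-secret-longer-than-32-characters")
    print(bring_up(cfg, cfg)["state"])                                    # online
    print(bring_up(cfg, PortConfig(True, False, b"other-secret"))["reason"])  # authentication failed
```

Because the private exponents and challenges are drawn afresh on every call, two successive calls to bring_up for the same pair of ports yield different keys, which mirrors the guide's statement that keys persist only while the port stays online and are regenerated when it is re-enabled.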
Availability considerations
For FC16-32 or FC16-48 blades, if the two ports configured for encryption or compression within
the same ASIC are not configured for trunking, it is recommended to connect each ISL to a different
ASIC on the peer switch. Similarly, configure the two ports on the other ASIC of the blade. If the
ports are configured for trunking, it is recommended to connect each trunk group to a different ASIC
of the peer switch. Configuring all four ports of the blade in this suggested way provides
redundancy in the event of encryption/compression port failures.
For the Brocade 6510, if its two ports are not configured for trunking, it is recommended to connect
each ISL to different ASICs of the peer switch.
If any encryption- or compression-enabled port on an ASIC encounters a rare error condition that
requires error recovery on the encryption engine within that ASIC, all encryption- or
compression-enabled ports on that ASIC (a maximum of two ports) go offline.