ANSI INCITS 426-2007 for Information Technology C Fibre Channel C Security Protocols (FC-SP).pdf

1、American National StandardDeveloped byfor Information Technology Fibre Channel Security Protocols(FC-SP)ANSI INCITS 426-2007ANSIINCITS426-2007ANSIINCITS 426-2007American National Standardfor Information Technology Fibre Channel Security Protocols(FC-SP)SecretariatInformation Technology Industry Coun

2、cilApproved February 1, 2007 American National Standards Institute, Inc.AbstractThis standard describes the protocols used to implement security in a Fibre Channel fabric. This stan-dard includes the definition of protocols to authenticate Fibre Channel entities, protocols to set up ses-sion keys, p

3、rotocols to negotiate the parameters required to ensure frame-by-frame integrity andconfidentiality, and protocols to establish and distribute policies across a Fibre Channel fabric.Approval of an American National Standard requires review by ANSI that therequirements for due process, consensus, and

4、 other criteria for approval havebeen met by the standards developer.Consensus is established when, in the judgement of the ANSI Board ofStandards Review, substantial agreement has been reached by directly andmaterially affected interests. Substantial agreement means much more thana simple majority,

5、 but not necessarily unanimity. Consensus requires that allviews and objections be considered, and that a concerted effort be madetowards their resolution.The use of American National Standards is completely voluntary; theirexistence does not in any respect preclude anyone, whether he has approvedth

6、e standards or not, from manufacturing, marketing, purchasing, or usingproducts, processes, or procedures not conforming to the standards.The American National Standards Institute does not develop standards andwill in no circumstances give an interpretation of any American NationalStandard. Moreover

7、, no person shall have the right or authority to issue aninterpretation of an American National Standard in the name of the AmericanNational Standards Institute. Requests for interpretations should beaddressed to the secretariat or sponsor whose name appears on the titlepage of this standard.CAUTION

8、 NOTICE: This American National Standard may be revised orwithdrawn at any time. The procedures of the American National StandardsInstitute require that action be taken periodically to reaffirm, revise, orwithdraw this standard. Purchasers of American National Standards mayreceive current informatio

9、n on all standards by calling or writing the AmericanNational Standards Institute.American National StandardPublished byAmerican National Standards Institute, Inc.25 West 43rd Street, New York, NY 10036Copyright 2007 by Information Technology Industry Council (ITI)All rights reserved.No part of this

10、 publication may be reproduced in anyform, in an electronic retrieval system or otherwise,without prior written permission of ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of AmericaCAUTION: The developers of this standard have requested that holders of patents that may

11、 be re-quired for the implementation of the standard disclose such patents to the publisher. However, nei-ther the developers nor the publisher have undertaken a patent search in order to identify which, ifany, patents may apply to this standard. As of the date of publication of this standard, follo

12、wingcalls for the identification of patents that may be required for the implementation of the standard,notice of one or more such claims has been received. By publication of this standard, no positionis taken with respect to the validity of this claim or of any rights in connection therewith. The k

13、nownpatent holder(s) has (have), however, filed a statement of willingness to grant a license underthese rights on reasonable and nondiscriminatory terms and conditions to applicants desiring to ob-tain such a license. Details may be obtained from the publisher. No further patent search is con-ducte

14、d by the developer or publisher in respect to any standard it processes. No representation ismade or implied that this is the only license that may be required to avoid infringement in the use ofthis standard.iContentsPageForeword viiIntroduction x1 Scope . 12 Normative References . 22.1 Overview 22

15、.2 Approved references 22.3 References under development . 22.4 Other References . 23 Definitions and conventions . 53.1 Overview 53.2 Definitions 53.3 Editorial Conventions . 83.4 Abbreviations, acronyms, and symbols . 103.5 Keywords . 113.6 T10 Vendor ID 123.7 Sorting 123.7.1 Sorting alphabetic ke

16、ys 123.7.2 Sorting numeric keys . 123.8 Terminate Communication . 123.9 State Machine notation 134 Structure and Concepts . 154.1 Overview 154.2 FC-SP Compliance 154.3 Fabric Security Architecture . 154.4 Authentication Infrastructure 154.5 Authentication 164.6 Security Associations . 174.7 Cryptogr

17、aphic Integrity and Confidentiality 174.7.1 Overview 174.7.2 ESP_Header Processing . 184.7.3 CT_Authentication Processing . 194.8 Authorization (Access Control) 214.8.1 Policy Definition . 214.8.2 Policy Enforcement 224.8.3 Policy Distribution 224.8.4 Policy Check 224.9 Name Format . 22iiPage5 Authe

18、ntication Protocols 235.1 Overview 235.2 Authentication Messages Structure . 245.2.1 Overview 245.2.2 SW_ILS Authentication Messages 245.2.3 ELS Authentication Messages . 265.2.4 Fields Common to All AUTH Messages 275.2.5 Vendor Specific Messages 285.3 Authentication Messages Common to Authenticatio

19、n Protocols . 285.3.1 Overview 285.3.2 AUTH_Negotiate Message 295.3.3 Names used in Authentication . 305.3.4 Hash Functions 305.3.5 Diffie-Helmann Groups 315.3.6 AUTH_Reject Message . 325.3.7 AUTH_Done Message . 355.4 DH-CHAP Protocol 365.4.1 Protocol Operations . 365.4.2 AUTH_Negotiate DH-CHAP Para

20、meters . 385.4.3 DHCHAP_Challenge Message 395.4.4 DHCHAP_Reply Message . 405.4.5 DHCHAP_Success Message 425.4.6 Key Generation for the Security Association Management Protocol 435.4.7 Reuse of Diffie-Hellman Exponential . 435.4.8 DH-CHAP Security Considerations . 435.5 FCAP Protocol . 455.5.1 Protoc

21、ol Operations . 455.5.2 AUTH_Negotiate FCAP Parameters . 485.5.3 FCAP_Request Message 495.5.4 FCAP_Acknowledge Message 525.5.5 FCAP_Confirm Message . 545.5.6 Key Generation for the Security Association Management Protocol 545.5.7 Reuse of Diffie-Hellman Exponential . 545.6 FCPAP Protocol . 555.6.1 P

22、rotocol Operations . 555.6.2 AUTH_Negotiate FCPAP Parameters . 585.6.3 FCPAP_Init Message 595.6.4 FCPAP_Accept Message 605.6.5 FCPAP_Complete Message 605.6.6 Key Generation for the Security Association Management Protocol 615.6.7 Reuse of Diffie-Hellman Exponential . 615.7 AUTH_ILS Specification 625

23、.7.1 Overview 625.7.2 AUTH_ILS Request Sequence 635.7.3 AUTH_ILS Reply Sequence 64iiiPage5.8 B_AUTH_ILS Specification 645.8.1 Overview 645.8.2 B_AUTH_ILS Request Sequence 665.8.3 B_AUTH_ILS Reply Sequence 675.9 AUTH_ELS Specification . 675.9.1 Overview 675.9.2 AUTH_ELS Request Sequence . 695.9.3 AUT

24、H_ELS Reply Sequence . 705.9.4 AUTH_ELS Fragmentation 705.9.5 Authentication and Login 745.10 Re-Authentication . 755.11 Timeouts 766 Security Association Management Protocol . 776.1 Introduction 776.1.1 General Overview 776.1.2 IKE_SA_Init Overview 796.1.3 IKE_Auth Overview 796.1.4 IKE_Create_Child

25、_SA Overview 806.2 SA Management Messages . 816.2.1 General Structure . 816.2.2 IKE_Header Payload 816.2.3 Chaining Header 826.2.4 AUTH_Reject Message Use 846.3 IKE_SA_Init Message 846.3.1 Overview 846.3.2 Security_Association Payload 856.3.3 Key_Exchange Payload . 966.3.4 Nonce Payload . 966.4 IKE_

26、Auth Message 966.4.1 Overview 966.4.2 Encrypted Payload . 986.4.3 Identification Payload . 996.4.4 Authentication Payload 1006.4.5 Traffic Selector Payload . 1006.4.6 Certificate Payload . 1026.4.7 Certificate Request Payload . 1036.5 IKE_Create_Child_SA Message 1056.6 IKE_Informational Message . 10

27、66.6.1 Overview 1066.6.2 Notify Payload 1086.6.3 Delete Payload . 1116.6.4 Vendor_ID Payload 1126.7 Interaction with the Authentication Protocols 1136.7.1 Overview 1136.7.2 Concatenation of Authentication and SA Management Transactions . 113ivPage6.7.3 SA Management Transaction as Authentication Tra

28、nsaction. 1156.8 IKEv2 Protocol Details . 1166.8.1 Use of Retransmission Timers . 1166.8.2 Use of Sequence Numbers for Message_IDs . 1166.8.3 Overlapping Requests . 1176.8.4 State Synchronization and Connection Timeouts 1176.8.5 Cookies and Anti-Clogging Protection . 1176.8.6 Cryptographic Algorithm

29、s Negotiation . 1176.8.7 Rekeying 1176.8.8 Traffic Selector Negotiation . 1176.8.9 Nonces . 1186.8.10 Reuse of Diffie-Hellman Exponential . 1186.8.11 Generating Keying Material . 1186.8.12 Generating Keying Material for the IKE_SA 1186.8.13 Authentication of the IKE_SA 1186.8.14 Generating Keying Ma

30、terial for Child_SAs 1196.8.15 Rekeying IKE_SAs using the IKE_Create_Child_SA exchange. 1196.8.16 IKE_Informational Messages outside of an IKE_SA 1196.8.17 Error Handling 1196.8.18 Conformance Requirements 1196.8.19 Rekeying IKE_SAs when Refreshing Authentication . 1207 Fabric Policies 1217.1 Polici

31、es Definition 1217.1.1 Overview 1217.1.2 Names used to define Policies 1237.1.3 Policy Summary Object . 1257.1.4 Switch Membership List Object . 1267.1.5 Node Membership List Object . 1317.1.6 Switch Connectivity Object 1357.1.7 IP Management List Object . 1377.1.8 Attribute Object 1407.2 Policies E

32、nforcement 1427.2.1 Overview 1427.2.2 Switch-to-Switch Connections . 1427.2.3 Switch-to-Node Connections . 1437.2.4 In-Band Management Access to a Switch . 1447.2.5 IP Management Access to a Switch 1457.2.6 Direct Management Access to a Switch 1467.2.7 Authentication Enforcement . 1477.3 Policies Ma

33、nagement 1477.3.1 Management Interface . 1477.3.2 Fabric Distribution 1497.3.3 Relationship between Security Policy Server Requests and Fabric Actions . 1527.3.4 Policy Objects Support 1527.3.5 Optional Data . 1567.3.6 Detailed Management Specification 1577.4 Policies Check . 1657.4.1 Overview 165vP

34、age7.4.2 CPS Request Sequence 1657.4.3 CPS Reply Sequence 1667.5 Policy Summation ELSs . 1667.5.1 Overview 1667.5.2 Query Security Attributes (QSA) Version 2 1667.5.3 Registered Fabric Change Notification (RFCN) . 1687.5.4 Fabric Change Notification Specification . 1697.6 Zoning Policies . 1707.6.1

35、Overview 1707.6.2 Management Requests 1707.6.3 Fabric Operations . 1737.6.4 Zoning Ordering Rules . 1787.6.5 The Client-Server Protocol . 1798 Combinations of Security Protocols 1838.1 Entity Authentication Overview 1838.2 Terminology . 1838.3 Scope of Security Relationships 1848.3.1 N_Port_ID Virtu

36、alization . 1848.3.2 Nx_Port Entity to a Fabric Entity 1848.3.3 Nx_Port Entity to Nx_Port Entity 1858.4 Entity Authentication Model 1858.5 Abstract Services for Entity Authentication 1878.5.1 Overview 1878.5.2 Authentication Service . 1878.5.3 Security Service . 1888.5.4 FC-2 Service 1888.6 Nx_Port

37、to Fabric Authentication (NFA) State Machine . 1938.6.1 Overview 1938.6.2 NFA States . 1948.6.3 NFA Events 1958.6.4 NFA Transitions . 1958.7 Fabric from Nx_Port Authentication (FNA) State Machine . 2018.7.1 Overview 2018.7.2 FNA States . 2028.7.3 FNA Events 2038.7.4 FNA Transitions . 2038.8 Nx_Port

38、to Nx_Port Authentication (NNA) State Machine . 2118.8.1 Overview 2118.8.2 NNA States 2128.8.3 NNA Events 2138.8.4 NNA Transitions . 2138.9 Additional Security State Machines 2208.9.1 E_Port to E_Port Security Checks . 2208.9.2 B_Port Security Checks . 2218.9.3 Switch Security Checks with Virtual Fa

39、brics 2218.9.4 N_Port Security Checks with Virtual Fabrics 223viPage8.10 Impact on Other Standards 223AnnexesA FC-SP Compliance Summary 225A.1 Compliance Elements 225A.1.1 Overview 225A.1.2 FC-SP Compliance 226A.1.3 Conventions . 226A.2 Authentication Compliance Elements 227A.2.1 AUTH-A . 227A.2.2 A

40、UTH-B . 228A.2.3 AUTH-C1 . 229A.2.4 AUTH-C2 . 230A.3 SA Management Compliance Elements 231A.3.1 Algorithms Support 231A.3.2 SA-A 233A.3.3 SA-B 234A.3.4 SA-C1 236A.3.5 SA-C2 238A.4 Policy Compliance Elements . 240A.4.1 POL-A1 240A.4.2 POL-A2 241A.4.3 POL-A3 242A.4.4 POL-B3 243B Random Number Generati

41、on and RADIUS Deployment . 245B.1 Overview 245B.1.1 Objectives of this Annex 245B.1.2 Random Number Generator 245B.1.3 Secret Storage . 246B.2 RADIUS Servers 246B.2.1 Overview 246B.2.2 Digest Algorithm 247B.3 RADIUS Messages 247B.3.1 Message Types . 247B.3.2 Radius Attributes . 248B.4 RADIUS Authent

42、ication . 251viiPageB.4.1 RADIUS Authentication Method . 251B.4.2 RADIUS Authentication with NULL DH algorithm 252B.4.3 Bidirectional Authentication with RADIUS 254B.4.4 RADIUS Authentication with DH option . 255C Examples of Proposals Negotiation for the SA Management Protocol . 257D Guidelines for

43、 Mapping Access Control Requirements to Fabric Policies . 258E Pre FC-SP Fabric Policy Implementations . 259E.1 Overview 259E.2 Fabric Management Policy Set 259E.2.1 Fabric Management Policy Set Overview 259E.2.2 FMPS Hierarchy Model 259E.2.3 Policy Description . 259E.2.4 Policy Distribution . 260E.

44、2.5 Signature, Version Stamp, and Timestamp . 260E.2.6 FMPS Object Structure 261E.2.7 Fabric Initialization And Fabric Join Procedures 261E.2.8 FMPS Payload Format . 264E.3 Fabric Binding 271E.3.1 Fabric Binding Overview 271E.3.2 Joining Switches 272E.3.3 Managing User-Initiated Change Requests . 27

45、2E.3.4 Fabric Binding Objects . 272E.3.5 Fabric Binding Commands . 272E.3.6 Exchange Fabric Membership Data (EFMD) . 273E.3.7 Exchange Security Attributes (ESA) 275E.3.8 Query Security Attributes (QSA) Version 1 278Figures1 State Machine Example . 132 Relationship between Authentication Protocols an

46、d Security Associations 163 Logical Model for Integrity and Confidentiality Protection with ESP_Header. 184 Logical Model for Integrity and Confidentiality Protection with CT_Authentication 20viiiPage5 A Generic Authentication Transaction . 236 Example of AUTH_Reject 327 A DH-CHAP Protocol Transacti

47、on Example 368 A FCAP Protocol Transaction Example. 469 A FCPAP Protocol Transaction Example 5610 FC-2 AUTH_ILS Mapping Example for the E_Port to E_Port Case 6311 Usage of B_AUTH_ILS 6512 FC-2 B_AUTH_ILS Mapping Example 6613 FC-2 AUTH_ELS Mapping Example for the Nx_Port to Nx_Port Case 6914 AUTH_ELS Fragmentation Process 7115 Use of the Sequence Number Bit Example . 7216 FC-2 Authentication Mappi