ANSI INCITS426-2007 Information technology - Fibre Channel Security Protocols (FC-SP)《信息技术.光纤信道安全协议(FC-SP)》.pdf

1、American National StandardDeveloped byfor Information Technology Fibre Channel Security Protocols(FC-SP)ANSI INCITS 426-2007ANSIINCITS426-2007Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license

2、from IHS-,-,-Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-ANSIINCITS 426-2007American National Standardfor Information Technology Fibre Channel Security Protocols(FC-SP)Secre

3、tariatInformation Technology Industry CouncilApproved February 1, 2007 American National Standards Institute, Inc.AbstractThis standard describes the protocols used to implement security in a Fibre Channel fabric. This stan-dard includes the definition of protocols to authenticate Fibre Channel enti

4、ties, protocols to set up ses-sion keys, protocols to negotiate the parameters required to ensure frame-by-frame integrity andconfidentiality, and protocols to establish and distribute policies across a Fibre Channel fabric.Copyright American National Standards Institute Provided by IHS under licens

5、e with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-Approval of an American National Standard requires review by ANSI that therequirements for due process, consensus, and other criteria for approval havebeen met by the standards developer.Consensus is estab

6、lished when, in the judgement of the ANSI Board ofStandards Review, substantial agreement has been reached by directly andmaterially affected interests. Substantial agreement means much more thana simple majority, but not necessarily unanimity. Consensus requires that allviews and objections be cons

7、idered, and that a concerted effort be madetowards their resolution.The use of American National Standards is completely voluntary; theirexistence does not in any respect preclude anyone, whether he has approvedthe standards or not, from manufacturing, marketing, purchasing, or usingproducts, proces

8、ses, or procedures not conforming to the standards.The American National Standards Institute does not develop standards andwill in no circumstances give an interpretation of any American NationalStandard. Moreover, no person shall have the right or authority to issue aninterpretation of an American

9、National Standard in the name of the AmericanNational Standards Institute. Requests for interpretations should beaddressed to the secretariat or sponsor whose name appears on the titlepage of this standard.CAUTION NOTICE: This American National Standard may be revised orwithdrawn at any time. The pr

10、ocedures of the American National StandardsInstitute require that action be taken periodically to reaffirm, revise, orwithdraw this standard. Purchasers of American National Standards mayreceive current information on all standards by calling or writing the AmericanNational Standards Institute.Ameri

11、can National StandardPublished byAmerican National Standards Institute, Inc.25 West 43rd Street, New York, NY 10036Copyright 2007 by Information Technology Industry Council (ITI)All rights reserved.No part of this publication may be reproduced in anyform, in an electronic retrieval system or otherwi

12、se,without prior written permission of ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of AmericaCAUTION: The developers of this standard have requested that holders of patents that may be re-quired for the implementation of the standard disclose such patents to the publi

13、sher. However, nei-ther the developers nor the publisher have undertaken a patent search in order to identify which, ifany, patents may apply to this standard. As of the date of publication of this standard, followingcalls for the identification of patents that may be required for the implementation

14、 of the standard,notice of one or more such claims has been received. By publication of this standard, no positionis taken with respect to the validity of this claim or of any rights in connection therewith. The knownpatent holder(s) has (have), however, filed a statement of willingness to grant a l

15、icense underthese rights on reasonable and nondiscriminatory terms and conditions to applicants desiring to ob-tain such a license. Details may be obtained from the publisher. No further patent search is con-ducted by the developer or publisher in respect to any standard it processes. No representat

16、ion ismade or implied that this is the only license that may be required to avoid infringement in the use ofthis standard.Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-Copyrig

17、ht American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-ContentsPageForeword viiIntroduction x1 Scope . 12 Normative References . 22.1 Overview 22.2 Approved references 22.3 References under d

18、evelopment . 22.4 Other References . 23 Definitions and conventions . 53.1 Overview 53.2 Definitions 53.3 Editorial Conventions . 83.4 Abbreviations, acronyms, and symbols . 103.5 Keywords . 113.6 T10 Vendor ID 123.7 Sorting 123.7.1 Sorting alphabetic keys 123.7.2 Sorting numeric keys . 123.8 Termin

19、ate Communication . 123.9 State Machine notation 134 Structure and Concepts . 154.1 Overview 154.2 FC-SP Compliance 154.3 Fabric Security Architecture . 154.4 Authentication Infrastructure 154.5 Authentication 164.6 Security Associations . 174.7 Cryptographic Integrity and Confidentiality 174.7.1 Ov

20、erview 174.7.2 ESP_Header Processing . 184.7.3 CT_Authentication Processing . 194.8 Authorization (Access Control) 214.8.1 Policy Definition . 214.8.2 Policy Enforcement 224.8.3 Policy Distribution 22i4.8.4 Policy Check 224.9 Name Format . 22Copyright American National Standards Institute Provided b

21、y IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHSPage5 Authentication Protocols 235.1 Overview 235.2 Authentication Messages Structure . 245.2.1 Overview 245.2.2 SW_ILS Authentication Messages 245.2.3 ELS Authentication Messages . 265.2.4 Fi

22、elds Common to All AUTH Messages 275.2.5 Vendor Specific Messages 285.3 Authentication Messages Common to Authentication Protocols . 285.3.1 Overview 285.3.2 AUTH_Negotiate Message 295.3.3 Names used in Authentication . 305.3.4 Hash Functions 305.3.5 Diffie-Helmann Groups 315.3.6 AUTH_Reject Message

23、 . 325.3.7 AUTH_Done Message . 355.4 DH-CHAP Protocol 365.4.1 Protocol Operations . 365.4.2 AUTH_Negotiate DH-CHAP Parameters . 385.4.3 DHCHAP_Challenge Message 395.4.4 DHCHAP_Reply Message . 405.4.5 DHCHAP_Success Message 425.4.6 Key Generation for the Security Association Management Protocol 435.4

24、.7 Reuse of Diffie-Hellman Exponential . 435.4.8 DH-CHAP Security Considerations . 435.5 FCAP Protocol . 455.5.1 Protocol Operations . 455.5.2 AUTH_Negotiate FCAP Parameters . 485.5.3 FCAP_Request Message 495.5.4 FCAP_Acknowledge Message 525.5.5 FCAP_Confirm Message . 545.5.6 Key Generation for the

25、Security Association Management Protocol 545.5.7 Reuse of Diffie-Hellman Exponential . 545.6 FCPAP Protocol . 555.6.1 Protocol Operations . 555.6.2 AUTH_Negotiate FCPAP Parameters . 585.6.3 FCPAP_Init Message 595.6.4 FCPAP_Accept Message 605.6.5 FCPAP_Complete Message 605.6.6 Key Generation for the

26、Security Association Management Protocol 615.6.7 Reuse of Diffie-Hellman Exponential . 615.7 AUTH_ILS Specification 625.7.1 Overview 625.7.2 AUTH_ILS Request Sequence 63ii5.7.3 AUTH_ILS Reply Sequence 64-,-,-Copyright American National Standards Institute Provided by IHS under license with ANSI Not

27、for ResaleNo reproduction or networking permitted without license from IHS-,-,-Page5.8 B_AUTH_ILS Specification 645.8.1 Overview 645.8.2 B_AUTH_ILS Request Sequence 665.8.3 B_AUTH_ILS Reply Sequence 675.9 AUTH_ELS Specification . 675.9.1 Overview 675.9.2 AUTH_ELS Request Sequence . 695.9.3 AUTH_ELS

28、Reply Sequence . 705.9.4 AUTH_ELS Fragmentation 705.9.5 Authentication and Login 745.10 Re-Authentication . 755.11 Timeouts 766 Security Association Management Protocol . 776.1 Introduction 776.1.1 General Overview 776.1.2 IKE_SA_Init Overview 796.1.3 IKE_Auth Overview 796.1.4 IKE_Create_Child_SA Ov

29、erview 806.2 SA Management Messages . 816.2.1 General Structure . 816.2.2 IKE_Header Payload 816.2.3 Chaining Header 826.2.4 AUTH_Reject Message Use 846.3 IKE_SA_Init Message 846.3.1 Overview 846.3.2 Security_Association Payload 856.3.3 Key_Exchange Payload . 966.3.4 Nonce Payload . 966.4 IKE_Auth M

30、essage 966.4.1 Overview 966.4.2 Encrypted Payload . 986.4.3 Identification Payload . 996.4.4 Authentication Payload 1006.4.5 Traffic Selector Payload . 1006.4.6 Certificate Payload . 1026.4.7 Certificate Request Payload . 1036.5 IKE_Create_Child_SA Message 1056.6 IKE_Informational Message . 1066.6.1

31、 Overview 1066.6.2 Notify Payload 1086.6.3 Delete Payload . 1116.6.4 Vendor_ID Payload 1126.7 Interaction with the Authentication Protocols 1136.7.1 Overview 1136.7.2 Concatenation of Authentication and SA Management iiiTransactions . 113Copyright American National Standards Institute Provided by IH

32、S under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-Page6.7.3 SA Management Transaction as Authentication Transaction. 1156.8 IKEv2 Protocol Details . 1166.8.1 Use of Retransmission Timers . 1166.8.2 Use of Sequence Numbers for Message_IDs . 1

33、166.8.3 Overlapping Requests . 1176.8.4 State Synchronization and Connection Timeouts 1176.8.5 Cookies and Anti-Clogging Protection . 1176.8.6 Cryptographic Algorithms Negotiation . 1176.8.7 Rekeying 1176.8.8 Traffic Selector Negotiation . 1176.8.9 Nonces . 1186.8.10 Reuse of Diffie-Hellman Exponent

34、ial . 1186.8.11 Generating Keying Material . 1186.8.12 Generating Keying Material for the IKE_SA 1186.8.13 Authentication of the IKE_SA 1186.8.14 Generating Keying Material for Child_SAs 1196.8.15 Rekeying IKE_SAs using the IKE_Create_Child_SA exchange. 1196.8.16 IKE_Informational Messages outside o

35、f an IKE_SA 1196.8.17 Error Handling 1196.8.18 Conformance Requirements 1196.8.19 Rekeying IKE_SAs when Refreshing Authentication . 1207 Fabric Policies 1217.1 Policies Definition 1217.1.1 Overview 1217.1.2 Names used to define Policies 1237.1.3 Policy Summary Object . 1257.1.4 Switch Membership Lis

36、t Object . 1267.1.5 Node Membership List Object . 1317.1.6 Switch Connectivity Object 1357.1.7 IP Management List Object . 1377.1.8 Attribute Object 1407.2 Policies Enforcement 1427.2.1 Overview 1427.2.2 Switch-to-Switch Connections . 1427.2.3 Switch-to-Node Connections . 1437.2.4 In-Band Management

37、 Access to a Switch . 1447.2.5 IP Management Access to a Switch 1457.2.6 Direct Management Access to a Switch 1467.2.7 Authentication Enforcement . 1477.3 Policies Management 1477.3.1 Management Interface . 1477.3.2 Fabric Distribution 1497.3.3 Relationship between Security Policy Server Requests an

38、d Fabric Actions . 1527.3.4 Policy Objects Support 1527.3.5 Optional Data . 1567.3.6 Detailed Management Specification 1577.4 Policies Check . 165iv7.4.1 Overview 165Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking pe

39、rmitted without license from IHS-,-,-Page7.4.2 CPS Request Sequence 1657.4.3 CPS Reply Sequence 1667.5 Policy Summation ELSs . 1667.5.1 Overview 1667.5.2 Query Security Attributes (QSA) Version 2 1667.5.3 Registered Fabric Change Notification (RFCN) . 1687.5.4 Fabric Change Notification Specificatio

40、n . 1697.6 Zoning Policies . 1707.6.1 Overview 1707.6.2 Management Requests 1707.6.3 Fabric Operations . 1737.6.4 Zoning Ordering Rules . 1787.6.5 The Client-Server Protocol . 1798 Combinations of Security Protocols 1838.1 Entity Authentication Overview 1838.2 Terminology . 1838.3 Scope of Security

41、Relationships 1848.3.1 N_Port_ID Virtualization . 1848.3.2 Nx_Port Entity to a Fabric Entity 1848.3.3 Nx_Port Entity to Nx_Port Entity 1858.4 Entity Authentication Model 1858.5 Abstract Services for Entity Authentication 1878.5.1 Overview 1878.5.2 Authentication Service . 1878.5.3 Security Service .

42、 1888.5.4 FC-2 Service 1888.6 Nx_Port to Fabric Authentication (NFA) State Machine . 1938.6.1 Overview 1938.6.2 NFA States . 1948.6.3 NFA Events 1958.6.4 NFA Transitions . 1958.7 Fabric from Nx_Port Authentication (FNA) State Machine . 2018.7.1 Overview 2018.7.2 FNA States . 2028.7.3 FNA Events 2038

43、.7.4 FNA Transitions . 2038.8 Nx_Port to Nx_Port Authentication (NNA) State Machine . 2118.8.1 Overview 2118.8.2 NNA States 2128.8.3 NNA Events 2138.8.4 NNA Transitions . 2138.9 Additional Security State Machines 2208.9.1 E_Port to E_Port Security Checks . 2208.9.2 B_Port Security Checks . 2218.9.3

44、Switch Security Checks with Virtual Fabrics 221v8.9.4 N_Port Security Checks with Virtual Fabrics 223Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-Page8.10 Impact on Other Sta

45、ndards 223AnnexesA FC-SP Compliance Summary 225A.1 Compliance Elements 225A.1.1 Overview 225A.1.2 FC-SP Compliance 226A.1.3 Conventions . 226A.2 Authentication Compliance Elements 227A.2.1 AUTH-A . 227A.2.2 AUTH-B . 228A.2.3 AUTH-C1 . 229A.2.4 AUTH-C2 . 230A.3 SA Management Compliance Elements 231A.

46、3.1 Algorithms Support 231A.3.2 SA-A 233A.3.3 SA-B 234A.3.4 SA-C1 236A.3.5 SA-C2 238A.4 Policy Compliance Elements . 240A.4.1 POL-A1 240A.4.2 POL-A2 241A.4.3 POL-A3 242A.4.4 POL-B3 243B Random Number Generation and RADIUS Deployment . 245B.1 Overview 245B.1.1 Objectives of this Annex 245B.1.2 Random Number Generator 245B.1.3 Secret Storage . 246B.2 RADIUS Servers 246B.2.1 Overview 246B.2.2 Digest Algorithm 247B.3 RADIUS Messages 247B.3.1 Message Types . 247B.3.2 Radius Attributes