1、American National StandardDeveloped byfor Information Technology Fibre Channel Security Protocols - 2 (FC-SP-2)INCITS 496-2012INCITS 496-2012Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license f
2、rom IHS-,-,-Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS 496-2012American National Standardfor Information Technology Fibre Channel Security Protocols - 2 (FC-SP-2)Sec
3、retariatInformation Technology Industry CouncilApproved October 25, 2012American National Standards Institute, Inc.AbstractThis standard describes the protocols used to implement security in a Fibre Channel fabric. This stan-dard includes the definition of protocols to authenticate Fibre Channel ent
4、ities, protocols to set up ses-sion keys, protocols to negotiate the parameters required to ensure frame-by-frame integrity andconfidentiality, and protocols to establish and distribute policies across a Fibre Channel fabric.Copyright American National Standards Institute Provided by IHS under licen
5、se with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-Approval of an American National Standard requires review by ANSI that therequirements for due process, consensus, and other criteria for approval havebeen met by the standards developer.Consensus is esta
6、blished when, in the judgement of the ANSI Board ofStandards Review, substantial agreement has been reached by directly andmaterially affected interests. Substantial agreement means much more thana simple majority, but not necessarily unanimity. Consensus requires that allviews and objections be con
7、sidered, and that a concerted effort be madetowards their resolution.The use of American National Standards is completely voluntary; theirexistence does not in any respect preclude anyone, whether he has approvedthe standards or not, from manufacturing, marketing, purchasing, or usingproducts, proce
8、sses, or procedures not conforming to the standards.The American National Standards Institute does not develop standards andwill in no circumstances give an interpretation of any American NationalStandard. Moreover, no person shall have the right or authority to issue aninterpretation of an American
9、 National Standard in the name of the AmericanNational Standards Institute. Requests for interpretations should beaddressed to the secretariat or sponsor whose name appears on the titlepage of this standard.CAUTION NOTICE: This American National Standard may be revised orwithdrawn at any time. The p
10、rocedures of the American National StandardsInstitute require that action be taken periodically to reaffirm, revise, orwithdraw this standard. Purchasers of American National Standards mayreceive current information on all standards by calling or writing the AmericanNational Standards Institute.Amer
11、ican National StandardPublished byAmerican National Standards Institute, Inc.25 West 43rd Street, New York, NY 10036Copyright 2012 by Information Technology Industry Council (ITI)All rights reserved.No part of this publication may be reproduced in anyform, in an electronic retrieval system or otherw
12、ise,without prior written permission of ITI, 1101 K Street NW, Suite 610, Washington, DC 20005. Printed in the United States of AmericaCAUTION: The developers of this standard have requested that holders of patents that may be re-quired for the implementation of the standard disclose such patents to
13、 the publisher. However, nei-ther the developers nor the publisher have undertaken a patent search in order to identify which, ifany, patents may apply to this standard. As of the date of publication of this standard, followingcalls for the identification of patents that may be required for the impl
14、ementation of the standard,notice of one or more such claims has been received. By publication of this standard, no positionis taken with respect to the validity of this claim or of any rights in connection therewith. The knownpatent holder(s) has (have), however, filed a statement of willingness to
15、 grant a license underthese rights on reasonable and nondiscriminatory terms and conditions to applicants desiring to ob-tain such a license. Details may be obtained from the publisher. No further patent search is con-ducted by the developer or publisher in respect to any standard it processes. No r
16、epresentation ismade or implied that this is the only license that may be required to avoid infringement in the use ofthis standard.Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,
17、-,-iContents PageForeword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvIntroduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
18、 xxi1 Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Normative References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22.1 Overview . . .
19、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22.2 Approved references . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22.3 References under development . . . . . . . . . . .
20、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22.4 Other References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Definitions and conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
21、. . . . . . . . . . . . 63.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63.2 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63.
22、3 Editorial Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93.4 Abbreviations, acronyms, and symbols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113.5 Keywords . . . . . . . . . . . . . . . . . . . . . .
23、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.6 T10 Vendor ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.7 Sorting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
24、 . . . . . . . . . . . . . . . . . . . . . . . 133.7.1 Sorting alphabetic keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.7.2 Sorting numeric keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.8 Terminat
25、e Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133.9 State Machine notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143.10 Using numbers in hash functions and concatenation function
26、s . . . . . . . . . . . . . . . . . 154 Structure and Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
27、. 164.2 FC-SP-2 Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164.3 Fabric Security Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164.4 Authentication Infrastructure . . . . . .
28、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164.5 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174.6 Security Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
29、 . . . . . . . . . . . . . . . . . . . 184.7 Cryptographic Integrity and Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184.7.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184.7.2 ESP_Head
30、er Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194.7.3 CT_Authentication Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204.8 Authorization (Access Control) . . . . . . . . . . . . . . . . . . . . . . . . . .
31、. . . . . . . . . . . . . . . . . 224.8.1 Policy Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224.8.2 Policy Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234.8.3 Policy Distri
32、bution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234.8.4 Policy Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234.9 Name Format . . . . . . . . . . . . . . . . . . . . . . . . . . .
33、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
34、. . . . . . . . . . . . 245.2 Authentication Messages Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255.2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255.2.2 SW_ILS Authentication
35、 Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255.2.3 ELS Authentication Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275.2.4 Fields Common to All AUTH Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
36、.2.5 Vendor Specific Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295.3 Authentication Messages Common to Authentication Protocols . . . . . . . . . . . . . . . . . . 295.3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
37、. . . . . . . . . . . . . . . . . . . . 29Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-ii5.3.2 AUTH_Negotiate Message . . . . . . . . . . . . . . . . . . . . . . . . . . . .
38、. . . . . . . . . . . . 305.3.3 Names used in Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315.3.4 Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325.3.5 Diffie-Hellman Groups . . . . . .
39、. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325.3.6 Accepting an AUTH_Negotiate Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335.3.7 AUTH_Reject Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335.3.8
40、AUTH_Done Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365.4 DH-CHAP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375.4.1 Protocol Operations . . . . . . . . . . . . . . . . . . . . .
41、 . . . . . . . . . . . . . . . . . . . . . . . . . 375.4.2 AUTH_Negotiate DH-CHAP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395.4.3 DHCHAP_Challenge Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405.4.4 DHCHAP_Reply Message . . . . . . .
42、 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415.4.5 DHCHAP_Success Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435.4.6 Key Generation for the Security Association Management Protocol . . . . . . . . . 445.4.7 Reuse of Diffie-Hellman Expo
43、nential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445.4.8 DH-CHAP Security Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445.5 FCAP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
44、. . . . . . 475.5.1 Protocol Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475.5.2 AUTH_Negotiate FCAP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505.5.3 FCAP_Request Message . . . . . . . . . . . . . . . . .
45、. . . . . . . . . . . . . . . . . . . . . . . . 515.5.4 FCAP_Acknowledge Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545.5.5 FCAP_Confirm Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565.5.6 Key Generation for the S
46、ecurity Association Management Protocol . . . . . . . . . 565.5.7 Reuse of Diffie-Hellman Exponential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565.6 FCPAP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
47、.6.1 Protocol Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575.6.2 AUTH_Negotiate FCPAP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605.6.3 FCPAP_Init Message . . . . . . . . . . . . . . . . . . . . . . . . . .
48、. . . . . . . . . . . . . . . . . . 615.6.4 FCPAP_Accept Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625.6.5 FCPAP_Complete Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635.6.6 Key Generation for the Security Association Management Protocol . . . . . . . . . 635.6.7 Reuse of Diffie-Hellman Exponential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635.7 FCEAP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
