Use of IKEv2 in the Fibre Channel Security Association Management Protocol
RFC 4595

Document Type RFC - Informational (July 2006; Errata)
Was draft-maino-fcsp (individual in sec area)
Last updated 2013-03-02
Stream IETF
Stream WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 4595 (Informational)
Responsible AD Russ Housley
Send notices to fmaino@cisco.com, black_david@emc.com
Network Working Group                                           F. Maino
Request for Comments: 4595                                 Cisco Systems
Category: Informational                                         D. Black
                                                         EMC Corporation
                                                               July 2006

                          Use of IKEv2 in the
         Fibre Channel Security Association Management Protocol

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes the use of IKEv2 to negotiate security
   protocols and transforms for Fibre Channel as part of the Fibre
   Channel Security Association Management Protocol.  This usage
   requires that IKEv2 be extended with Fibre-Channel-specific security
   protocols, transforms, and name types.  This document specifies these
   IKEv2 extensions and allocates identifiers for them.  Using new IKEv2
   identifiers for Fibre Channel security protocols avoids any possible
   confusion between IKEv2 negotiation for IP networks and IKEv2
   negotiation for Fibre Channel.

Maino & Black                Informational                      [Page 1]
RFC 4595                     IKEv2 in FC-SP                    July 2006

Table of Contents

   1. Introduction ....................................................3
      1.1. Requirements Notation ......................................3
   2. Overview ........................................................4
   3. Fibre Channel Security Protocols ................................5
      3.1. ESP_Header Protocol ........................................6
      3.2. CT_Authentication Protocol .................................7
   4. The FC SA Management Protocol ...................................9
      4.1. Fibre Channel Name Identifier ..............................9
      4.2. ESP_Header and CT_Authentication Protocol ID ...............9
      4.3. CT_Authentication Protocol Transform Identifiers ..........10
      4.4. Fibre Channel Traffic Selectors ...........................10
      4.5. Negotiating Security Associations for FC and IP ...........12
   5. Security Considerations ........................................12
   6. IANA Considerations ............................................13
   7. References .....................................................14
      7.1. Normative References ......................................14
      7.2. Informative References ....................................14


1.  Introduction

   Fibre Channel (FC) is a gigabit-speed network technology primarily
   used for Storage Networking.  Fibre Channel is standardized in the
   T11 [T11] Technical Committee of the InterNational Committee for
   Information Technology Standards (INCITS), an American National
   Standards Institute (ANSI) accredited standards committee.

   FC-SP (Fibre Channel Security Protocols) is a T11 Technical Committee
   working group that has developed the "Fibre Channel Security
   Protocols" standard [FC-SP], a security architecture for Fibre
   Channel networks.

   The FC-SP standard defines a set of protocols for Fibre Channel
   networks that provides:

   1.  device-to-device (hosts, disks, switches) authentication;

   2.  management and establishment of secrets and security
       associations;

   3.  data origin authentication, integrity, anti-replay protection,
       confidentiality; and

   4.  security policies distribution.

   Within this framework, a Fibre Channel device can verify the identity
   of another Fibre Channel device and establish a shared secret that
   will be used to negotiate security associations for security
   protocols applied to Fibre Channel frames and information units.  The
   same framework allows for the distribution, within a Fibre Channel
   fabric, of policies that will be enforced by the fabric.

   FC-SP has adapted the IKEv2 protocol [RFC4306] to provide
   authentication of Fibre Channel entities and setup of security
   associations.

1.1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].