Data integrity and confidentiality are top priorities for Cisco's customers. Storage networks may span large areas or multiple sites, and relying solely on physical security is not practical. Two requirements that are essential for secure communications are authentication and encryption.
Current Cisco® MDS 9000 Family switches support peer authentication according to the Fibre Channel Security Protocol (FC-SP) standard using the Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP), but authentication alone does not prevent unwanted activities such as traffic interception. To ensure data integrity and privacy, the data itself must be encrypted.
Cisco TrustSec Fibre Channel Link Encryption addresses customer needs for data integrity and privacy.
Cisco TrustSec Fibre Channel Link Encryption Overview
Cisco TrustSec Fibre Channel Link Encryption is an extension of the FC-SP standard and uses the existing FC-SP architecture. Starting with Cisco MDS 9000 NX-OS Software Release 4.2(1), Fibre Channel data traveling between E-ports on 8-Gbps modules is encrypted. Cisco uses the 128-bit Advanced Encryption Standard (AES) algorithm and offers two modes: AES-Galois/Counter Mode (AES-GCM) and AES-Galois Message Authentication Code (AES-GMAC). AES-GCM both encrypts and authenticates frames; AES-GMAC only authenticates (and does not encrypt) the frames passed between the two peers. Processing is performed at line rate: at egress, frames are encapsulated and encrypted with 128-bit AES in GCM mode, and at ingress, frames are decrypted and their integrity is verified.
There are two primary use cases for Cisco TrustSec Fibre Channel Link Encryption. In the first use case, customers are communicating outside the data center over native Fibre Channel (for example, dark fiber, Coarse Wavelength-Division Multiplexing [CWDM] or Dense Wavelength-Division Multiplexing [DWDM]). In the second use case, encryption is performed within the data center for security-focused customers such as defense and intelligence services. This feature is competitively unique and should provide a clear differentiator for campus and metropolitan area network (MAN) deployments and high-security accounts.
Figure 1 illustrates the Cisco TrustSec Fibre Channel Link Encryption feature.
Figure 1. Cisco TrustSec Fibre Channel Link Encryption
Cisco TrustSec Fibre Channel Link Encryption hardware and software integration with the Cisco MDS 9000 Family makes link-by-link encryption easier to deploy and manage. Cisco TrustSec Fibre Channel Link Encryption is configured and provisioned using Cisco MDS NX-OS and Cisco Fabric Manager; no new management software is required.
To perform encryption between the switches, a security association must be established. An administrator must manually configure the security association before encryption can take place. The security association includes the parameters required for encryption, such as the encryption key and salt. You can configure up to 2000 security associations per switch. No key management infrastructure is required; keys are stored locally on the switch.
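The two modes described above (AES-GCM encrypting and authenticating, AES-GMAC authenticating only) and the per-link security association holding a key and salt, as an added example in Go using the standard library; this is not Cisco's code, and the nonce layout, frame layout and sample values are assumptions for illustration only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// LinkSA models the security association the text describes: a 128-bit AES key and a
// salt held locally on each switch. Nonce layout (4-byte salt || 8-byte seq) is an illustrative assumption.
type LinkSA struct {
	aead cipher.AEAD
	salt [4]byte
}
func NewLinkSA(key []byte, salt [4]byte) (*LinkSA, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LinkSA{aead: aead, salt: salt}, nil
}
// nonce must never repeat under one key; the per-frame sequence counter ensures that.
func (sa *LinkSA) nonce(seq uint64) []byte {
	n := make([]byte, 12)
	copy(n, sa.salt[:])
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}
// SealGCM (AES-GCM): header stays in clear but authenticated, payload encrypted, 16-byte tag appended.
func (sa *LinkSA) SealGCM(seq uint64, header, payload []byte) []byte {
	return sa.aead.Seal(nil, sa.nonce(seq), payload, header)
}
// OpenGCM decrypts at ingress; any change to header, payload or tag fails the integrity check.
func (sa *LinkSA) OpenGCM(seq uint64, header, sealed []byte) ([]byte, error) {
	return sa.aead.Open(nil, sa.nonce(seq), sealed, header)
}
// TagGMAC (AES-GMAC): whole frame stays in clear; only a 16-byte tag is produced (empty plaintext, frame as AAD).
func (sa *LinkSA) TagGMAC(seq uint64, frame []byte) []byte {
	return sa.aead.Seal(nil, sa.nonce(seq), nil, frame)
}
// VerifyGMAC reports whether the frame is unmodified since it was tagged.
func (sa *LinkSA) VerifyGMAC(seq uint64, frame, tag []byte) bool {
	_, err := sa.aead.Open(nil, sa.nonce(seq), tag, frame)
	return err == nil
}
```

A receiver that decrypts with the wrong sequence number or a modified frame gets an error rather than garbage, which is the integrity check the text refers to at ingress.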
To use Cisco TrustSec Fibre Channel Link Encryption, Cisco MDS 9000 NX-OS Release 4.2(1) or later must be installed on the Cisco MDS Family switches.
Cisco TrustSec Fibre Channel Link Encryption is supported between E-ports on the following third-generation 8-Gbps switching modules:
The Cisco TrustSec Fibre Channel Link Encryption feature is included with the Cisco MDS 9000 Enterprise license. Customers who already have an installed Cisco MDS Enterprise license can use this feature; no additional licenses are required.