Methods and apparatus for security over fibre channel
First Claim
1. A method for processing frames in a fibre channel network having a first network entity and a second network entity, the method comprising:
- receiving a first frame at the first network entity from the second network entity in the fibre channel network, wherein the first frame is associated with a fabric login (FLOGI) or port login (PLOGI) message;
- identifying a security enable parameter in the first frame, wherein the security enable parameter is used by the second network entity, when the second network entity is added to the fibre channel network, to determine if the first network entity has authentication capability or supports other security functions;
- transmitting an acknowledgment to the second network entity that the first network entity has authentication capability or supports other security functions, the acknowledgment including algorithm information and a salt parameter;
- receiving a second frame at the first network entity from the second network entity;
- identifying a security control indicator in the second frame from the second network entity, wherein the security control indicator is used to determine if the second frame is encrypted or authenticated;
- determining at the first network entity that a security association identifier associated with the second frame corresponds to an entry in a security database;
- decrypting a first portion of the second frame by using algorithm information contained in the entry in the security database.
Abstract
Methods and apparatus are provided for improving both node-based and message-based security in a fibre channel network. Entity to entity authentication and key exchange services can be included in existing initialization messages used for introducing fibre channel network entities into a fibre channel fabric, or with specific messages exchanged over an already initialized communication channel. Both per-message authentication and encryption mechanisms can be activated using the authentication and key exchange services. Messages passed between fibre channel network entities can be encrypted and authenticated using information provided during the authentication sequence. Security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection can be implemented.
Claims (23)
1. Independent claim 1, as reproduced under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A method for transmitting encrypted frames in a fibre channel network having a first network entity and a second network entity, the method comprising:
- transmitting a first fibre channel frame having a source corresponding to the first network entity and a destination corresponding to the second network entity, the first fibre channel frame including a security enable parameter, wherein the first fibre channel frame is associated with a fabric login (FLOGI) or a port login (PLOGI) message, wherein the security enable parameter is used by the first network entity, when the first network entity is added to the fibre channel network, to determine if the second network entity has authentication capability or supports other security functions;
- receiving an acknowledgment from the second network entity indicating that the second network entity has authentication capability or supports other security functions, the acknowledgment including key and algorithm information and a salt parameter;
- inserting key and algorithm information from the second network entity into a security database;
- identifying a second fibre channel frame having a source corresponding to the first network entity and a destination corresponding to the second network entity;
- determining if the second fibre channel frame corresponds to the selectors of an entry in a security database;
- encrypting a first portion of the second fibre channel frame using key and algorithm information associated with the entry in the security database;
- providing a security control indicator in the second fibre channel frame, wherein the security control indicator is used to determine if the frame is encrypted or authenticated;
- transmitting the second fibre channel frame to the second network entity.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22.
23. An apparatus for transmitting encrypted frames in a fibre channel network having a first network entity and a second network entity, the apparatus comprising:
- means for transmitting a first fibre channel frame having a source corresponding to the first network entity and a destination corresponding to the second network entity, the first fibre channel frame including a security enable parameter, wherein the first fibre channel frame is associated with a fabric login (FLOGI) or a port login (PLOGI) message, wherein the security enable parameter is used by the first network entity, when the first network entity is added to the fibre channel network, to determine if the second network entity has authentication capability or supports other security functions;
- means for receiving an acknowledgment from the second network entity indicating that the second network entity has authentication capability or supports other security functions, the acknowledgment including key and algorithm information and a salt parameter;
- means for inserting key and algorithm information from the second network entity into a security database;
- means for identifying a second fibre channel frame having a source corresponding to the first network entity and a destination corresponding to the second network entity;
- means for determining if the second fibre channel frame corresponds to the selectors of an entry in a security database;
- means for encrypting a first portion of the second fibre channel frame using key and algorithm information associated with the entry in the security database;
- means for providing a security control indicator in the second fibre channel frame, wherein the security control indicator is used to determine if the frame is encrypted or authenticated;
- means for transmitting the second fibre channel frame to the second network entity.
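The following Python simulation is an added illustration of the exchange that claims 1 and 11 describe; it is not code from the patent or from any product it covers. It walks through both sides: a login (PLOGI) carrying a security enable parameter, an acknowledgment carrying algorithm information, a salt and a security association identifier, a security database keyed by that identifier and selected by (source, destination), and a data frame whose payload is encrypted and tagged on the sender, then checked for a known association, verified, screened for replay and decrypted on the receiver. The message layout, entity names, the pre-shared secret that stands in for the claims' "key information", PBKDF2 key derivation and the HMAC-based toy cipher are all assumptions made for the example and are not the wire format of any Fibre Channel security standard.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Constructed value: a pre-shared secret known to both entities stands in for
# whatever key exchange carries the "key information" the claims mention.
PRE_SHARED_SECRET = b"example-fabric-secret"
ALGORITHM = "HMAC-SHA256-CTR/HMAC-SHA256"  # illustrative algorithm information, not a standard identifier


@dataclass
class Frame:
    src: str
    dst: str
    sec_control: int = 0  # security control indicator: bit0 = encrypted, bit1 = authenticated
    sa_id: int = 0        # security association identifier
    seq: int = 0          # per-association sequence number, used for anti-replay
    payload: bytes = b""
    tag: bytes = b""


@dataclass
class SAEntry:
    selectors: tuple      # (src, dst) pair that selects this association
    algorithm: str
    enc_key: bytes
    auth_key: bytes
    last_seq: int = -1    # highest sequence number sent (sender) or accepted (receiver)


def _keystream_xor(key, sa_id, seq, data):
    # Toy counter-mode stream built from HMAC-SHA256 (assumption); it stands in for the
    # cipher the SA's algorithm information would name. The same call encrypts and decrypts.
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, struct.pack(">IQI", sa_id, seq, block), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)


def _auth_tag(key, frame):
    # Encrypt-then-MAC: the tag covers the header fields and the already-encrypted payload.
    header = frame.src.encode() + b"|" + frame.dst.encode() + struct.pack(
        ">BIQ", frame.sec_control, frame.sa_id, frame.seq)
    return hmac.new(key, header + frame.payload, hashlib.sha256).digest()


class Entity:
    def __init__(self, name):
        self.name = name
        self.security_db = {}  # sa_id -> SAEntry
        self.next_sa_id = 1

    # Login phase: PLOGI carries the security enable parameter; the acknowledgment
    # carries algorithm information, a salt and the SA identifier (layout assumed).
    def build_login(self, peer):
        return {"type": "PLOGI", "src": self.name, "dst": peer, "security_enable": True}

    def handle_login(self, login):
        if not login.get("security_enable"):
            return {"type": "PLOGI_ACC", "security": False}
        sa_id, salt = self.next_sa_id, os.urandom(16)
        self.next_sa_id += 1
        self._install_sa(sa_id, (login["src"], login["dst"]), salt)
        return {"type": "PLOGI_ACC", "security": True, "algorithm": ALGORITHM,
                "salt": salt, "sa_id": sa_id}

    def handle_login_ack(self, login, ack):
        if ack.get("security"):  # insert key and algorithm information into the database
            self._install_sa(ack["sa_id"], (login["src"], login["dst"]), ack["salt"])
        return bool(ack.get("security"))

    def _install_sa(self, sa_id, selectors, salt):
        # Derive separate encryption and authentication keys from the secret and the salt.
        km = hashlib.pbkdf2_hmac("sha256", PRE_SHARED_SECRET, salt, 10000, dklen=64)
        self.security_db[sa_id] = SAEntry(selectors, ALGORITHM, km[:32], km[32:])

    # Transmit side: match the frame against SA selectors, encrypt, set the indicator, tag.
    def protect(self, frame):
        match = [(i, e) for i, e in self.security_db.items() if e.selectors == (frame.src, frame.dst)]
        if not match:
            return frame  # no entry selects this frame, so it leaves unprotected
        sa_id, entry = match[0]
        entry.last_seq += 1
        frame.sa_id, frame.seq = sa_id, entry.last_seq
        frame.payload = _keystream_xor(entry.enc_key, sa_id, frame.seq, frame.payload)
        frame.sec_control = 0b11
        frame.tag = _auth_tag(entry.auth_key, frame)
        return frame

    # Receive side: read the indicator, look up the SA, verify, reject replays, decrypt.
    def process(self, frame):
        if not frame.sec_control:
            return frame.payload
        entry = self.security_db.get(frame.sa_id)
        if entry is None:
            raise ValueError("no security database entry for SA %d" % frame.sa_id)
        if frame.sec_control & 0b10 and not hmac.compare_digest(
                _auth_tag(entry.auth_key, frame), frame.tag):
            raise ValueError("authentication failed")
        if frame.seq <= entry.last_seq:
            raise ValueError("replayed frame")
        entry.last_seq = frame.seq
        payload = frame.payload
        if frame.sec_control & 0b01:
            payload = _keystream_xor(entry.enc_key, frame.sa_id, frame.seq, payload)
        return payload


def _rejected(entity, frame):
    try:
        entity.process(frame)
    except ValueError:
        return True
    return False


def demo():
    a, b = Entity("N_Port_A"), Entity("Switch_B")
    login = a.build_login(b.name)
    ack = b.handle_login(login)
    negotiated = a.handle_login_ack(login, ack)
    plaintext = b"SCSI READ(10) LBA=0x1000"  # constructed payload
    frame = a.protect(Frame(a.name, b.name, payload=plaintext))
    wire = bytes(frame.payload)
    recovered = b.process(frame)
    tampered = Frame(frame.src, frame.dst, frame.sec_control, frame.sa_id, frame.seq,
                     bytes([wire[0] ^ 1]) + wire[1:], frame.tag)
    unknown = Frame(frame.src, frame.dst, frame.sec_control, 99, frame.seq, wire, frame.tag)
    return {"negotiated": negotiated, "encrypted_on_wire": wire != plaintext,
            "recovered": recovered, "tamper_rejected": _rejected(b, tampered),
            "unknown_sa_rejected": _rejected(b, unknown), "replay_rejected": _rejected(b, frame)}


if __name__ == "__main__":
    print(demo())
```

The order of checks on the receive side is deliberate: the tag is verified before the sequence number is consulted and before any decryption, so a frame that is not authentic cannot advance the replay window or exercise the decryption path, and a frame whose security association identifier has no database entry is dropped without touching any key. One association covers one direction; the reverse direction would need its own entry with swapped selectors.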
Specification