BS ISO/IEC 14165-432:2022:2024 Edition
$215.11
Information technology. Fibre channel – Security Protocols. 2 (FC-SP-2)
Published By | Publication Date | Number of Pages |
---|---|---|
BSI | 2024 | 312 |
PDF Catalog
PDF Pages | PDF Title |
---|---|
4 | Contents |
17 | FOREWORD |
19 | INTRODUCTION |
20 | 1 Scope |
21 | 2 Normative references |
25 | 3 Terms, definitions, symbols, abbreviated terms, and conventions 3.1 Terms and definitions |
32 | 3.2 Symbols and abbreviated terms |
33 | 3.3 Editorial conventions Tables Table 1 – ISO and American conventions |
34 | 3.4 Keywords |
35 | 3.5 T10 Vendor ID 3.6 Sorting |
36 | 3.7 Terminate communication |
37 | 3.8 State machine notation 3.9 Using numbers in hash functions and concatenation functions Figures Figure 1 – State machine example |
39 | 4 Structure and Concepts 4.1 Overview 4.2 FC-SP-2 Compliance 4.3 Fabric Security Architecture 4.4 Authentication Infrastructure |
40 | 4.5 Authentication Figure 2 – Relationship between Authentication Protocols and Security Associations |
41 | 4.6 Security Associations 4.7 Cryptographic Integrity and Confidentiality 4.7.1 Overview |
42 | 4.7.2 ESP_Header Processing Figure 3 – Logical Model for Integrity and Confidentiality Protection with ESP_Header |
43 | 4.7.3 CT_Authentication Processing |
44 | Figure 4 – Logical Model for Integrity and Confidentiality Protection with CT_Authentication |
45 | 4.8 Authorization (Access Control) 4.8.1 Policy Definition 4.8.2 Policy Enforcement |
46 | 4.8.3 Policy Distribution 4.8.4 Policy Check 4.9 Name Format Table 2 – Name Format |
47 | 5 Authentication Protocols 5.1 Overview Figure 5 – A Generic Authentication Transaction |
48 | 5.2 Authentication Messages Structure 5.2.1 Overview |
49 | 5.2.2 SW_ILS Authentication Messages Table 3 – AUTH_ILS Message Format Table 4 – AUTH_ILS Flags |
50 | 5.2.3 ELS Authentication Messages Table 5 – B_AUTH_ILS Message Format Table 6 – AUTH_ELS Message Format Table 7 – AUTH_ELS Flags |
51 | 5.2.4 Fields Common to All AUTH Messages Table 8 โ AUTH Message Codes |
52 | 5.2.5 Vendor Specific Messages 5.3 Authentication Messages Common to Authentication Protocols 5.3.1 Overview Table 9 – Vendor Specific Message Payload Format |
53 | 5.3.2 AUTH_Negotiate Message Table 10 – AUTH_Negotiate Message Payload |
54 | 5.3.3 Names used in Authentication Table 11 – Authentication Protocol Identifiers Table 12 – AUTH_Negotiate Vendor Specific Protocol Parameters Table 13 – Names used in Authentication |
55 | 5.3.4 Hash Functions 5.3.5 Diffie-Hellman Groups Table 14 – Hash Functions Identifiers Table 15 – Diffie-Hellman Group Identifiers (part 1 of 2) |
56 | 5.3.6 Accepting an AUTH_Negotiate Message 5.3.7 AUTH_Reject Message Table 15 – Diffie-Hellman Group Identifiers (part 2 of 2) |
57 | Figure 6 – Example of AUTH_Reject Table 16 – AUTH_Reject Message Payload Table 17 – AUTH_Reject Reason Codes |
58 | Table 18 – AUTH_Reject Reason Code Explanations Table 19 – Error Conditions (part 1 of 2) |
59 | 5.3.8 AUTH_Done Message Table 19 – Error Conditions (part 2 of 2) |
60 | 5.4 DH-CHAP Protocol 5.4.1 Protocol Operations Figure 7 – A DH-CHAP Protocol Transaction Example |
61 | Table 20 – Mathematical Notation for DH-CHAP |
62 | 5.4.2 AUTH_Negotiate DH-CHAP Parameters Table 21 – AUTH_Negotiate DH-CHAP Protocol Parameters Table 22 – AUTH_Negotiate DH-CHAP Parameter Format Table 23 – AUTH_Negotiate DH-CHAP Parameter Tags |
63 | 5.4.3 DHCHAP_Challenge Message Table 24 – DHCHAP_Challenge Message Payload |
64 | 5.4.4 DHCHAP_Reply Message |
65 | Table 25 – DHCHAP_Reply Message Payload |
66 | 5.4.5 DHCHAP_Success Message Table 26 – DHCHAP_Success Message Payload |
67 | 5.4.6 Key Generation for the Security Association Management Protocol 5.4.7 Reuse of Diffie-Hellman Exponential 5.4.8 DH-CHAP Security Considerations |
69 | 5.5 FCAP Protocol 5.5.1 Protocol Operations Table 27 – Mathematical Notation for FCAP |
70 | Figure 8 – A FCAP Protocol Transaction Example |
72 | 5.5.2 AUTH_Negotiate FCAP Parameters Table 28 – AUTH_Negotiate FCAP Protocol Parameters Table 29 – AUTH_Negotiate FCAP Parameter Format Table 30 – AUTH_Negotiate FCAP Parameter Tags |
73 | 5.5.3 FCAP_Request Message Table 31 – FCAP_Request Message Payload |
74 | Table 32 – FCAP Certificate Format Table 33 – Certificate Formats Table 34 – FCAP usage of X.509v3 Certificate fields (part 1 of 2) |
75 | Table 34 – FCAP usage of X.509v3 Certificate fields (part 2 of 2) |
76 | 5.5.4 FCAP_Acknowledge Message Table 35 – FCAP Nonce Format Table 36 – Nonce Formats Table 37 – FCAP_Acknowledge Message Payload |
77 | Table 38 – FCAP Signature Format Table 39 – Signature Formats |
78 | 5.5.5 FCAP_Confirm Message 5.5.6 Key Generation for the Security Association Management Protocol Table 40 – FCAP_Confirm Message Payload |
79 | 5.5.7 Reuse of Diffie-Hellman Exponential |
80 | 5.6 FCPAP Protocol 5.6.1 Protocol Operations Table 41 – Mathematical Notation for FCPAP |
81 | Figure 9 – A FCPAP Protocol Transaction Example |
83 | 5.6.2 AUTH_Negotiate FCPAP Parameters Table 42 – AUTH_Negotiate FCPAP Protocol Parameters Table 43 – AUTH_Negotiate FCPAP Parameter Format Table 44 – AUTH_Negotiate FCPAP Parameter Tags |
84 | 5.6.3 FCPAP_Init Message Table 45 – FCPAP_Init Message Payload |
85 | 5.6.4 FCPAP_Accept Message 5.6.5 FCPAP_Complete Message Table 46 – FCPAP_Accept Message Payload Table 47 – FCPAP_Complete Message Payload |
86 | 5.6.6 Key Generation for the Security Association Management Protocol 5.6.7 Reuse of Diffie-Hellman Exponential |
87 | 5.7 FCEAP Protocol 5.7.1 Protocol Operations 5.7.2 AUTH_Negotiate FCEAP Parameters Figure 10 – A FCEAP Protocol Transaction Example |
88 | 5.7.3 FCEAP_Request Message 5.7.4 FCEAP_Response Message Table 48 – FCEAP_Request Message Payload Table 49 – FCEAP_Response Message Payload |
89 | 5.7.5 FCEAP_Success Message 5.7.6 FCEAP_Failure Message Table 50 – FCEAP_Success Message Payload Table 51 – FCEAP_Failure Message Payload |
90 | 5.7.7 AUTH_Reject Use 5.7.8 AUTH_ELS and AUTH_ILS Size Requirements Figure 11 – A Failing FCEAP Protocol Transaction Example |
91 | 5.7.9 Supported EAP Methods 5.7.10 Key Generation for the Security Association Management Protocol Table 52 – Supported EAP Methods |
92 | 5.8 AUTH_ILS Specification 5.8.1 Overview |
93 | 5.8.2 AUTH_ILS Request Sequence Figure 12 – FC-2 AUTH_ILS Mapping Example for the E_Port to E_Port Case |
94 | 5.8.3 AUTH_ILS Reply Sequence 5.9 B_AUTH_ILS Specification 5.9.1 Overview Table 53 – AUTH_ILS SW_RJT Reasons Table 54 – AUTH_ILS SW_ACC Payload |
95 | Figure 13 – Usage of B_AUTH_ILS |
96 | 5.9.2 B_AUTH_ILS Request Sequence Figure 14 – FC-2 B_AUTH_ILS Mapping Example |
97 | 5.9.3 B_AUTH_ILS Reply Sequence 5.10 AUTH_ELS Specification 5.10.1 Overview Table 55 – B_AUTH_ILS SW_RJT Reasons Table 56 – B_AUTH_ILS SW_ACC Payload |
99 | 5.10.2 AUTH_ELS Request Sequence Figure 15 – FC-2 AUTH_ELS Mapping Example for the Nx_Port to Nx_Port Case |
100 | 5.10.3 AUTH_ELS Reply Sequence 5.10.4 AUTH_ELS Fragmentation Table 57 – AUTH_ELS LS_RJT Reasons Table 58 – AUTH_ELS LS_ACC Payload |
101 | Figure 16 – AUTH_ELS Fragmentation Process |
102 | Figure 17 – Use of the Sequence Number Bit Example |
103 | Figure 18 – FC-2 Authentication Mapping with AUTH_ELS Fragmentation Example |
104 | 5.10.5 Authentication and Login Table 59 – Security Bit Applicability Table 60 – Security Bit usage with FLOGI |
105 | 5.11 Re-Authentication Table 61 – Security Bit usage with PLOGI Table 62 – Login LS_RJT Reasons |
106 | 5.12 Timeouts |
107 | 6 Security Association Management Protocol 6.1 Overview 6.1.1 General Figure 19 – An SA Management Transaction Example |
108 | Table 63 – IKE Payloads Summary |
109 | 6.1.2 IKE_SA_Init Overview 6.1.3 IKE_Auth Overview |
110 | 6.1.4 IKE_Create_Child_SA Overview 6.2 SA Management Messages 6.2.1 General Structure |
111 | 6.2.2 IKE_Header Payload Table 64 – IKE_Header Payload Format |
112 | 6.2.3 Chaining Header Table 65 – IKE Flags Table 66 – Chaining Header Format |
113 | Table 67 – IKE Payload Type Values |
114 | 6.2.4 AUTH_Reject Message Use 6.3 IKE_SA_Init Message 6.3.1 Overview Table 68 – Chaining Flags |
115 | 6.3.2 Security_Association Payload Figure 20 – An IKE_SA_Init exchange Table 69 – IKE_SA_Init Message Payload |
117 | Table 70 – Examples of Proposals |
118 | Table 71 – Security_Association Payload Format |
119 | Table 72 – Security Protocol Identifiers Table 73 – Transforms Definition |
120 | Table 74 – Transform Type Values |
121 | Table 75 – Encryption Algorithms Transform_IDs (Transform Type 1) Table 76 – Pseudo-random Functions Transform_IDs (Transform Type 2) |
122 | Table 77 – Integrity Algorithms Transform_IDs (Transform Type 3) Table 78 – Diffie-Hellman Group Transform_IDs (Transform Type 4) |
123 | Table 79 – Mandatory Transform Types Table 80 – Mandatory and Recommended Transform_IDs (part 1 of 2) |
124 | Table 80 – Mandatory and Recommended Transform_IDs (part 2 of 2) |
125 | Table 81 – Transform Attributes Definition Table 82 – Attribute Type Values |
126 | 6.3.3 Key_Exchange Payload 6.3.4 Nonce Payload 6.4 IKE_Auth Message 6.4.1 Overview Table 83 – Key_Exchange Payload Format Table 84 – Nonce Payload Format |
127 | Figure 21 – An IKE_Auth exchange Table 85 – IKE_Auth Message Payload |
128 | 6.4.2 Encrypted Payload Table 86 – IKE Payloads Contained in the IKE_Auth Message Table 87 – Encrypted Payload Format |
129 | 6.4.3 Identification Payload Table 88 – Identification Payload Format Table 89 – Type Identifiers |
130 | 6.4.4 Authentication Payload 6.4.5 Traffic Selector Payload Table 90 – Authentication Payload Format Table 91 – Authentication Methods Table 92 – Traffic Selector Payload Format |
131 | Table 93 – Traffic Selector Definition Table 94 – TS Type Identifiers |
132 | 6.4.6 Certificate Payload Table 95 – Certificate Payload Format |
133 | 6.4.7 Certificate Request Payload Table 96 – Certificate Encodings |
134 | Table 97 – Certificate Request Payload Format |
135 | 6.5 IKE_Create_Child_SA Message Figure 22 – An IKE_Create_Child_SA exchange |
136 | 6.6 IKE_Informational Message 6.6.1 Overview Table 98 – IKE_Create_Child_SA Message Payload Table 99 – IKE Payloads Contained in the IKE_Create_Child_SA Message |
137 | Figure 23 – An IKE_Informational exchange Table 100 – IKE_Informational Message Payload |
138 | 6.6.2 Notify Payload Table 101 – IKE Payloads Contained in the IKE_Informational Message Table 102 – Notify Payload Format |
139 | Table 103 – Notify Message Types – Errors (part 1 of 2) |
140 | Table 103 – Notify Message Types – Errors (part 2 of 2) |
141 | 6.6.3 Delete Payload Table 104 – Notify Message Types – Status |
142 | 6.6.4 Vendor_ID Payload Table 105 – Delete Payload Format |
143 | 6.7 Interaction with the Authentication Protocols 6.7.1 Overview 6.7.2 Concatenation of Authentication and SA Management Transactions Table 106 – Vendor_ID Payload Format |
145 | 6.7.3 SA Management Transaction as Authentication Transaction Figure 24 – Concatenation of Authentication and SA Management Transactions |
146 | 6.8 IKEv2 Protocol Details 6.8.1 Use of Retransmission Timers 6.8.2 Use of Sequence Numbers for Message_IDs Figure 25 – An IKEv2-AUTH Transaction |
147 | 6.8.3 Overlapping Requests 6.8.4 State Synchronization and Connection Timeouts 6.8.5 Cookies and Anti-Clogging Protection 6.8.6 Cryptographic Algorithms Negotiation 6.8.7 Rekeying 6.8.8 Traffic Selector Negotiation |
148 | 6.8.9 Nonces 6.8.10 Reuse of Diffie-Hellman Exponential 6.8.11 Generating Keying Material 6.8.12 Generating Keying Material for the IKE_SA 6.8.13 Authentication of the IKE_SA |
149 | 6.8.14 Generating Keying Material for Child_SAs 6.8.15 Rekeying IKE_SAs using the IKE_Create_Child_SA exchange 6.8.16 IKE_Informational Messages outside of an IKE_SA 6.8.17 Error Handling 6.8.18 Conformance Requirements |
150 | 6.8.19 Rekeying IKE_SAs when Refreshing Authentication |
151 | 7 Fabric Policies 7.1 Policies Definition 7.1.1 Overview Figure 26 – Policy Data Structures |
152 | Table 107 – Policy Objects |
153 | 7.1.2 Names used to define Policies Table 108 – Names used to define Policies |
155 | 7.1.3 Policy Summary Object Table 109 – Policy Summary Object Format Table 110 – Object Flags |
156 | 7.1.4 Switch Membership List Object Table 111 – Hash Field Format Table 112 – Hash Formats |
157 | Table 113 – Switch Membership List Object Format Table 114 – Object Flags |
158 | Table 115 – Switch Entry Field Format Table 116 – Basic Switch Attributes Format Table 117 – Switch Flags |
160 | Table 118 – Policy Data Role Table 119 – Authentication Behavior |
161 | 7.1.5 Node Membership List Object Table 120 – Node Membership List Object Format |
162 | Table 121 – Node Entry Field Format Table 122 – Basic Node Attribute Format Table 123 – Node Flags |
163 | Table 124 – Common Transport Access Specifier Format Table 125 – CT Access Descriptor Format Table 126 – CT Access Flags |
164 | Table 127 – Examples of Common Transport Access Specifiers |
165 | 7.1.6 Switch Connectivity Object Table 128 – Switch Connectivity Object Format |
166 | 7.1.7 IP Management List Object Table 129 – Port Connectivity Entry Format |
167 | Table 130 – IP Management List Object Format Table 131 – IP Management Entry Format |
168 | Table 132 – Basic IP Management Attributes Format Table 133 – IP Management Flags Table 134 – Well Known Protocols Access Specifier Format Table 135 – WKP Access Descriptor Format |
169 | Table 136 – WKP Access Flags |
170 | 7.1.8 Attribute Object Table 137 – Examples of Well Known Protocols Access Specifiers |
171 | Table 138 – Attribute Object Format Table 139 – Attribute Entry Format Table 140 – Attribute Formats |
172 | 7.2 Policies Enforcement 7.2.1 Overview 7.2.2 Switch-to-Switch Connections Table 141 – Notation for Policy Enforcement |
173 | 7.2.3 Switch-to-Node Connections |
174 | 7.2.4 In-Band Management Access to a Switch |
175 | 7.2.5 IP Management Access to a Switch |
176 | 7.2.6 Direct Management Access to a Switch |
177 | 7.2.7 Authentication Enforcement 7.3 Policies Management 7.3.1 Management Interface |
178 | Figure 27 – Policy Management Model Table 142 – Security Policy Server – Request Command Codes (part 1 of 2) |
179 | 7.3.2 Fabric Distribution Table 142 – Security Policy Server – Request Command Codes (part 2 of 2) Table 143 – ESFC Operations for Fabric Policies Table 144 – ESFC Payload for Operation "Activate Policy Summary" |
180 | Table 145 – ESFC Payload for Operation "Deactivate Policy Summary" Table 146 – ESFC Payload for Operation "Add Policy Object" |
181 | Table 147 – ESFC Payload for Operation "Remove Policy Object" Table 148 – ESFC Payload for Operation "Remove All Non-Active Policy Objects" |
182 | 7.3.3 Relationship between Security Policy Server Requests and Fabric Actions 7.3.4 Policy Objects Support Table 149 – Security Policy Server CT Requests and Fabric Actions |
183 | Table 150 – GPOS Request CT_IU Table 151 – Accept CT_IU to a GPOS Request |
184 | Table 152 – Fabric Policy Objects Support Flags Table 153 – Switch Policy Objects Support Entry Format |
185 | Table 154 – Switch Policy Objects Support Flags Table 155 – ESS Security Policy Server Capability Object Format |
186 | 7.3.5 Optional Data Table 156 – Optional Data Field Format Table 157 – Security Object Format Table 158 – Security Object Tags |
187 | 7.3.6 Detailed Management Specification Table 159 – Vendor Specific Security Object Payload Format Table 160 – GPS Request CT_IU Table 161 – Accept CT_IU to a GPS Request |
188 | Table 162 – APS Request CT_IU Table 163 – Accept CT_IU to an APS Request |
189 | Table 164 – DPS Request CT_IU Table 165 – Accept CT_IU to a DPS Request Table 166 – GPO Request CT_IU |
190 | Table 167 – Accept CT_IU to a GPO Request Table 168 – GALN Request CT_IU |
191 | Table 169 – Accept CT_IU to a GALN Request Table 170 – GAAO Request CT_IU |
192 | Table 171 – Accept CT_IU to a GAAO Request Table 172 – APO Request CT_IU |
193 | Table 173 – Accept CT_IU to an APO Request Table 174 – RPO Request CT_IU |
194 | Table 175 – Accept CT_IU to a RPO Request Table 176 – RANA Request CT_IU |
195 | 7.4 Policies Check 7.4.1 Overview 7.4.2 CPS Request Sequence Table 177 – Accept CT_IU to a RANA Request Table 178 – Check Policy Summary SW_ILS Request Payload |
196 | 7.4.3 CPS Reply Sequence 7.5 Policy Summation ELSs 7.5.1 Overview 7.5.2 Fabric Change Notification Specification Table 179 – Check Policy Summary SW_RJT Reasons Table 180 – Check Policy Summary SW_ACC Payload |
197 | 7.6 Zoning Policies 7.6.1 Overview 7.6.2 Management Requests |
198 | Table 181 – Fabric Enhanced Zoning Support Flags Additions Table 183 – Fabric Enhanced Zoning Request Flags Additions |
199 | Table 184 – SPCMIT Request Payload |
200 | 7.6.3 Fabric Operations Table 185 – SPCMIT Accept Payload Table 186 – ESS Zone Server Support Flags Additions |
201 | Table 187 – Zoning Check Protocol SW_ILS Request Payload Table 188 – Zoning Check Protocol SW_RJT Reasons |
202 | Table 189 – Zoning Check Protocol SW_ACC Payload Table 190 – Additional SFC Operation Request Codes |
203 | Table 191 – Payload for the Operation Request "FC-SP Activate Zone Set Enhanced" |
204 | Table 192 – Payload for the Operation Request "FC-SP Deactivate Zone Set Enhanced" Table 193 – Payload for the Operation Request "FC-SP Distribute Zone Set Database" |
205 | Table 194 – Payload for the Operation Request "FC-SP Activate Zone Set by Name" Table 195 – Payload for the Operation Request "FC-SP Set Zoning Policies" |
206 | 7.6.4 Zoning Ordering Rules |
207 | 7.6.5 The Client-Server Protocol |
208 | Table 196 – Zone Information Request SW_ILS Request Payload |
209 | Table 197 – Zone Information Request SW_RJT Reasons Table 198 – Zone Information Request SW_ACC Payload |
210 | 8 Combinations of Security Protocols 8.1 Entity Authentication Overview 8.2 Terminology |
211 | 8.3 Scope of Security Relationships 8.3.1 N_Port_ID Virtualization 8.3.2 Nx_Port Entity to a Fabric Entity Figure 28 – Entity Authentication Standard Perspective |
212 | 8.3.3 Nx_Port Entity to Nx_Port Entity 8.4 Entity Authentication Model |
213 | Figure 29 – Entity Authentication Model for an Nx_Port (Informative) |
214 | 8.5 Abstract Services for Entity Authentication 8.5.1 Overview 8.5.2 Authentication Service |
215 | 8.5.3 Security Service 8.5.4 FC-2 Service |
220 | 8.6 Nx_Port to Fabric Authentication (NFA) State Machine 8.6.1 Overview |
221 | 8.6.2 NFA States Figure 30 – NFA State Machine |
222 | 8.6.3 NFA Events 8.6.4 NFA Transitions |
228 | 8.7 Fabric from Nx_Port Authentication (FNA) State Machine 8.7.1 Overview |
229 | 8.7.2 FNA States Figure 31 – FNA State Machine |
230 | 8.7.3 FNA Events 8.7.4 FNA Transitions |
238 | 8.8 Nx_Port to Nx_Port Authentication (NNA) State Machine 8.8.1 Overview |
239 | 8.8.2 NNA States Figure 32 – NNA State Machine |
240 | 8.8.3 NNA Events 8.8.4 NNA Transitions |
247 | 8.9 Additional Security State Machines 8.9.1 E_Port to E_Port Security Checks Figure 33 – State P17: Security Checks |
248 | 8.9.2 B_Port Security Checks 8.9.3 Switch Security Checks with Virtual Fabrics |
249 | Figure 34 – State P24(k): Security Checks |
250 | 8.9.4 N_Port Security Checks with Virtual Fabrics 8.10 Impact on Other Standards |
251 | Annex A: FC-SP-2 Compliance Summary (normative) A.1 Compliance Elements A.1.1 Overview Table A.1 – FC-SP-2 Authentication Compliance Elements Table A.2 – FC-SP-2 SA Management Compliance Elements Table A.3 – FC-SP-2 Policy Compliance Elements |
252 | A.1.2 FC-SP-2 Compliance A.1.3 Conventions Table A.4 – Feature Set table terms and definitions Table A.5 – Feature Set table key abbreviations |
253 | A.2 Authentication Compliance Elements A.2.1 AUTH-A Table A.6 – Authentication Protocols Support for AUTH-A Table A.7 – AUTH Messages Support for AUTH-A Table A.8 – Hash Functions Support for AUTH-A Table A.9 – DH Groups Support for AUTH-A |
254 | A.2.2 AUTH-B1 Table A.10 – Authentication Protocols Support for AUTH-B1 Table A.11 – AUTH Messages Support for AUTH-B1 Table A.12 – Hash Functions Support for AUTH-B1 Table A.13 – DH Groups Support for AUTH-B1 |
255 | A.2.3 AUTH-B2 Table A.14 – Authentication Protocols Support for AUTH-B2 Table A.15 – AUTH Messages Support for AUTH-B2 Table A.16 – Hash Functions Support for AUTH-B2 Table A.17 – DH Groups Support for AUTH-B2 |
256 | A.2.4 AUTH-B3 Table A.18 – Authentication Protocols Support for AUTH-B3 Table A.19 – AUTH Messages Support for AUTH-B3 Table A.20 – Hash Functions Support for AUTH-B3 Table A.21 – DH Groups Support for AUTH-B3 |
257 | A.3 SA Management Compliance Elements A.3.1 Algorithms Support Table A.22 – Security Protocols Support Table A.23 – Encryption Algorithms Support Table A.24 – Pseudo Random Functions Support |
258 | Table A.25 – Integrity Algorithms Support Table A.26 – SA Management DH Groups Support |
259 | A.3.2 SA-A Table A.27 – SA Management Protocol Support for SA-A Table A.28 – AUTH Messages Support for SA-A Table A.29 – IKEv2 Payloads Support for SA-A |
260 | A.3.3 SA-B Table A.29 – IKEv2 Payloads Support for SA-A Table A.30 – SA Management Protocol Support for SA-B |
261 | Table A.31 – AUTH Messages Support for SA-B Table A.32 – Authentication Hash Functions Support for SA-B Table A.33 – Authentication DH Groups Support for SA-B Table A.34 – IKEv2 Payloads Support for SA-B (part 1 of 2) |
262 | Table A.34 – IKEv2 Payloads Support for SA-B (part 2 of 2) |
263 | A.3.4 SA-C1 Table A.35 – SA Management Protocol Support for SA-C1 Table A.36 – AUTH Messages Support for SA-C1 Table A.37 – Authentication Hash Functions Support for SA-C1 |
264 | Table A.38 – Authentication DH Groups Support for SA-C1 Table A.39 – IKEv2 Payloads Support for SA-C1 |
265 | A.3.5 SA-C2 Table A.40 – SA Management Protocol Support for SA-C2 Table A.41 – AUTH Messages Support for SA-C2 Table A.42 – Authentication Hash Functions Support for SA-C2 |
266 | Table A.43 – Authentication DH Groups Support for SA-C2 Table A.44 – IKEv2 Payloads Support for SA-C2 |
267 | A.3.6 SA-C3 Table A.45 – SA Management Protocol Support for SA-C3 Table A.46 – AUTH Messages Support for SA-C3 Table A.47 – Authentication Hash Functions Support for SA-C3 |
268 | Table A.48 – Authentication DH Groups Support for SA-C3 Table A.49 – IKEv2 Payloads Support for SA-C3 |
269 | A.4 Policy Compliance Elements A.4.1 POL-A1 Table A.50 – Protocols Support for POL-A1 Table A.51 – Policy Objects Support for POL-A1 Table A.52 – Switch Flags Support for POL-A1 |
270 | A.4.2 POL-A2 Table A.53 – Security Policy Server Support for POL-A1 Table A.54 – EUFC Operations Support for POL-A1 Table A.55 – Protocols Support for POL-A2 |
271 | A.4.3 POL-A3 Table A.56 – Policy Objects Support for POL-A2 Table A.57 – Security Policy Server Support for POL-A2 Table A.58 – EUFC Operations Support for POL-A2 Table A.59 – Protocols Support for POL-A3 |
272 | A.4.4 POL-B3 Table A.60 – Protocols Support for POL-B3 Table A.61 – Policy Objects Support for POL-B3 Table A.62 – Switch Flags Support for POL-B3 |
273 | Table A.63 – Security Policy Server Support for POL-B3 Table A.64 – EUFC Operations Support for POL-B3 |
274 | Annex B: KMIP Profile for FC-SP-2 EAP-GPSK (Normative) B.1 Overview B.2 General B.3 KMIP profile specification B.3.1 FC-SP-2 EAP-GPSK Profile B.3.2 FC-SP-2 EAP-GPSK Authentication Suite B.3.2.1 Protocol |
275 | B.3.2.2 Client Authenticity B.3.2.3 Client Identity B.3.2.4 Object Creator B.3.2.5 Access Policy |
276 | B.3.3 FC-SP-2 EAP/GPSK Key Foundry and Server Conformance Clause |
278 | Annex C: Random Number Generation and Secret Storage (informative) C.1 Random Number Generator C.2 Secret Storage |
279 | Annex D: RADIUS Deployment (informative) D.1 Overview D.2 RADIUS Servers D.2.1 Overview |
280 | D.2.2 Digest Algorithm D.3 RADIUS Messages D.3.1 Message Types Table D.1 – RADIUS Message Format Table D.2 – RADIUS Message Codes |
281 | D.3.2 Radius Attributes D.3.2.1 User-Name Table D.3 – User-Name Attribute |
282 | Table D.4 – Binary to UTF-8 Transformation |
283 | D.3.2.2 CHAP-Password D.3.2.3 CHAP-Challenge Table D.5 – CHAP-Password Attribute |
284 | D.4 RADIUS Authentication D.4.1 RADIUS Authentication Method Table D.6 – CHAP-Challenge Attribute |
285 | D.4.2 RADIUS Authentication with NULL DH algorithm Table D.7 – Mathematical Notation for RADIUS Authentication |
286 | Figure D.1 – Unidirectional Authentication with RADIUS |
287 | D.4.3 Bidirectional Authentication with RADIUS Figure D.2 – Bidirectional Authentication with RADIUS |
288 | D.4.4 RADIUS Authentication with DH option |
289 | Figure D.3 – DH-CHAP Authentication with RADIUS |
290 | Annex E: Examples of Proposals Negotiation for the SA Management Protocol (informative) |
291 | Annex F: Guidelines for Mapping Access Control Requirements to Fabric Policies (informative) |
292 | Annex G: Pre FC-SP-2 Fabric Policy Implementations (informative) G.1 Overview G.2 Fabric Management Policy Set G.2.1 Fabric Management Policy Set Overview G.2.2 FMPS Hierarchy Model G.2.3 Policy Description |
293 | G.2.4 Policy Distribution G.2.5 Signature, Version Stamp, and Timestamp |
294 | G.2.6 FMPS Object Structure G.2.7 Fabric Initialization And Fabric Join Procedures G.2.7.1 Overview |
295 | G.2.7.2 Protocol Requirements G.2.7.3 Fabric Initialization Process |
296 | G.2.7.4 Fabric Join G.2.7.5 Full Database Distribution During Initialization and Joining Process G.2.7.6 Database Distribution Request from an administrator |
297 | G.2.8 FMPS Payload Format G.2.8.1 General Download Request Format |
298 | Table G.1 – Security Request Payload Table G.2 – Security Command Code |
299 | G.2.8.2 Certificate Download Request Table G.3 – Version Stamp Format Table G.4 – Certificate Download Object |
300 | G.2.8.3 Security Policy Download Request G.2.8.4 Security Policy Set Object Table G.5 – Security Policy Set Object |
301 | G.2.8.5 Security Policy Object Table G.6 – Security Policy Object Table G.7 – Type Value |
302 | G.2.8.6 Policy Member Object Table G.8 – Policy Type Value Table G.9 – Policy Member Object |
303 | G.2.8.7 Zone Set Object Structure G.2.8.8 General Download Accept Format Table G.10 – Member Type Value Table G.11 – Download Accept Payload Format |
304 | G.3 Fabric Binding G.3.1 Fabric Binding Overview Table G.12 – Request Response Code values Table G.13 – Request Reason Code values |
305 | G.3.2 Joining Switches G.3.3 Managing User-Initiated Change Requests G.3.4 Fabric Binding Objects G.3.4.1 Fabric Binding Membership List Entry G.3.5 Fabric Binding Commands Table G.14 – Fabric Binding Membership List Entry |
306 | G.3.6 Exchange Fabric Membership Data (EFMD) G.3.6.1 Overview G.3.6.2 EFMD Request Payload Table G.15 – Fabric Configuration Data Requests Table G.16 – EFMD Request Payload |
307 | G.3.6.3 Fabric Membership Data Exchange Rules Table G.17 – Operation Field Values Table G.18 – Fabric Binding Operation Membership Data |
308 | G.3.6.4 EFMD Accept Payload G.3.7 Exchange Security Attributes (ESA) G.3.7.1 Overview Table G.19 – EFMD Accept Payload Table G.20 – EFMD Reason Codes Additions |
309 | G.3.7.2 ESA Request Payload G.3.7.3 Enforced Security Attribute Object G.3.7.4 Use of Enforced Security Attribute and Required Security Attribute Mask Table G.21 – ESA Request Payload |
310 | G.3.7.5 Extended Security Attribute Object G.3.7.6 Use of Extended Security Attribute and Required Extended Security Attribute Mask G.3.7.7 ESA Accept Payload G.3.8 Query Security Attributes (QSA) Version 1 G.3.8.1 Overview Table G.22 – ESA Accept Payload |
311 | G.3.8.2 QSA Version 1 Request Payload G.3.8.3 QSA Version 1 Accept Payload Table G.23 – QSA Request Payload |