BSI 19/30400451 DC:2019 Edition

$45.21

BS EN IEC 14165-432. Information technology. Fibre channel. Security protocols. 2 (FC-SP-2)

Published by: BSI
Publication date: 2019
Number of pages: 315

PDF Catalog

PDF page | Title
22 1 Scope
23 2 Normative References
2.1 Overview
2.2 Approved references
2.3 References under development
2.4 Other References
27 3 Definitions and conventions
3.1 Overview
3.2 Definitions
Access Control
address identifier
Anti-replay
Ascending order
Authentication
Authentication Initiator
Authentication Protocol
Authentication Responder
Authentication Transaction
Authorization
Autonomous Switch
B_Port
28 Bridge
Certificate
Certificate Revocation List
Certification Authority
Child_SA
Client Switch
Compliance Element
Confidentiality
Cryptographic Integrity
Data Origin Authentication
E_Port
Encryption
entity
Ephemeral key
29 ESP_Header
Exchange
exchange
Fabric
F_Port
F_Port_Name
FC-SP Compliance
FC-SP Zoning
Fx_Port
IKE_SA
Integrity
30 Internet Key Exchange
Key
Local Fx_Port
Log
Name_Identifier
Node
Node_Name
Nonce
N_Port
N_Port_Name
31 Nx_Port
Online Certificate Status Protocol
Password
Perfect Forward Secrecy
Printable ASCII characters
Private Key
Proposal
Public Key
RADIUS Server
Root Certificate
Secret
SA_Initiator
SA Management Protocol
SA Management Transaction
32 SA Proposal
SA_Responder
Salt
Security Association
Security Association Database
Security Parameters Index
security relationship
Server Switch
Switch
Switch_Name
T10 Vendor ID
Well-known address
word
3.3 Editorial Conventions
34 3.4 Abbreviations, acronyms, and symbols
35 3.5 Keywords
36 3.6 T10 Vendor ID
3.7 Sorting
3.7.1 Sorting alphabetic keys
3.7.2 Sorting numeric keys
3.8 Terminate Communication
37 3.9 State Machine notation
38 3.10 Using numbers in hash functions and concatenation functions
39 4 Structure and Concepts
4.1 Overview
4.2 FC-SP-2 Compliance
4.3 Fabric Security Architecture
4.4 Authentication Infrastructure
40 4.5 Authentication
41 4.6 Security Associations
4.7 Cryptographic Integrity and Confidentiality
4.7.1 Overview
42 4.7.2 ESP_Header Processing
43 4.7.3 CT_Authentication Processing
45 4.8 Authorization (Access Control)
4.8.1 Policy Definition
4.8.2 Policy Enforcement
46 4.8.3 Policy Distribution
4.8.4 Policy Check
4.9 Name Format
47 5 Authentication Protocols
5.1 Overview
48 5.2 Authentication Messages Structure
5.2.1 Overview
49 5.2.2 SW_ILS Authentication Messages
50 5.2.3 ELS Authentication Messages
51 5.2.4 Fields Common to All AUTH Messages
52 5.2.5 Vendor Specific Messages
5.3 Authentication Messages Common to Authentication Protocols
5.3.1 Overview
53 5.3.2 AUTH_Negotiate Message
54 5.3.3 Names used in Authentication
55 5.3.4 Hash Functions
5.3.5 Diffie-Hellman Groups
56 5.3.6 Accepting an AUTH_Negotiate Message
5.3.7 AUTH_Reject Message
59 5.3.8 AUTH_Done Message
60 5.4 DH-CHAP Protocol
5.4.1 Protocol Operations
62 5.4.2 AUTH_Negotiate DH-CHAP Parameters
5.4.2.1 Overview
5.4.2.2 HashList Parameter
63 5.4.2.3 DHgIDList Parameter
5.4.3 DHCHAP_Challenge Message
64 5.4.4 DHCHAP_Reply Message
66 5.4.5 DHCHAP_Success Message
67 5.4.6 Key Generation for the Security Association Management Protocol
5.4.7 Reuse of Diffie-Hellman Exponential
5.4.8 DH-CHAP Security Considerations
69 5.5 FCAP Protocol
5.5.1 Protocol Operations
72 5.5.2 AUTH_Negotiate FCAP Parameters
5.5.2.1 Overview
5.5.2.2 HashList Parameter
73 5.5.2.3 DHgIDList Parameter
5.5.3 FCAP_Request Message
5.5.3.1 Message Format
74 5.5.3.2 FCAP Certificate Format
76 5.5.3.3 FCAP Nonce Format
5.5.4 FCAP_Acknowledge Message
5.5.4.1 Message Format
77 5.5.4.2 FCAP Signature Format
78 5.5.5 FCAP_Confirm Message
5.5.6 Key Generation for the Security Association Management Protocol
79 5.5.7 Reuse of Diffie-Hellman Exponential
80 5.6 FCPAP Protocol
5.6.1 Protocol Operations
83 5.6.2 AUTH_Negotiate FCPAP Parameters
5.6.2.1 Overview
5.6.2.2 HashList Parameter
84 5.6.2.3 DHgIDList Parameter
5.6.3 FCPAP_Init Message
85 5.6.4 FCPAP_Accept Message
5.6.5 FCPAP_Complete Message
86 5.6.6 Key Generation for the Security Association Management Protocol
5.6.7 Reuse of Diffie-Hellman Exponential
87 5.7 FCEAP Protocol
5.7.1 Protocol Operations
5.7.2 AUTH_Negotiate FCEAP Parameters
88 5.7.3 FCEAP_Request Message
5.7.4 FCEAP_Response Message
89 5.7.5 FCEAP_Success Message
5.7.6 FCEAP_Failure Message
90 5.7.7 AUTH_Reject Use
5.7.8 AUTH_ELS and AUTH_ILS Size Requirements
91 5.7.9 Supported EAP Methods
5.7.10 Key Generation for the Security Association Management Protocol
92 5.8 AUTH_ILS Specification
5.8.1 Overview
93 5.8.2 AUTH_ILS Request Sequence
94 5.8.3 AUTH_ILS Reply Sequence
5.9 B_AUTH_ILS Specification
5.9.1 Overview
96 5.9.2 B_AUTH_ILS Request Sequence
97 5.9.3 B_AUTH_ILS Reply Sequence
5.10 AUTH_ELS Specification
5.10.1 Overview
99 5.10.2 AUTH_ELS Request Sequence
100 5.10.3 AUTH_ELS Reply Sequence
5.10.4 AUTH_ELS Fragmentation
105 5.10.5 Authentication and Login
106 5.11 Re-Authentication
107 5.12 Timeouts
108 6 Security Association Management Protocol
6.1 Introduction
6.1.1 General Overview
111 6.1.2 IKE_SA_Init Overview
6.1.3 IKE_Auth Overview
112 6.1.4 IKE_Create_Child_SA Overview
6.2 SA Management Messages
6.2.1 General Structure
113 6.2.2 IKE_Header Payload
114 6.2.3 Chaining Header
116 6.2.4 AUTH_Reject Message Use
6.3 IKE_SA_Init Message
6.3.1 Overview
117 6.3.2 Security_Association Payload
6.3.2.1 Negotiation of Security Association Parameters
118 6.3.2.2 Payload Structure
122 6.3.2.3 Transform Types
125 6.3.2.4 Mandatory Transform_IDs
126 6.3.2.5 Transform Attributes
128 6.3.3 Key_Exchange Payload
6.3.4 Nonce Payload
6.4 IKE_Auth Message
6.4.1 Overview
130 6.4.2 Encrypted Payload
131 6.4.3 Identification Payload
132 6.4.4 Authentication Payload
6.4.5 Traffic Selector Payload
134 6.4.6 Certificate Payload
135 6.4.7 Certificate Request Payload
137 6.5 IKE_Create_Child_SA Message
138 6.6 IKE_Informational Message
6.6.1 Overview
140 6.6.2 Notify Payload
143 6.6.3 Delete Payload
144 6.6.4 Vendor_ID Payload
145 6.7 Interaction with the Authentication Protocols
6.7.1 Overview
6.7.2 Concatenation of Authentication and SA Management Transactions
147 6.7.3 SA Management Transaction as Authentication Transaction
148 6.8 IKEv2 Protocol Details
6.8.1 Use of Retransmission Timers
6.8.2 Use of Sequence Numbers for Message_IDs
149 6.8.3 Overlapping Requests
6.8.4 State Synchronization and Connection Timeouts
6.8.5 Cookies and Anti-Clogging Protection
6.8.6 Cryptographic Algorithms Negotiation
6.8.7 Rekeying
6.8.8 Traffic Selector Negotiation
150 6.8.9 Nonces
6.8.10 Reuse of Diffie-Hellman Exponential
6.8.11 Generating Keying Material
6.8.12 Generating Keying Material for the IKE_SA
6.8.13 Authentication of the IKE_SA
151 6.8.14 Generating Keying Material for Child_SAs
6.8.15 Rekeying IKE_SAs using the IKE_Create_Child_SA exchange
6.8.16 IKE_Informational Messages outside of an IKE_SA
6.8.17 Error Handling
6.8.18 Conformance Requirements
152 6.8.19 Rekeying IKE_SAs when Refreshing Authentication
153 7 Fabric Policies
7.1 Policies Definition
7.1.1 Overview
155 7.1.2 Names used to define Policies
157 7.1.3 Policy Summary Object
7.1.3.1 Format
158 7.1.3.2 Ordering Requirements
7.1.4 Switch Membership List Object
7.1.4.1 Format
163 7.1.4.2 Ordering Requirements
7.1.5 Node Membership List Object
7.1.5.1 Format
166 7.1.5.2 Ordering Requirements
167 7.1.6 Switch Connectivity Object
7.1.6.1 Format
168 7.1.6.2 Ordering Requirements
7.1.7 IP Management List Object
7.1.7.1 Format
172 7.1.7.2 Ordering Requirements
7.1.8 Attribute Object
7.1.8.1 Format
174 7.1.8.2 Ordering Requirements
7.2 Policies Enforcement
7.2.1 Overview
7.2.2 Switch-to-Switch Connections
175 7.2.3 Switch-to-Node Connections
176 7.2.4 In-Band Management Access to a Switch
177 7.2.5 IP Management Access to a Switch
178 7.2.6 Direct Management Access to a Switch
179 7.2.7 Authentication Enforcement
7.3 Policies Management
7.3.1 Management Interface
181 7.3.2 Fabric Distribution
184 7.3.3 Relationship between Security Policy Server Requests and Fabric Actions
7.3.4 Policy Objects Support
7.3.4.1 Get Policy Objects Support (GPOS)
187 7.3.4.2 ESS Security Policy Server Capability Object
188 7.3.5 Optional Data
7.3.5.1 Overview
189 7.3.5.2 Vendor Specific Security Object
7.3.6 Detailed Management Specification
7.3.6.1 Get Policy Summary (GPS)
190 7.3.6.2 Activate Policy Summary (APS)
7.3.6.3 Deactivate Policy Summary (DPS)
191 7.3.6.4 Get Policy Object (GPO)
192 7.3.6.5 Get All Lists Names (GALN)
193 7.3.6.6 Get All Attribute Objects Names (GAAO)
194 7.3.6.7 Add Policy Object (APO)
195 7.3.6.8 Remove Policy Object (RPO)
196 7.3.6.9 Remove All Non-Active Policy Objects (RANA)
197 7.4 Policies Check
7.4.1 Overview
7.4.2 CPS Request Sequence
198 7.4.3 CPS Reply Sequence
7.5 Policy Summation ELSs
7.5.1 Overview
7.5.2 Fabric Change Notification Specification
199 7.6 Zoning Policies
7.6.1 Overview
7.6.2 Management Requests
7.6.2.1 Overview
200 7.6.2.2 Get Fabric Enhanced Zoning Support (GFEZ) Additions
7.6.2.3 Set Fabric Enhanced Zoning Support (SFEZ) Additions
201 7.6.2.4 SP Commit Zone Changes (SPCMIT)
202 7.6.3 Fabric Operations
7.6.3.1 Overview
7.6.3.2 ESS Enhanced Zone Server Capability Object Additions
7.6.3.3 The Zoning Check Protocol
7.6.3.3.1 Overview
203 7.6.3.3.2 ZCP Request Sequence
7.6.3.3.3 ZCP Reply Sequence
204 7.6.3.4 Additional SFC Operation Request Codes
7.6.3.4.1 Overview
205 7.6.3.4.2 Operation Request ‘FC-SP Activate Zone Set Enhanced’
206 7.6.3.4.3 Operation Request ‘FC-SP Deactivate Zone Set Enhanced’
7.6.3.4.4 Operation Request ‘FC-SP Distribute Zone Set Database’
207 7.6.3.4.5 Operation Request ‘FC-SP Activate Zone Set by Name’
7.6.3.4.6 Operation Request ‘FC-SP Set Zoning Policies’
7.6.3.5 Fabric Behavior to Handle the CT SFEZ Request
208 7.6.4 Zoning Ordering Rules
7.6.4.1 Active Zone Set
7.6.4.2 Zone Set Database
209 7.6.5 The Client-Server Protocol
7.6.5.1 Overview
7.6.5.2 Zone Information Request (ZIR)
7.6.5.2.1 Overview
210 7.6.5.2.2 ZIR Request Sequence
7.6.5.2.3 ZIR Reply Sequence
212 8 Combinations of Security Protocols
8.1 Entity Authentication Overview
8.2 Terminology
213 8.3 Scope of Security Relationships
8.3.1 N_Port_ID Virtualization
8.3.2 Nx_Port Entity to a Fabric Entity
214 8.3.3 Nx_Port Entity to Nx_Port Entity
8.4 Entity Authentication Model
216 8.5 Abstract Services for Entity Authentication
8.5.1 Overview
8.5.2 Authentication Service
8.5.2.1 Authentication Request
8.5.2.2 Abandon Authentication Request
8.5.2.3 Reauthentication
8.5.2.4 Spurious Traffic
217 8.5.3 Security Service
8.5.3.1 Maintain Security Policy
8.5.3.2 Clear Security Relationships
8.5.3.3 IKEv2 Dead Peer
8.5.4 FC-2 Service
8.5.4.1 Maintain ELS Buffer Condition Requirements
8.5.4.2 N_Port_ID Assignment Request
8.5.4.3 N_Port Login Request
8.5.4.4 Negotiate ELS Buffer Conditions Request
8.5.4.5 Explicit Logout Request
218 8.5.4.6 Implicit Logout Request
8.5.4.7 Terminate All Communication Request
8.5.4.8 Link Initialization Request
8.5.4.9 Disable Request
219 8.5.4.10 PLOGI Arrival
8.5.4.11 Login Complete
8.5.4.12 N_Port_ID Assignment Complete
8.5.4.13 Explicit Logout Complete
8.5.4.14 Port Logout
8.5.4.15 Fabric Logout
8.5.4.16 Link Parameter Change
220 8.5.4.17 Security Change
8.5.4.18 Security Enforcement
222 8.6 Nx_Port to Fabric Authentication (NFA) State Machine
8.6.1 Overview
223 8.6.2 NFA States
224 8.6.3 NFA Events
8.6.4 NFA Transitions
8.6.4.1 All:S1
225 8.6.4.2 All:S2
8.6.4.3 All:S6
226 8.6.4.4 S1:S2
8.6.4.5 S2:S1
227 8.6.4.6 S2:S3
8.6.4.7 S2:S4
8.6.4.8 S2:S5
228 8.6.4.9 S3:S4
8.6.4.10 S3:S6
8.6.4.11 S4:S1
229 8.6.4.12 S4:S5
8.6.4.13 S4:S6
8.6.4.14 S5:S1
8.6.4.15 S5:S5
230 8.6.4.16 S5:S6
8.7 Fabric from Nx_Port Authentication (FNA) State Machine
8.7.1 Overview
231 8.7.2 FNA States
232 8.7.3 FNA Events
8.7.4 FNA Transitions
8.7.4.1 All:S1
233 8.7.4.2 All:S2
234 8.7.4.3 All:S6
8.7.4.4 S2:S1
235 8.7.4.5 S2:S2
8.7.4.6 S2:S3
236 8.7.4.7 S2:S4
8.7.4.8 S2:S5
237 8.7.4.9 S3:S4
8.7.4.10 S3:S6
8.7.4.11 S4:S1
238 8.7.4.12 S4:S2
8.7.4.13 S4:S5
8.7.4.14 S4:S6
8.7.4.15 S5:S1
239 8.7.4.16 S5:S2
8.7.4.17 S5:S5
8.7.4.18 S5:S6
240 8.8 Nx_Port to Nx_Port Authentication (NNA) State Machine
8.8.1 Overview
241 8.8.2 NNA States
242 8.8.3 NNA Events
8.8.4 NNA Transitions
8.8.4.1 All:S1
243 8.8.4.2 All:S2
244 8.8.4.3 All:S6
8.8.4.4 S1:S1
8.8.4.5 S1:S2
8.8.4.6 S2:S1
245 8.8.4.7 S2:S3
246 8.8.4.8 S2:S4
8.8.4.9 S2:S5
8.8.4.10 S3:S4
247 8.8.4.11 S3:S6
8.8.4.12 S4:S1
8.8.4.13 S4:S5
8.8.4.14 S4:S6
248 8.8.4.15 S5:S1
8.8.4.16 S5:S5
8.8.4.17 S5:S6
249 8.9 Additional Security State Machines
8.9.1 E_Port to E_Port Security Checks
8.9.1.1 Overview
8.9.1.2 States
250 8.9.1.3 Transitions
8.9.2 B_Port Security Checks
8.9.3 Switch Security Checks with Virtual Fabrics
8.9.3.1 Overview
251 8.9.3.2 States
8.9.3.3 Transitions
252 8.9.4 N_Port Security Checks with Virtual Fabrics
8.10 Impact on Other Standards
254 Annex A: FC-SP-2 Compliance Summary (normative)
A.1 Compliance Elements
A.1.1 Overview
255 A.1.2 FC-SP-2 Compliance
A.1.3 Conventions
256 A.2 Authentication Compliance Elements
A.2.1 AUTH-A
257 A.2.2 AUTH-B1
258 A.2.3 AUTH-B2
259 A.2.4 AUTH-B3
260 A.3 SA Management Compliance Elements
A.3.1 Algorithms Support
262 A.3.2 SA-A
263 A.3.3 SA-B
266 A.3.4 SA-C1
268 A.3.5 SA-C2
270 A.3.6 SA-C3
272 A.4 Policy Compliance Elements
A.4.1 POL-A1
273 A.4.2 POL-A2
274 A.4.3 POL-A3
275 A.4.4 POL-B3
278 Annex B: KMIP Profile for FC-SP-2 EAP-GPSK (Normative)
B.1 Scope
B.2 Overview
B.3 KMIP profile specification
B.3.1 FC-SP-2 EAP-GPSK Profile
B.3.2 FC-SP-2 EAP-GPSK Authentication Suite
B.3.2.1 Protocol
279 B.3.2.2 Client Authenticity
B.3.2.3 Client Identity
B.3.2.4 Object Creator
B.3.2.5 Access Policy
280 B.3.3 FC-SP-2 EAP/GPSK Key Foundry and Server Conformance Clause
282 Annex C: Random Number Generation and Secret Storage (informative)
C.1 Random Number Generator
C.2 Secret Storage
283 Annex D: RADIUS Deployment (informative)
D.1 Overview
D.2 RADIUS Servers
D.2.1 Overview
284 D.2.2 Digest Algorithm
D.3 RADIUS Messages
D.3.1 Message Types
285 D.3.2 Radius Attributes
D.3.2.1 User-Name
287 D.3.2.2 CHAP-Password
D.3.2.3 CHAP-Challenge
288 D.4 RADIUS Authentication
D.4.1 RADIUS Authentication Method
289 D.4.2 RADIUS Authentication with NULL DH algorithm
291 D.4.3 Bidirectional Authentication with RADIUS
292 D.4.4 RADIUS Authentication with DH option
294 Annex E: Examples of Proposals Negotiation for the SA Management Protocol (informative)
295 Annex F: Guidelines for Mapping Access Control Requirements to Fabric Policies (informative)
296 Annex G: Pre FC-SP-2 Fabric Policy Implementations (informative)
G.1 Overview
G.2 Fabric Management Policy Set
G.2.1 Fabric Management Policy Set Overview
G.2.2 FMPS Hierarchy Model
G.2.3 Policy Description
297 G.2.4 Policy Distribution
G.2.5 Signature, Version Stamp, and Timestamp
298 G.2.6 FMPS Object Structure
G.2.7 Fabric Initialization And Fabric Join Procedures
G.2.7.1 Overview
299 G.2.7.2 Protocol Requirements
G.2.7.3 Fabric Initialization Process
300 G.2.7.4 Fabric Join
G.2.7.5 Full Database Distribution During Initialization and Joining Process
G.2.7.6 Database Distribution Request from an administrator
G.2.8 FMPS Payload Format
G.2.8.1 General Download Request Format
303 G.2.8.2 Certificate Download Request
G.2.8.3 Security Policy Download Request
G.2.8.4 Security Policy Set Object
304 G.2.8.5 Security Policy Object
305 G.2.8.6 Policy Member Object
306 G.2.8.7 Zone Set Object Structure
G.2.8.8 General Download Accept Format
307 G.3 Fabric Binding
G.3.1 Fabric Binding Overview
308 G.3.2 Joining Switches
G.3.3 Managing User-Initiated Change Requests
G.3.4 Fabric Binding Objects
G.3.4.1 Fabric Binding Membership List Entry
G.3.5 Fabric Binding Commands
309 G.3.6 Exchange Fabric Membership Data (EFMD)
G.3.6.1 Overview
G.3.6.2 EFMD Request Payload
310 G.3.6.3 Fabric Membership Data Exchange Rules
311 G.3.6.4 EFMD Accept Payload
G.3.7 Exchange Security Attributes (ESA)
G.3.7.1 Overview
312 G.3.7.2 ESA Request Payload
G.3.7.3 Enforced Security Attribute Object
G.3.7.4 Use of Enforced Security Attribute and Required Security Attribute Mask
313 G.3.7.5 Extended Security Attribute Object
G.3.7.6 Use of Extended Security Attribute and Required Extended Security Attribute Mask
G.3.7.7 ESA Accept Payload
G.3.8 Query Security Attributes (QSA) Version 1
G.3.8.1 Overview
314 G.3.8.2 QSA Version 1 Request Payload
G.3.8.3 QSA Version 1 Accept Payload