US20080095367A1 - Methods and apparatus for confidentiality protection for fibre channel common transport - Google Patents

Methods and apparatus for confidentiality protection for fibre channel common transport

Info

Publication number
US20080095367A1
Authority
US
United States
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/959,380
Inventor
Fabio Maino
Claudio DeSanti
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cisco Technology Inc
Original Assignee
Cisco Technology Inc

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L 63/12 Applying verification of the received information
    • H04L 63/123 Applying verification of the received information: received data contents, e.g. message integrity
    • H04L 63/126 Applying verification of the received information: the source of the received data

Definitions

  • The Fibre Channel network 131 can be connected to a conventional IP network 141 through a device such as a Fibre Channel to IP gateway 121.
  • Various authentication and encryption schemes exist in conventional TCP/IP networks.
  • Security in Fibre Channel networks has been limited primarily because physical security could typically be provided for Fibre Channel networks.
  • All of the different network entities, such as the arrays of disks, tape libraries, servers, switches, generic service providers, etc., could be located in a controlled and trusted environment such as a secure office space or server room.
  • Techniques of the present invention recognize that physical security cannot always be provided.
  • Fibre Channel security mechanisms are limited in both capabilities and scope.
  • One Fibre Channel authentication mechanism provides limited link-based security. When a new network entity is introduced into the Fibre Channel network, immediate neighbors authenticate the new network entity and secure the link. After the link is secured, the network is considered trusted and no other security mechanisms are necessary.
  • Link-based security does not prevent certain types of attacks.
  • A network intruder can “spoof” the confidential information sent over the network, capturing sensitive information that might be further used to compromise the network.
  • An attacker between two FC entities can simply forward the Information Units exchanged by the two entities, and can observe all the traffic directed toward the attacked entity. When per-message confidentiality is in place, the messages captured by the attacker will be intelligible only to the receiver that has the appropriate cryptographic key to decrypt the protected Information Unit.
  • Common Transport Information Units are used to access and provide Generic Services to Fibre Channel entities.
  • Some parameters carried inside the CT_IU itself specify the service to be accessed: the GS_Type parameter determines the Generic Service of interest, and the GS_Subtype parameter selects a specific sub-server under the specified Service.
  • An existing authentication and key exchange sequence provides two Fibre Channel entities with a common key that may be leveraged to provide per-message security. Using that common key, each Fibre Channel message exchanged between two authenticated entities may be cryptographically transformed in such a way that the receiver can verify several characteristics of the message, such as the following: the message originated from the sender, the message has not been tampered with after transmission, and/or the message is not decipherable by one without the common key.
  • Each class of traffic exchanged between the two authenticated entities can be provided with different security services.
  • Some security services for control and traffic messages include authentication, protection against tampering, and encryption.
  • The relationship between two Fibre Channel ports that affords security services to traffic transmitted between the two ports is referred to herein as a security association.
  • Security association parameters are a security association identifier, the source address, the destination address, a sequence number, key information, and algorithm information.
  • Outgoing traffic is transformed according to the parameters of the outgoing security association if the traffic matches the selectors of that security association.
  • Examples of security association selectors are source identifiers, destination identifiers, and class of traffic.
  • A security database can be used to determine whether Common Transport Information Units should be encrypted and authenticated based on parameters of the CT_IU itself, such as source and destination addresses and the GS_Type and GS_Subtype parameters identifying the traffic class.
  • The security can be continuous and uninterrupted and can apply to any type of data encapsulated within CT_IUs exchanged between the two network entities.
  • FIG. 2 is a diagrammatic representation of a security database such as a security association database.
  • The first three columns of the database contain the security association selectors that determine which Common Transport Information Units will be secured according to the parameters specified in the security association. Selectors can be the destination address 203 and the class of traffic expressed as GS_Type 209 and GS_SubType 211.
  • A security association database may contain an index such as a security association identifier SAID 201 that can be used to identify an entry in a security database.
  • The security association identifier (SAID) column 201 gives information for determining whether the Common Transport Information Unit should be decrypted and the authentication verified during receipt of the CT_IU.
  • The security database can also contain key information 205.
  • Key information 205 can include session keys as well as information for encrypting, decrypting, or authenticating a message.
  • A security database can also contain information relating to the algorithm used for encryption or authentication 207. Algorithms commonly used for encryption include 3DES/DES and AES, while algorithms commonly used for authentication include MD5 and SHA1.
  • FIG. 3 is a diagrammatic representation of a secured Common Transport Information Unit that can be transmitted between network entities in a Fibre Channel fabric.
  • Each CT_IU contains a Basic CT_IU preamble as defined in FC-GS-3.
  • A flag in the Basic CT_IU preamble indicates if the Extended CT_IU preamble is also part of the Information Unit.
  • The Extended CT_IU preamble allows a Common Transport Information Unit to be secured by providing integrity services.
  • A Common Transport Information Unit may be secured with confidentiality services by encrypting a portion 319 of the CT_IU in conjunction with the Extended CT_IU preamble.
  • The Extended CT_IU preamble 323 may also be called the security header.
  • The security header 323 can include a security association ID 303 for identifying an entry in a security database.
  • The security header 323 can also include a time stamp 305 for prevention of replay attacks.
  • CT_IU payload data 309 and payload padding 311 can be encrypted with the algorithms and key indicated in the security database. As will be appreciated by one of skill in the art, padding provides for block alignment in encryption and authentication. Padding 311 can include a padding length 315 to indicate the amount to adjust after decryption.
  • The secured Common Transport Information Unit can also include authentication data 321, computed as specified by FC-GS-3 or by other methods.
  • The portion encrypted can vary. In one example, only payload data is encrypted.
  • FIG. 4 is a process flow diagram showing the generation of a secured Common Transport Information Unit such as the one shown in FIG. 3.
  • A CT_IU is identified. Identifying a CT_IU may entail locating an Information Unit queued for transmission.
  • The security database is checked for an entry whose selectors match the CT_IU. An entry may correspond to the identified CT_IU if the destination identifier of the Information Unit is contained in an entry in the security database. In another example, the destination identifier, GS_Type and GS_Subtype can be compared with entries in a security database. If the CT_IU does not correspond to an entry in the security database, the Information Unit is transmitted at 417 without securing it.
  • The Extended CT_IU preamble shown in FIG. 3, with parameter values derived from the selected security association, is added to the Information Unit at 407, and the flag indicating its presence is set in the Basic CT_IU preamble.
  • The Extended CT_IU preamble can include the security association identifier, a time stamp, and authentication hash block data.
  • The payload can be padded.
  • A portion of the Common Transport Information Unit is encrypted using key information and algorithm information.
  • The CT_IU may be encrypted using a session key agreed upon during an authentication and key exchange sequence between the node and the destination.
  • The algorithm may also have been agreed upon during the authentication and key exchange sequence.
  • Algorithms typically used for encryption include DES/3DES and AES.
  • Authentication hash block data for inclusion in the Extended CT_IU preamble is calculated using key information, algorithm information, and the portion of the Information Unit resulting after modification in 413.
  • FIG. 5 is a process flow diagram showing a network entity in a Fibre Channel fabric receiving a Common Transport Information Unit.
  • The CT_IU is received.
  • A CT_IU that supports encryption and authentication is herein referred to as a secured Common Transport Information Unit.
  • A CT_IU that supports only authentication is herein referred to as an authentication secured Common Transport Information Unit.
  • A CT_IU that supports only encryption is herein referred to as an encryption secured Common Transport Information Unit.
  • If the CT_IU is not secured, processing proceeds using conventional Fibre Channel rules. If the CT_IU is secured, an identifier such as a security association identifier is referenced against a security database such as a security association database at 505. Key information and algorithm information are extracted from the entry containing the identifier or security association identifier associated with the received Common Transport Information Unit. If the CT_IU is authentication secured, processing proceeds as in the conventional CT_Authentication protocol: the authentication data is computed at 507 using key information, algorithm information, and the encrypted data, as noted in the security database. The computed authentication data is then compared with the authentication hash block data contained in the CT_IU. If the authentication hash block data matches, the identity of the sender is verified. Otherwise the Common Transport Information Unit is not authenticated and is discarded. If the CT_IU is not authentication secured, the authentication processing described above is skipped.
  • The encrypted portion of the Common Transport Information Unit can then be decrypted.
  • Key information and encryption algorithm information are extracted from the entry containing the security association identifier associated with the received CT_IU, and the encrypted payload is decrypted.
  • The padding included in the payload is removed, and the CT_IU is then processed using conventional Fibre Channel rules.
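The FIG. 2 selector lookup together with the FIG. 4 transmit and FIG. 5 receive procedures, as an added Go example that is not code from the patent or from any Cisco product: it assumes AES-128-CBC with HMAC-SHA1 as the algorithm information, a constructed wire layout rather than the FC-GS-3 encoding, a caller-supplied per-IU IV, a destination address taken from the frame header, and a time stamp that must strictly increase per security association for the anti-replay check. All type, field and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// Selector holds the FIG. 2 selectors: destination address (from the frame header) and traffic class.
type Selector struct{ Dest uint32; GSType, GSSubtype byte }
// SA is one security association database entry; AES-128-CBC with HMAC-SHA1 is this example's
// assumed algorithm information (the page only names AES and SHA1 as typical choices).
type SA struct {
	SAID    uint32
	Sel     Selector
	EncKey  []byte // 16-byte session key from the authentication and key exchange
	AuthKey []byte
	lastTS  uint64 // newest time stamp accepted on this SA, used to discard replays
}
// SADB is the security association database, indexed by SAID.
type SADB map[uint32]*SA

// authData is the authentication data of FIG. 3 (321): HMAC-SHA1 over data.
func authData(key, data []byte) []byte {
	m := hmac.New(sha1.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// Constructed wire layout for this example (not the FC-GS-3 encoding):
// [0] flags (bit 0: Extended CT_IU preamble present) [1] GS_Type [2] GS_Subtype
// [3..6] SAID [7..14] time stamp [15..30] CBC IV (assumption) [31..] AES-CBC of
// payload || zero padding || pad-length byte, then 20 bytes of authentication data.
const flagExt, hdrLen, macLen = 0x01, 31, sha1.Size

// Secure is the FIG. 4 transmit path; an IU matching no SA entry is returned unsecured
// (step 417) with secured == false. iv must be 16 fresh random bytes per IU.
func Secure(db SADB, sel Selector, payload []byte, ts uint64, iv []byte) (wire []byte, secured bool, err error) {
	var sa *SA // match the IU's selectors against the database entries
	for _, e := range db {
		if e.Sel == sel {
			sa = e
		}
	}
	if sa == nil {
		return append([]byte{0, sel.GSType, sel.GSSubtype}, payload...), false, nil
	}
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil || len(iv) != aes.BlockSize {
		return nil, false, errors.New("bad key or IV")
	}
	// Basic preamble with the flag set, then the security header: SAID, time stamp, IV.
	out := append([]byte{flagExt, sel.GSType, sel.GSSubtype}, make([]byte, hdrLen-3)...)
	binary.BigEndian.PutUint32(out[3:], sa.SAID)
	binary.BigEndian.PutUint64(out[7:], ts)
	copy(out[15:], iv)
	// Pad to a block boundary; the final byte records the pad length (FIG. 3, 315).
	padLen := aes.BlockSize - (len(payload)+1)%aes.BlockSize
	plain := append(append(append([]byte{}, payload...), bytes.Repeat([]byte{0}, padLen)...), byte(padLen))
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	out = append(out, ct...)
	// Authentication data is computed over the already-encrypted IU (step 415).
	return append(out, authData(sa.AuthKey, out)...), true, nil
}

// Receive is the FIG. 5 path: SAID lookup, authentication check, anti-replay check
// on the time stamp, then decryption and padding removal.
func Receive(db SADB, dest uint32, wire []byte) (Selector, []byte, error) {
	if len(wire) >= 3 && wire[0]&flagExt == 0 { // not secured: conventional processing
		return Selector{dest, wire[1], wire[2]}, append([]byte{}, wire[3:]...), nil
	}
	if len(wire) < hdrLen+aes.BlockSize+macLen {
		return Selector{}, nil, errors.New("truncated IU")
	}
	sa := db[binary.BigEndian.Uint32(wire[3:7])]
	body, tag := wire[:len(wire)-macLen], wire[len(wire)-macLen:]
	if sa == nil || !hmac.Equal(authData(sa.AuthKey, body), tag) {
		return Selector{}, nil, errors.New("unknown SAID or authentication failed, IU discarded")
	}
	ts := binary.BigEndian.Uint64(wire[7:15])
	if ts <= sa.lastTS {
		return Selector{}, nil, errors.New("replayed IU discarded")
	}
	sa.lastTS = ts
	ct := body[hdrLen:]
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil || len(ct)%aes.BlockSize != 0 {
		return Selector{}, nil, errors.New("bad key or ciphertext length")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, wire[15:hdrLen]).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-1])
	if padLen < 1 || padLen > aes.BlockSize || padLen >= len(plain) {
		return Selector{}, nil, errors.New("bad padding")
	}
	return Selector{dest, wire[1], wire[2]}, plain[:len(plain)-1-padLen], nil
}
```

Authentication data is checked before any decryption is attempted, so a modified ciphertext is discarded without reaching the padding logic, and a second delivery of the same IU fails the time-stamp check.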
  • FIG. 6 illustrates an example of a network device that may be configured to implement some methods of the present invention.
  • Network device 660 includes a master central processing unit (CPU) 662, interfaces 668, and a bus 667 (e.g., a PCI bus).
  • Interfaces 668 include ports 669 appropriate for communication with the appropriate media.
  • One or more of interfaces 668 includes at least one independent processor 674 and, in some instances, volatile RAM.
  • Independent processors 674 may be, for example, ASICs or any other appropriate processors. According to some such embodiments, these independent processors 674 perform at least some of the functions of the logic described herein.
  • One or more of interfaces 668 control such communications-intensive tasks as media control and management. By providing separate processors for the communications-intensive tasks, interfaces 668 allow the master microprocessor 662 to efficiently perform other functions such as routing computations, network diagnostics, security functions, etc.
  • The interfaces 668 are typically provided as interface cards (sometimes referred to as “linecards”). Generally, interfaces 668 control the sending and receiving of data packets over the network and sometimes support other peripherals used with the network device 660.
  • Interfaces that may be provided include FC interfaces, Ethernet interfaces, frame relay interfaces, cable interfaces, DSL interfaces, token ring interfaces, and the like.
  • Various very high-speed interfaces may be provided, such as fast Ethernet interfaces, Gigabit Ethernet interfaces, ATM interfaces, HSSI interfaces, POS interfaces, FDDI interfaces, ASI interfaces, DHEI interfaces and the like.
  • CPU 662 may be responsible for implementing specific functions associated with the functions of a desired network device. According to some embodiments, CPU 662 accomplishes all these functions under the control of software including an operating system (e.g., Cisco SANOS, a proprietary operating system developed by Cisco Systems, Inc., etc.) and any appropriate applications software.
  • CPU 662 may include one or more processors 663 such as a processor from the Motorola family of microprocessors or the MIPS family of microprocessors. In an alternative embodiment, processor 663 is specially designed hardware for controlling the operations of network device 660. In a specific embodiment, a memory 661 (such as non-volatile RAM and/or ROM) also forms part of CPU 662. However, there are many different ways in which memory could be coupled to the system. Memory block 661 may be used for a variety of purposes such as, for example, caching and/or storing data, programming instructions, etc.
  • The network device may employ one or more memories or memory modules (such as, for example, memory block 665) configured to store data, program instructions for the general-purpose network operations and/or other information relating to the functionality of the techniques described herein.
  • The program instructions may control the operation of an operating system and/or one or more applications, for example.
  • The present invention relates to machine-readable media that include program instructions, state information, etc. for performing various operations described herein.
  • Machine-readable media include, but are not limited to, magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM disks; magneto-optical media; and hardware devices that are specially configured to store and perform program instructions, such as read-only memory devices (ROM) and random access memory (RAM).
  • The invention may also be embodied in a carrier wave traveling over an appropriate medium such as airwaves, optical lines, electric lines, etc.
  • Program instructions include both machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter.
  • The system shown in FIG. 6 illustrates one specific network device of the present invention.
  • An architecture having a single processor that handles communications as well as routing computations, etc. is often used.
  • Other types of interfaces and media could also be used with the network device.
  • The communication path between interfaces/linecards may be bus based (as shown in FIG. 6) or switch fabric based (such as a cross-bar).

Abstract

Methods and apparatus are provided for improving message-based security in a Fibre Channel network. More specifically, the present invention relates to methods and apparatus for providing confidentiality for Fibre Channel control messages encapsulated within Common Transport Information Units. Control messages transported with the Fibre Channel Common Transport protocol, and passed between Fibre Channel network entities, can be encrypted providing confidentiality combined with data origin authentication, integrity and anti-replay protection provided by existing Fibre Channel security mechanisms.

Description

  • CROSS-REFERENCE TO RELATED APPLICATION
  • This application is a Continuation of application Ser. No. 10/805,111, filed Mar. 19, 2004, entitled Methods And Apparatus for Confidentiality Protection for Fibre Channel Common Transport and is related to U.S. patent application Ser. No. 10/034,367, entitled “Methods and Apparatus for Security over Fibre Channel,” which is hereby incorporated by reference in its entirety for all purposes.
  • BACKGROUND OF THE INVENTION
  • 1. Field of the Invention
  • The present invention relates to Fibre Channel security. More specifically, the present invention relates to methods and apparatus for providing confidentiality for Fibre Channel control messages encapsulated within Common Transport Information Units.
  • 2. Description of Related Art
  • Very limited security exists in Fibre Channel networks. One form of security for Fibre Channel networks is physical security. All Fibre Channel network entities, such as switches, disks, tape libraries, disk arrays, and servers can be located in a secure and trusted environment. Access can be limited and strict controls can be maintained over the Fibre Channel fabric. However, it is not always feasible to locate every Fibre Channel network entity in a secured environment.
  • Some security schemes have focused more on secure links. When a new Fibre Channel network entity is introduced into a Fibre Channel fabric, directly neighboring nodes check the newly introduced entity to determine whether or not the newly introduced node is authorized to connect to the fabric. However, the checks are made only once by some directly neighboring nodes. Other more distant nodes are unable to perform any checking. Furthermore, once the link is established, no further security is provided. The fabric is deemed trusted even though the Fibre Channel fabric is still vulnerable to certain attacks such as spoofing, hijacking, or impersonation.
  • It is therefore desirable to provide methods and apparatus for improving security in a Fibre Channel network and in particular for improving authentication, confidentiality, message integrity protection, and anti-replay protection in a Fibre Channel fabric with respect to some or all of the limitations noted above.
  • The Fibre Channel Generic Services 3 (“FC-GS-3”) Standard (formerly ANSI NCITS 348-2001) defines CT_Authentication, a security transform for Fibre Channel Common Transport Information Units, that may be used to provide anti-replay and integrity protection to control traffic. However, no provision is currently made to provide confidentiality to control traffic, even though such confidentiality would be highly desirable. Without confidentiality, Common Transport may not be used to transport sensitive data such as passwords or secrets that are a very valuable subset of control information.
  • SUMMARY OF THE INVENTION
  • Methods and apparatus are provided for improving confidentiality of control traffic in a Fibre Channel network. Messages passed between Fibre Channel network entities can be encrypted using information provided during the authentication sequence. These methods and apparatus can be combined with already existing authentication services for Fibre Channel Common Transport, providing a complete set of security services such as per-message authentication, confidentiality, integrity protection, and anti-replay protection.
  • According to various embodiments, a method for processing Common Transport Information Units in a Fibre Channel network having a first network entity and a second network entity is provided. A CT_IU is received at a first network entity from the second network entity in a Fibre Channel network. A security control indicator in the CT_IU from the second network entity is identified. A security association identifier associated with the Common Transport Information Unit and corresponding to an entry in a security database is determined. A portion of the CT_IU is decrypted by using algorithm information contained in the entry in the security database.
  • In still other embodiments, a method for transmitting encrypted Common Transport Information Units in a Fibre Channel network having a first network entity and a second network entity is provided. A CT_IU having a source corresponding to the first network entity and a destination corresponding to the second network entity is identified. It is determined if the CT_IU corresponds to the selectors of an entry in a security database. A portion of the CT_IU is encrypted using key and algorithm information associated with the entry in the security database. The Common Transport Information Unit is transmitted to the second network entity.
  • These and other features and advantages of the present invention will be presented in more detail in the following specification of the invention and the accompanying figures, which illustrate by way of example the principles of the invention.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The invention may best be understood by reference to the following description taken in conjunction with the accompanying drawings, which are illustrative of specific embodiments of the present invention.
  • FIG. 1 is a diagrammatic representation of a network that can use the techniques of the present invention.
  • FIG. 2 is a diagrammatic representation of a security database.
  • FIG. 3 is a diagrammatic representation of a secured Common Transport Information Unit transmitted over Fibre Channel.
  • FIG. 4 is a process flow diagram showing the generation of a secured Common Transport Information Unit.
  • FIG. 5 is a process flow diagram showing the receipt and processing of a secured Common Transport Information Unit.
  • FIG. 6 is a network device that may be configured to implement some aspects of the present invention.
  • The present invention relates to security in a Fibre Channel fabric. More specifically, the present invention relates to methods and apparatus for providing confidentiality for Fibre Channel control messages encapsulated within Common Transport Information Units.
  • Reference will now be made in detail to some specific embodiments of the invention including the best modes contemplated by the inventors for carrying out the invention. Examples of these specific embodiments are illustrated in the accompanying drawings. While the invention is described in conjunction with these specific embodiments, it will be understood that it is not intended to limit the invention to the described embodiments. On the contrary, it is intended to cover alternatives, modifications, and equivalents as may be included within the spirit and scope of the invention as defined by the appended claims.
  • For example, the techniques of the present invention will be described in the context of Fibre Channel Common Transport used in a storage area network. However, it should be noted that the techniques of the present invention can be applied to a variety of different protocols and networks. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. The present invention may be practiced without some or all of these specific details. In other instances, well known process operations have not been described in detail in order not to unnecessarily obscure the present invention.
  • Methods and apparatus of the present invention provide for security in Fibre Channel networks. The techniques of the present invention cover message-based security. Mechanisms are provided for encryption of Common Transport Information Units passed between Fibre Channel network entities.
  • Maino, Di Benedetto and DeSanti have submitted U.S. patent application Ser. No. 10/034,367 (attorney docket number ANDIP004) for “Methods and Apparatus for Security over Fibre Channel”, which improves authentication, confidentiality, message integrity protection, and anti-replay protection in a Fibre Channel fabric. That method secures Fibre Channel frames at the FC-2 layer, but it is sometimes necessary to secure only a subset of the Fibre Channel traffic, such as the control traffic transported as Common Transport Information Units, also called CT_IUs.
  • However, securing control traffic encapsulated in CT_IUs at the frame level may require keeping state for the frames belonging to the same CT_IU, which complicates implementations. Applying security directly to a Common Transport Information Unit according to the methods of the present invention does not require frame-by-frame state and is therefore advantageous.
  • FIG. 1 is a diagrammatic representation of a network that can use the techniques of the present invention. A Fibre Channel fabric 131 can include a number of network entities such as switches 111 and 113 as well as a generic service provider 115, which may be yet another switch. The switches can be used to interconnect nodes 101, 103, 105, and 107. Nodes 101, 103, 105, and 107 can be entities such as servers, tape libraries, disk arrays, and/or just a bunch of disks (JBOD). The Fibre Channel architecture shown in FIG. 1 is a switch-based architecture. However, it should be noted that Fibre Channel networks can be implemented using a variety of different topologies such as arbitrated loop and point-to-point connections.
  • The Fibre Channel network 131 can be connected to a conventional IP network 141 through a device such as a Fibre Channel to IP gateway 121. Various authentication and encryption schemes exist in conventional TCP/IP networks. Security in Fibre Channel networks, however, has been limited, primarily because physical security could typically be provided for them. In conventional Fibre Channel networks, all of the different network entities such as the arrays of disks, tape libraries, servers, switches, and generic service providers could be located in a controlled and trusted environment such as a secure office space or server room. The techniques of the present invention recognize that physical security cannot always be provided.
  • Conventional Fibre Channel security mechanisms are limited in both capabilities and scope. One Fibre Channel authentication mechanism provides limited link-based security. When a new network entity is introduced into the Fibre Channel network, its immediate neighbors authenticate the new network entity and secure the link. After the link is secured, the network is considered trusted and no other security mechanisms are applied. However, link-based security does not prevent certain types of attacks. In one example, a network intruder positioned inside the fabric can eavesdrop on confidential information sent over the network, capturing sensitive information that might be further used to compromise the network. Without per-message confidentiality, an attacker between two FC entities can simply forward the Information Units exchanged by the two entities and observe all the traffic directed toward the attacked entity. When per-message confidentiality is in place, the messages captured by the attacker are intelligible only to the receiver that holds the cryptographic key needed to decrypt the protected Information Unit.
  • Existing Fibre Channel security mechanisms provide for integrity verification of Common Transport Information Units. No provision is currently made to provide confidentiality to CT_IUs. Consequently, methods and apparatus are provided for the implementation of efficient message-based encryption schemes for Common Transport Information Units.
  • Common Transport Information Units are used to access and provide Generic Services to Fibre Channel entities. As defined by FC-GS-3, some parameters carried inside the CT_IU itself specify the service to be accessed. In particular, the GS_Type parameter determines the Generic Service of interest, while the GS_Subtype parameter selects a specific sub-server under the specified Service. For example, a CT_IU carrying GS_Type equal to ‘FCh’ and GS_Subtype equal to ‘02h’ is meant to access the Name Server sub-server (GS_Subtype=‘02h’) under the Directory Services (GS_Type=‘FCh’). Instead a CT_IU carrying GS_Type equal to ‘FAh’ and GS_Subtype equal to ‘03h’ is meant to access the Fabric Zone Server sub-server (GS_Subtype=‘03h’) under the Management Services (GS_Type=‘FAh’).
  • An existing authentication and key exchange sequence provides two Fibre Channel entities with a common key that may be leveraged to provide per-message security. Using that common key, each Fibre Channel message exchanged between two authenticated entities may be cryptographically transformed in such a way that the receiver can verify several properties of the message, such as the following: the message originated from the sender, the message has not been tampered with after transmission, and/or the message cannot be deciphered by anyone without the common key.
  • Each class of traffic exchanged between the two authenticated entities can be provided with different security services. Security services applicable to control and data messages include authentication, protection against tampering, and encryption. The relationship between two Fibre Channel ports that affords security services to traffic transmitted between the two ports is referred to herein as a security association. Examples of security association parameters are a security association identifier, the source address, the destination address, a sequence number, key information, and algorithm information. Outgoing traffic is transformed according to the parameters of the outgoing security association if the traffic matches the selectors of that security association. Examples of security association selectors are source identifiers, destination identifiers, and class of traffic. A security database can be used to determine whether Common Transport Information Units should be encrypted and authenticated based on parameters of the CT_IU itself, such as source and destination addresses and the GS_Type and GS_Subtype parameters that identify the traffic class. The security can be continuous and uninterrupted and can apply to any type of data encapsulated within CT_IUs exchanged between the two network entities.
  • FIG. 2 is a diagrammatic representation of a security database such as a security association database. In one embodiment, the first three columns of the database contain the security association selectors that determine which Common Transport Information Units will be secured according to the parameters specified in the security association. Selectors can be the destination address 203 and the class of traffic, expressed as GS_Type 209 and GS_SubType 211. A security association database may contain an index such as a security association identifier SAID 201 that can be used to identify an entry in a security database. The security association identifier (SAID) column 201 gives the information needed to determine whether a Common Transport Information Unit should be decrypted and its authentication verified on receipt. The security database can also contain key information 205. Key information 205 can include session keys as well as information for encrypting, decrypting, or authenticating a message. A security database can also contain information relating to the algorithm used for encryption or authentication 207. Algorithms commonly used for encryption include 3DES/DES and AES, while algorithms commonly used for authentication include MD5 and SHA1 in keyed (HMAC) form. These were the usual choices at the 2004 priority date; DES, MD5 and SHA-1 are now considered weak, and a current implementation would select AES and an HMAC built on a SHA-2 hash from the algorithm column.
  • FIG. 3 is a diagrammatic representation of a secured Common Transport Information Unit that can be transmitted between network entities in a Fibre Channel fabric. Each CT_IU contains a Basic CT_IU preamble as defined in FC-GS-3. A flag in the Basic CT_IU preamble indicates whether the Extended CT_IU preamble is also part of the Information Unit. The Extended CT_IU preamble allows a Common Transport Information Unit to be secured by providing integrity services. According to various embodiments of the present invention, a Common Transport Information Unit may additionally be secured with confidentiality services by encrypting a portion 319 of the CT_IU in conjunction with the Extended CT_IU preamble.
  • The Extended CT_IU preamble 323 may also be called the security header. The security header 323 can include a security association ID 303 for identifying an entry in a security database. The security header 323 can also include a time stamp 305 for prevention of replay attacks. For secured Common Transport Information Units, the CT_IU payload data 309 and the payload padding 311 can be encrypted with the algorithm and key indicated in the security database. As will be appreciated by one of skill in the art, padding provides block alignment for encryption and authentication. Padding 311 can include a padding length 315 indicating how many bytes to remove after decryption.
  • The secured Common Transport Information Unit can also include authentication data 321, computed as specified by FC-GS-3 or by other methods. The portion that is encrypted can vary. In one example, only the payload data is encrypted.
  • FIG. 4 is a process flow diagram showing the generation of a secured Common Transport Information Unit such as the one shown in FIG. 3. At 401, a CT_IU is identified. Identifying a CT_IU may entail locating an Information Unit queued for transmission. At 403, the security database is checked for an entry whose selectors match the CT_IU. An entry may correspond to the identified CT_IU if the destination identifier of the Information Unit is contained in that entry of the security database. In another example, the destination identifier, GS_Type and GS_Subtype are compared with the entries in the security database. If the CT_IU does not correspond to any entry in the security database, the Information Unit is transmitted at 417 without being secured: no portion of the CT_IU is encrypted and no portion of the Information Unit is hashed for authentication. If the CT_IU does correspond to an entry in the database, the Extended CT_IU preamble shown in FIG. 3, with parameter values derived from the selected security association, is added to the Information Unit at 407, and the flag indicating its presence is set in the Basic CT_IU preamble. The Extended CT_IU preamble can include the security association identifier, a time stamp, and authentication hash block data.
  • To allow for encryption and authentication, the payload can be padded at 411. At 413, a portion of the Common Transport Information Unit is encrypted using the key information and algorithm information. The CT_IU may be encrypted using a session key agreed upon during an authentication and key exchange sequence between the node and the destination. The algorithm may also have been agreed upon during the authentication and key exchange sequence. Algorithms typically used for encryption include DES/3DES and AES. At 415, authentication hash block data for inclusion in the Extended CT_IU preamble is calculated using the key information, the algorithm information, and a portion of the Information Unit as it results after the encryption in 413, so that the hash covers ciphertext rather than plaintext.
  • It should be noted that the techniques of the present invention support both encryption and authentication for a subset of Fibre Channel Information Units, namely Common Transport Information Units. The FC-GS-3 standard, by contrast, provides integrity protection only and no encryption or privacy protection.
  • FIG. 5 is a process flow diagram showing a network entity in a Fibre Channel fabric receiving a Common Transport Information Unit. At 501, the CT_IU is received. At 503, it is determined if the Information Unit is secured. Any indicator showing that the CT_IU is secured is referred to herein as a security control indicator. It should also be noted that, in certain embodiments, this is the same security control indicator used to determine if the Information Unit has an Extended CT_IU preamble. In other embodiments, a vendor specific indicator may be used. A CT_IU that supports encryption and authentication is herein referred to as a secured Common Transport Information Unit. A CT_IU that supports only authentication is herein referred to as an authentication secured Common Transport Information Unit. A CT_IU that supports only encryption is herein referred to as an encryption secured Common Transport Information Unit.
  • If the CT_IU is not secured, processing proceeds using conventional Fibre Channel rules. If the CT_IU is secured, an identifier such as the security association identifier is looked up in a security database such as a security association database at 505. Key information and algorithm information are extracted from the entry matching the security association identifier carried in the received Common Transport Information Unit. If the CT_IU is authentication secured, processing proceeds as in the conventional CT_Authentication protocol: the authentication data is computed at 507 using the key information, the algorithm information, and the still-encrypted data, as specified in the security database entry. The computed authentication data is then compared with the authentication hash block data contained in the CT_IU. If the authentication hash block data matches, the identity of the sender is verified. Otherwise the Common Transport Information Unit is not authenticated and is discarded. If the CT_IU is not authentication secured, the authentication processing described above is skipped. Because verification runs over the encrypted data and precedes decryption, a tampered or forged IU is discarded before the decryption path is ever exercised.
  • After authentication, at 511, the encrypted portion of the Common Transport Information Unit can be decrypted. Key information and encryption algorithm information are extracted from the entry matching the security association identifier carried in the received CT_IU, and the encrypted payload is decrypted. The padding included in the payload is removed, and the CT_IU is then processed using conventional Fibre Channel rules.
  • FIG. 6 illustrates an example of a network device that may be configured to implement some methods of the present invention. Network device 660 includes a master central processing unit (CPU) 662, interfaces 668, and a bus 667 (e.g., a PCI bus). Generally, interfaces 668 include ports 669 appropriate for communication with the appropriate media. In some embodiments, one or more of interfaces 668 includes at least one independent processor 674 and, in some instances, volatile RAM. Independent processors 674 may be, for example, ASICs or any other appropriate processors. According to some such embodiments, these independent processors 674 perform at least some of the functions of the logic described herein. In some embodiments, one or more of interfaces 668 control such communications-intensive tasks as media control and management. By providing separate processors for the communications-intensive tasks, interfaces 668 allow the master microprocessor 662 to perform other functions such as routing computations, network diagnostics, security functions, etc. efficiently.
  • The interfaces 668 are typically provided as interface cards (sometimes referred to as “linecards”). Generally, interfaces 668 control the sending and receiving of data packets over the network and sometimes support other peripherals used with the network device 660. Among the interfaces that may be provided are FC interfaces, Ethernet interfaces, frame relay interfaces, cable interfaces, DSL interfaces, token ring interfaces, and the like. In addition, various very high-speed interfaces may be provided, such as fast Ethernet interfaces, Gigabit Ethernet interfaces, ATM interfaces, HSSI interfaces, POS interfaces, FDDI interfaces, ASI interfaces, DHEI interfaces and the like.
  • When acting under the control of appropriate software or firmware, in some implementations of the invention CPU 662 may be responsible for implementing specific functions associated with the functions of a desired network device. According to some embodiments, CPU 662 accomplishes all these functions under the control of software including an operating system (e.g., Cisco SANOS, a proprietary operating system developed by Cisco Systems, Inc., etc.) and any appropriate applications software.
  • CPU 662 may include one or more processors 663 such as a processor from the Motorola family of microprocessors or the MIPS family of microprocessors. In an alternative embodiment, processor 663 is specially designed hardware for controlling the operations of network device 660. In a specific embodiment, a memory 661 (such as non-volatile RAM and/or ROM) also forms part of CPU 662. However, there are many different ways in which memory could be coupled to the system. Memory block 661 may be used for a variety of purposes such as, for example, caching and/or storing data, programming instructions, etc.
  • Regardless of network device's configuration, it may employ one or more memories or memory modules (such as, for example, memory block 665) configured to store data, program instructions for the general-purpose network operations and/or other information relating to the functionality of the techniques described herein. The program instructions may control the operation of an operating system and/or one or more applications, for example.
  • Because such information and program instructions may be employed to implement the systems/methods described herein, the present invention relates to machine-readable media that include program instructions, state information, etc. for performing various operations described herein. Examples of machine-readable media include, but are not limited to, magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CD-ROM disks; magneto-optical media; and hardware devices that are specially configured to store and perform program instructions, such as read-only memory devices (ROM) and random access memory (RAM). The invention may also be embodied in a carrier wave traveling over an appropriate medium such as airwaves, optical lines, electric lines, etc. Examples of program instructions include both machine code, such as produced by a compiler, and files containing higher level code that may be executed by the computer using an interpreter.
  • Although the system shown in FIG. 6 illustrates one specific network device of the present invention, it is by no means the only network device architecture on which the present invention can be implemented. For example, an architecture having a single processor that handles communications as well as routing computations, etc. is often used. Further, other types of interfaces and media could also be used with the network device. The communication path between interfaces/linecards may be bus based (as shown in FIG. 6) or switch fabric based (such as a cross-bar).
  • The above-described devices and materials will be familiar to those of skill in the computer hardware and software arts. Although many of the components and processes are described above in the singular for convenience, it will be appreciated by one of skill in the art that multiple components and repeated processes can also be used to practice the techniques of the present invention.
  • While the invention has been particularly shown and described with reference to specific embodiments thereof, it will be understood by those skilled in the art that changes in the form and details of the disclosed embodiments may be made without departing from the spirit or scope of the invention. For example, embodiments of the present invention may be employed with a variety of architectures. In one example confidentiality protection could be extended to the requesting N_Port name field of the extended CT_IU preamble providing anonymity of the requester. It is therefore intended that the invention be interpreted to include all variations and equivalents that fall within the true spirit and scope of the present invention.

Claims (18)

1. A method comprising:
identifying network traffic having a source corresponding to a first network entity in a network and a destination corresponding to a second network entity in the network;
determining if the network traffic corresponds to selectors of a first entry in a security database, wherein the determining includes comparing a class of traffic of the network traffic against a class of traffic identified in the first entry;
assigning a security association identifier to the network traffic; and
creating a second entry in the security database, the second entry including the security association identifier and encryption information, wherein the encryption information is to be used to encrypt a first portion of the network traffic.
2. The method of claim 1, further comprising transmitting the network traffic to the second network entity.
3. The method of claim 1, wherein the network is a Fibre Channel network.
4. The method of claim 1, wherein the determining includes comparing the source of the network traffic against a source identified in the first entry.
5. The method of claim 1, wherein the determining includes comparing the destination of the network traffic against a destination identified in the first entry.
6. The method of claim 1, wherein a payload of the network traffic is padded prior to encrypting the first portion of the network traffic.
7. An apparatus comprising:
means for identifying network traffic having a source corresponding to a first network entity in a network and a destination corresponding to a second network entity in the network;
means for determining if the network traffic corresponds to selectors of a first entry in a security database, wherein the determining includes comparing a class of traffic of the network traffic against a class of traffic identified in the first entry;
means for assigning a security association identifier to the network traffic; and
means for creating a second entry in the security database, the second entry including the security association identifier and encryption information, wherein the encryption information is to be used to encrypt a first portion of the network traffic.
8. The apparatus of claim 7, further comprising means for transmitting the network traffic to the second network entity.
9. The apparatus of claim 7, wherein the network is a Fibre Channel network.
10. The apparatus of claim 7, wherein the means for determining includes means for comparing the source of the network traffic against a source identified in the first entry.
11. The apparatus of claim 7, wherein the means for determining includes means for comparing the destination of the network traffic against a destination identified in the first entry.
12. The apparatus of claim 7, further comprising means for padding the network traffic prior to encrypting the first portion of the network traffic.
13. A network device comprising:
one or more ports; and
at least one processor configured to perform the following steps:
identifying network traffic having a source corresponding to a first network entity in a network and a destination corresponding to a second network entity in the network;
determining if the network traffic corresponds to selectors of a first entry in a security database, wherein the determining includes comparing a class of traffic of the network traffic against a class of traffic identified in the first entry;
assigning a security association identifier to the network traffic; and
creating a second entry in the security database, the second entry including the security association identifier and encryption information, wherein the encryption information is to be used to encrypt a first portion of the network traffic.
14. The network device of claim 13, wherein the one or more processors are further configured to transmit the network traffic to the second network entity.
15. The network device of claim 13, wherein the network is a Fibre Channel network.
16. The network device of claim 13, wherein the determining includes comparing the source of the network traffic against a source identified in the first entry.
17. The network device of claim 13, wherein the determining includes comparing the destination of the network traffic against a destination identified in the first entry.
18. The network device of claim 13, wherein the one or more processors are further configured to pad a payload of the network traffic prior to encrypting the first portion of the network traffic.
US11/959,380 2004-03-19 2007-12-18 Methods and apparatus for confidentiality protection for fibre channel common transport Abandoned US20080095367A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/959,380 US20080095367A1 (en) 2004-03-19 2007-12-18 Methods and apparatus for confidentiality protection for fibre channel common transport

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/805,111 US7333612B2 (en) 2004-03-19 2004-03-19 Methods and apparatus for confidentiality protection for Fibre Channel Common Transport
US11/959,380 US20080095367A1 (en) 2004-03-19 2007-12-18 Methods and apparatus for confidentiality protection for fibre channel common transport

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US10/805,111 Continuation US7333612B2 (en) 2004-03-19 2004-03-19 Methods and apparatus for confidentiality protection for Fibre Channel Common Transport

Publications (1)

Publication Number Publication Date
US20080095367A1 true US20080095367A1 (en) 2008-04-24

Family

ID=34986299

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/805,111 Expired - Fee Related US7333612B2 (en) 2004-03-19 2004-03-19 Methods and apparatus for confidentiality protection for Fibre Channel Common Transport
US11/959,380 Abandoned US20080095367A1 (en) 2004-03-19 2007-12-18 Methods and apparatus for confidentiality protection for fibre channel common transport

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US10/805,111 Expired - Fee Related US7333612B2 (en) 2004-03-19 2004-03-19 Methods and apparatus for confidentiality protection for Fibre Channel Common Transport

Country Status (5)

Country Link
US (2) US7333612B2 (en)
EP (1) EP1726112A4 (en)
CN (1) CN100580652C (en)
AU (1) AU2005226659B2 (en)
WO (1) WO2005092001A2 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7965843B1 (en) 2001-12-27 2011-06-21 Cisco Technology, Inc. Methods and apparatus for security over fibre channel
US20110207497A1 (en) * 2008-08-17 2011-08-25 Precyse Technologies, Inc Coded system for radio frequency communication
CN102611624A (en) * 2012-03-16 2012-07-25 北京星网锐捷网络技术有限公司 Method and device for controlling safety access to storage network and switching equipment
US9407547B2 (en) 2013-12-13 2016-08-02 Cisco Technology, Inc. Fibre channel over ethernet (FCoE) over virtual port channel (vPC)
US11115398B2 (en) * 2017-03-08 2021-09-07 Abb Power Grids Switzerland Ag Methods and devices for preserving relative timing and ordering of data packets in a network

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7333612B2 (en) * 2004-03-19 2008-02-19 Cisco Technology, Inc. Methods and apparatus for confidentiality protection for Fibre Channel Common Transport
US8769021B2 (en) * 2006-01-12 2014-07-01 Broadcom Corporation Method and system for light-weight SOAP transport for web services based management
US8514856B1 (en) 2010-06-24 2013-08-20 Cisco Technology, Inc. End-to-end fibre channel over ethernet
US8832331B2 (en) * 2011-08-29 2014-09-09 Ati Technologies Ulc Data modification for device communication channel packets
CN104219057A (en) * 2014-09-17 2014-12-17 中国能源建设集团广东省电力设计研究院 Method and device of real-time encryption for data communication network of wide area protection system
US20210271684A1 (en) 2020-02-28 2021-09-02 Clumio, Inc. Retrieval of data from a time-series data lake

Citations (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4217488A (en) * 1977-01-21 1980-08-12 Bell Telephone Laboratories, Incorporated Secure optical communication components, method, and system
US5070528A (en) * 1990-06-29 1991-12-03 Digital Equipment Corporation Generic encryption technique for communication networks
US5764890A (en) * 1994-12-13 1998-06-09 Microsoft Corporation Method and system for adding a secure network server to an existing computer network
US5946467A (en) * 1996-09-20 1999-08-31 Novell, Inc. Application-level, persistent packeting apparatus and method
US5959990A (en) * 1996-03-12 1999-09-28 Bay Networks, Inc. VLAN frame format
US6070243A (en) * 1997-06-13 2000-05-30 Xylan Corporation Deterministic user authentication service for communication network
US6081900A (en) * 1999-03-16 2000-06-27 Novell, Inc. Secure intranet access
US6108583A (en) * 1997-10-28 2000-08-22 Georgia Tech Research Corporation Adaptive data security system and method
US6263445B1 (en) * 1998-06-30 2001-07-17 Emc Corporation Method and apparatus for authenticating connections to a storage system coupled to a network
US20020129246A1 (en) * 1998-06-29 2002-09-12 Blumenau Steven M. Electronic device for secure authentication of objects such as computers in a data network
US20020184068A1 (en) * 2001-06-04 2002-12-05 Krishnan Krish R. Communications network-enabled system and method for determining and providing solutions to meet compliance and operational risk management standards and requirements
US20030028804A1 (en) * 2001-08-03 2003-02-06 Noehring Lee P. Apparatus and method for resolving security association database update coherency in high-speed systems having multiple security channels
US20030120915A1 (en) * 2001-11-30 2003-06-26 Brocade Communications Systems, Inc. Node and port authentication in a fibre channel network
US20030131228A1 (en) * 2002-01-10 2003-07-10 Twomey John E. System on a chip for network storage devices
US20040120528A1 (en) * 2002-12-20 2004-06-24 Elliott Brig Barnum Key transport in quantum cryptographic networks
US20040139313A1 (en) * 2002-12-05 2004-07-15 Buer Mark L. Tagging mechanism for data path security processing
US20040143734A1 (en) * 2002-12-05 2004-07-22 Buer Mark L. Data path security processing
US20040158706A1 (en) * 2002-10-16 2004-08-12 Haruo Moritomo System, method, and device for facilitating multi-path cryptographic communication
US20050044354A1 (en) * 2000-10-06 2005-02-24 Hagerman Douglas L. Apparatus and method for implementing spoofing-and replay-attack-resistant virtual zones on storage area networks
US20050102514A1 (en) * 2003-11-10 2005-05-12 Telefonaktiebolaget Lm Ericsson (Publ) Method, apparatus and system for pre-establishing secure communication channels
US20050207579A1 (en) * 2004-03-19 2005-09-22 Cisco Technology, Inc. Methods and apparatus for confidentially protection for Fibre Channel Common Transport
US20060274899A1 (en) * 2005-06-03 2006-12-07 Innomedia Pte Ltd. System and method for secure messaging with network address translation firewall traversal
US7215667B1 (en) * 2001-11-30 2007-05-08 Corrent Corporation System and method for communicating IPSec tunnel packets with compressed inner headers
US7965843B1 (en) * 2001-12-27 2011-06-21 Cisco Technology, Inc. Methods and apparatus for security over fibre channel

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6061794A (en) * 1997-09-30 2000-05-09 Compaq Computer Corp. System and method for performing secure device communications in a peer-to-peer bus architecture

Patent Citations (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4217488A (en) * 1977-01-21 1980-08-12 Bell Telephone Laboratories, Incorporated Secure optical communication components, method, and system
US5070528A (en) * 1990-06-29 1991-12-03 Digital Equipment Corporation Generic encryption technique for communication networks
US5764890A (en) * 1994-12-13 1998-06-09 Microsoft Corporation Method and system for adding a secure network server to an existing computer network
US5959990A (en) * 1996-03-12 1999-09-28 Bay Networks, Inc. VLAN frame format
US5946467A (en) * 1996-09-20 1999-08-31 Novell, Inc. Application-level, persistent packeting apparatus and method
US6070243A (en) * 1997-06-13 2000-05-30 Xylan Corporation Deterministic user authentication service for communication network
US6108583A (en) * 1997-10-28 2000-08-22 Georgia Tech Research Corporation Adaptive data security system and method
US6865426B1 (en) * 1997-10-28 2005-03-08 Georgia Tech Research Corporation Adaptive data security systems and methods
US20020129246A1 (en) * 1998-06-29 2002-09-12 Blumenau Steven M. Electronic device for secure authentication of objects such as computers in a data network
US6263445B1 (en) * 1998-06-30 2001-07-17 Emc Corporation Method and apparatus for authenticating connections to a storage system coupled to a network
US6081900A (en) * 1999-03-16 2000-06-27 Novell, Inc. Secure intranet access
US20050044354A1 (en) * 2000-10-06 2005-02-24 Hagerman Douglas L. Apparatus and method for implementing spoofing-and replay-attack-resistant virtual zones on storage area networks
US20020184068A1 (en) * 2001-06-04 2002-12-05 Krishnan Krish R. Communications network-enabled system and method for determining and providing solutions to meet compliance and operational risk management standards and requirements
US20030028804A1 (en) * 2001-08-03 2003-02-06 Noehring Lee P. Apparatus and method for resolving security association database update coherency in high-speed systems having multiple security channels
US20030120915A1 (en) * 2001-11-30 2003-06-26 Brocade Communications Systems, Inc. Node and port authentication in a fibre channel network
US7215667B1 (en) * 2001-11-30 2007-05-08 Corrent Corporation System and method for communicating IPSec tunnel packets with compressed inner headers
US7965843B1 (en) * 2001-12-27 2011-06-21 Cisco Technology, Inc. Methods and apparatus for security over fibre channel
US20030131228A1 (en) * 2002-01-10 2003-07-10 Twomey John E. System on a chip for network storage devices
US20040158706A1 (en) * 2002-10-16 2004-08-12 Haruo Moritomo System, method, and device for facilitating multi-path cryptographic communication
US20040139313A1 (en) * 2002-12-05 2004-07-15 Buer Mark L. Tagging mechanism for data path security processing
US20040143734A1 (en) * 2002-12-05 2004-07-22 Buer Mark L. Data path security processing
US20040120528A1 (en) * 2002-12-20 2004-06-24 Elliott Brig Barnum Key transport in quantum cryptographic networks
US20050102514A1 (en) * 2003-11-10 2005-05-12 Telefonaktiebolaget Lm Ericsson (Publ) Method, apparatus and system for pre-establishing secure communication channels
US20050207579A1 (en) * 2004-03-19 2005-09-22 Cisco Technology, Inc. Methods and apparatus for confidentially protection for Fibre Channel Common Transport
US7333612B2 (en) * 2004-03-19 2008-02-19 Cisco Technology, Inc. Methods and apparatus for confidentiality protection for Fibre Channel Common Transport
US20060274899A1 (en) * 2005-06-03 2006-12-07 Innomedia Pte Ltd. System and method for secure messaging with network address translation firewall traversal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Fibre Channel Generic Services - 3 (FC-GS-3). 13 January 2000. p. 1-198. *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7965843B1 (en) 2001-12-27 2011-06-21 Cisco Technology, Inc. Methods and apparatus for security over fibre channel
US20110219438A1 (en) * 2001-12-27 2011-09-08 Cisco Technology, Inc. Methods and apparatus for security over fibre channel
US8914858B2 (en) 2001-12-27 2014-12-16 Cisco Technology, Inc. Methods and apparatus for security over fibre channel
US10298595B2 (en) 2001-12-27 2019-05-21 Cisco Technology, Inc. Methods and apparatus for security over fibre channel
US20110207497A1 (en) * 2008-08-17 2011-08-25 Precyse Technologies, Inc Coded system for radio frequency communication
US8615265B2 (en) * 2008-08-17 2013-12-24 Precyse Technologies, Inc. Coded system for radio frequency communication
CN102611624A (en) * 2012-03-16 2012-07-25 北京星网锐捷网络技术有限公司 Method and device for controlling safety access to storage network and switching equipment
US9407547B2 (en) 2013-12-13 2016-08-02 Cisco Technology, Inc. Fibre channel over ethernet (FCoE) over virtual port channel (vPC)
US11115398B2 (en) * 2017-03-08 2021-09-07 Abb Power Grids Switzerland Ag Methods and devices for preserving relative timing and ordering of data packets in a network

Also Published As

Publication number Publication date
US7333612B2 (en) 2008-02-19
EP1726112A2 (en) 2006-11-29
AU2005226659B2 (en) 2009-12-10
CN101076792A (en) 2007-11-21
CN100580652C (en) 2010-01-13
AU2005226659A1 (en) 2005-10-06
EP1726112A4 (en) 2010-12-15
US20050207579A1 (en) 2005-09-22
WO2005092001A3 (en) 2007-05-31
WO2005092001A2 (en) 2005-10-06

Similar Documents

Publication Publication Date Title
US10298595B2 (en) Methods and apparatus for security over fibre channel
US20080095367A1 (en) Methods and apparatus for confidentiality protection for fibre channel common transport
JP3688830B2 (en) Packet transfer method and packet processing apparatus
US5898784A (en) Transferring encrypted packets over a public network
US5638448A (en) Network with secure communications sessions
US7937759B2 (en) System and method for protecting communication devices from denial of service attacks
CN109428867B (en) Message encryption and decryption method, network equipment and system
US20040210754A1 (en) Shared security transform device, system and methods
US20170237562A1 (en) Network service packet header security
US20080065777A1 (en) Method and system for establishing a secure over-the-air (ota) device connection
JP2009506617A (en) System and method for processing secure transmission information
WO1997026735A1 (en) Key management for network communication
US7076653B1 (en) System and method for supporting multiple encryption or authentication schemes over a connection on a network
KR100480999B1 (en) Apparatus and method for providing trusted channel in secure operating systems which are by using mandatory access control policy
US8510831B2 (en) System and method for protecting network resources from denial of service attacks
KR101979157B1 (en) Non-address network equipment and communication security system using it
US20080059788A1 (en) Secure electronic communications pathway
JP2007074761A (en) Data encrypting method, data decrypting method, lan control device including illegal access prevention function, and information processing apparatus
KR100381710B1 (en) Method For Security In Internet Server Based Upon Membership Operating System And Server Systems Regarding It
KR101448711B1 (en) security system and security method through communication encryption
JP3962050B2 (en) Packet encryption method and packet decryption method
CN114189370A (en) Access method and device
KR20110087972A (en) Method for blocking abnormal traffic using session table
CN109474615A (en) A kind of service encryption system and the communication for service method based on ciphering process
Bocovich et al. The road not taken: Secure asymmetry and deployability for decoy routing systems

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION