1. Field of the Invention
The present invention relates to fibre channel security. More specifically, the present invention relates to methods and apparatus for providing security for both fibre channel network entities and fibre channel messages. Security includes services such as authentication, confidentiality, integrity protection, and anti-replay protection.
2. Description of Related Art
Very limited security exists in fibre channel networks. One form of security for fibre channel networks is physical security. All fibre channel network entities, such as switches, disks, tape libraries, disk arrays, and servers, can be located in a secure and trusted environment. Access can be limited and strict controls can be maintained over the fibre channel fabric. However, it is not always feasible to locate every fibre channel network entity in a secured environment.
Some security schemes have focused more on secure links. When a new fibre channel network entity is introduced into a fibre channel fabric, directly neighboring nodes check the newly introduced entity to determine whether or not it is authorized to connect to the fabric. However, the checks are made only once, and only by some directly neighboring nodes. Other more distant nodes are unable to perform any checking. Furthermore, once the link is established, no further security is provided. The fabric is deemed trusted even though it remains vulnerable to certain attacks such as spoofing, hijacking, or impersonation.
It is therefore desirable to provide methods and apparatus for improving security in a fibre channel network and in particular for improving authentication, confidentiality, message integrity protection, and anti-replay protection in a fibre channel fabric with respect to some or all of the limitations noted above.
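To make concrete the difference between a one-time link check and the per-message integrity and anti-replay protection called for above, the following is an added illustration and is not code from the patent, which specifies no particular mechanism. It assumes a pre-shared key between two fabric entities and uses HMAC-SHA256 with a monotonically increasing sequence number; the frame layout, key, and payloads are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed pre-shared key; the patent text does not specify how keys are established.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 output length
SEQ_LEN = 4   # 32-bit big-endian sequence number


def protect_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Prepend a sequence number and append an HMAC tag covering header + payload.

    The tag gives per-message integrity and origin authentication; the sequence
    number lets the receiver detect replays of otherwise valid frames.
    """
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class FrameVerifier:
    """Receiver-side state: the key plus the highest sequence number accepted so far."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = -1

    def verify(self, frame: bytes) -> str:
        """Return "ok" if the frame is accepted, otherwise the reason for rejection."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "truncated"
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison; check the tag before trusting anything else in the frame.
        if not hmac.compare_digest(tag, expected):
            return "bad tag"
        seq = struct.unpack(">I", header)[0]
        # A valid tag with a stale sequence number is a replayed message.
        if seq <= self.last_seq:
            return "replay"
        self.last_seq = seq
        return "ok"


def run_demo() -> dict:
    """Exercise the verifier against constructed good, replayed, tampered and forged frames."""
    verifier = FrameVerifier(SHARED_KEY)
    first = protect_frame(SHARED_KEY, 1, b"READ LUN0")
    second = protect_frame(SHARED_KEY, 2, b"WRITE LUN0")

    # Flip one bit in the payload of an otherwise valid frame.
    tampered = bytearray(second)
    tampered[SEQ_LEN] ^= 0x01
    tampered = bytes(tampered)

    # A frame built by an entity that does not hold the shared key.
    forged = protect_frame(b"constructed-wrong-key", 3, b"WRITE LUN0")

    return {
        "first": verifier.verify(first),
        "second": verifier.verify(second),
        "replayed": verifier.verify(first),   # same valid frame delivered again
        "tampered": verifier.verify(tampered),
        "forged": verifier.verify(forged),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:9s} -> {result}")
```

The point of the example is that every frame is checked by its receiver, not just by the neighbours that admitted the sender to the fabric, so a node anywhere in the fabric can reject tampered, forged or replayed traffic on its own. Confidentiality is not addressed here; it would need encryption of the payload in addition to the tag.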