The present disclosure relates to internet communication security, and more specifically, to establishing security over converged Ethernet by appropriating Internet Protocol Security (IPSec) Security Association (SA) credentials.
Many industries require Internet Protocol Security (IPSec) for any internet protocol (IP) network traffic that must flow over unique IP subnets (e.g., security zones). Consequently, many platforms create infrastructure to support IPSec and build in separate security features to administer their own security ecosystem. For example, some platforms are configured to satisfy IPSec security requirements for interfacing with different IP endpoints. The operators of such platforms may extend their existing management and security capabilities (IPSec policies, SAs, and administrative controls) to Remote Direct Memory Access over Converged Ethernet (RoCE) connections to the same endpoints that are associated with existing Transmission Control Protocol (TCP) connections. They do this by defining separate IPSec policies for the RoCE connections. Establishing separate security credentials for the RoCE connections consumes processing time and resources for each new connection, in addition to requiring additional security and administrative configuration. Conversely, establishing a blanket security policy that encrypts all RoCE connections may over-protect data streams that do not require security. Performing IPSec where it is not required by policy, or at a cryptographic strength higher than what the policy requires, wastes valuable resources.
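A simplified model of the policy decision described above, added here as an illustration and not the disclosure's own implementation: a new RoCE connection is matched against the security-zone policy, and an SA already established for a TCP connection to the same endpoint is reused when its strength satisfies the policy, rather than negotiating a new one or applying blanket encryption. The cipher names, strength ordering, policy rules, and SA entries are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed strength ordering of cipher suites (assumption for this example).
STRENGTH = {"none": 0, "aes128-gcm": 1, "aes256-gcm": 2}

@dataclass
class SA:
    peer: str     # remote IP endpoint this SA protects traffic to
    cipher: str   # cipher negotiated for this SA
    spi: int      # constructed identifier, not a real SPI

@dataclass
class PolicyRule:
    subnet: str   # security zone (IP subnet) the rule covers
    required: str # minimum cipher strength the zone demands; "none" = no IPSec needed

def required_strength(rules, peer):
    """Return the strength the policy demands for traffic to `peer`.
    An unmatched peer fails closed to the strongest constructed cipher."""
    for rule in rules:
        if ip_address(peer) in ip_network(rule.subnet):
            return rule.required
    return "aes256-gcm"

def select_sa(rules, existing_sas, peer):
    """Decide how to protect a new RoCE connection to `peer`.
    Returns ("none", None), ("reuse", sa) or ("new", required_cipher)."""
    need = required_strength(rules, peer)
    if need == "none":
        return ("none", None)   # policy needs no IPSec here: do not over-protect
    # SAs already negotiated to the same endpoint (e.g. for TCP) that meet the policy
    candidates = [sa for sa in existing_sas
                  if sa.peer == peer and STRENGTH[sa.cipher] >= STRENGTH[need]]
    if candidates:
        # prefer the weakest SA that still satisfies policy, avoiding needless cost
        return ("reuse", min(candidates, key=lambda sa: STRENGTH[sa.cipher]))
    return ("new", need)        # nothing reusable: a fresh SA must be negotiated

# Constructed sample policy and SA database for a stand-alone run.
RULES = [PolicyRule("10.1.0.0/16", "aes128-gcm"), PolicyRule("10.2.0.0/16", "none")]
SAS = [SA("10.1.0.5", "aes256-gcm", 1001), SA("10.1.0.5", "aes128-gcm", 1002)]

if __name__ == "__main__":
    for peer in ("10.1.0.5", "10.2.0.9", "10.1.0.7"):
        print(peer, select_sa(RULES, SAS, peer))
```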