Prepare to use IP security
Beginning with ONTAP 9.8, you have the option to use IP security (IPsec) to protect your network traffic. IPsec is one of several data-in-motion or in-flight encryption options available with ONTAP. You should prepare to configure IPsec before using it in a production environment.
IP security implementation in ONTAP
IPsec is an internet standard maintained by the IETF. It provides data encryption and integrity as well as authentication for the traffic flowing among the network endpoints at an IP level.
With ONTAP, IPsec secures all the IP traffic between ONTAP and the various clients, including the NFS, SMB, and iSCSI protocols. In addition to privacy and data integrity, the network traffic is protected against several attacks such as the replay and man-in-the-middle attacks. ONTAP uses the IPsec transport mode implementation. It leverages the Internet Key Exchange (IKE) protocol version 2 for negotiating the key material between ONTAP and the clients using either IPv4 or IPv6.
When the IPsec capability is enabled on a cluster, the network requires one or more entries in the ONTAP Security Policy Database (SPD) matching the various traffic characteristics. These entries map to the specific protection details needed to process and send the data (such as the cipher suite and authentication method). A corresponding SPD entry is also needed at each client.
For certain types of traffic, another data-in-motion encryption option might be preferable. For example, for the encryption of NetApp SnapMirror and cluster peering traffic, the transport layer security (TLS) protocol is generally recommended instead of IPsec. This is because TLS offers better performance in most situations.
Evolution of the ONTAP IPsec implementation
IPsec was first introduced with ONTAP 9.8. The implementation has continued to evolve and improve as described below.
When a feature is introduced beginning with a specific ONTAP release, it is also supported in subsequent releases unless otherwise noted.
Several of the cryptographic operations, such as encryption and integrity checks, can be offloaded to a supported NIC card. See IPsec hardware offload feature for more information.
IPsec front-end host protocol support is available in MetroCluster IP and MetroCluster fabric-attached configurations. The IPsec support provided with MetroCluster clusters is limited to front-end host traffic and is not supported on MetroCluster intercluster LIFs.
Certificates can be used for IPsec authentication in addition to pre-shared keys (PSKs). Before ONTAP 9.10.1, only PSKs were supported for authentication.
The encryption algorithms used by IPsec are FIPS 140-2 validated. These algorithms are processed by the NetApp Cryptographic Module in ONTAP which carries the FIPS 140-2 validation.
Support for IPsec initially becomes available, based on the transport mode implementation.
IPsec hardware offload feature
If you are using ONTAP 9.16.1 or later, you have the option of offloading certain computationally intensive operations, such as encryption and integrity checks, to a network interface controller (NIC) card installed at the storage node. Using this hardware offload option can significantly improve the performance and throughput of the network traffic protected by IPsec.
Requirements and recommendations
There are several requirements you should consider before using the IPsec hardware offload feature.
You need to install and use only supported Ethernet cards on the storage nodes. The following Ethernet cards are supported with ONTAP 9.16.1:

- X50131A (2p, 40G/100G/200G/400G Ethernet Controller CX7)
- X60243A (4p, 10G/25G Ethernet Controller CX7)
The IPsec hardware offload feature is configured globally for the cluster. And so, for example, the command security ipsec config applies to all the nodes in the cluster.
Supported NIC cards should be installed at all the nodes in the cluster. If a supported NIC card is only available on some of the nodes, you might see a significant performance degradation after a failover if some of the LIFs are no longer hosted on an offload-capable NIC.
You should disable IPsec anti-replay protection at ONTAP (the default configuration) and at the IPsec clients. If it is not disabled, fragmentation and multi-path (redundant route) traffic are not supported.
Limitations
There are several limitations you should consider before using the IPsec hardware offload feature.
IP version 6 is not supported for the IPsec hardware offload feature. IPv6 is only supported with the IPsec software implementation.
The IPsec extended sequence numbers are not supported with the hardware offload feature. Only the normal 32-bit sequence numbers are used.
The IPsec hardware offload feature does not support link aggregation. And so it cannot be used with an interface or link aggregation group as administered through the network port ifgrp commands at the ONTAP CLI.
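The requirements and limitations above can be turned into a pre-deployment readiness audit. The following is an added example, not NetApp code: it checks a cluster inventory for the conditions listed on this page (a supported NIC on every node, anti-replay disabled on ONTAP and clients, no extended sequence numbers, IPv6 policies and ifgrp-hosted LIFs flagged as software-path only). The inventory layout is a constructed stand-in, not the ONTAP CLI or REST output format.

```python
import ipaddress

# Supported cards from the list above; anything else is not offload-capable.
SUPPORTED_OFFLOAD_NICS = {"X50131A", "X60243A"}

def offload_readiness(inv):
    """Check an inventory against the offload requirements and limitations.
    Returns a list of findings; an empty list means nothing blocks offload."""
    findings = []
    # Offload is configured cluster-wide, so every node needs a supported NIC;
    # otherwise LIFs can land on a non-offload NIC after a failover.
    for node in inv["nodes"]:
        if not SUPPORTED_OFFLOAD_NICS & set(node["nics"]):
            findings.append(f"node {node['name']}: no supported offload NIC")
    # Anti-replay must be disabled on ONTAP and on every client, or
    # fragmentation and multi-path traffic are not supported.
    if inv["ontap"]["anti_replay"]:
        findings.append("ONTAP: anti-replay protection is enabled")
    for c in inv["clients"]:
        if c["anti_replay"]:
            findings.append(f"client {c['name']}: anti-replay protection is enabled")
    # Extended sequence numbers are not offloaded (32-bit sequence numbers only).
    if inv["ontap"]["extended_sequence_numbers"]:
        findings.append("ONTAP: extended sequence numbers are enabled")
    # IPv6 traffic and LIFs on an ifgrp stay on the software IPsec path.
    for p in inv["policies"]:
        if ipaddress.ip_address(p["local_ip"]).version == 6:
            findings.append(f"policy {p['name']}: IPv6 is software-only")
    for lif in inv["lifs"]:
        if lif["port_is_ifgrp"]:
            findings.append(f"LIF {lif['name']}: on an ifgrp, not offloaded")
    return findings

# Constructed sample inventory (not real cluster data) with several problems.
SAMPLE = {
    "nodes": [{"name": "node1", "nics": ["X50131A"]},
              {"name": "node2", "nics": ["unsupported-card"]}],
    "ontap": {"anti_replay": False, "extended_sequence_numbers": True},
    "clients": [{"name": "nfs-host", "anti_replay": True}],
    "policies": [{"name": "nfs-v4", "local_ip": "192.0.2.10"},
                 {"name": "nfs-v6", "local_ip": "2001:db8::10"}],
    "lifs": [{"name": "lif1", "port_is_ifgrp": False},
             {"name": "lif2", "port_is_ifgrp": True}],
}

if __name__ == "__main__":
    for finding in offload_readiness(SAMPLE):
        print("finding:", finding)
```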
Configuration support in the ONTAP CLI
Three existing CLI commands are updated in ONTAP 9.16.1 to support the IPsec hardware offload feature as described below. Also see Configure IP security in ONTAP for more information.
| ONTAP command | Update |
|---|---|
| | The boolean parameter |
| | The parameter |
| | Four new counters have been added to display the inbound as well as outbound traffic in bytes and packets. |
Configuration support in the ONTAP REST API
Two existing REST API endpoints are updated in ONTAP 9.16.1 to support the IPsec hardware offload feature as described below.
| REST endpoint | Update |
|---|---|
| | The parameter |
| | Two new counter values have been added to track the total bytes and packets processed by the offload feature. |
Learn more about the ONTAP REST API, including what's new with the ONTAP REST API, from the ONTAP automation documentation. You should also review the ONTAP automation documentation for details about IPsec endpoints.