FC-BB-5 v1.05 Annex D Requirements Cross-Check, T11/09-244v1
David L. Black, EMC Corporation
April 16, 2009
----------------------------------------------

Goal of this exercise - find normative text in the body of FC-BB-5 that
enforces the requirements in Annex D that are appropriate to enforce
(e.g., Ethernet bridge recommendations are always informative).

ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Requirements not totally covered (i.e., changes needed)
ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

D.3 General deployment recommendations

1) No VLAN should carry more than one Fibre Channel Virtual Fabric
   (applies to the LAN if VLANs are not in use).

--> [A] Seems to be missing - 7.8.2.1 and 7.8.2.2 need recommendations
    (should) that receipt of discovery advertisements for two different
    fabrics on same VLAN should result in no virtual link being
    established and an error being reported by the recipient in a
    vendor-specific manner.

--> Solution: Add the following text at the end of 7.8.2.1:

    "Reception of Discovery Advertisements for more than one Fabric on
    the same VLAN should be reported by an ENode MAC in a vendor
    specific way and no subsequent VN_Port to VF_Port Virtual Links
    should be instantiated."

    And the following text at the end of 7.8.2.2:

    "Reception of Discovery Advertisements for more than one Fabric on
    the same VLAN should be reported by VE_Port capable FCF-MAC in a
    vendor specific way and no subsequent VE_Port to VE_Port Virtual
    Links should be instantiated."

Editor: complete

-----

D.5 ENode and FCF recommendations

1) ENodes discard all received frames with an Ethertype equal to
   FIP_TYPE except:
   I) those that contain a Destination MAC address equal to
      All-ENode-MACs; and
   II) those that contain a Destination MAC address that equals a
       source MAC address used in a FIP Discovery Solicitation from
       the ENode.
--> [B] This requirement is stating a quite obvious thing (i.e., that
    an Ethernet frame destined to an address not recognized by the
    ENode MAC as one of its own shall be discarded). Add the following
    sentence to the last but one paragraph of 7.8.1:

    "An ENode MAC shall discard a FIP message destined to an address
    other than its ENode MAC address or the All-ENode-MACs address".

Editor: complete

-----

2) ENodes discard all received frames with an Ethertype equal to
   FCoE_TYPE that:
   I) contain a destination MAC address/destination N_Port_ID pair
      that was not assigned by an FCF to one of the VN_Ports on the
      ENode; or
   II) contain a source MAC address that does not match the MAC
       address of the FCF that assigned the corresponding VN_Port MAC
       address.

--> Almost ok, in 7.3:

    When decapsulating FC frames from FCoE frames, the FCoE_LEP shall
    verify that the destination address of the received FCoE frame is
    equal to the MAC address of the local link end-point and *should*
    verify that the source address of the received FCoE frame is equal
    to the MAC address of the remote link end-point. If either check
    fails the FCoE frame shall be discarded.

    For an FCoE_LEP of an ENode MAC, the MAC address of the local link
    end-point is the MAC address associated with its VN_Port and the
    remote link end-point address is the FCF-MAC address associated
    with the remote VF_Port. The VN_Port may use an FPMA or an SPMA as
    its MAC address.

--> [C] The *should* in the first paragraph quoted above needs to be a
    *shall*. This is taken care of by EMC-031.

-----

3) FCFs discard all frames received with an Ethertype = FCoE_TYPE
   that:
   I) contain a destination MAC address that does not match the MAC
      address of one of the FCF's VE_Ports or VF_Ports;
   II) contain the source MAC address that does not match the MAC
       addresses that the FCF has assigned to the corresponding
       VN_Port or was established for the corresponding VE_Port; or
   III) in the case of a VN_Port, contains a Fibre Channel source
        address that does not match the one assigned to the VN_Port by
        the FCF.

--> Almost ok, in 7.4:

--> [D] 7.4 has a *should* vs. *shall* problem for source address
    verification that corresponds to the above problem in 7.3. This is
    taken care of by EMC-031.

-----

D.6 Additional threat isolation using FPMAs

5) On reception, VN_Ports verify that the destination Fibre Channel
   address identifier matches the 24 least significant bits of the
   destination MAC address.

--> [G] In 7.8.7.4.2, the last sentence of the third but last paragraph
    at page 116 says: "If the FCF granted an FPMA, the granted MAC
    address shall be a properly formed FPMA (see 7.6).". Add after that
    sentence the following one:

    "An ENode shall verify that a granted FPMA address is properly
    formed."

Editor: complete

-----

8) FCF ports that implement multiple port types (i.e., VF_Port and
   VE_Port) do not use the same MAC address for different port types.

--> [F] This is in 7.4, last sentence of the second paragraph in page
    87: "Support for both VE_Port/FCoE_LEP pairs and VF_Port/FCoE_LEP
    pairs on the same FCF-MAC is prohibited." Add after that sentence
    the following one:

    "MAC addresses used by FCFs for FCF-MACs shall be different by MAC
    addresses used by ENodes for ENode MACs."

Editor: complete

ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Requirements covered (i.e., no changes needed)
ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

4) On transmission, VN_Ports construct all frames with:
   I) the destination MAC address set to the MAC address of the FCF
      that it successfully performed a FIP FLOGI or FIP NPIV FDISC
      with; and
   II) the source MAC address set to the MAC address assigned to the
       VN_Port by the FCF as a result of the FIP FLOGI or FIP NPIV
       FDISC.

--> Ok, in 7.3:

    When encapsulating FC frames into FCoE frames, the MAC address of
    the local link end-point shall be used as source address and the
    MAC address of the remote link end-point shall be used as
    destination address of the generated FCoE frame.

-----

5) On transmission, VF_Ports construct all frames with:
   I) the destination MAC address set to the MAC address of the
      VN_Port as assigned by the transmitting FCF during FIP FLOGI/FIP
      NPIV FDISC; and
   II) the source MAC address set to the MAC address of the VF_Port
       (i.e., that of the FCF).

6) On transmission, VE_Ports construct all frames with:
   I) the source MAC address of the transmitting VE_Port; and
   II) the destination MAC address of the remote VE_Port.

--> Ok, both 5) and 6) are in 7.4:

    When encapsulating FC frames into FCoE frames, the MAC address of
    the local link end-point shall be used as source address and the
    MAC address of the remote link end-point shall be used as
    destination address of the generated FCoE frame.

-----

7) The MAC Client within a FCF does not deliver:
   I) to a VE_Port or VF_Port, any frame whose Ethertype is not equal
      to FCoE_TYPE; and
   II) to the FCoE controller, any frame whose Ethertype is not equal
       to FIP_TYPE; or
   III) alternatively, VE_Ports, VF_Ports, and FCoE Controllers
        discard all frames that do not contain an Ethertype of
        FCoE_TYPE, FCoE_TYPE, and FIP_TYPE, respectively.
--> [E] This Ethertype discard requirement appears to be in 7.6, when
    we say "FPMAs should not be used for other protocols", and "SPMAs
    used for FCoE and FIP traffic should not be used for other
    protocols".

-----

9) ENodes may choose to transmit a FIP FLOGI/FIP NPIV FDISC to any
   FCF(s).

--> No requirements text needed.

-----

10) While processing a FIP FLOGI or FIP NPIV FDISC, an FCF either
    rejects the request or ensures that the MAC address assigned to
    the requesting ENode:
    I) complies with local administrative policy; and
    II) in the case of FPMA, the 24 most significant bits contain the
        Fabric's FC-MAP and the 24 least significant bits equal that
        of the assigned Fibre Channel address identifier.

--> II) is in 7.8.3.1.

-----

11) FCFs may chose to create or not create VE_Ports with other FCFs
    based on local policy information (e.g., the MAC address of other
    FCFs).

--> Ok.

-----

12) All source MAC addresses used in FIP should be globally assigned
    (see IEEE 802-2001 for a description of globally assigned MAC
    addresses).

--> Ok, at end of 7.6:

    SPMAs should be globally assigned, not locally generated (i.e.,
    they should have the U/L bit set to zero, see IEEE 802.3-2008).

D.6 Additional threat isolation using FPMAs

--> 1) - 4) are about bridges, all bridge recommendations are
    informative.

6) On reception, VF_Ports verify that the source Fibre Channel address
   identifier matches the 24 least significant bits of the source MAC
   address.

--> Ok, it is the combination of the FCoE_LEP and VF_Port checks in
    7.4.

7) On transmission, VN_Ports construct all frames such that the source
   Fibre Channel address identifier matches the 24 least significant
   bits of the source MAC address.

--> Ok, specified as part of the FCoE_LEP/VN_Port pair processing.

8) On transmission, VF_Ports construct all frames such that the
   destination Fibre Channel address identifier matches the 24 least
   significant bits of the destination MAC address.

--> Ok, Specified as part of the FCoE_LEP/VF_Port pair processing.
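
-----

The ENode receive checks cross-checked above (D.5 2) I and II, D.6 5)) and the FPMA form from D.5 10) II and [G], as an added example that is not part of the original T11 document or of FC-BB-5. The Ethertype and default FC-MAP values, the untagged frame layout (14-byte FCoE header before the FC header), the table shape, the function names and the sample addresses are assumptions of this example; SOF/EOF and VLAN tags are not modelled.

```python
import struct

FCOE_TYPE = 0x8906         # FCoE Ethertype (assumed value, not given on the page)
DEFAULT_FC_MAP = 0x0EFC00  # default FC-MAP (assumed value, not given on the page)

def fpma_well_formed(mac: bytes, fc_map: int, fc_id: int) -> bool:
    """D.5 10) II): 24 MSBs hold the FC-MAP, 24 LSBs the FC address identifier."""
    return mac == ((fc_map << 24) | fc_id).to_bytes(6, "big")

def enode_rx_check(frame: bytes, vn_ports: dict) -> str:
    """Return "accept" or a discard reason for an untagged FCoE frame.

    vn_ports is a hypothetical table: VN_Port MAC -> (N_Port_ID, assigning FCF-MAC).
    """
    if len(frame) < 14 + 14 + 24:           # Ethernet + FCoE header + FC header
        return "discard: truncated"
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != FCOE_TYPE:
        return "discard: not FCoE_TYPE"
    d_id = frame[29:32]                     # FC header: R_CTL (1 byte), then D_ID
    entry = vn_ports.get(dst)
    if entry is None or entry[0] != int.from_bytes(d_id, "big"):
        return "discard: MAC/N_Port_ID pair not assigned"        # D.5 2) I
    if src != entry[1]:
        return "discard: source is not the assigning FCF"        # D.5 2) II
    if dst[3:] != d_id:
        return "discard: D_ID differs from FPMA low 24 bits"     # D.6 5)
    return "accept"

def sample_frame(dst: bytes, src: bytes, d_id: int, s_id: int) -> bytes:
    """Constructed frame: Ethernet header, zeroed FCoE header, bare FC header."""
    fc_header = (b"\x00" + d_id.to_bytes(3, "big") +
                 b"\x00" + s_id.to_bytes(3, "big") + bytes(16))
    return dst + src + struct.pack("!H", FCOE_TYPE) + bytes(14) + fc_header

# Constructed sample addresses (FCF-MACs use the IANA documentation range).
FCF_MAC = bytes.fromhex("00005e005301")
OTHER_MAC = bytes.fromhex("00005e005302")
VN_MAC = bytes.fromhex("0efc00010203")      # FPMA for N_Port_ID 0x010203
TABLE = {VN_MAC: (0x010203, FCF_MAC)}

if __name__ == "__main__":
    print(enode_rx_check(sample_frame(VN_MAC, FCF_MAC, 0x010203, 0xFFFFFE), TABLE))
    print(enode_rx_check(sample_frame(VN_MAC, OTHER_MAC, 0x010203, 0xFFFFFE), TABLE))
    print(enode_rx_check(sample_frame(VN_MAC, FCF_MAC, 0x010204, 0xFFFFFE), TABLE))
```

The D.6 5) branch only fires when the table itself holds a malformed FPMA, which is the case the sentence added under [G] asks the ENode to catch at grant time with a check like fpma_well_formed.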