58 ServerIron ADX Global Server Load Balancing Guide
53-1002437-01
Secure GSLB
1
RSA challenge dialogue
Once the initial peer authentication is complete, there is a challenge response dialogue between
the two ServerIron ADXs as follows.
From GSLB controller to site ServerIron ADX:
1. The GSLB controller uses the site ServerIron ADX public key to encrypt a random sequence of bytes.
2. The GSLB controller sends these encrypted bytes to the site ServerIron ADX.
3. The site ServerIron ADX uses its private key to decrypt the bytes.
4. The site ServerIron ADX sends the decrypted bytes back to the GSLB controller.
5. The GSLB controller compares the decrypted bytes to the original bytes it sent to the site ServerIron ADX.
If the two sets of bytes match, it means the site ServerIron ADX's private key corresponds to an
authorized public key, and the site ServerIron ADX is authenticated.
From site ServerIron ADX to GSLB controller:
1. The site ServerIron ADX uses the public key of the GSLB controller to encrypt a random sequence of bytes.
2. The site ServerIron ADX sends these encrypted bytes to the GSLB controller.
3. The GSLB controller uses its private key to decrypt the bytes.
4. The GSLB controller sends the decrypted bytes back to the site ServerIron ADX.
5. The site ServerIron ADX compares the decrypted bytes to the original bytes it sent to the GSLB controller.
If the two sets of bytes match, it means that the GSLB controller's private key corresponds to an
authorized public key, and the GSLB controller is authenticated.
NOTE
The above two exchanges are independent of each other. The decrypted bytes are sent back using
the TCP/IP protocol.
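The two exchanges above, written out as an added example (not code from this guide or from the ServerIron ADX software). It assumes unpadded textbook RSA over constructed demo keys purely to stay dependency-free; the guide does not state the padding, the length of the random byte sequence or the message format, and all function and variable names are hypothetical.

```python
import hmac
import secrets

# Assumption: textbook (unpadded) RSA stands in for the device's RSA scheme,
# which the guide does not describe. Not safe for real use.
E = 65537

def make_keypair(p, q):
    """Return (public, private) as ((n, e), (n, d)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def issue_challenge(peer_public):
    """Challenger: encrypt random bytes under the peer's authorized public key."""
    n, e = peer_public
    nonce = secrets.token_bytes(16)          # the "random sequence of bytes"
    return nonce, pow(int.from_bytes(nonce, "big"), e, n)

def answer_challenge(own_private, ciphertext):
    """Responder: decrypt with its own private key and return the bytes."""
    n, d = own_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((n.bit_length() + 7) // 8, "big")[-16:]

def verify(nonce, reply):
    """Challenger: compare original and returned bytes in constant time."""
    return hmac.compare_digest(nonce, reply)

def mutual_auth(ctrl_pub, ctrl_priv, site_pub, site_priv):
    """Run both independent exchanges; return (site_ok, controller_ok)."""
    nonce, ct = issue_challenge(site_pub)    # controller challenges site
    site_ok = verify(nonce, answer_challenge(site_priv, ct))
    nonce, ct = issue_challenge(ctrl_pub)    # site challenges controller
    ctrl_ok = verify(nonce, answer_challenge(ctrl_priv, ct))
    return site_ok, ctrl_ok

# Constructed demo keys built from known Mersenne primes (sample values only).
CTRL_PUB, CTRL_PRIV = make_keypair(2**521 - 1, 2**127 - 1)
SITE_PUB, SITE_PRIV = make_keypair(2**607 - 1, 2**107 - 1)

if __name__ == "__main__":
    print(mutual_auth(CTRL_PUB, CTRL_PRIV, SITE_PUB, SITE_PRIV))
```

A responder that holds any private key other than the one matching the authorized public key returns bytes that fail the comparison, which is the property each exchange relies on.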
GSLB message content randomization
An implicit sequence number, along with changing GSLB protocol data, ensures that the packet data
changes from packet to packet, resulting in a substantially different MAC for each packet.
However, a few of the GSLB protocol packets may have a relatively constant pattern. Therefore, the
system introduces a random 8-bit data value in each packet. This value changes for each GSLB
protocol packet, resulting in a substantially different hash digest for every packet.
Configuring secure GSLB
The minimum required configuration for Secure GSLB includes the following tasks:
Configure secure communication on the controller.
Generate RSA Key Pair
Exchange the Public Keys