1 Secure GSLB

RSA challenge dialogue

Once the initial peer authentication is complete, the two ServerIron ADXs carry out the following challenge-response dialogue.

From GSLB controller to site ServerIron ADX:

The GSLB controller uses the site ServerIron ADX's public key to encrypt a random sequence of bytes.

The GSLB controller sends these encrypted bytes to the site ServerIron ADX.

The site ServerIron ADX uses its private key to decrypt the bytes.

The site ServerIron ADX sends the decrypted bytes back to the GSLB controller.

The GSLB controller compares the decrypted bytes to the original bytes it sent to the site ServerIron ADX.

If the two sets of bytes match, it means the site ServerIron ADX's private key corresponds to an authorized public key, and the site ServerIron ADX is authenticated.

From site ServerIron ADX to GSLB controller:

The site ServerIron ADX uses the GSLB controller's public key to encrypt a random sequence of bytes.

The site ServerIron ADX sends these encrypted bytes to the GSLB controller.

The GSLB controller uses its private key to decrypt the bytes.

The GSLB controller sends the decrypted bytes back to the site ServerIron ADX.

The site ServerIron ADX compares the decrypted bytes to the original bytes it sent to the GSLB controller.

If the two sets of bytes match, it means that the GSLB controller's private key corresponds to an authorized public key, and the GSLB controller is authenticated.

NOTE

The above two exchanges are independent of each other. The decrypted bytes are sent back over TCP/IP.
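The two exchanges above, written out as both sides' messages in one runnable program. This is an added example, not code from the ServerIron ADX guide or from Brocade: the guide does not state the RSA key size, the padding scheme, or the challenge length, so 2048-bit keys, RSA-OAEP with SHA-256 and a 32-byte challenge are assumptions, and the type and function names (Peer, challenge, respond, verify, authenticate, mutualAuth, exchangeKeys) are this example's own. The "rogue" peer at the end shows the failure mode: a peer that holds a key pair of its own, but whose public key was never exchanged, cannot decrypt the controller's challenge.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Peer models one ServerIron ADX in the dialogue: its own RSA key pair and
// the public key it was given for the other side during key exchange.
// (Type and function names are this example's, not the appliance's.)
type Peer struct {
	Name    string
	Key     *rsa.PrivateKey
	Trusted *rsa.PublicKey // the other side's exchanged public key
}

// newPeer generates a key pair. Assumption: 2048-bit RSA; the guide does not
// state a key size.
func newPeer(name string, bits int) (*Peer, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Peer{Name: name, Key: k}, nil
}

// exchangeKeys stands in for the public-key exchange step: each side stores
// the other's public key as the one it will challenge against.
func exchangeKeys(a, b *Peer) {
	a.Trusted = &b.Key.PublicKey
	b.Trusted = &a.Key.PublicKey
}

// challenge is the verifier's first message: 32 random bytes encrypted to the
// peer's trusted public key. Assumption: RSA-OAEP with SHA-256; the guide does
// not name the padding scheme. The plaintext is kept for the comparison step.
func (p *Peer) challenge() (plain, ciphertext []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, p.Trusted, plain, nil)
	return plain, ciphertext, err
}

// respond is the prover's reply: decrypt with its own private key and send the
// recovered bytes back. Only the holder of the matching private key can do this.
func (p *Peer) respond(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, p.Key, ciphertext, nil)
}

// verify is the verifier's comparison of the returned bytes with the original.
// A constant-time compare avoids leaking how many leading bytes matched.
func verify(original, returned []byte) bool {
	return subtle.ConstantTimeCompare(original, returned) == 1
}

// authenticate runs one direction of the dialogue (verifier -> prover -> verifier).
func authenticate(verifier, prover *Peer) error {
	plain, ct, err := verifier.challenge()
	if err != nil {
		return err
	}
	got, err := prover.respond(ct)
	if err != nil {
		return fmt.Errorf("%s cannot decrypt %s's challenge: %w", prover.Name, verifier.Name, err)
	}
	if !verify(plain, got) {
		return errors.New(prover.Name + " returned bytes that do not match the challenge")
	}
	return nil
}

// mutualAuth runs the two independent exchanges the guide describes:
// controller challenges site, then site challenges controller.
func mutualAuth(controller, site *Peer) error {
	if err := authenticate(controller, site); err != nil {
		return fmt.Errorf("site authentication failed: %w", err)
	}
	if err := authenticate(site, controller); err != nil {
		return fmt.Errorf("controller authentication failed: %w", err)
	}
	return nil
}

func main() {
	ctrl, _ := newPeer("gslb-controller", 2048)
	site, _ := newPeer("site-adx", 2048)
	exchangeKeys(ctrl, site)
	fmt.Println("controller <-> site:", mutualAuth(ctrl, site))

	// A peer with its own key pair, whose public key the controller never
	// received, cannot decrypt the controller's challenge and is rejected.
	rogue, _ := newPeer("rogue-adx", 2048)
	rogue.Trusted = &ctrl.Key.PublicKey
	fmt.Println("controller <-> rogue:", authenticate(ctrl, rogue))
}
```

Each direction is a separate call to authenticate, matching the guide's note that the two exchanges are independent; a failure in either direction fails the session as a whole.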

GSLB message content randomization

An implicit sequence number, together with the GSLB protocol data that changes from packet to packet, ensures that the MAC input differs for every packet and therefore produces a substantially different MAC for each packet.

However, a few GSLB protocol packets have a relatively constant pattern. To cover these, the system also inserts a random 8-bit value into each packet. This value changes with every GSLB protocol packet, so every packet produces a substantially different hash digest.
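A model of the randomization described above, as an added example that is not code from the guide or from Brocade. The guide names neither the MAC algorithm, the width of the sequence number, nor the packet layout, so HMAC-SHA256 under a shared key, a 32-bit implicit sequence counter, and the frame layout (random byte, payload, tag) are assumptions, as are the names Frame, Endpoint, computeTag, Send and Receive. The program sends two keepalives with byte-identical payloads and shows that they carry different MACs, and that a replay of the first one is rejected because the receiver's implicit sequence number has moved on.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is what crosses the wire for one GSLB protocol packet in this model:
// the 8-bit random value, the protocol payload, and the MAC over all of it.
// The sequence number is implicit: both sides count it, nobody transmits it.
// (Layout, field names and HMAC-SHA256 are this example's assumptions.)
type Frame struct {
	Rand    byte
	Payload []byte
	Tag     []byte
}

// macInput is the exact byte string the MAC covers:
// seq (4 bytes, big-endian) || rand (1 byte) || payload.
func macInput(seq uint32, r byte, payload []byte) []byte {
	buf := make([]byte, 0, 5+len(payload))
	buf = binary.BigEndian.AppendUint32(buf, seq)
	buf = append(buf, r)
	return append(buf, payload...)
}

// computeTag is HMAC-SHA256 under the shared key (assumption: the guide does
// not name the MAC algorithm).
func computeTag(key []byte, seq uint32, r byte, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(macInput(seq, r, payload))
	return m.Sum(nil)
}

// Endpoint is either side of the GSLB session: a shared key plus its own copy
// of the implicit sequence counter for each direction.
type Endpoint struct {
	key     []byte
	sendSeq uint32
	recvSeq uint32
}

// Send builds a frame: draw a fresh random byte, MAC it together with the
// implicit sequence number and payload, then advance the counter.
func (e *Endpoint) Send(payload []byte) (Frame, error) {
	var rb [1]byte
	if _, err := rand.Read(rb[:]); err != nil {
		return Frame{}, err
	}
	f := Frame{Rand: rb[0], Payload: payload, Tag: computeTag(e.key, e.sendSeq, rb[0], payload)}
	e.sendSeq++
	return f, nil
}

// Receive recomputes the MAC with the receiver's own expected sequence number.
// A replayed, reordered or modified frame fails here because either the
// implicit sequence number or the covered bytes no longer match.
func (e *Endpoint) Receive(f Frame) error {
	want := computeTag(e.key, e.recvSeq, f.Rand, f.Payload)
	if !hmac.Equal(f.Tag, want) {
		return errors.New("MAC mismatch: replayed, reordered or tampered packet")
	}
	e.recvSeq++
	return nil
}

func main() {
	key := []byte("constructed-example-shared-key") // constructed, not a real key
	controller := &Endpoint{key: key}
	site := &Endpoint{key: key}

	// Two keepalives with byte-identical payloads still get different MACs.
	f1, _ := controller.Send([]byte("GSLB-KEEPALIVE"))
	f2, _ := controller.Send([]byte("GSLB-KEEPALIVE"))
	fmt.Printf("tag1 %x\ntag2 %x\n", f1.Tag[:8], f2.Tag[:8])

	fmt.Println("deliver f1:", site.Receive(f1))
	fmt.Println("deliver f2:", site.Receive(f2))
	fmt.Println("replay f1: ", site.Receive(f1))
}
```

In this model the implicit sequence number is what rejects a replayed or reordered frame; the 8-bit random value, having only 256 possible values, serves to diversify the digest of otherwise constant packets, not to stand in for a sequence number.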

Configuring secure GSLB

The minimum required configuration for Secure GSLB includes the following tasks:

Configure secure communication on the controller.

Generate an RSA key pair.

Exchange the public keys.

58

ServerIron ADX Global Server Load Balancing Guide

 

53-1002437-01
